
The BR Privacy & Security Download: July 2022

Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.


STATE & LOCAL LAWS & REGULATIONS

California Privacy Regulator Starts Formal Rulemaking Process
The California Privacy Protection Agency (“CPPA”), the agency charged with enforcing the California Privacy Rights Act (“CPRA”), has unanimously voted to begin the CPRA rulemaking process. The CPPA released draft regulations to implement the CPRA as part of the CPPA’s June 8 public board meeting materials. At the June 8 meeting, the CPPA board moved to approve the draft regulations, authorizing Executive Director Ashkan Soltani to take all steps necessary to initiate the rulemaking process by preparing and submitting a package of materials, including a Notice of Proposed Rulemaking Action, the Initial Statement of Reasons, and the draft regulations, along with other forms and materials, to the Office of Administrative Law. While the CPPA has released the Initial Statement of Reasons, it has not yet published the Notice of Proposed Rulemaking Action. Once the package is submitted, the public comment period will begin and allow the CPPA board to make any changes to the draft regulations. Currently, the draft regulations do not address all of the topics the CPRA requires the CPPA to adopt and will likely be subject to extensive public comment and modification before becoming final.

Colorado Attorney General to Begin Pre-Rulemaking Listening Sessions
The Colorado Attorney General’s Office held informal public listening sessions about upcoming rulemaking for the Colorado Privacy Act. The Attorney General’s Office invited input on topics that may require clarification, address consumer concerns or compliance challenges, and specifically solicited feedback on universal opt-out, consumer consent, dark patterns, and profiling. The listening sessions will not be part of the official rulemaking record. The Attorney General will provide public notice of its proposed rules once they are prepared and hold formal public rulemaking hearings at that time. The Attorney General continues to solicit informal comments on the Colorado Privacy Act and the rulemaking process through its website.

Vermont Enacts Insurance Data Security Law
Following in the footsteps of Kentucky, Maryland, and 20 other states, Vermont has enacted its own insurance data security law (H.515) modeled on the National Association of Insurance Commissioners’ Insurance Data Security Model Law (“MDL-668”). H.515 requires insurance carriers to develop, implement, and maintain a comprehensive written information security program that contains certain administrative, technical, and physical safeguards, and to require their third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the insurance carriers’ information systems and nonpublic information accessible to or held by the service provider. H.515 will take effect January 1, 2023, but provides insurance carriers a one-year grace period to comply with the requirements for a written information security program and a two-year grace period to implement the third-party service provider oversight requirement.

Maryland Enacts Amendments to Data Breach Notification Law and Student Privacy Law Takes Effect
Maryland enacted HB 962, which amends the Maryland Personal Information Protection Act, the state’s data breach notification law. Once HB 962 takes effect on October 1, 2022, data owners and licensors will be required to notify affected individuals within 45 days of discovering or being notified of a breach, rather than within 45 days of concluding their investigation into the breach, as was required previously. HB 962 also sets forth specific content requirements for notifications to the Maryland attorney general and clarifies the definition of genetic information that is considered personal information. Additionally, amendments to Maryland’s Student Data Privacy Act (SB 325) took effect June 1, 2022. SB 325 clarifies and expands the definitions of certain key terms (i.e., “covered information,” “operator,” and “persistent unique identifier”) and re-establishes the Student Data Privacy Council (“Council”), consisting of 17 members holding specific positions across state government and educational organizations, to review and analyze best practices and developments in technologies related to student data privacy and make recommendations for statutory and regulatory changes to the Student Data Privacy Act. The Council must report such recommended changes to the Maryland governor on or before December 1, 2025.

Minnesota Enacts Education Data Privacy Bill
Minnesota enacted H.F. 2353, which provides that technology providers (i.e., those who contract with a public education agency or institution to provide a school-issued device for student use and who create, receive, or maintain educational data pursuant or incidental to a contract with a public education agency or institution) are not the owners of educational data. H.F. 2353 prohibits technology providers from: (i) accessing or monitoring a school-issued device’s location-tracking feature, audio or visual recordings, and web-browsing activity; (ii) using the educational data for any commercial purpose; and (iii) selling, sharing, or disseminating the educational data, with certain exceptions. H.F. 2353 further sets forth the contractual provisions that must be in place between the technology provider and the public educational agency or institution and requires technology providers to notify public educational agencies and institutions of a data breach in accordance with Minnesota’s data breach notification law. H.F. 2353 is effective for the 2022-2023 school year and later.


FEDERAL LAWS & REGULATIONS

Bipartisan Comprehensive Privacy Legislation Introduced
The American Data Privacy and Protection Act (the “Act”) quickly moved from discussion draft to formally introduced legislation that was unanimously advanced to a full committee markup by the House Committee on Energy and Commerce Subcommittee on Consumer Protection and Commerce. The Act establishes a duty of loyalty for organizations that requires covered entities to limit what they collect, process, and transfer to information that is reasonably necessary to provide or maintain products or services requested by individuals, prohibits certain data practices, and requires implementation of “privacy by design” and information security practices. The Act would also preempt state privacy laws, with certain exemptions, including for Illinois’ Biometric Information Privacy Act, the California Consumer Privacy Act’s private right of action regarding data breaches, and state unfair and deceptive acts and practices laws, among others. It would also provide a limited private right of action that could be exercised only after first notifying the Federal Trade Commission (“FTC”) or the attorney general of the person’s state of residence of a violation. The Act has seen certain modifications in the legislative process already, including adjustments to the types of damages available to plaintiffs under the private right of action, enhanced requirements for algorithmic assessments, and a reduction of sensitive data categories.

FTC Re-Files Advanced Notice of Proposed Rulemaking
The FTC re-filed an Advanced Notice of Proposed Rulemaking (“ANPRM”) with the Office of Management and Budget covering potential rulemaking on privacy and artificial intelligence. When previously filed, the FTC did not follow through with rulemaking steps. The short text of the Advanced Notice mirrors a pre-filing from the FTC in December 2021 and indicates that the FTC is considering initiating rulemaking activities “to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” The comment period for the ANPRM began at the start of June and will end in August.

Senators Introduce Legislation to Ban Data Brokers from Selling Americans’ Location and Health Data
Senators Warren, Wyden, Murray, Whitehouse, and Sanders introduced the Health and Location Data Protection Act (the “Act”) which aims to ban data brokers from selling health and location data. If passed, the bill would require the FTC to create new rules and implement the law within 180 days—while making exceptions for Health Insurance Portability and Accountability Act (“HIPAA”)-compliant activity, protected First Amendment speech, and authorized disclosures. The bill would allow the FTC, state attorneys general, and persons injured from the sale of their health and location data, to sue for enforcement of the law. The Act would also provide one billion dollars in funding to the FTC over the next decade to enforce the Act and other related projects.

HHS Publishes Guidance on Audio-only Telehealth Practices
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance on audio-only telehealth services to assist covered entities in using audio-only telehealth in compliance with HIPAA rules, including when the OCR’s notification of enforcement discretion for telehealth remote communications is no longer in effect. In particular, OCR clarified that “(1) HIPAA covered entities may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with HIPAA privacy regulations, (2) the HIPAA Security Rule applies to electronic protected health information—covered healthcare providers and health plans must meet the requirements of the HIPAA Security Rule in order to use remote communication technologies to provide audio-only telehealth services, (3) HIPAA Rules require a covered entity to enter into a business associate agreement (“BAA”) with a telecommunication service provider (“TSP”) only when the vendor is acting as a business associate, and (4) covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.”


U.S. LITIGATION

Aerojet Rocketdyne Settlement of False Claims Act Litigation Is Another Win for DOJ’s Cyber-Fraud Initiative
On June 30, 2022, Aerojet Rocketdyne Holdings, Inc. (“Aerojet”) and Relator Brian Markus settled the Relator’s qui tam False Claims Act (“FCA”) litigation alleging that Aerojet misrepresented its cybersecurity practices to secure a government contract. To resolve the claims, Aerojet has agreed to pay nine million dollars, with a portion going to the Relator, as well as confidential amounts in attorneys’ fees and to settle the Relator’s individual claims. The parties agreed to settle the case, captioned United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245-WBS-AC (E.D. Cal.), on April 27, 2022, two days after trial began, and filed a stipulation of dismissal, along with the public terms of the settlement, on June 30, 2022. Although the government declined early on to intervene in the case, it nonetheless submitted a Statement of Interest—just weeks after the Department of Justice announced its Cyber-Fraud Initiative—that helped the Relator defeat Aerojet’s motion for summary judgment. Aerojet is widely viewed as presenting a roadmap for future actions alleging that government contractors violated the FCA by misrepresenting their cybersecurity and data protection capabilities.


U.S. ENFORCEMENT

HHS Issues Guidance on Health Data Privacy in Wake of Dobbs Decision
The U.S. Department of Health and Human Services announced new guidance on the privacy of medical information in response to the Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization. The guidance addresses how federal law protects protected health information (“PHI”) relating to abortion and other sexual and reproductive healthcare and the extent to which medical information is protected on personal devices, and provides tips for protecting privacy when using period trackers and other health information apps. Specifically, the guidance explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety. With respect to health information generated by health apps, which the guidance explains is not generally subject to the protections of HIPAA, the guidance provides tips about steps individuals can take to help minimize the collection and sharing of health information without an individual’s knowledge, such as turning off location services, and identifies best practices for selecting apps, browsers, and search engines.

California Attorney General Releases Statement on Privacy of Reproductive Health Information
California Attorney General Rob Bonta released a statement emphasizing health apps’ obligations under California law to secure and protect reproductive health information. The Attorney General reminded health app providers that the California Confidentiality of Medical Information Act (“CMIA”), which includes privacy protections that go beyond HIPAA, applies to certain apps that are designed to store medical information, including some fertility trackers. The Attorney General further reminded app providers that even where the CMIA may not apply, other California privacy laws such as the California Consumer Privacy Act require that health apps secure personal information they store and honor user requests not to sell personal information. The statement encourages health app providers to develop and maintain an information security program; protect information using strong authentication protocols, including at a minimum two-factor authentication; obtain affirmative consent before sharing or disclosing sensitive information; and provide employee privacy training.

FTC Seeks Public Comment on Digital Deception Guidance
The FTC announced it was seeking public input on ways to modernize its 2013 guidance titled “.com Disclosures: How to Make Effective Disclosures in Digital Advertising” (the “.com Guidance”). The FTC stated that companies are wrongly citing to the .com Guidance to justify dark patterns and other forms of digital deception, such as by claiming they can avoid FTC Act liability by burying disclosures behind hyperlinks. The FTC is seeking comment through August 2, 2022, on issues such as the use of sponsored and promoted advertising on social media, advertising embedded in games and virtual reality, and dark patterns, among other things.


INTERNATIONAL LAWS & REGULATIONS


RECENT PUBLICATIONS & MEDIA COVERAGE


© 2022 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.