On August 29, 2024, the Office for Civil Rights of the United States Department of Health and Human Services (“HHS-OCR”) withdrew its appeal of an order by the United States District Court for the Northern District of Texas’ (“District Court”) declaring unlawful and vacating a portion of an HHS-OCR Bulletin
Online Privacy
Bidding Farewell, For Now: Google’s Ad Auction Class Certification Victory
A federal judge in the Northern District of California delivered a blow to a potential class action lawsuit against Google over its ad auction practices. The lawsuit, which allegedly involved tens of millions of Google account holders, claimed Google’s practices in its real-time bidding (RTB) auctions violated users’ privacy rights. But U.S. District Judge Yvonne Gonzalez Rogers declined to certify the class of consumers, pointing to deficiencies in the plaintiffs’ proposed class definition.
HHS Bulletin: Covered Entities’ Disclosure of PHI Collected via Online Tracking Technologies Falls under HIPAA
On December 1, 2022, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a Bulletin to highlight the obligations of HIPAA-covered entities and business associates when using “online tracking technologies,” or what OCR describes as “script or code on a website or mobile…
“A Full Plate”: FTC’s Open Meeting on PBMs, AI, Privacy and Online Harms
During a much anticipated Open Commission Meeting announced by Commission Chair Lina M. Khan, the Federal Trade Commission (“FTC”) voted in favor of issuing one new policy statement and one new report to Congress.
First, the Commission unanimously voted in favor of issuing a policy statement on FTC initiatives…
California Privacy Protection Agency Released Proposed CPRA Regulations
The California Privacy Protection Agency (the “Agency”) released draft regulations to the California Privacy Rights Act (“CPRA”) on May 31, 2022 (the “Proposed Regulations”). The Proposed Regulations are drafted as comments to the California Attorney General’s regulations for the California Consumer Privacy Act, California’s landmark privacy law, which was amended…
Update on FCC Privacy Rules
We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” impacting Internet service providers’ data privacy practices and obligations and the corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the pre-2016 Privacy Order regulations. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman, Ajit Pai, stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”
Consumer Review Fairness Act Taking Effect
The Consumer Review Fairness Act (CRFA) began to take effect yesterday, March 14, 2017. One aim of the CRFA is to protect consumers’ ability to publicly review services and vendors without being subject to restrictions or fines imposed by form contracts. It does so by voiding provisions within form contracts…
CJEU holds that mass surveillance must not be general and indiscriminate
The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism and meets other stringent requirements.
The references were made by the Swedish and UK courts and concerned the interpretation of the Privacy and Electronic Communications Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) (the “Directive”), in light of the rights granted by the Charter of Fundamental Rights of the European Union (the “Charter”), particularly, the right to privacy (Article 7) and the right to protection of personal data (Article 8), and the decision of the CJEU in Digital Rights Ireland (C‑293/12 and C‑594/12).