Privacy & Cybersecurity

Generative artificial intelligence creates content and work efficiencies but also comes with legal pitfalls. Mintz Venture Capital & Emerging Companies Practice Co-chair Jeremy Glaser and Associate Lorena Niebla look at the technology's potential uses as well as risks related to data privacy, intellectual property, and more.

The Federal Trade Commission (FTC) recently kicked off enforcement of its Health Breach Notification Rule (Breach Rule) by taking aim at GoodRx’s use of tracking technologies (e.g. pixels) and the sharing of consumer health data for advertising purposes. According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, the FTC “is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation." Bottom line, HIPAA applicability may no longer be as significant of a factor when it comes to the risk presented by collecting, using, disclosing, and maintaining identifiable health information (IHI).

As illustrated by a recent Office for Civil Rights (OCR) settlement with a dental practice, health care entities continue to struggle with how to respond to negative online reviews while maintaining compliance with the HIPAA Privacy Rule. Given the significant reputational harm that negative reviews on Yelp and other social media and public platforms (Platforms) can create, providers may be tempted to respond to such negative comments with patient specifics in an attempt to mitigate harm to their businesses.

The privacy compliance landscape has changed significantly in 2022. These acronyms have joined the CCPA, HIPAA, and GDPR in the privacy alphabet soup: CPRA, VCDPA, CDPA, CPA, and UCPA. Do you know what they all mean for your company and what they will require in order to be compliant?  

The European Commission has published its long-awaited draft of the new EU-US Data Privacy Framework, available here.  The Data Privacy Framework will replace the Privacy Shield decision that was invalidated in July 2020 by the Schrems II decision. President Biden’s recent Executive Order paved the way for the new Data Privacy Framework by creating a significantly more robust right of redress for people in the EU, along with stronger guardrails and greater oversight for US intelligence agencies’ data privacy compliance.

Covered Entities and Business Associates should promptly and carefully review their use of online tracking technologies on their websites and mobile apps following a bulletin (Bulletin) published by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) last week.  The Bulletin addresses multiple facets of compliance with HIPAA when using online third-party tracking technologies (Tracking Technologies).  In doing so, OCR significantly expands its interpretation of the definition of Protected Health Information (PHI) to include, in some instances, identifiable information gathered by Tracking Technologies where a user visits a website and does not interact with the entity in any other way. In its Bulletin, OCR interprets the act of an individual visiting a website as evidence of a relationship or anticipated future relationship between the visitor and the entity.

If you haven’t already got December 27^th on your calendar, it’s the deadline for updating your documentation for transfers of personal data from the European Economic Area (EEA) to other countries – including the United States. Read our blog post regarding this issue and contact the Mintz Privacy Team if you need assistance. 

This post provides insights and recommendations surrounding the DOJ's charges against 10 defendants involved in business email compromise schemes.

In what is considered the largest privacy-related settlement in history, Google will pay $391.5 million to 40 states to settle an investigation by 40 state attorneys general.  The bipartisan coalition of attorneys general alleged that Google misled users into believing that opting out of sharing their location data prevented the company from tracking users’ locations.

Effective January 1, 2023, New York City employers will be prohibited from using artificial intelligence in employment decision-making processes unless they take a number of specific and affirmative steps prior to doing so, including a bias audit of the tool.  These requirements have emerged following the passage of New York City Local Law 144 in December 2021, which creates a specific regime employers must adhere to in order to utilize automated employment decision tools, which the City has referred to as “AEDTs”. Many questions emerged following the passage of Local Law 144  and in response to some of these inquiries, the City’s Department of Consumer and Worker Protection (“DCWP”) has proposed rules that provide some answers, expand upon Local Law 144, and regulate the use of AEDTs.  Mintz attorneys Corbin Carter, Michelle Capezza and Evan Piercey analyze and discuss these proposed rules.

Read about how the SEC’s adoption of an electronic filing mandate for certain documents, including all Forms 144 for the sale of securities by US public company issuers, could impact public companies.

Read about how the California Privacy Rights Act (CPRA) will eliminate an exemption that allows employers to exclude some employee and applicant personal information from the reach of the California Consumer Privacy Act (CCPA) as of January 1, 2023.

Many organizations uses the European Union’s Standard Contractual Clauses (SCCs) to govern their transfers of personal data from the European Economic Area (EEA) to other countries.  Some organizations have ongoing transfers that started before the new SCCs became effective in June 2021.   Generally, ongoing transfers can continue to be made under the old SCCs until the grace period expires on December 27, 2022. That’s the date upon which any new SCCs-based transfers must be done under the new version of the SCCs.