Insights
Search Results
Alerts
3.19.25
Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer
On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their out-opt rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.
Alerts
7.12.24
Seven New States Join Patchwork of U.S. Comprehensive Privacy Laws: Top 10 Trends from the First Half of 2024
In the first half of 2024, seven new states—Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island—all enacted their takes on comprehensive privacy laws, bringing the total number of states with such laws up to 19 (20, if counting Florida1). At a high level, most of these laws substantively mirror the provisions in previously enacted state comprehensive privacy laws, including continuing the trend of not providing a private right of action and affording covered entities an opportunity to cure alleged violations. Nevertheless, new developments have emerged, including expanding definitions of sensitive data, adding standards for handling minors’ data, and providing new consumer rights, which may make implementing a nationwide privacy compliance program particularly challenging. Below, we have summarized 10 significant trends among the new laws.
Alerts
5.21.24
Colorado Passes First-in-Nation Artificial Intelligence Act
On May 17, 2024, Governor Jared Polis signed the Colorado Artificial Intelligence Act (SB 24-205) (CAIA), regulating the development, deployment, and use of artificial intelligence (AI) systems. Colorado is the first state to enact comprehensive AI legislation. The law becomes effective February 1, 2026.
Alerts
5.01.24
FTC Announces Proposed Settlement Agreements with Two Digital Health Companies for Disclosing Consumers’ Health Information to Third-Party Advertisers, Among Other Violations
The Federal Trade Commission (FTC) recently announced two proposed settlement agreements (in the form of a stipulated order)1 (the “consent orders”) with Monument, Inc., an alcohol addiction treatment service, and Cerebral, Inc., a subscription-based online health care treatment service, signaling the FTC’s continued commitment to pursue digital health companies that the FTC believes have improperly used or disclosed consumers’ health information. The complaints focus on the companies’ disclosure of consumers’ health information to advertising platforms without the consumers’ consent, as well as Cerebral’s alleged failure to honor its “easy” subscription cancellation promises. Of note, the FTC complaint against Cerebral named its CEO personally liable for his alleged involvement with the counts raised in the complaint. The CEO has not agreed to a settlement and the case will proceed in the district court.
Alerts
7.31.23
OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies
On July 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to approximately 130 hospitals, telehealth providers, health app developers, and other healthcare industry companies warning of the “serious privacy and security risks” related to the use of online tracking technologies integrated into their websites and mobile apps. The FTC released a press release about the joint letter here and OCR released a press release about the joint letter here.
Alerts
7.21.23
Texas, Oregon, and Delaware Join the Comprehensive U.S. State Privacy Law Landscape
Texas, Oregon, and Delaware are the latest states to join the growing landscape of comprehensive data privacy laws, adding to the many state privacy laws that were passed this year.1 On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act. On July 18, 2023, Governor Tina Kotek signed Oregon Senate Bill 619, referred to as the Oregon Consumer Privacy Act. Similarly, on June 30, 2023, the Delaware legislature passed the Delaware Personal Data Privacy Act. In doing so, Texas and Oregon officially became the 10th and 11th states, respectively, to enact a comprehensive privacy law. Assuming Governor John Carney also signs the Delaware Personal Data Privacy Act, his state would join as the 12th with that status. All three of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they each include some key particularities that companies should be aware of as they plan their compliance strategies.
Alerts
6.30.23
Sacramento Superior Court Delays Enforcement of CPRA Implementing Regulations
In a shocking turn of events, a Superior Court for the County of Sacramento issued a ruling on June 30, 2023, enjoining the enforcement of the California Privacy Protection Agency’s (the “Agency’s”) California Privacy Rights Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) regulations until one year after the regulations have been finalized. We previously issued an alert reminding businesses that the CPRA amendments to the CCPA become enforceable starting July 1, 2023, but, in accordance with the court’s ruling, the Agency’s recent modifications to the CCPA regulations to account for the CPRA’s changes to the CCPA now will not become enforceable until March 29, 2024. Per the court’s ruling, the prior CCPA regulations will remain in effect until the new regulations become enforceable.
Alerts
6.27.23
Are You Ready for the 3Cs?: California, Colorado, and Connecticut’s New Privacy Laws Become Enforceable July 1, 2023
On July 1, 2023, the Colorado Privacy Act (ColoPA) and Connecticut Data Privacy Act (CTDPA) will go into effect, joining California and Virginia, whose data privacy laws are already in effect. Notably, while the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, those amendments will also become enforceable starting July 1, 2023. While there are a number of compliance obligations that overlap among these laws, businesses should be aware of the key obligations for ColoPA, specifically the ColoPA Rules that were finalized just a few months ago, and the CTDPA, since they may require businesses to update their privacy notices and practices. This alert provides a high-level summary of significant obligations from the ColoPA law and regulations and the CTDPA to aid companies preparing to be in compliance by the July 1st deadline.
Alerts
3.08.23
FTC Announces Settlement with BetterHelp for Disclosing Consumers’ Health Information to Third-Party Advertisers
On March 2, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (also referred to as “proposed consent order”) with BetterHelp, Inc., an online counseling service, for allegedly disclosing its website visitors’ and users’ “health information” to advertisers, despite making representations on the company’s website and in the company’s privacy policy that such information would stay anonymous or be disclosed only for limited purposes. Of note, the proposed consent order completely prohibits BetterHelp from disclosing any information associated with its website visitors and users to third parties for targeted advertising purposes, even if the company obtains consent from its users for such ad targeting. The proposed consent order also requires BetterHelp to obtain consent before disclosing any information associated with its website visitors and users to third parties for any other purpose, with some exceptions for company vendors.
Alerts
2.08.23
FTC Announces First Enforcement Action Under the Health Breach Notification Rule Against GoodRx
On February 1, 2023, the Federal Trade Commission (FTC) announced a complaint against and proposed settlement agreement (the “proposed order”) with GoodRx, a digital health company, over its data sharing practices that allegedly resulted in the disclosure of sensitive health information to third-parties. This is the first enforcement action the FTC has ever brought under the Health Breach Notification Rule (HBNR).1 The commissioners unanimously voted to approve the proposed order, which must be published for public comment before the FTC can approve the final order. The case follows the FTC’s policy statement from September 2021, which signaled the FTC’s intention to target digital health apps and connected devices under the HBNR. The GoodRx final order, if approved by the FTC, would require the company to pay $1.5 million in civil penalties and permanently cease sharing health information with third parties for any advertising purpose, thus demonstrating the FTC’s desire to impose new, aggressive remedies against digital health apps and connected devices.
Alerts
2.07.23
Colorado Attorney General’s Office Releases Third Version of Draft Rules for Colorado Privacy Act: Key Takeaways
On January 27, 2023, the Colorado Attorney General’s (Colorado AG) office released the third version of its proposed draft rules (third draft) for the Colorado Privacy Act (ColoPA) based on public comments it received on the modified proposed rules published on December 21, 2022 (second draft).1 During a February 1, 2023, rulemaking hearing, the Colorado AG's office emphasized that it aimed to incorporate stakeholder feedback, add clarity and flexibility to the regulations, and increase interoperability with other jurisdictions’ privacy regimes. Below are the key takeaways from the changes in the third draft as well as insights from the recent hearing.
Alerts
1.30.23
NIST Releases Its Artificial Intelligence Risk Management Framework (AI RMF)
On January 26, 2023, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its Artificial Intelligence Risk Management Framework (AI RMF). The AI RMF is intended to provide a resource to organizations designing, developing, deploying, or using AI systems to manage risks and promote trustworthy and responsible development and use of AI systems. Although compliance with the AI RMF is voluntary, given regulators’ increased scrutiny of AI, the AI RMF can help companies looking for practical tips on how to manage AI risks.