Privacy & Information Security Law Blog

On July 22, 2022, companies are required to notify the Arizona Department of Homeland Security when they experience a data breach impacting more than 1,000 Arizona residents. This notification requirement is in addition to obligations to notify affected individuals, the Arizona state attorney general and the three largest national consumer reporting agencies. The notification to the Arizona Department of Homeland Security must be made within “45 days after a determination that there has been unauthorized acquisition and access that materially compromises the security or ...

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold a remote, special public meeting at 9AM PDT to discuss possible action on proposed federal privacy legislation, including the American Data Privacy and Protection Act (“ADPPA”), according to the Board’s publicly released agenda.

On July 1, 2022, amendments to Florida’s State Cybersecurity Act (the “Act”) took effect, imposing certain ransomware reporting obligations on state agencies, counties and municipalities and prohibiting those entities from paying cyber ransoms.

On July 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce (the “Committee”) passed H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”) (as amended), by a vote of 53-2. The ADPPA next will be put before the full House for a vote.

Following the ruling in Dobbs, the National Institutes of Health’s (“NIH’s”) certificates of confidentiality offer an important layer of privacy protection to reproductive health research data. The Public Health Service Act created the certificates of confidentiality program, which prohibits the disclosure of identifiable, sensitive research data “in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding” without the research subject’s consent. These certificates add a layer of protection to abortion and fertility data collected as part of NIH research.

On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.

The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:

On July 6, 2022, the Better Business Bureau National Programs’ Children’s Advertising Review Unit (“CARU”) announced that it had found Outright Games in violation of the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and Guidelines for Children’s Online Privacy Protection. Outright Games owns and operates the Bratz Total Fashion Makeover app, which CARU determined to be a “mixed audience” child-directed app subject to COPPA and CARU’s Guidelines due to the app’s subject matter, bright colors, visual content, lively audio and gameplay features.

On July 7, 2022, the Irish Data Protection Commission (the “DPC”) sent a draft decision to other EU data protection authorities, proposing to block Meta’s transfers of personal data from the EU to the United States.

On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health  data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”