Privacy & Data Protection

Subscribe to Privacy & Data Protection
Consumer data & privacy

In March 2023, the White House published its National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.  Buried in the report was a quiet, but notable, concern related to the possibility of deanonymizing a consumer due to “insufficient disassociability”.  See Report, pg. 6.  A new wave of class action lawsuits in California—already over three dozen at the time of writing—now seeks to turn a spotlight on these practices, claiming that companies are using “grey market” data to match user patterns with personal identifiable information (PII).

Continue Reading Another Wave of California Privacy Suits—Deanonymization as “Doxing”

Advances in artificial intelligence have become front and center in the minds of many, including attorneys general focused on consumer protection. Although concerns exist for consumer protection, the advancement of artificial intelligence has the opportunity to add value to consumers.  This is especially true in healthcare. Recently, attorneys general gathered to discuss these issues at the Attorney General Alliance Annual Meeting, during a panel that discussed  The Value of Disruptive Healthcare. In the last few years, the growth of telemedicine has dramatically changed the delivery of healthcare. While these changes were already afoot, the pandemic highlighted the need for virtual access to healthcare and wellness tools. That disruption has added value in many ways to consumers and health care providers managing care for their patients. Similarly, in the coming years, we can expect artificial intelligence to drive even more changes in treatment, therapies, and standards of care in the healthcare sector. During these periods of major technological advancements attorneys general should consider consumers’ safety, privacy, security and consumers’ overall livelihood and health. Dramatic changes in healthcare business and technology are already challenging existing laws in unexpected ways, often creating gaps between the law and what consumers and producers need or want the law to say. This gap period, or regulatory lag, will require producers to assume some regulatory risk and for attorneys general to monitor business activities that they believe create too much risk for consumers.

Continue Reading Attorneys General Consider Consumer Protection Issues Related to Artificial Intelligence in Consumer-Facing Healthcare Technology

Consumer data & privacy

On March 15, the Iowa House passed Senate File 262 (SF 262), a comprehensive state privacy law bill. If enacted, SF 262 would be the sixth state level privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut, and it would go into effect on January 1, 2025.

Continue Reading Iowa to Introduce the Sixth Comprehensive State Privacy Law in United States

In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.

Continue Reading Processing of Personal Data That May Indirectly Reveal Sensitive Information on the Basis of a Legal Obligation: The CJEU Draws the Contours

On August 24, 2022, the California Attorney General’s Office announced a settlement with Sephora, Inc. (Sephora), a French multinational personal care and beauty products retailer. The settlement resolved Sephora’s alleged violations of the California Consumer Privacy Act (CCPA) for allegedly failing to: disclose to consumers that the company was selling their personal information, process user requests to opt out of sale via user-enabled global privacy controls, and cure these violations within the 30-day period currently allowed by the CCPA.

Continue Reading $1.2 Million CCPA Settlement with Sephora Focuses on Sale of Personal Information and Global Privacy Controls

In the recent article, “Facebook and Google settled biometrics lawsuits. Look for more.” featured in Crain’s Chicago Business, Partner Jason Stiehl analyzes wider repercussions of Snapchat’s recent settlement after accusations that it used facial recognition technology that collected and stored users’ biometric information without consent. Stiehl explains that he expects more litigation due to Illinois’

The California Office of the Attorney General issued its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has a right to know the inferences that a business holds about the consumer. The AG concluded that, unless a statutory exception applies, internally generated inferences that a business holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, regardless of whether the inferences were generated internally by the business or obtained by the business from another source. Further, while the CCPA does not require a business to disclose its trade secrets in response to consumers’ requests for information, the business cannot withhold inferences about the consumer by merely asserting that they constitute a “trade secret.”

Continue Reading California AG Interprets “Inferences” Under CCPA

On February 23, join Crowell attorneys Preetha Chakrabarti and Suzanne Trivette and Gail Gottehrer of Gail Gottehrer LLC for “Lawyers in the Metaverse.” Hosted by the National Association of Women Lawyers’ Women in Intellectual Property & Tech Law affinity group of which Preetha and Gail are co-chairs, this timely webinar will help lawyers understand how

CCPA California Consumer Privacy Act Lock Vertical - orange

The California Consumer Privacy Act (“CCPA”), which went into full effect on January 1, 2020, has seen robust enforcement efforts by the office of the California Department of Justice. In late January, California Attorney General Rob Bonta announced an investigative sweep of businesses operating loyalty programs in California and sent notices alleging noncompliance with the CCPA to major corporations in the retail, home improvement, travel, and food services industries. In addition, Attorney General Bonta has encouraged consumers to know and express their privacy rights through an online platform that allows them to directly notify businesses of potential violations.
Continue Reading Enforcement of The California Consumer Privacy Act Via Letters Noticing Noncompliant Loyalty Programs and Online Tool for Consumers to Notify Businesses of Potential Violations

Federal Trade Commission

Monday, October 18, 2021

Deceptive or Misleading Conduct & Protecting Older Consumers

  • The FTC issued its latest report to Congress on protecting older consumers, which highlights updated findings from the Commission’s fraud reports showing trends in how older adults report being affected by fraud with the most frequent type of fraud reported by older adults