The State of Washington appears close to enacting a new law that regulates the privacy of consumer health information. If passed, the new law – the My Health My Data Act (MHMDA) – would take effect March 31, 2024 and apply to non-governmental entities that collect, process, share, or sell health information that can be linked
Data Protection
FinCEN Analyzes BEC Trends in the Real Estate Sector

On March 30, 2023, the Financial Crimes Enforcement Network (FinCEN) issued a Financial Trend Analysis focusing on business email compromise (BEC) trends and patterns in the real estate sector (referred to as “RE BEC”). The report is required under Section 6206 of the Anti-Money Laundering Act of 2020 (AMLA). This section of AMLA requires FinCEN…
The Iowa Senate and House Pass a Consumer Data Privacy Rights Bill
On March 15, 2023, the Iowa House passed Senate Bill 262 on a 97-0 vote. The Bill had previously passed the Iowa Senate on March 6, 2023. If ultimately signed by Iowa Governor Kim Reynolds, Iowa would join California, Colorado, Connecticut, Utah, and Virginia as the sixth U.S. state with a comprehensive consumer data privacy…

Colorado Finalizes CPA Regulations
On March 15, the Colorado Attorney General’s Office finalized the Colorado Privacy Act regulations. The finalized regulations track the draft rules. The rules will go into effect July 1, 2023.

California Enforcement Sweep Targets Mobile Apps – With a Focus on Honoring “Permission Slip” App
On Friday, January 27, California Attorney General Rob Bonta announced an investigative sweep of businesses that provide mobile apps, issuing warning letters to those that AG Bonta alleges failed to comply with the California Consumer Privacy Act (CCPA). This sweep focused specifically on “popular retail, travel, and food service industry apps” that failed to comply…
Heightened Cybersecurity Requirements for Medical Devices Passed Into Law
Many privacy professionals may have missed it, but in the run-up to the New Year — while many U.S. companies were focused on complying with the California Privacy Rights Act (CPRA) — Congress passed an appropriations bill that contains significant new cybersecurity requirements for medical device companies. The Omnibus Appropriations Bill, which was signed…
2023 Privacy and Data Security Preview

2022 proved to be an historic year for privacy and data security. Connecticut and Utah joined the list of states that have now passed comprehensive data privacy laws, bringing the total to five (5) states. For the first time, federal privacy legislation advanced to a House Subcommittee, and though the American Data Privacy and Protection…
The Cost of a Click: Microsoft fined 60 Million Euros by French Privacy Watchdog for French Data Protection Act Violations
On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any…
New York Restricts Automated Decision Making in Employment
Businesses operating in New York City should be aware of a local law addressing the use of automated employment screening and decision-making tools coming into effect on January 1, 2023. This law applies broadly to employers and employment agencies operating in New York City that target New York City residents using what it refers to…
CFPB Warns Failure to Safeguard Consumer Data May Be Unfair Act or Practice
The CFPB recently published a circular confirming that covered persons and service providers under the Consumer Financial Protection Act (CFPA) may violate the CFPA’s prohibition against unfair acts or practices when they fail to adequately safeguard consumer information. However, the lack of clear substantive standards creates uncertainty as to what the CFPB would deem to be adequate data security practices.
Pursuant to the Gramm-Leach-Bliley Act, the FTC and federal banking agencies have promulgated rules and interagency guidelines requiring financial institutions to establish appropriate administrative, technical, and physical safeguards to protect the security and confidentiality of customer information. Such safeguards include restricted access to customer information, encryption of information, and periodic reports on the information security program to the board of directors, among other requirements. In the August 11, 2022 circular, the CFPB stated that failure to comply with these specific requirements may also be an unfair act or practice under the CFPA in certain circumstances, but “[w]hile these requirements often overlap, they are not coextensive.” This leaves open the question of what exact security measures companies would need to implement in order to avoid an unfairness violation under the CFPA.…