On August 24, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora over allegations that the cosmetic retailer had violated the California Consumer Privacy Act (CCPA).  This first public enforcement action—and subsequent noncompliance letters the Attorney General sent to other retailers—clearly highlight the continued focus of regulators on online tracking practices and opt-out signals such

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations.  The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.

The Amendments contain three significant changes relating to ransomware.  First, the Amendment specifically adds “the deployment of ransomware

In this initial episode of Ballard Spahr’s new privacy and data security webcast series, Phil Yannella and Greg Szewczyk – co-chairs of the Privacy & Data Security Group – discuss regulatory scrutiny concerning the use of “dark patterns” to steer website visitors into purchasing products or making online choices they otherwise would not make.

The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting

On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources.
Continue Reading  FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices

The California Attorney General’s Office recently released a fourth set of proposed regulatory modifications to the California Consumer Privacy Act (the “CCPA”).

As background, the Attorney General’s Office had only just recently given notice of a third set of modifications on October 12, 2020.  The third set of modifications revised the regulations relating to the

On November 4, 2020, California voters approved of the ballot initiative Proposition 24, more commonly known as the California Privacy Rights Act (the “CPRA”).  The CPRA goes into effect on January 1, 2023, and will expand several of the existing protections in the California Consumer Privacy Act (the “CCPA”).

As background, the original CCPA

Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).

To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, has issued guidance.  First, it

On Friday, February 7, 2020, the California Attorney General’s (AG) Office released modified regulations to the California Consumer Privacy Act (CCPA).  The modified regulations incorporate amendments to the CCPA signed into law after the AG’s Office promulgated regulations in October 2019. The modified regulations also reflect public comments made during the initial comment period, which