Archives: Regulations

InfoLawGroup Launches CPO on Demand™ Service

InfoLawGroup announces the launch of CPO on Demand™, a service through which we serve as outside Chief Privacy Officers, Privacy Counsel, and DPOs as required under EU regulation. CPO on Demand™ brings the depth and breadth of our privacy and security focused attorneys to support your business’s legal, compliance, and privacy teams. Please click here … Continue Reading

Caveat Venditor: FTC Amends Telemarketing Sales Rule to Enhance Anti-Fraud Protections and to Update and Clarify Several Key Provisions Relating to the National Do Not Call Registry

On November 18, 2015, the Federal Trade Commission (FTC) released a final rule setting forth a number of key amendments to its Telemarketing Sales Rule (TSR). [FN1] Specifically, in response to changes in the financial marketplace, the final rule prohibits the use of certain payment methods in telemarketing. In addition, and of likely much greater … Continue Reading

COPPA AND RECENT AMENDMENTS TO THE COPPA RULE: A COMPREHENSIVE OVERVIEW

By Justine Young Gottshall and Damien Wint. As we approach six months since the Federal Trade Commission’s (FTC) amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, 16 C.F.R. Part 312 (the “Rule” or, as amended, the “Amended Rule”) became effective, it is essential that any website or online service that is not in … Continue Reading

FTC’s Amended COPPA Rule Seeks to Keep Up with the Internet Revolution

The FTC announced that it had finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, which the FTC originally enacted in 2000.  The original Rule was created with the goal of protecting the online privacy of Children younger than the age of 13 (“Children”) by requiring that websites: 1) obtain parental consent before … Continue Reading

Chesbro v. Best Buy Stores, L.P.: Court Rejects Defense of “Informational” Calls

Andrew Hoffman contributed to this post. What makes an automated call “telemarketing” versus “informational”? It might be less than you think. In a recent ruling out of the Ninth Circuit, Chesbro v. Best Buy Stores, L.P., the Court has ruled that certain calls are telemarketing calls subject to the TCPA, even if the calls do not explicitly … Continue Reading

Changes to HIPAA Privacy Rule Proposed by HHS – Find Out Who Has Accessed Your Health Records

On May 31, 2011 the Department of Health and Human Services Office for Civil Rights issued a notice of proposed rulemaking that would add substantial data privacy requirements to the HIPAA Privacy Rule. One of the requirements the HHS proposed pursuant to both the HITECH Act and its more general authority under HIPAA is for … Continue Reading

“Privacy by Design”: A Key Concern for VCs and Start-Ups

(co-authored by Nicole Friess, Esq.) The privacy landscape appears to be shifting toward a model that promotes greater consumer awareness of and control over data. Reflecting its consumer protection mission, the FTC’s Protecting Consumer Privacy in an Era of Rapid Change issued December 1, 2010 urges companies to adopt a "privacy by design" approach. Senators … Continue Reading

A Novel Data Security Law Proposed in Colorado

Over the past couple of years, many predicted that new state laws would follow the lead of states like Nevada and Massachusetts, and some anticipated we could see a situation with 50 different privacy/security laws across the country. Now it looks like we are beginning to see some renewed activity on the state level. In Hawaii we have a proposed bill that would require breached entities to provide credit monitoring and call center services to impacted individuals. In my home state, Colorado, a legislator (Dan Pabon) has proposed a novel bill that takes a new approach to incentivizing companies to implement good security. In this post, we take a look at the highlights of the Colorado bill. … Continue Reading

As California Goes, so Goes the Nation? Part One

Many of you probably read earlier this month that California's Office of Administrative Law approved the California Department of Insurance's proposal to repeal certain privacy regulations. The California changes actually have greater significance than may be apparent on a quick glance. Although rarely noted in the media coverage, State insurance privacy regulations across the country (not just in California) find their roots in the federal Gramm Leach Bliley Act, so California's decision to make such changes provides a helpful illustration of the extraordinarily complex and confusing web of privacy regulation that governs even small organizations in this country. Also, California's move with respect to these changes contravenes the conventional wisdom that California is a renegade pro-consumer state when it comes to privacy regulation. Many of our followers have asked me to break down this newest California development, so here goes. … Continue Reading

FAQ on the “BEST PRACTICES Act” – Part Two

We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill known as the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. "BEST PRACTICES Act" or "Act"). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the "Safe Harbor" outlined in the Act, various exemptions for de-identified information and application and enforcement. … Continue Reading

FAQ on the “BEST PRACTICES Act” – Part One

Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. "BEST PRACTICES Act" or "Act"). We have put together a summary of the Act in "FAQ" format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the "Safe Harbor" outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act. … Continue Reading

Health Net Agrees to $250,000 Fine and “Corrective Action Plan” to Settle Loss of PHI

It didn’t take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Health Net of the North … Continue Reading

Do the New EU Processing Clauses Apply to You?

A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations. … Continue Reading

Information Security Standards and Certifications in Contracting

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data. … Continue Reading

Information Governance

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to "information governance" that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations. … Continue Reading

Live from the IAPP Global Privacy Summit in Washington, DC, It’s Monday Afternoon

This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days. … Continue Reading

Privacy’s Trajectory

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release. … Continue Reading

The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”

The last two plaintiff-banks still breathing after 1st Circuit Appeal. Little known (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via … Continue Reading

Highlights of the FTC’s Self-Regulatory Principles for Online Behavioral Advertising

Earlier this year the Federal Trade Commission released an FTC Staff Report entitled “Self-Regulatory Principles for Online Behavioral Advertising” (the “Report”).  The Report arose after over a year of public comments and debate by both marketers and consumer privacy advocates.  The Principles allow for a self-regulatory approach that purportedly strikes a balance between marketing innovation … Continue Reading

New Jersey Security Requirements (including encryption of personal information)

A proposed New Jersey regulation may become law in 2008. It has very specific requirements around encryption of personal information at rest and in transit. In particular, if these rules pass, organizations would be required to encrypt according to the Federal Information Processing Standard (FIPS) recommended standard, which is the Advanced Encryption Standard … Continue Reading