Starting June 30, 2022, all apps available in the Apple App Store that offer account creation must also allow users to initiate account deletion within the app. This requirement does not come as a surprise: Apple first announced this policy in 2021, and initially planned to roll it out by…
The Health Insurance Portability and Accountability Act (“HIPAA”) establishes standards by which Protected Health Information (“PHI”) may be deidentified. Upon deidentification, HIPAA generally allows covered entities to use or disclose the information without limitation. However, states are increasingly passing privacy laws with definitions of personal information expansive enough to arguably…
On May 10, 2022, Connecticut Governor Ned Lamont signed into law an Act Concerning Personal Data Privacy and Online Monitoring (“Connecticut Data Privacy Act”, “CTDPA” or the “Act”). Like the California Privacy Rights Act, Colorado Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, the Act provides…
On April 21, 2022, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced its decision to fine medical software company Dedalus Biologie €1.5 million following a data breach that exposed health information of nearly 500,000 people. The CNIL noted the company violated several GDPR obligations,…
The United States is making efforts to further ease the burden of managing cross-border data transfers amid vast and often divergent privacy regulations across the globe. In addition to the recent announcement from the EU and U.S. on agreement for the Trans-Atlantic Data Privacy Framework, as announced by the US…
After years of lengthy debates, Congress passed and the President signed into law a bipartisan bill requiring entities in sectors deemed to constitute “critical infrastructure” to report certain cyber incidents and ransomware payments. Currently, companies may and often do voluntarily report cyber incidents to the FBI or other federal agencies,…
In a decision that is certain to reverberate through the big data community, the U.S. Court of Appeals for the Ninth Circuit ruled that the primary legal tool that companies tried to use to limit scraping of their websites – the criminal statute Computer Fraud and Abuse Act (“CFAA”) –…
The Kingdom of Saudi Arabia (“Saudi Arabia” or the “Kingdom”) has enacted the Personal Data Protection Law (“PDPL”), the country’s first comprehensive data protection law. The PDPL was scheduled to become effective on March 23, 2022 but full implementation was recently delayed until March 17, 2023, a positive development for…
On March 25, 2022, President Biden and the President of the European Commission (“EC”) von der Leyen announced that the US and EU reached an agreement in principle on a new Trans-Atlantic Data Privacy framework for transatlantic data flows (the New Framework). The parties now need to translate the consensus…
On March 24, 2022, Utah became the fourth U.S. state to adopt consumer data privacy legislation after Utah Gov. Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”). The UCPA is largely based on the Virginia Consumer Data Protection Act (“VCDPA”). It regulates how a controller (defined by the UCPA…