Author: John T. Wolak

Massachusetts Supreme Court Takes a Closer Look at Wiretap Laws, Potentially Narrowing Privacy Actions

The Massachusetts Supreme Judicial Court recently issued an important ruling in Vita v. New England Baptist Hospital et al., addressing whether tracking a user’s activities on a website and sharing that data with third parties constitutes intercepting communications in violation of the state’s 1968 Wiretap Act (the “Act”). In dismissing the plaintiff’s statutory claims, the court emphasized that it is the responsibility of the legislature – and not the court – to address gaps in statutory protections related to privacy and modern tracking technologies, highlighting that as technology and any corresponding digital privacy concerns evolve, legislative frameworks must be modified to adapt accordingly. Plaintiff Kathleen Vita claimed that New England Baptist Hospital and Beth Israel Deaconess Medical Center violated the Act by “intercepting” communications without her consent or knowledge through the use of tracking tools on their websites. Specifically, the plaintiff alleged that the hospitals used third-party software to record her activity when she browsed the hospitals’ websites to obtain information about doctors, search for information about medical symptoms and other healthcare-related issues, and obtain and review medical records. The plaintiff alleged that the hospitals then shared this data with third parties that processed the data for targeted advertising campaigns tailored to the individual user’s data. The court concluded that although the web tracking practices raised...

New Jersey’s Consumer Data Privacy Statute – What You Need to Know

On January 16, 2024, Governor Murphy signed S332 into law, making New Jersey the 13th state to enact legislation designed to protect the personal data of its residents. The law will become effective next year, on January 15, 2025, and imposes various obligations on a person or entity (designated as either a “controller” or a “processor”) that collects, discloses, processes, or sells the personal data of New Jersey consumers. The statute establishes various rights for New Jersey residents with respect to their own personal data and also provides consumers with the ability to opt out of disclosure and sale of their personal data in certain circumstances. Finally, the Division of Consumer Affairs has the authority to develop rules and regulations necessary to effectuate the purposes of the statute, and the Attorney General has sole and exclusive enforcement authority. The scope of S332 signed by the Governor was expanded significantly from prior versions. As late as December 17, 2023, the bill only applied to a person or entity that operated “any service provided over the Internet that collects and maintains personally identifiable information from a consumer.” The law enacted less than one month later, however, is not limited to collection of data over the internet; it applies to all “personal data” regardless of how it is...

GoodRx Fined $1.5 Million for Disclosure of Users’ Personal Information to Third Parties Without Notice or Consent

On February 1, 2023, the Federal Trade Commission (FTC) filed a “first of its kind” enforcement action under the FTC’s Health Breach Notification Rule, 16 CFR Part 318, which offers several useful takeaways for all companies that collect and process a consumer’s personal information – not just companies that handle health-related data. The FTC’s proposed order seeks to impose a $1.5 million civil penalty against GoodRx, a digital health platform, for sharing the sensitive personal health and other information of millions of GoodRx users with various advertising platforms, including Facebook and Google, and failing to report these disclosures to consumers. According to the FTC complaint, GoodRx collects sensitive personal information from users and represents that it will treat users’ information in accordance with its privacy policies. Since at least 2017, the GoodRx privacy policy specifically stated that GoodRx “would never disclose personal health information to advertisers or any third parties.”  Yet for several years, GoodRx allegedly violated these promises “by sharing information with Advertising Platforms, including Facebook, Google and Criteo, about users’ prescription medications or personal health conditions” and “did so without notice to users, and without obtaining consent.” In addition, GoodRx monetized the personal health information it collected through the creation of advertising campaigns on Facebook and Instagram that targeted GoodRx users. In August...

Colorado Is the Latest State to Enact a Data Privacy Law: Here’s What You Need to Know

Colorado has become the third state to enact a comprehensive data privacy statute imposing compliance obligations on legal entities that collect or process the personal data of its residents. The Colorado Privacy Act (CPA) is based on and enforces many of the same key concepts as do other data privacy statutes and regulations. As such, companies that are implementing or updating compliance programs for the European Union’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Virginia Consumer Data Protection Act (CDPA) will be familiar with the main provisions of the CPA and likely will have an easier time achieving compliance. There are, however, some important distinctions that companies must consider as part of any ongoing compliance efforts in anticipation of the CPA’s effective date of July 1, 2023. As a threshold matter, the CPA applies to legal entities that (i) conduct business in Colorado or produce or deliver commercial products or services that are “intentionally targeted to residents of Colorado,” and (ii) either (a) control or process personal data of more than 100,000 consumers per year or (b) earn revenue (or receive a discount on goods or services) from the sale of personal data and control or process personal data of more than 25,000 consumers. Notably, the CPA...

Does the SHIELD Act Cover Your Business and Are You Ready?

As we have previously written, the privacy and security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) are effective as of March 21, 2020. The SHIELD Act implements broad new data security requirements for all businesses that have the private information of New York residents, and reaches beyond New York’s own borders to compel companies – including companies that do not do business in New York – to take affirmative steps to protect the personal and private information of New York residents that the company may be collecting or storing. Initially, the SHIELD Act expands the definition of “private information” that must be safeguarded to include any information that can be used to identify a person, in combination with a social security number, a driver’s license number, a financial account number, or biometric information. Separate and apart from these “data elements,” the definition of “private information” also now includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.” Second, the SHIELD Act applies to any company that possesses the private information of even a single New York resident – even if the company does not conduct business in New York. All companies must...

NJ Assembly Initiates (Then Withdraws) Proposal to Ensure COVID-19 Coverage

Last week, legislation was introduced in the New Jersey Assembly that would require property insurers to cover business interruption losses arising from the COVID-19 pandemic suffered by small businesses (i.e., businesses with less than 100 full-time employees who work 25 or more hours per week). The bill would require coverage for any loss of business or business interruption “due to global virus transmission or pandemic” that is suffered for the duration of the State of Emergency declared by Governor Murphy on March 9, 2020. It appears that such coverage must be provided regardless of existing policy requirements (e.g., direct “physical loss” or “damage”) or potentially applicable exclusions (e.g., the “Virus or Bacteria” exclusion in many policy forms). After an initial favorable vote by the NJ Assembly Homeland Security and State Preparedness Committee, the bill was reportedly withdrawn by its sponsors, but may be amended and reintroduced in the short-term. The bill as initially drafted would provide significant relief to policyholders with small- to medium-sized businesses that may be the hardest hit in what is rapidly developing into a global economic crisis. This would certainly be welcome relief. However, that proposed relief comes with a potential backend cost to all policyholders in New Jersey. While insurers would have the obligation to indemnify policyholders for qualifying loss,...

Insurance Coverage in the Age of COVID-19

As the coronavirus continues to dominate the news cycle, the actual (and anticipated) impact on business operations and business continuity has hijacked the attention of owners, managers, and C-suite executives at all levels and in all industries. Among the myriad issues to be resolved, one obvious question is the extent to which insurance coverage is available for business losses arising from this public health crisis, including reduction of business income, incurring of extra expenses, disruption of supply chains, event cancellations, and potential liability from stakeholder lawsuits. Some companies may have purchased specialized forms of insurance policies that are designed to provide specific coverage for losses suffered as a result of public health crises. However, the vast majority of companies will need to look to their traditional insurance policies – like property and directors and officers coverage – in order to obtain available insurance, if any, for these business related losses. As an initial matter, coverage for actual loss of business income and extra expense is typically part of a company’s property insurance policy and not separate, standalone coverage. Therefore, coverage for business income and related losses depends on demonstrating that these losses resulted from “physical loss” or “damage” to covered property. Coverage may also be available if civil authorities prohibit access to the Insured’s premises...

CCPA Amendments Expand Private Right of Action and AG’s Enforcement Power

On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General. The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking … The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria: Has annual gross revenues of $25,000,000; Annually buys, receives, sells or shares “personal information” of 50,000 or...

Eleventh Circuit Rules FTC’s Data Security Cease and Desist Order Against LabMD Is Unenforceable

In its June 6, 2018 decision, the Eleventh Circuit concluded that the Federal Trade Commission’s (“FTC”) Final Order against LabMD lacked adequate specificity and therefore was unenforceable. The Eleventh Circuit had previously issued a stay of enforcement of the FTC’s Final Order – as reported by this blog on November 16, 2016  – which had concluded that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The FTC initiated an enforcement action against LabMD in August 2013, alleging that LabMD, which operated as a clinical laboratory testing center, failed to implement reasonable data security measures to protect patients’ sensitive personal information. LabMD’s alleged data security failures allowed an employee to install and maintain file-sharing software on a work-related computer for a period of at least three years, which allowed exposure of patient information on a peer-to-peer network accessible daily by millions of users. In July 2016, and on appeal following a hearing before an Administrative Law Judge, the FTC concluded that LabMD’s failures had caused, and were also likely to cause, substantial consumer injury, including identity theft and medical-identity theft, which constituted an unfair act or practice in violation of Section 5 of the...

New Jersey Poised to Mandate Across-the-Board Information and Data Security Preparedness

The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct due diligence when engaging third-party service providers with access to the company’s records containing personal...