House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) have introduced the American Privacy Rights Act. 

According to the legislator’s press release, this proposal seeks to establish national data privacy rights and protections for Americans, eliminates the existing patchwork of state comprehensive data privacy laws, and establishes robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.

Furthermore, the release describes other provisions of the proposed legislation: 

• Establishes Foundational Uniform National Data Privacy Rights for Americans

• Gives Americans the Ability to Enforce Their Data Privacy Rights

• Protects Americans’ Civil Rights

• Holds Companies Accountable and Establishes Strong Data Security Obligations

• Focuses on the Business of Data, Not Mainstreet Business

The draft can be seen here.

Lanton Law's experience in privacy and data protection enables these companies to navigate the complex legal and regulatory landscape effectively. By partnering with us, tech and healthcare organizations can develop robust strategies, ensuring compliance, safeguarding personal data, and maintaining trust among your consumers.

Contact us to learn more. 

In late June 2022 H.R. 8152 was introduced which seeks to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. 

What are some of the important aspects of the bill?

According to the Congressional Research Service the bill proposes the following:

Covered Entities. It would apply to most entities, including nonprofits and common carriers. Some entities, such as those defined as large data holders that meet certain thresholds or service providers that use data on behalf of other covered entities, would face different or additional requirements.

Covered Data. It would apply to information that “identifies or is linked or reasonably linkable” to an individual.

Duties of Loyalty. It would impose several duties on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, such as geolocation information, biometric information, and nonconsensual intimate images.

Transparency. It would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.

Consumer Control and Consent. It would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would require covered entities to get a consumer’s affirmative, express consent before using their “sensitive covered data” (defined by a list of sixteen different categories of data). It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.

Youth Protections. It would create additional data protections for individuals under the age of 17, including a prohibition on targeted advertising, and it would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).

Third-Party Collecting Entities. It would create specific obligations for third-party collecting entities, which are entities whose main source of revenue comes from processing or transferring data that it does not directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC.

Civil Rights and Algorithms. It would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (such as race, gender, or sexual orientation). It would also require large data holders to conduct algorithm impact assessments. These assessments would need to describe the entity’s steps to mitigate potential harms resulting from its algorithms, among other requirements. Large data holders would be required to submit these assessments to the FTC and make them available to Congress on request.

Data Security: It would require covered entities to adopt data security practices and procedures that are reasonable in light of their size and activities. It would authorize the FTC to issue regulations elaborating on these data security requirements.

Small- and Medium-size Businesses: It would also relieve small- and medium-size businesses from complying with several requirements; for instance, these businesses may respond to a consumer’s request to correct their data by deleting the data, rather than correcting it.

Enforcement. It would be enforceable by the FTC, under that agency’s existing enforcement authorities, and by state attorneys general in civil actions.

Private right of action. It would create a delayed private right of action starting four years after the law’s enactment. Injured individuals would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief or a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation.

Preemption. It would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.

Section by section specifics can be found here. 

We are going to see more privacy proposals on the state and federal level. 

Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

Snapchat’s parent company is defending against a class-action lawsuit in the U.S. District Court for the Northern District of Illinois brought by two platform users identified as Adrian Coss and Maribel Ocampo. 

The lawsuit alleges that the platform violates the Illinois Biometrics Information Privacy Act by failing to provide users with the required disclosures under the act while collecting, storing and sharing users’ unique facial features and voices. 

The Illinois Biometric Information Privacy Act enacted in 2008 was an important first step in developing policy on biometrics. According to the law, a private entity possessing biometric information accessible to the public must have a retention schedule and policy for permanently destroying biometric information. Additionally, there are restrictions on how a private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information. Most importantly, this law requires obtaining written consent prior to collecting biometric information as the law provides a private right of action for anyone injured under the Act. 

Lanton Law’s technology practice, which includes biometrics and privacy issues, has been monitoring the Illinois Biometric Information Privacy Act for some time. We have posted several blogs addressing this issue as companies continue to evolve biometrics into their business models. 

Lanton Law is a national healthcare and life science boutique law and government affairs firm that closely monitors legislative, regulatory and legal developments for our clients. Our healthcare practice can help stakeholders understand what’s at issue so that we can help our valued clients reach their goals. Contact us to learn about how either our legal or lobbying services can help you attain your priorities.   

Lanton Law’s publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without prior written consent of us. To request reprint permission for any of our publications, please use our “Let’s Chat” form, which can be found on our website at www.lantonlaw.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship.

The FDA has just released a new cybersecurity draft titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions; Draft Guidance for Industry and Food and Drug Administration Staff; Availability.” The draft guidance can be viewed here. Comments are due July 7, 2022. 

What is the FDA proposing? 

In 2018, the FDA proposed updates to the final guidance, ‘‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,’’ and issued a draft guidance of the same name.”

This draft guidance replaces the aforementioned 2018 guidance and is “intended to further emphasize the importance of ensuring that devices are designed securely, are designed to be capable of mitigating emerging cybersecurity risks throughout the Total Product Life Cycle, and to clearly outline FDA’s recommendations for premarket submission content to address cybersecurity concerns.” 

Why is the FDA doing this? 

According to the draft guidance as “more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. As a result, ensuring medical device safety and effectiveness includes adequate medical device cybersecurity, as well as its security as part of the larger system.”

How Lanton Law can help

Society’s reliance on technology has become even more vital with the effects of COVID-19. With all of the hacking and malware attacks we have witnessed against various data stakeholders, we foresee cybersecurity as a major legal & policy area that will continue to be expanded.   

Lanton Law is a national boutique law and lobbying firm that focuses on technology and healthcare. If you are a tech or healthIT industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

The Federal Trade Commission (FTC) last month issued the FTC Report to Congress on Privacy and Security. 

What’s in the Report? 

According to the agency “This report responds to the Joint Explanatory Statement accompanying the Consolidated Appropriations Act, 2021, P.L. 116-260, directing the Federal Trade Commission (“Commission” or “FTC”) to “conduct a comprehensive internal assessment measuring the agency’s current efforts related to data privacy and security while separately identifying all resource-based needs of the FTC to improve in these areas. The agreement also urges the FTC to provide a report describing the assessment’s findings to the Committees [on Appropriations of the House and Senate] within 180 days of enactment of this Act.”

Additionally, “The report first provides an overview of the FTC’s authority related to privacy and security, highlighting certain recent efforts in those areas. Second, it discusses priorities for improving the effectiveness of our efforts to protect Americans’ privacy. Third, it identifies areas in which we could use additional resources to further ensure Americans’ privacy is protected. Finally, it discusses the need for Congressional action on the FTC’s authority.”

Lanton Law is a national boutique regulatory law and lobbying firm that focuses on healthcare/life science and technology. We continue to monitor the policy and legal developments around the FTC.

If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

U.S. Senator Gillibrand (D-NY) issued a press release announcing the Data Protection Act of 2021, which would create the DPA, an independent federal agency whose goal is to protect Americans’ data, instill privacy safeguards and work to ensure that there is transparency in data sharing practices. 

There have been some changes to this proposed legislation since last year’s version of the bill. These changes include:

• Supervision of Data Aggregators: Grants the DPA authority to review Big Tech mergers involving a large data aggregator, or any merger that proposes the transfer of personal data of 50,000 or more individuals.

• Office of Civil Rights: Establishes the DPA Office of Civil Rights to advance data justice and protect individuals from discrimination. 

• Enforcement Powers: Improves DPA enforcement powers to oversee the use of high-risk data practices and to penalize, examine, and propose remedies to the social, ethical, and economic impacts of data collection.

• Penalties and Fines: Prohibits data aggregators from committing any unlawful, unfair, deceptive, abusive, or discriminatory data practices; and allows for penalties and fines to be levied if violated, including triple penalties for violations against children.

• Defines Key Terms for Transparency: Provides Key Definitions for Privacy Harm, Data Aggregators, and High-Risk Data Practice, among other key terms.

According to the release “The DPA would be an executive agency. The director would be appointed by the president and confirmed by the Senate, serves a 5-year term, and must have knowledge of technology, protection of personal data, civil rights, and law. The agency may investigate, subpoena for testimony or documents, and issue civil investigative demands. It may prescribe rules and issue orders and guidance as is necessary to carry out federal privacy laws. The authority of state agencies and state attorneys general are preserved in the Act. The DPA would have three core missions:

1. Give Americans control and protection over their own data by authorizing the DPA to create and enforce data protection rules. 

2. Maintain the most innovative, successful tech sector in the world by ensuring fair competition within the digital marketplace. 

3. Prepare the American government for the digital age.”

Lanton Law’s technology practice has been monitoring privacy developments nationwide. If you are a banking/finance, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.

The President’s request for fiscal year 2022 discretionary funding has been released. Below are a few mentions for cybersecurity:  

• To support agencies as they modernize, strengthen, and secure antiquated information systems and bolster Federal cybersecurity the discretionary equest recommends $500 million for the Technology Modernization Fund, an additional $110 million for the Cybersecurity and Infrastructure Security Agency, and $750 million as a reserve for Federal agency information technology enhancements.  

With increased hacking and ransomware attacks, cybersecurity is going to be more front and center for both policy and legal discussions. For example in this request by the Administration, the attack on SolarWinds Corp. and Microsoft Exchange’s email servers were expressly mentioned. For stakeholders that traffic in data, cybersecurity policies are essential. Ensuring compliance with federal and state requirements are key and we can help. 

Lanton Law is a national boutique law and lobbying firm that focuses on technology and healthcare. If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today. 

Senator Markey (D-MA) and Congressman Lieu (D-CA) have reintroduced the Cyber Shield Act. The proposed legislation will create a voluntary program to identify and promote internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes, and for other purposes. 

According to the legislators’ press release, the proposal will specifically establish an advisory committee of cybersecurity experts from academia, industry, consumer groups, government, and the public to create cybersecurity benchmarks for IoT devices – such as baby monitors, home assistants, smart locks, cameras, cell phones, and laptops. IoT manufacturers can then voluntarily certify that their products meet those cybersecurity benchmarks, and display this certification to the public with a “Cyber Shield” label that will help consumers identify and purchase more secure technology for their homes.”

The bill can be viewed here. 

Our reliance on technology has become even more vital with the effects of COVID-19. With all of the hacking and malware attacks we have witnessed against various data stakeholders, we foresee cybersecurity as a major policy area that will continue to be expanded.   

Lanton Law is a national boutique law andlobbying firm that focuses on technology and Health IT.If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions,contact us today.