Federal Privacy Rights Legislation Introduced into Congress
House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) have introduced the American Privacy Rights Act.
According to the legislators’ press release, this proposal seeks to establish national data privacy rights and protections for Americans, eliminate the existing patchwork of state comprehensive data privacy laws, and establish robust enforcement mechanisms to hold violators accountable, including a private right of action for individuals.
Furthermore, the release describes other provisions of the proposed legislation:
Establishes Foundational Uniform National Data Privacy Rights for Americans
Gives Americans the Ability to Enforce Their Data Privacy Rights
Protects Americans’ Civil Rights
Holds Companies Accountable and Establishes Strong Data Security Obligations
Focuses on the Business of Data, Not Mainstreet Business
The draft can be seen here.
Lanton Law's experience in privacy and data protection enables tech and healthcare companies to navigate the complex legal and regulatory landscape effectively. By partnering with us, these organizations can develop robust strategies, ensuring compliance, safeguarding personal data, and maintaining trust among their consumers.
Contact us to learn more.
Privacy & Technology Companies: Why You May Need an Attorney
Technology companies are constantly collecting and using personal data. This data can include everything from names and addresses to browsing history and financial information. As technology companies collect more data, the importance of privacy becomes even more critical.
There are a number of reasons why technology companies need a lawyer to help them with privacy. First, lawyers can help companies understand the laws that apply to them. These laws can vary depending on the country or region where the company operates.
Second, lawyers can help companies develop and implement relevant policies and procedures. These policies and procedures should be designed to protect the company's users.
Third, lawyers can help companies respond to privacy inquiries and complaints. If a user has a question or complaint about a company's privacy practices, the company needs to be able to respond promptly and effectively.
Privacy is a complex issue, and technology companies need to take it seriously. By working with a lawyer, technology companies can ensure that they are compliant with the law and that they are protecting the privacy of their users.
If you are a technology company and you are concerned about how to navigate an evolving regulatory environment, contact Lanton Law today. We stay up-to-date on the latest technology policy and legal trends and can help you implement new business strategies.
American Data Privacy and Protection Act Introduced
In late June 2022, H.R. 8152 was introduced, which seeks to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.
What are some of the important aspects of the bill?
According to the Congressional Research Service the bill proposes the following:
Covered Entities. It would apply to most entities, including nonprofits and common carriers. Some entities, such as those defined as large data holders that meet certain thresholds or service providers that use data on behalf of other covered entities, would face different or additional requirements.
Covered Data. It would apply to information that “identifies or is linked or reasonably linkable” to an individual.
Duties of Loyalty. It would impose several duties on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, such as geolocation information, biometric information, and nonconsensual intimate images.
Transparency. It would require covered entities to disclose, among other things, the type of data they collect, what they use it for, how long they retain it, and whether they make the data accessible to the People’s Republic of China, Russia, Iran, or North Korea.
Consumer Control and Consent. It would give consumers various rights over covered data, including the right to access, correct, and delete their data held by a particular covered entity. It would require covered entities to get a consumer’s affirmative, express consent before using their “sensitive covered data” (defined by a list of sixteen different categories of data). It would further require covered entities to give consumers an opportunity to object before the entity transfers their data to a third party or targets advertising toward them.
Youth Protections. It would create additional data protections for individuals under the age of 17, including a prohibition on targeted advertising, and it would establish a Youth Privacy and Marketing Division at the Federal Trade Commission (FTC).
Third-Party Collecting Entities. It would create specific obligations for third-party collecting entities, which are entities whose main source of revenue comes from processing or transferring data that it does not directly collect from consumers (e.g., data brokers). These entities would have to comply with FTC auditing regulations and, if they collect data above the threshold amount of individuals or devices, would have to register with the FTC.
Civil Rights and Algorithms. It would prohibit most covered entities from using covered data in a way that discriminates on the basis of protected characteristics (such as race, gender, or sexual orientation). It would also require large data holders to conduct algorithm impact assessments. These assessments would need to describe the entity’s steps to mitigate potential harms resulting from its algorithms, among other requirements. Large data holders would be required to submit these assessments to the FTC and make them available to Congress on request.
Data Security. It would require covered entities to adopt data security practices and procedures that are reasonable in light of their size and activities. It would authorize the FTC to issue regulations elaborating on these data security requirements.
Small- and Medium-size Businesses. It would also relieve small- and medium-size businesses from complying with several requirements; for instance, these businesses may respond to a consumer’s request to correct their data by deleting the data, rather than correcting it.
Enforcement. It would be enforceable by the FTC, under that agency’s existing enforcement authorities, and by state attorneys general in civil actions.
Private right of action. It would create a delayed private right of action starting four years after the law’s enactment. Injured individuals would be able to sue covered entities in federal court for damages, injunctions, litigation costs, and attorneys’ fees. Individuals would have to notify the FTC or their state attorney general before bringing suit. Before bringing a suit for injunctive relief or a suit against a small- or medium-size business, individuals would be required to give the violator an opportunity to address the violation.
Preemption. It would generally preempt any state laws that are “covered by the provisions” of the ADPPA or its regulations, although it would expressly preserve sixteen different categories of state laws, including consumer protection laws of general applicability and data breach notification laws. It would also preserve several specific state laws, such as Illinois’ Biometric Information Privacy Act and Genetic Information Privacy Act and California’s private right of action for victims of data breaches.
Section by section specifics can be found here.
We are going to see more privacy proposals on the state and federal level.
Lanton Law is a national healthcare & technology law and government affairs firm. Our technology practice has been monitoring privacy developments nationwide. If you are a commerce, technology or healthcare/life science stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.
Expert Discusses Long-Term Implications of Roe V. Wade Decision for Pharmacists, Contraception Access
In an interview with Pharmacy Times, Ron Lanton III, Esq, partner at Lanton Law, discussed the recent Supreme Court ruling on Dobbs v. Jackson Women’s Health and what this could mean for pharmacists. In the interview, Lanton said the decision leaves many things ambiguous, which will most likely result in litigation around the country in the coming weeks and months.
The interview can be viewed here. We have also provided the text from Aislinn Antrim’s interview at Pharmacy Times below:
Aislinn Antrim: Hi, I'm Aislinn Antrim with Pharmacy Times, and I'm here with Ron Lanton, partner at Lanton Law, to discuss the recent Supreme Court decision in Dobbs v. Jackson Women's Health and what this means for pharmacists, contraception access, and all of these other questions. So to get started, can you explain the Supreme Court reasoning in this case?
Ron Lanton III, Esq: Absolutely. And before I get started, let me just put a disclaimer out there that while I'm not going to be discussing my personal views about the Supreme Court decision, I'm just going to talk like a lot of health care providers are probably talking right now, where they're just trying to figure out what happened, and what does this mean for them. So, with that out of the way, I'll quickly explain Dobbs.
So basically, what happened in this case is that Roe v. Wade and Casey v. Planned Parenthood were both actually overturned by the Supreme Court on the basis that abortion at any time was not protected by the constitution. So basically, what they've done is that they didn't really put any standards around what they thought abortion was, or you know, how many weeks there should be at, because they felt that the state should actually control the outcome. So, the facts within Dobbs is that the state of Mississippi banned abortions at 15 weeks, which is pre-viability (viability referring to if the fetus can survive outside of the womb). And what Justice Alito said, writing for the majority opinion, is a quote that I wanted to make sure that everybody has heard in case they have not read the opinion. And the quote talks about this, it says, “The inescapable conclusion is that a right to abortion is not deeply rooted in the nation's history and traditions. On the contrary, an unbroken tradition of prohibiting abortion, on pain of criminal punishment, persisted from the earliest days of the common law until 1973.” So, this is definitely a landmark decision. You know, my entire life has been post-Roe. So, this is going to be very, very different for a lot of people and we'll see what happens.
Aislinn Antrim: Definitely. Where do states stand currently in terms of abortion access? And where do you see this headed in the coming weeks and months?
Ron Lanton III, Esq: I see a lot of litigation coming in the next weeks and months. Right now, it's kind of weird how we say this, because right now, there are 5 states where abortion is either illegal or banned. Those states are Texas, South Dakota, Oklahoma, Louisiana, and Kentucky. Soon there will be 16. And the reason I say that is because of what's called trigger laws. So basically, if Roe was ever overturned, which it was in this case, there were some states that have laws in the books that said, should this happen, then, you know, within 30 days abortions will be banned in that state. There is also another thing called zombie laws that are out there, in addition to the trigger laws, and what zombie laws are, is that these are pre-Roe abortion laws that may come back, they were never officially taken off of the books. So, they're just kind of there and a lot of states really don't know what to do with these and businesses that are operating there don't know what to do with these, or if they'll ever come back. So that number, while it may go up to 16 with the trigger laws, it may be more with these zombie laws. So, we really have to do a close scrutiny of what's on the books. And I think that if health care providers are wondering what that might be, I would just suggest that they look and see if their states do in fact have these laws on the books. There have been some states, though, that have taken the stance that they will be arresting medical providers that actually attempt to do these services. So, my prediction is just like I mentioned earlier, is that we're probably going to see a lot of different lawsuits, just for people that are trying to understand their rights and what they can and can't do, especially the health care providers.
Aislinn Antrim: Absolutely. There are many things that are still really unclear. One of the major things that's come into play is access to mail-order abortion pills, and from my understanding, the FDA has permanently allowed these pills to be accessible by mail. But some governors are still looking to ban them. Can you explain this, what this means, and where it stands?
Ron Lanton III, Esq: Yeah, of course. Well, the FDA has been using the pill since 2000, and in December of 2021 what they did was they had some labeling and some evidence-based medicine requirements that they put in and finalized in December of 2021. I can't really speak to specifics about what those are. I know they did them, but if people are interested, I would just go to the FDA and just look. They have that stuff there on their site. The FDA does allow the pill to be prescribed by mail or by telehealth and it's authorized for use during the first 10 weeks of pregnancy. And what was interesting was that when I was looking at this is that more than half of the abortions in the United States are actually medication abortions, which I did not know.
You have mentioned some of the anti-abortion policies that tend to happen with this. So, there have been some anti-abortion states that have laws on the books that stipulate that this pill either has to be given in-person or it has to be prescribed, instead of done through telehealth or by mail. And also, they're saying it's only allowed through the seventh week, whereby the FDA says that it's the tenth week. So that's different. So, what we're seeing here, and what we're also hearing, is that some states may even try to ban the pill. And there's questions legally on whether they can do this. It's really a Tenth Amendment versus Supremacy Clause question. You know, I don't think the FDA, this is just me personally, I think you should check this out. But you know, just for me, I'm not sure you could do that as a state, just legally, with something that the FDA has already approved. It's also going to come down to what the Board of Medicine in your particular state is allowing a physician to do. So, these are just other things that a health care provider would have to check out.
I do think it is interesting to bring up what the Department of Justice has said about this very issue. So, here's a quote I’d like to share with you. So, in what the Department of Justice has said, has stated, “…and we stand ready to work with other arms of the federal government that seek to use their lawful authorities to protect and preserve access to reproductive care. In particular, the FDA has approved the use of medication (Mifeprex). States may not ban this based on disagreement with the FDA’s expert judgment about safety and efficacy.” So, if a state has a policy where it's just challenging the safety of it, that's not going to stand. So, what really remains to be seen is if states are going to continue to do this regardless, we'll have to see.
Aislinn Antrim: Very interesting. And there are also states where legislators are attempting to interpret IUDs as abortion to restrict their access. What is the legal basis for this? And what are the implications if they are successful?
Ron Lanton III, Esq: Yeah, so let's go back to the Supreme Court majority opinion. In this case, they said that other rights, like the rights to contraception and marriage, do not discuss the ending of human life as abortion does. So, they tried to make a distinction in this ruling. Now, with what you just brought up, I started thinking about Plan B and copper IUDs because those stop an already fertilized egg or an embryo from implanting and thus creating the pregnancy. Right? So, the argument in Dobbs was they sided with Mississippi in that Mississippi could deny an abortion at pre-viability, which they already ruled that they can. So, therefore, a state could potentially rule with regards to Plan B or the copper IUD, that these are not contraception and that they are a form of abortion. I mean, theoretically it could happen, as they stop an embryo from implanting, thus stopping human life. So especially if the state believes that human life starts at fertilization, and not implantation. So, many health care providers are definitely likely to be concerned about this because it could also affect IVF treatments. Basically, this ruling has allowed states to ban abortion but kind of has left the door open because they were ambiguous on, you know, they didn't say anything about weeks or what abortion was, there was no definition about it. So, this could potentially bleed over into contraception. So honestly, a legal basis for this could be a new law that describes when human life starts, such as fertilization instead of implantation. So, Dobbs opened the door to that and, you know, that's another one of those things we just don't know.
Aislinn Antrim: Definitely. Many people are urging the Biden administration and Congress to codify a right to abortion. Do you have a sense of whether this could happen or where this stands?
Ron Lanton III, Esq: Well, let's just talk about the Senate makeup right now. So, to get anything passed in Congress has been very difficult to do lately because of just the hyper-partisanship stuff that's been going on. And the Senate, it's almost like forget about it. You know, if you don't have those 60 votes to satisfy the threshold, then you're just not getting anything done. So right now, with an issue this divisive—and really, I mean, anything can be hyper-partisan but, you know, this is definitely one of those issues. I don't know if they can get anything passed in the Senate that could codify Roe.
Now, I like to go back to whether it's accurate when we say codify Roe, because Roe v. Wade hasn't been in place since 1992. And the reason I say that is because the Supreme Court had the Casey v. Planned Parenthood case that I referenced earlier, which was also overturned with Roe in the Dobbs decision. Now, in Casey, the court upheld Roe’s decision holding that a woman has the right to choose to terminate a pregnancy up until the point of fetal viability, and that states could restrict abortion after that point, subject to exceptions such as, you know, protecting the life and health of the pregnant woman. But in Casey the court said that Roe too severely limited state regulation prior to fetal viability and held that states can impose restrictions on abortion throughout pregnancy to protect potential life, as well as the maternal health, which, you know, which has been status quo up until just recently. What was also interesting about Casey is that it had the undue burden test, which basically said that states can't make a law that makes it too hard for someone that wants to seek an abortion. So again, that's been status quo until now. And now we're really not sure what's going to happen.
Aislinn Antrim: Definitely. Going back to what you were saying a few minutes ago, there are also discussions of whether a future Supreme Court case could impact contraception access. What could this look like from a policy or legal standpoint?
Ron Lanton III, Esq: I think [policy and legality] these are 2 related issues, but when we're looking at legalities, I mean, you know, we can split hairs all day but those legally are 2 different issues. So, for contraception that prevents fertilization, you know, such as the pill, that would require a state to draft an entirely new law that outlawed contraception. And that would have to be pushed through several states, and then in order to get to the Supreme Court, someone would have to challenge that and make it all the way up through the ladder. So, these cases are coming faster than they used to before, but that's the process that would have to happen. The rights of contraception is a bit different than what we were talking about in Dobbs because the contraception was actually a different case based on Griswold v. Connecticut. And that basically held that married couples have a protected right to privacy, and that this is being violated by states banning contraception. So, Griswold was not overturned or even mentioned in the majority opinion. Now, I think what has people talking is the Justice Thomas concurring opinion, which basically said that we ought to look at cases like Griswold. Well, that's different from the majority opinion. So, the majority opinion is what we base everything off of now. Concurring opinions happen, judges put their opinions in there all the time. Whether someone later may look at that concurring opinion and shape a different policy, legally or whatnot, that remains to be seen. But the majority opinion did not talk about Griswold. I just want to make sure that was very clear.
Aislinn Antrim: Definitely. Thank you. Could this Dobbs ruling potentially impact the legality of scientific research and innovation in the area of women's health and contraception?
Ron Lanton III, Esq: Yes. So, any current or future research that is connected to the use of an already fertilized egg or an embryo may be deemed unlawful by a state, depending on what their abortion laws actually are. So, as we talked about earlier, Dobbs opens the door for states to determine when human life actually begins. And they're now able to put in their own standards about how they feel about abortion. So, I think in order to answer your question, it really depends on how the state is going to regulate the practice of medicine. So, it’s going to come down to where you live and how medicine is regulated.
Aislinn Antrim: With a wide range of restrictions varying state-to-state, do you have any resources or suggestions for pharmacists who may not know exactly how to handle things in their state, what's legal what they can and can't do? Where can they look?
Ron Lanton III, Esq: That's a good question. I think if I were a pharmacist in this environment, I would definitely look at the Board of Pharmacy to see if there's any guidance about that. I think the second thing that you have to do is really understand how Plan B is going to be regulated. And I think if that's the case, you might want to call an attorney—I'd hate to even get to that kind of level, but you want to make sure that you're complying with what is going on. But I think an issue that most people miss is privacy and HIPAA. And, you know, if you have someone that's coming to a pharmacy that is in a state like the Northeast, where it's pretty much status quo with how they're going to rule or regulate this issue, you know, you can't be telling another state what's going on based on that. So, you really should understand your privacy laws and just look at that in your state. And just make sure you have a good understanding of HIPAA, which will help you in your practice going forward. So, I think those are the 3 places that I would look at first, to make sure. So, make sure that you understand your privacy, get a lawyer if you have questions about things, and just make sure that you're familiar with Board of Pharmacy and their policies and procedures.
Aislinn Antrim: Absolutely. Well, we've covered a lot. Is there anything that you wanted to add?
Ron Lanton III, Esq: I wish I could, I wish I had a crystal ball to kind of figure out how all this is going to go. Like I said, I think with this decision it's going to be a lot of litigation. So, this is not going to be over by, you know, any short imagination. This is going to go on for quite a while. And the only thing that could change things again, back to the way things were, is either an act by Congress, which would invalidate a court decision, or this comes back up through the Supreme Court again and they rule a different way. So that's a long way of me saying that we just have to wait and see what happens.
Aislinn Antrim: Absolutely. Well, thank you so much for diving into this with me.
Ron Lanton III, Esq: You’re welcome, thank you for the time.
California Privacy Regulator Releases Draft Regulations
The California Privacy Protection Agency, the regulator established by the California Privacy Rights Act in November 2020, has posted draft regulations for its upcoming June 8 Board meeting. The draft CPRA regulations can be viewed here.
The draft regulations do need work to clarify several issues. The draft does address privacy notice requirements, how companies must notify their contractors and vendors to delete personal information, and how to respond to opt-out preference signals. The rules are forecasted to take effect on January 1, 2023.
Comprehensive national data privacy and data security draft legislation framework released
The U.S. House Committee on Energy and Commerce has introduced a bi-partisan discussion framework on privacy.
According to the U.S. House Committee on Energy and Commerce:
“U.S. Representatives Frank Pallone, Jr., D-N.J. and Cathy McMorris Rodgers, R-Wash., Chairman and Ranking Member of the House Committee on Energy and Commerce, and U.S. Senator Roger Wicker, R-Miss., Ranking Member of the Senate Committee on Commerce, Science, and Transportation, today released a discussion draft of a comprehensive national data privacy and data security framework. The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support.”
What does the American Data Privacy and Protection Act do?
Establish a strong national framework to protect consumer data privacy and security;
Grant broad protections for Americans against the discriminatory use of their data;
Require covered entities to minimize on the front end, individuals’ data they need to collect, process, and transfer so that the use of consumer data is limited to what is reasonably necessary, proportionate, and limited for specific products and services;
Require covered entities to comply with loyalty duties with respect to specific practices while ensuring consumers don’t have to pay for privacy;
Require covered entities to allow consumers to turn off targeted advertisements;
Provide enhanced data protections for children and minors, including what they might agree to with or without parental approval;
Establish regulatory parity across the internet ecosystem; and
Promote innovation and preserve the opportunity for start-ups and small businesses to grow and compete.
The discussion draft can be found here.
Lanton Law Podcast Episode 1
On Episode 1, Lanton Law speaks with STACK CEO Jonathan Ogurchak about privacy trends, healthcare efficiencies using SaaS, and whether healthcare is ready for tech disruption. Click here to listen to the podcast.
New Congressional Privacy Legislation Proposes Mandated Warrants to Search Americans’ Digital Devices at the Border
Senators Ron Wyden (D-OR) and Rand Paul (R-KY) have introduced the Protecting Data at the Border Act.
According to the press release “The bipartisan bill prevents law enforcement agencies from continuing to take advantage of the so-called border search “exception” in order to conduct warrantless searches of Americans’ phones and laptops.”
“The Protecting Data at the Border Act would provide statutory clarity by recognizing that the principles from Riley v. California extend to searches of digital devices at the border. In addition, this bill requires that U.S. persons know their rights before they consent to giving up online account information (like social media account names or passwords) or before they consent to give law enforcement access to their devices.”
The bill summary can be found here.
Lanton Law is a national boutique regulatory law and lobbying firm that focuses on technology and healthcare/life science. Our privacy practice monitors relevant policy and regulatory decision makers and we counsel clients on emerging trends within this rapidly developing field.
If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.
California Enacts Genetic Privacy Legislation
On October 6th, California Governor Newsom (D-CA) signed SB 41 titled Privacy: genetic testing companies. The bill can be viewed here. Below are the highlights of the bill:
This bill would establish the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data, as specified.
This bill would require a direct-to-consumer genetic testing company to honor a consumer’s revocation of consent in accordance with certain procedures, and to destroy a consumer’s biological sample within 30 days of revocation of consent. The bill would further require a direct-to-consumer genetic testing company to implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified. The bill would exclude from its provisions the California Newborn Screening Program, specific tests, and certain information, providers, entities, and activities subject to specified state and federal laws.
This bill would provide that the act does not reduce a direct-to-consumer genetic testing company’s duties, obligations, requirements, or standards under any applicable state and federal law for the protection of privacy and security and would further provide, if a conflict exists between the act and any other law, that the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
This bill would impose civil penalties for a violation of those provisions, as specified. The bill would require actions for relief pursuant to these provisions to be prosecuted exclusively by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor, as specified, in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of the act. Because the bill would require local officials to perform additional duties, the bill would impose a state-mandated local program.
Lanton Law is a national boutique law and lobbying firm that focuses on healthcare/life sciences and technology.
FTC Report to Congress on Privacy and Security
The Federal Trade Commission (FTC) last month issued the FTC Report to Congress on Privacy and Security.
What’s in the Report?
According to the agency “This report responds to the Joint Explanatory Statement accompanying the Consolidated Appropriations Act, 2021, P.L. 116-260, directing the Federal Trade Commission (“Commission” or “FTC”) to “conduct a comprehensive internal assessment measuring the agency’s current efforts related to data privacy and security while separately identifying all resource-based needs of the FTC to improve in these areas. The agreement also urges the FTC to provide a report describing the assessment’s findings to the Committees [on Appropriations of the House and Senate] within 180 days of enactment of this Act.”
Additionally, “The report first provides an overview of the FTC’s authority related to privacy and security, highlighting certain recent efforts in those areas. Second, it discusses priorities for improving the effectiveness of our efforts to protect Americans’ privacy. Third, it identifies areas in which we could use additional resources to further ensure Americans’ privacy is protected. Finally, it discusses the need for Congressional action on the FTC’s authority.”
Lanton Law is a national boutique regulatory law and lobbying firm that focuses on healthcare/life science and technology. We continue to monitor the policy and legal developments around the FTC.
New Executive Order on Cybersecurity Released in Response to Ransomware Attack
In the wake of the Colonial Pipeline attack, President Biden has signed the Executive Order on Improving the Nation's Cybersecurity. The EO has a number of provisions including:
Establishes a “Cybersecurity Safety Review Board” comprising public- and private-sector officials, which can convene after cyber attacks to analyze the situation and make recommendations.
Requires IT service providers to tell the government about cybersecurity breaches that could impact U.S. networks, and removes certain contractual barriers that might stop providers from flagging breaches.
Plans for enhancing software supply chain security.
This comes amid an increase in cyber attacks on private healthcare and technology companies as well as the federal government.
Ransomware attacks are becoming a bigger threat and being prepared from a compliance and risk management standpoint is becoming more crucial. Having appropriate cyber policies in place is one step. We have other solutions.
Lanton Law is a national boutique law and lobbying firm that focuses on technology and healthcare. If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.
Florida Proposed Privacy Bill Fails
H.B. 969, titled Consumer Data Privacy, has failed to become the nation’s third comprehensive consumer privacy law. The legislature adjourned without reaching a legislative agreement between the House and Senate, as the Senate voted 29-11 to send the bill back to the House. The main controversy that kept this bill from advancing centers on whether a consumer should have a private right of action to sue a company for an alleged violation.
Lanton Law’s technology practice has been monitoring privacy developments nationwide. If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.
U.S. Supreme Court Limits the FTC’s Ability to Obtain Restitution for Deceptive Practices
On April 22, 2021, Justice Breyer wrote the majority opinion for AMG CAPITAL MANAGEMENT, LLC, ET AL. v. FEDERAL TRADE COMMISSION, in which the Court ruled unanimously against the Federal Trade Commission (FTC). The decision was a shock to many consumer advocates. The ruling could make it less cost effective for the FTC to pursue companies that violate privacy rules.
According to the case, the Federal Trade Commission filed a complaint against Scott Tucker and his companies alleging deceptive payday lending practices in violation of §5(a) of the Federal Trade Commission Act. The District Court granted the Commission’s request pursuant to §13(b) of the Act for a permanent injunction to prevent Tucker from committing future violations of the Act, and relied on the same authority to direct Tucker to pay $1.27 billion in restitution and disgorgement. On appeal, the Ninth Circuit rejected Tucker’s argument that §13(b) does not authorize the award of equitable monetary relief.
The Court held that “Section 13(b) does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.” Congress is set to address this issue soon as it looks to reaffirm the agency’s power to provide consumer relief.
FTC Acting Chairwoman Rebecca Kelly Slaughter released a statement about the case where she stated:
“In AMG Capital, the Supreme Court ruled in favor of scam artists and dishonest corporations, leaving average Americans to pay for illegal behavior,” Acting Chairwoman Rebecca Kelly Slaughter said. “With this ruling, the Court has deprived the FTC of the strongest tool we had to help consumers when they need it most. We urge Congress to act swiftly to restore and strengthen the powers of the agency so we can make wronged consumers whole.”
Over the past four decades, the Commission has relied on Section 13(b) of the Federal Trade Commission Act to secure billions of dollars in relief for consumers in a wide variety of cases, including telemarketing fraud, anticompetitive pharmaceutical practices, data security and privacy, scams that target seniors and veterans, and deceptive business practices, among many others. More recently, in the wake of the pandemic, the FTC has used Section 13(b) to take action against entities operating COVID-related scams. Section 13(b) enforcement cases have resulted in the return of billions of dollars to consumers targeted by a wide variety of illegal scams and anticompetitive practices, including $11.2 billion in refunds to consumers during just the past five years.
Lanton Law is a national boutique law and lobbying firm that focuses on highly regulated industries such as technology, fintech, healthcare and clean energy. If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.
New Congressional Bi-Partisan Privacy Proposal Introduced
A new bi-partisan privacy bill has been introduced by Senators Wyden (D-OR) and Paul (R-KY) titled “The Fourth Amendment is Not For Sale Act.” The bill proposes to close a legal loophole and prevent law enforcement and intelligence agencies from obtaining subscriber or customer records in exchange for anything of value, and to address communications and records in the possession of intermediary internet service providers. Currently, this information can be bought and sold without judicial oversight.
According to the press release, some highlights of the proposal include:
Requires the government to get a court order to compel data brokers to disclose data — the same kind of court order needed to compel data from tech and phone companies.
Stops law enforcement and intelligence agencies buying data on people in the U.S. and about Americans abroad, if the data was obtained from a user’s account or device, or via deception, hacking, violations of a contract, privacy policy, or terms of service. As such, this bill prevents the government buying data from Clearview.AI.
Extends existing privacy laws to infrastructure firms that own data cables & cell towers.
Closes loopholes that would permit the intelligence community to buy or otherwise acquire metadata about Americans’ international calls, texts and emails to family and friends abroad, without any FISA Court review.
Ensures that intelligence agencies acquiring data on Americans do so within the framework of the Foreign Intelligence Surveillance Act and that when acquiring Americans’ location data, web browsing records and search history, intelligence agencies obtain probable cause orders. This language is similar to language that was in the 2020 Wyden-Daines amendment to legislation to reform Section 215.
Takes away the Attorney General’s authority to grant civil immunity to providers and other third parties for assistance with surveillance not required or permitted by statute. Providers retain immunity for surveillance assistance ordered by a court.
Lanton Law is a national boutique law and lobbying firm that focuses on technology and healthcare. If you are an industry stakeholder with questions about the current landscape or if you would like to discuss how your organization’s strategic initiatives might be impacted by either Congress, regulatory agencies or legal decisions, contact us today.
Illinois Biometric Information Privacy Act (BIPA) Lawsuit Causes Facebook to Pay Settlement
On February 26, 2021, in the United States District Court, Northern District of California, Facebook was ordered to pay $650 million. The dispute derived from an underlying lawsuit that raised the question of whether the collection of an individual's biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing. As a result of this dispute, the company’s automatic facial recognition tagging features are now opt-in instead of opt-out.
The Illinois Biometric Information Privacy Act enacted in 2008 was an important first step in developing policy on biometrics. According to the law, a private entity possessing biometric information accessible to the public must have a retention schedule and policy for permanently destroying biometric information. Additionally, there are restrictions on how a private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information. Most importantly, this law requires obtaining written consent prior to collecting biometric information as the law provides a private right of action for anyone injured under the Act.
Lanton Law’s technology practice, which includes biometrics and privacy issues, has been monitoring the Illinois Biometric Information Privacy Act for some time. We have posted several blogs addressing this issue as companies continue to evolve biometrics into their business models. As 2021 unfolds, we confidently believe that legislative and regulatory oversight will increase, leading to more litigation that fine-tunes points left unanswered about this emerging field.
We at Lanton Law can help. Our legal and policy tools can help offer your organization a clear path forward to navigate what will be changing policies for technology stakeholders. Contact us today to discuss your options.
Virginia on Track to Become Second State to Pass Data Privacy Laws
Lanton Law’s privacy practice has been closely monitoring the various state conversations around data privacy. We previously wrote a blog post titled California’s Consumer Privacy Act Could Be Coming to a State Near You, where we traced how California took the first step to create a consumer privacy law in the wake of Europe’s General Data Protection Regulation.
So what’s going on with Virginia? Earlier this month the Virginia Senate passed Senate Bill 1392, titled the Consumer Data Protection Act. The Virginia House of Delegates approved a companion (identical) House Bill H.B. 2307 by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. The state General Assembly will adjourn on March 1, and it is expected that Governor Northam will sign the legislation.
What does the bill do? The proposed legislation seeks the following:
“Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. The bill provides that the Attorney General has exclusive authority to enforce violations of the law, and the Consumer Privacy Fund is created to support this effort. The bill has a delayed effective date of January 1, 2023.”
As with major policy issues that have yet to have a federal solution, states like California, Virginia and others are creating piecemeal policies, which will create compliance issues for entities that operate in several jurisdictions. New York, Oklahoma, Washington State, Minnesota, and North Dakota are jurisdictions that we continue to monitor with brewing policies on point.
As we become more reliant on technology which crosses several sectors now, businesses are finding that they have to increase their awareness of state and federal policy in order to remain compliant. We at Lanton Law can help. Our legal and lobbying tools can help offer your organization a clear path forward to navigate what will be changing policies for healthcare, technology and clean energy stakeholders. We are a D.C. based firm with no state boundaries as we are active nationwide. Contact us today to discuss your options.
The New Concerns of a Digital Workplace
We are honored to have worked with STACK for Pharmacy on a great and timely webinar titled “The New Concerns of a Digital Workplace.” COVID-19 has changed the way that we work, communicate and transfer information and finances. We discuss the early trends of what we are seeing from a transitioning marketplace.
Amazon’s Hand Scanning Points to the Need for Biometrics Policy
Recently, we have learned of Amazon’s new hand scanning idea to revolutionize consumer interactions via fintech. The idea would involve creating a payment system that would biometrically scan a user’s hand to transfer payment from the user to Amazon, instead of via a credit card, phone application or cash. New point of sale terminals equipped with this technology would be placed in brick and mortar stores so that customers can “travel lighter” by not having to worry about carrying physical payment forms. There are early indications that Visa will be working with Amazon on this idea, along with potentially Mastercard, J.P. Morgan, Wells Fargo and others. While this theoretically sounds like a logical fit for where technology and banking or “fintech” is moving, are there laws in place that govern biometrics?
Surprisingly, there is not a lot of established law on the issue of biometrics. We first started hearing about biometrics in 2014 with a Congressional bill titled the “Biometric Information Privacy Act,” also known as H.R. 4381. Sponsored by Representative Stockman (R-TX), the bill called for penalties to a business entity, governmental entity or person who knowingly (1) fraudulently obtains personal physiological biometric information relating to an individual; or (2) discloses personal physiological biometric information without permission from the individuals to which the personal physiological biometric information pertains. That bill did not get much traction.
Congressional members have recently taken a cautious tone when dealing with Amazon’s cutting edge technology. For example, in late 2018 Rep. Jimmy Gomez (D-CA), joined by Senator Edward Markey (D-MA) and Reps. Luis Gutiérrez (D-IL), John Lewis (D-GA), Judy Chu (D-CA), Ro Khanna (D-CA), Pramila Jayapal (D-WA), and Jan Schakowsky (D-IL), sent a letter to Amazon Chairman, President, and CEO Jeff Bezos, requesting information about Amazon’s facial recognition technology, branded and sold as “Amazon Rekognition.” The letter expressed concern about the technology’s potential impact on communities of color. And while there are no federal rules outlining biometrics, we do see federal agencies speaking with the tech community on utilizing biometric technology for future unspecified projects.
State policy on this issue has been a bit of a mixed bag. While Illinois, Washington and Texas have biometric laws on the books, other states are following suit. Florida, Arizona, Massachusetts, Connecticut and New Hampshire, to name a few, are debating biometrics, while California is about to implement the protections of its California Consumer Privacy Act (CCPA). We wrote a prior blog on the specifics of the new California law, which we believe will be a precursor to similar policies being developed in the near future.
In conclusion, we expect fintech to continue to be ahead of the law as companies like Amazon push forward to create marketplace solutions that provide convenience and a relatable user experience. The question becomes whether policymakers are comfortable with the pace of expansion and the awkwardness of proceeding with little to no regulatory oversight on something as personal to us as our biometrics.
Contact Lanton Law for additional information or for strategies on how to deal with unsettled law and policy within biometrics.
Georgia Supreme Court Sets Data Breach Precedent
In 2016, the Athens Orthopedic Clinic in Georgia was hacked by an anonymous hacking group called the “Dark Overlord.” The group’s action caused a major data breach and affected approximately 200,000 patients. The information obtained involved social security numbers, health insurance information, birth dates, and addresses.
The Clinic refused to pay the ransom to the thief and advised the affected patients to set up anti-fraud protections. The victims then filed a lawsuit seeking damages from the Clinic, which caused the courts to consider whether a data breach victim must suffer actual financial loss to be compensated, or whether the threat of future harm is enough to make a claim for compensation.
On December 23, 2019 the Georgia Supreme Court in Collins et al. v. Athens Orthopedic Clinic, P.A. reversed the Georgia Court of Appeals decision and ruled that “the injury the plaintiffs allege that they have suffered is legally cognizable.”
As we rely more on technology and sensitive information such as our healthcare records is quickly exchanged from one healthcare provider to another, the risk of data breaches rises. Protected health information (PHI), which often includes items such as Social Security numbers, birth dates, home and email addresses, and diagnosis codes, can be used by hackers to buy prescription drugs online, purchase medical equipment, or create false identifications, to name a few. It seems that health care data is now more valuable than credit card data since health care data fraud takes longer for a consumer to both realize and report.
That is why it is even more important for stakeholders that traffic in data not only to have adequate security protocols to protect against data breaches, but also to develop rapid response plans to alert affected parties and assess potential monetary damages. Lanton Law assesses stakeholders’ potential risks and makes recommendations to help limit stakeholder liability. Contact Lanton Law to get started!
Federal Privacy Laws Are Currently in the Making
In November 2019, we published a blog post titled More Data Oversight on the Horizon that discussed increasing Congressional oversight over data privacy, while highlighting the importance of the Online Privacy Act of 2019.
In preparation for 2020, Lanton Law is forecasting that it is more likely than not that some form of federal privacy legislation will become law in 2020. One proposed legislative candidate for privacy in 2020 is the Consumer Online Privacy Rights Act (COPRA). This bill is sponsored by Senator Cantwell (D-WA).
According to Senator Cantwell’s press release, the Act, otherwise known as S.2968, “establishes privacy rights, outlaws harmful and deceptive practices, and improves data security safeguards for consumers shopping or conducting business online.” The release discusses specifics, stating that COPRA “gives Americans control over their personal data; prohibits companies from using consumers’ data to harm or deceive them; establishes strict standards for the collection, use, sharing, and protection of consumer data; protects civil rights; and penalizes companies that fail to meet data protection standards. The legislation also codifies the rights of individuals to pursue claims against entities that violate their data privacy rights.”
The question is whether this legislation will be able to pass in a hotly contested election year. At this point it is unknown. This bill thus far has no Republican co-sponsors, so it has yet to gain bi-partisan traction. However, with the new and increasing scrutiny surrounding tech companies and their treatment of consumer data, we anticipate that the political winds may shift against technology companies. It’s better to be aware of trends instead of being caught off guard by them.
Lanton Law helps tech and fintech stakeholders navigate both the regulatory and legislative landscape on a state and federal level. If you have questions about compliance, new potential business strategies or what the policy landscape will look like for your business, contact us to learn about your options.