Privacy Summer School – “Back to School” Recap

September 18, 2024

This summer, Paul Rothermel presented a three-part webinar series “Privacy Summer School” covering key privacy topics. These programs, drawing on Paul’s deep privacy experience, covered key areas of compliance and risk as well as new and emerging laws and regulations. Check out this article for a series recap. You can also watch the recorded webinars linked below:


Session 1 Recap: 10 Things You Should Know About Privacy, Consent, and HIPAA

Several federal laws govern the protection of personal information in the U.S., including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Federal Trade Commission Act (FTCA), the Children’s Online Privacy Protection Act (COPPA), the CAN-SPAM Act, and the Telephone Consumer Protection Act (TCPA), among others.

Additionally, numerous states have enacted comprehensive privacy laws, each with unique provisions that organizations must navigate. Key states include California with the California Consumer Privacy Act (CCPA), which defines personal information broadly and provides extensive rights to consumers regarding their data. Other state laws, like Washington’s “My Health My Data” Act (MHMDA), offer specific protections for consumer health data.

Around the globe, laws such as the General Data Protection Regulation (GDPR) in Europe and other similar legislation directly impact the processing of personal data and impose further standards and requirements.

We previously summarized key takeaways from this program here.

Session 2 Recap: Do I Really Need A Privacy Officer, DPO, or CISO?

Privacy officers, information security officers, and data protection officers play a critical role in ensuring that companies comply with privacy laws and protect personal data. The specific responsibilities and qualifications of these roles can vary depending on the jurisdiction and the applicable laws.

HIPAA Privacy Official Requirements

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must appoint a privacy official responsible for developing and implementing privacy policies and procedures. This role involves overseeing the protection of patient information, handling complaints, and ensuring compliance with HIPAA regulations. Covered entities must also appoint a security official responsible for information security program implementation and oversight. Business associates, while not required to appoint a dedicated privacy officer, must still designate a security official.

GDPR Data Protection Officer (DPO) Requirements

The GDPR mandates that certain organizations appoint a Data Protection Officer (DPO). This requirement applies to controllers and processors of personal data regulated by the European Union who meet certain criteria, including those whose core activities involve large-scale processing of special categories of data, such as health information. The DPO is responsible for advising the organization on compliance, monitoring data protection practices, and serving as a contact point for data subjects and supervisory authorities, among other key responsibilities.

State-Specific Requirements

Some U.S. states have introduced laws that implicitly or explicitly require the appointment of privacy or security personnel. For instance, the Massachusetts Data Security Regulation and the New York SHIELD Act mandate that organizations designate employees to oversee information security programs. These roles involve developing, implementing, and maintaining security policies to protect personal information.

Session 3 Recap: Privacy Policy Pop Quiz – Are You Ready?

Achieving compliance with privacy laws requires a combination of strategic planning, clear policies, and ongoing monitoring. Developing an effective privacy approach for your website(s) is a seemingly basic but highly important step towards mitigating your company’s privacy risk.

Develop Comprehensive, Accurate, and Readable Privacy Policies

A well-crafted privacy policy is a key element of any privacy program. It should clearly outline the types of personal information collected, the purposes for collection, how the information is used, and with whom it is shared. The policy should also detail the privacy rights of individuals and how they can exercise those rights.

To ensure readability and accessibility, privacy policies should use plain language and be easily accessible on the company's website. Consider including layered notices that provide summaries of key points with links to more detailed information.

Identify and develop your website and privacy policy to comply with requirements relevant to your company and be sure to revisit it regularly to make sure it is still accurate and addresses the latest requirements.

Case Studies and Enforcement Actions

Understanding real-world examples of privacy enforcement actions can provide valuable insights into what regulators are looking at, key risk areas, and how to improve your privacy program. The Federal Trade Commission (FTC) provides a list of recent enforcement actions related to privacy and security. Other regulators, such as the California Attorney General, have also been actively enforcing privacy requirements.

Some cases highlighting key focus areas include:

  • BetterHelp, an online mental health service provider, faced FTC enforcement for allegedly sharing sensitive health information with third parties for advertising purposes without proper consent. The FTC's action resulted in a significant financial penalty and a requirement for BetterHelp to obtain express consent before sharing sensitive health information in the future. This case underscores the importance of transparency and accuracy in privacy practices.
  • TiltingPoint Media, a mobile game developer, was fined $500,000 by the California Attorney General for allegedly violating the California Consumer Privacy Act (CCPA) and the Children's Online Privacy Protection Act (COPPA). The company allegedly collected personal information from children without proper parental consent and shared it for advertising purposes, among other activities. This case highlights the need for rigorous compliance with privacy laws, especially when handling the data of children or other vulnerable persons. It also reflects the importance of diligently evaluating third-party software for privacy compliance functions.
  • Vitagene, a DNA testing company, was also subject to FTC enforcement for alleged misleading claims about its privacy practices. The FTC said the company promised to delete DNA samples upon request but failed to do so. Additionally, Vitagene was alleged to have expanded data sharing with third parties without obtaining proper consent. This case emphasizes the need for companies to honor their privacy commitments and ensure that their practices align with their public statements.

Conclusion

Navigating the complex landscape of privacy laws requires a proactive and informed approach. By understanding the requirements of various regulations, appointing qualified privacy officers, and implementing best practices for data protection, organizations can ensure compliance and build trust with their customers. As privacy laws continue to evolve, staying vigilant and adaptable will be key to maintaining robust privacy programs in 2024 and beyond. For a more detailed discussion of the topics summarized above, catch the recordings of Privacy Summer School here.

Contact Us

Compliance with privacy laws requires a thorough understanding of both federal and state regulations, as well as international laws. Organizations must stay informed about the evolving legal landscape and implement robust privacy practices to protect personal data and avoid significant penalties. Gardner Law has extensive experience with applying data, privacy, and cybersecurity considerations to life sciences companies of all sizes. If you have questions, contact the team at Gardner Law or reach out to one of our attorneys directly.