
Kyle Dull

In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:

On June 6, 2023, the governor signed the Florida Digital Bill of Rights into law. We previously covered the consumer privacy bill here. The law targets larger companies because a “controller” must have $1 billion in global gross revenue, plus one of the following:

  1. 50% of global gross revenue comes from the sale of

Florida is the latest state to pass a consumer privacy bill, pending Governor DeSantis’ signature, that will go into full effect on July 1, 2024.

While the Florida Digital Bill of Rights found in S.B. 262 provides rights similar to those in the other state laws going into effect, it also differs in important and significant ways. The primary difference is the definition of a “controller.” A controller must have $1 billion in global gross revenue (a significant departure from the $25 million requirement in other states), and at least one of the following: i) 50% of global gross revenue coming from the sale of advertisements online; ii) operates a consumer smart speaker and voice command service; or iii) operates an app store or digital distribution platform with at least 250,000 different software applications. Based on these threshold requirements, most of the bill is clearly intended to target only a select group of businesses. However, there are obligations placed on businesses that don’t meet the full definition of a controller in Section 501.715, as we discuss below.

The Federal Trade Commission’s (FTC) Notice of Proposed Rulemaking, Negative Option Rule (“Rule”), which proposes to substantially amend the existing Negative Option Rule and set higher standards for autorenewal promotions and sales than under existing federal or state laws and regulations, was published in the Federal Register on April 21, 2023, setting the clock ticking

Last week, the Federal Trade Commission (FTC) released its Notice of Proposed Rulemaking, Negative Option Rule (“Rule”), which proposes to substantially amend the existing Negative Option Rule and set higher standards for autorenewal promotions and sales than under existing federal or state laws and regulations. If promulgated, the revised Rule will apply to many more businesses and scenarios than are currently subject to autorenewal regulation. Once the proposed Rule is published in the Federal Register, which will be shortly, interested parties have 60 days after the date of publication to comment on the proposed Rule, which covers all forms of so-called “negative option” marketing and sales in all media, including negative options sold in a business-to-business (B2B) context (think about autorenewal terms in business services contracts), for month-to-month auto-renewing terms (think about “no contract” cell, Internet, media or entertainment services, and even auto-renewing monthly residential and commercial real estate tenancies) and for both the sale of goods and services. Other notable additions include enhanced disclosure, consent, and cancellation requirements, as well as a powerful misrepresentation prohibition and annual reminders.

On March 29, 2023, the California Office of Administrative Law (OAL) approved the regulations implementing the California Consumer Privacy Act (CCPA). The regulations were approved by the California Privacy Protection Agency (CPPA) during its February 3rd meeting (see our report here) and filed with the OAL on February 14, 2023. The regulations are

Kochava, an Idaho-based data broker, is currently embroiled in a federal lawsuit with the Federal Trade Commission (“FTC”) that has the potential to redefine the legal bounds of the data sharing and data brokering industries. Privacy World immediately reported on the FTC v. Kochava, Inc. case the day after the FTC filed its motion for

Last week, a federal court in California dismissed a complaint concerning allegations that Otonomo, a data broker that partnered with car manufacturers, “used electronic devices in [drivers’] cars to send real-time GPS location data directly to [defendant],” allowing Otonomo to track drivers’ location in real-time. Read on to learn more about what this means for

LinkedIn and hiQ Labs agreed to a consent judgment and permanent injunction to resolve all data scraping related claims after six years of litigation. This news follows last month’s summary judgment win by LinkedIn on its breach of contract claim against hiQ, based on a finding that hiQ’s data scraping and use of fake profiles violated LinkedIn’s user agreements. 

We have been covering the hiQ-LinkedIn data-scraping saga for several years now on CPW. (See previous posts here, here, here, and here).

After well-publicized litigation that made its way to the Supreme Court and back again, the United States District Court for the Northern District of California ruled[1] that the provisions of a website user agreement that prohibit scraping and fake profiles are enforceable in a breach of contract claim. Businesses should take note and ensure that their own conduct enforces their terms and conditions in order to prevent violators from successfully claiming affirmative defenses. If a business knows of a violation, and wants to have enforceable terms, it should pursue remedying that violation.