Data Dive

The Federal Trade Commission (FTC) reached a settlement with weight loss company WW International (formerly known as Weight Watchers) requiring the company to pay a $1.5 million penalty, delete the personal information of children under the age of 13 that was allegedly obtained unlawfully and delete any work product—including algorithms—derived from that data.¹ This case marks the second time in two years that the FTC has ordered algorithm destruction as a result of alleged improprieties in a company’s data collection practices. 

On March 9, 2021, the U.S. Department of Health and Human Services Office for Civil Rights announced that the public comment period for the HIPAA proposed privacy rule would be extended until May 6, 2021. The rulemaking was published in the Federal Register on January 21, 2021, with an initial comment deadline of March 22, 2021. Noting the potential for confusion concerning the impact of the Regulatory Freeze announced on January 20, 2021, the agency determined that “the public may need additional time to review the proposals and submit comments.”

The U.S. Food and Drug Administration (FDA) announced that the newly-created post of Acting Director of Medical Device Security has been filled by Kevin Fu, a University of Michigan associate professor and founder of the Archimedes Center for Medical Device Security.  Fu, who was appointed for a one-year term, is expected to “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”¹ The creation of the position reflects the FDA’s ongoing efforts to ensure the safety and effectiveness of Internet of Things and medical devices such as insulin pumps, pacemakers, and hospital imaging machines.  These devices, which increasingly rely on software and the cloud to operate, are particularly vulnerable to threat actors targeting hospitals and other medical providers with ransomware and other attacks.  Such attacks have been on the rise, particularly given the shift to telehealth and remote operation of medical devices in the wake of COVID-19.

In the wake of the California voters’ approval of Proposition 24, or the California Privacy Rights Act of 2020 (CPRA), a ballot initiative that expanded data privacy obligations for businesses beyond those in the California Consumer Privacy Act (CCPA), several states promptly introduced new privacy laws of their own at the outset of 2021. Lawmakers in Washington state have notably revamped the Washington Privacy Act (WPA), while the landmark New York Privacy Act (NYPA) has also been reintroduced. Other state lawmakers continue to introduce measures to enhance their states’ data privacy and cybersecurity efforts. Below, please find a high-level overview of states’ new legislative efforts in this space.