Health app Flo Health reached a settlement Thursday in a case involving allegations that sensitive health information was shared with third parties without user consent. Earlier in July, Google, also a defendant in case 21-00757, said it reached a settlement with the plaintiffs (see 2507090063). No details were released in either settlement.
It’s important for organizations to “actively stay up to date” on DOJ’s sensitive data rule even though enforcement began on July 9, blogged Constangy Brooks lawyers on Thursday.
So far in 2025, state lawmakers and regulators have focused on data related to health, children, geolocation and biometrics, said Sidley privacy attorneys Colleen Theresa Brown, Sheri Porath Rockwell and Sasha Hondagneu-Messner in a blog post Thursday.
With federal agencies deemphasizing rulemaking and enforcement, “states are advancing more prescriptive cybersecurity standards for financial institutions, including many that align with the approach and standards set by the New York Department of Financial Services (NYDFS),” the Cooley law firm blogged Wednesday.
Though several recent enforcement actions have targeted websites, mobile apps are also subject to all privacy laws, a lawyer said Thursday during a webinar by Privado, a privacy vendor. Daniel Goldberg, a Frankfurt Kurnit lawyer, also noted that it's no longer enough for companies to rely on privacy vendors for compliance; they must practice due diligence too.
There has been a quiet shift recently where state privacy enforcement is often aided behind the scenes by private law firms, according to a Tuesday blog post from Frankfurt Kurnit attorneys. These firms typically develop the case and can even appear in the final complaint filed in court, lawyers Daniel Golberg and Holly Melton wrote.
States should amend comprehensive privacy laws to remove loopholes for consumer reporting agencies (CRAs), the Electronic Privacy Information Center (EPIC) said in a white paper released Tuesday.
Age-verification vendors weren't "surprised" by attempts to circumvent proof-of-age mechanisms once the U.K. Online Safety Act (OSA) rules took effect Friday, Age Verification Providers Association Executive Director Iain Corby told us Tuesday.
The California Privacy Protection Agency (CPPA) announced a $55,400 fine Tuesday against Accurate Append for failing to register as a data broker and pay the annual fee required by the state’s Delete Act (see 2507290031). The CPPA's latest fine signals the agency's crackdown on data brokers, said Troutman Amin law clerk Tammana Malik in a blog post. However, a study last month on California data brokers argues they largely ignore regulation.
The California Privacy Protection Agency (CPPA fined Washington-based Accurate Append $55,400 for failing to register as a data broker and pay the annual fee required by the state’s Delete Act. The company failed to register by the Jan. 31, 2024 deadline for its 2023 activities, and only registered after the Enforcement Division contacted Accurate Append, the CPPA alleged.