On February 1, 2023, the Federal Trade Commission announced that it had entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third-party advertisers and other companies.
Continue Reading GoodRx to Pay $1.5 Million in First Ever FTC Health Breach Notification Rule Enforcement Action

On January 4, 2023, the Irish Data Protection Commission announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. on the Instagram and Facebook platforms.
Continue Reading Meta Fined €390 Million by Irish DPC for Alleged Breaches of GDPR, Including in Behavioral Advertising Context

On January 10, 2023, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP and Cisco’s Privacy Center of Excellence published a joint report on “Business Benefits of Investing in Data Privacy Management Programs.”
Continue Reading CIPL & Cisco Publish Joint Report on Business Benefits and ROI of Accountable Privacy Programs

On December 1, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services released a Bulletin on the obligations of HIPAA covered entities and business associates under the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies.
Continue Reading HHS Releases Bulletin on Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

On November 2, 2022, the ICO issued the UK Department for Education with a formal reprimand following an investigation into the sharing of personal data stored on the Learning Records Service, a database for which the DfE has overall responsibility and which provides a record of pupils’ qualifications.
Continue Reading The Information Commissioner’s Office Issues UK Department for Education with Formal Reprimand

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices.
Continue Reading FTC Takes Action Against Chegg for Alleged Security Failures that Exposed Data of Employees and 40 Million Consumers

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the company’s alleged failure to maintain appropriate security safeguards, which led to a data breach affecting the personal information of 2.5 million consumers.
Continue Reading FTC Takes Action Against Drizly and its CEO for Alleged Security Failures that Exposed Data of 2.5 Million Consumers

On October 24, 2022, the UK Information Commissioner’s Office issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure during the period of March 2019 to December 2020, in violation of Article 5(1)(f) and Article 32 of the GDPR.
Continue Reading UK Information Commissioner’s Office Fines Construction Company £4.4 Million for Breach of Security Obligations