“Arbitrary and Capricious” – A Sign of Things to Come?

On July 3, 2024, the US District Court of Northern Texas issued a Memorandum Opinion and Order in the combined cases of Americans for Beneficiary Choice, et al. v. United States Department of Health and Human Services (Civ. Action No. 4:24-cv-00439) and Council for Medicare Council, et al., v. United States Department of Health and Human Services (Civ. Action No. 4:24-cv-00446).

The Plaintiffs (in this combined case) challenged the Centers for Medicare and Medicaid Services (“CMS”) rule issued earlier this year. The new rules attempt to bring reimbursements paid to third-party firms within the definition of compensation, and therefore within the regulatory cap on compensation; the prior rules did not treat such reimbursements as compensation.

This Memorandum Opinion Order granted the Plaintiffs’ Motion for a Stay in part and denied it in part. The Motion was granted in relation to the new CMS rules around compensation paid by Medicare Advantage and Part D plans to independent agents and brokers who help beneficiaries select and enroll in private plans.

The Court found that the compensation changes were arbitrary and capricious and that the Plaintiffs were substantially likely to succeed on the merits of the case. The Court found that CMS failed to substantiate key parts of the final rule. During the rulemaking process, industry commenters asked for clarification around parts of the rule, but CMS claimed “the sources Plaintiffs criticized were not significant enough to warrant defending them.” The Court found “because CMS failed to address important problems to their central evidence…that members of the public raised during the comment period, those aspects of the Final Rule are most likely arbitrary and capricious.”

One of the Plaintiffs, Americans for Beneficiary Choice, also challenged the consent requirement of the final rule. The final rule states that personal beneficiary data collected by a third-party marketing organization (“TPMO”) can only be shared with another TPMO if the beneficiary gives prior express written consent. The Plaintiff argued that the consent requirement is “in tension with HIPAA’s broader purpose of facilitating data sharing,” and CMS responded that HIPAA might facilitate data sharing, but that this does not limit CMS’s ability to restrict certain harmful data-sharing practices. The Court denied the Motion to Stay regarding the consent requirement, but interestingly stated that while Plaintiff’s “claim regarding the Consent Requirement may ultimately have merit, [Plaintiff]’s current briefing does not demonstrate a substantial likelihood of success at this stage”.

What does this mean now that we are less than 90 days from the start of the 2025 Medicare Advantage/Part D contract year?

  1. The consent requirement is still moving forward – While the memorandum order hints at the possibility of it being rejected, as of right now, TPMOs must get prior express written consent before sharing personal beneficiary data with another TPMO.
  2. The fixed-fee and contract-terms restrictions in the final rule have had their effective dates stayed until this suit is resolved. Therefore, the compensation scheme that was in place last year remains essentially the same for those two sections.

How does this affect the FCC’s 1:1 Ruling?

It doesn’t. While this case does show that courts are willing to look critically at agencies’ rulemaking processes, the FCC’s 1:1 consent requirement is different from the compensation changes set forth by CMS.

The FCC arguably just clarified the existing rule around prior express written consent by requiring the consent to “authorize no more than one identified seller”.

CMS, on the other hand, attempted to make wholesale changes and “began to set fixed rates for a wide range of administrative payments that were previously uncapped and unregulated as compensation.”

There is still the IMC case against the FCC, so there is a possibility (albeit small) of relief coming in that case. However, the advice here is to continue planning for obtaining consent to share personal beneficiary data AND single-seller consent.

The Privacy Patchwork: Beyond US State “Comprehensive” Laws

We’ve cautioned before about the danger of thinking only about US state “comprehensive” laws when assessing legal privacy and data security obligations in the United States. We’ve also mentioned that the US has a patchwork of privacy laws. That patchwork is found to a certain extent outside of the US as well. What laws exist in the patchwork that relate to a company’s activities?

There are laws that apply when companies host websites, including the most well-known, the California Online Privacy Protection Act (CalOPPA). It has been in effect since July 2004, thus predating the CCPA by 14 years. Then there are laws that apply if a company is collecting and using biometric identifiers, like Illinois’ Biometric Information Privacy Act.

Companies are subject to specific laws both in the US and elsewhere when engaging in digital communications. These laws include the US federal laws TCPA and TCFAPA, as well as CAN-SPAM. Digital communication laws exist in countries as wide-ranging as Australia, Canada, Morocco, and many others. Then we have laws that apply when collecting information during a credit card transaction, like the Song-Beverly Credit Card Act (California).

Putting It Into Practice: When assessing your company’s obligations under privacy and data security laws, keep activity-specific privacy laws in mind. Depending on what you are doing, and in what jurisdictions, you may have more obligations to address than simply those found in comprehensive privacy laws.

American Privacy Rights Act Advances with Significant Revisions

On May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the American Privacy Rights Act (“APRA”), which was released just 36 hours before the markup session. With the subcommittee’s approval, the APRA will now advance to full committee consideration. The revised draft includes several notable changes from the initial discussion draft, including:

  • New Section on COPPA 2.0 – the revised APRA draft includes the Children’s Online Privacy Protection Act (COPPA 2.0) under Title II, which differs to a certain degree from the COPPA 2.0 proposal currently before the Senate (e.g., removal of the revised “actual knowledge” standard; removal of applicability to teens over age 12 and under age 17).
  • New Section on Privacy By Design – the revised APRA draft includes a new dedicated section on privacy by design. This section requires covered entities, service providers and third parties to establish, implement, and maintain reasonable policies, practices and procedures that identify, assess and mitigate privacy risks related to their products and services during the design, development and implementation stages, including risks to covered minors.
  • Expansion of Public Research Permitted Purpose – as an exception to the general data minimization obligation, the revised APRA draft adds another permissible purpose for processing data for public or peer-reviewed scientific, historical, or statistical research projects. These research projects must be in the public interest and comply with all relevant laws and regulations. If the research involves transferring sensitive covered data, the revised APRA draft requires the affirmative express consent of the affected individuals.
  • Expanded Obligations for Data Brokers – the revised APRA draft expands obligations for data brokers by requiring them to include a mechanism for individuals to submit a “Delete My Data” request. This mechanism, similar to the California Delete Act, requires data brokers to delete all covered data related to an individual that they did not collect directly from that individual, if the individual so requests.
  • Changes to Algorithmic Impact Assessments – while the initial APRA draft required large data holders to conduct and report a covered algorithmic impact assessment to the FTC if they used a covered algorithm posing a consequential risk of harm to individuals, the revised APRA requires such impact assessments for covered algorithms to make a “consequential decision.” The revised draft also allows large data holders to use certified independent auditors to conduct the impact assessments, directs the reporting mechanism to NIST instead of the FTC, and expands requirements related to algorithm design evaluations.
  • Consequential Decision Opt-Out – while the initial APRA draft allowed individuals to invoke an opt-out right against covered entities’ use of a covered algorithm making or facilitating a consequential decision, the revised draft now also allows individuals to request that consequential decisions be made by a human.
  • New and/or Revised Definitions – the revised APRA draft’s definition section includes new terms, such as “contextual advertising” and “first party advertising.” The revised APRA draft also redefines certain terms, including “covered algorithm,” “sensitive covered data,” “small business” and “targeted advertising.”

CFPB Launches Public Inquiry into Rising Mortgage Closing Costs and ‘Junk Fees’

Go-To Guide:
  • The Consumer Financial Protection Bureau (CFPB) has launched a public inquiry into rising mortgage closing costs, seeking to understand the reasons behind the increase, identify who benefits, and find ways to reduce costs for both borrowers and lenders.
  • This inquiry, part of a broader effort against “junk fees,” aims to gather public input on the impact of these fees on consumers’ financial health and the mortgage lending market, with a focus on third-party costs, fee beneficiaries, and the evolving nature of these expenses.

On May 30, 2024, the CFPB issued a new request for information (RFI) from the public regarding “why closing costs are increasing, who is benefiting, and how costs for borrowers and lenders could be lowered.”

As part of a wider effort targeting what both the CFPB and the Biden administration refer to as “junk fees,” the CFPB is focusing on evaluating how these fees affect consumers’ financial health and the broader impact on mortgage lenders. This follows the CFPB’s continued expression of interest in “junk fees,” on which GT reported in a May 2024 blog post.

“Junk fees and excessive closing costs can drain down payments and push up monthly mortgage costs,” CFPB Director Rohit Chopra said in a separate press release. “The CFPB is looking for ways to reduce anticompetitive fees that harm both homebuyers and lenders.”

The Request for Information

According to a recent CFPB analysis, mortgage closing costs surged by over 36% from 2021 to 2023. The CFPB alleges that these unavoidable fees can strain household budgets and limit the ability to afford a down payment, while also hindering lenders from offering competitive mortgage options due to the higher costs they must absorb or pass on.

The CFPB is seeking public input to address these concerns and make mortgage costs more manageable. Some key areas of interest include:

  • Competitive pressure. The CFPB aims to evaluate the extent to which consumers or lenders currently apply competitive pressure on third-party closing costs, seeking to understand market barriers that limit competition.
  • Fee beneficiaries. The CFPB aims to identify the beneficiaries of required services and determine whether lenders have control or influence over the third-party costs that are transferred to consumers.
  • How fees are evolving and their impact on consumers. The CFPB seeks details on which expenses have surged the most in recent years and the factors driving these increases, such as the higher prices for credit reports and credit scores. Additionally, the CFPB is interested in understanding how closing costs affect housing affordability, access to homeownership, and home equity.

Takeaways

The CFPB oversees numerous laws and regulations concerning mortgage lending and real estate settlement, such as the Truth in Lending Act, the Fair Credit Reporting Act, and the Real Estate Settlement Procedures Act. The insights gained from this inquiry are poised to shape rulemaking, guidance, and various policy initiatives moving forward.

The CFPB invites comments and data from the public and stakeholders within 60 days of the RFI being published in the Federal Register.

We have provided ongoing analysis and commentary on this issue as it has developed. See below for more context on legislative and regulatory efforts to curb “junk fees”:

Zeba Pirani contributed to this article

On July 1, 2024, Texas May Have the Strongest Consumer Data Privacy Law in the United States

It’s Bigger. But is it Better?

They say everything is bigger in Texas, and that now includes privacy protection. After the Texas Senate approved HB 4, the Texas Data Privacy and Security Act (“TDPSA”), on June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation.[1]

Like many state consumer data privacy laws enacted this year, TDPSA is largely modeled after the Virginia Consumer Data Protection Act.[2] However, the law contains several unique differences and drew significant pieces from recently enacted consumer data privacy laws in Colorado and Connecticut, which generally include “stronger” provisions than the more “business-friendly” laws passed in states like Utah and Iowa.

Some of the more notable provisions of the bill are described below:

More Scope Than You Can Shake a Stick At!

  • The TDPSA applies much more broadly than any other pending or effective state consumer data privacy act, pulling in individuals as well as businesses regardless of their revenues or the number of individuals whose personal data is processed or sold.
  • The TDPSA applies to any individual or business that meets all of the following criteria:
    • conduct business in Texas (or produce goods or services consumed in Texas), and
    • process or sell personal data:
      • The “processing or sale of personal data” further expands the applicability of the TDPSA to include individuals and businesses that engage in any operations involving personal data, such as the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
      • In short, collecting, storing or otherwise handling the personal data of any resident of Texas, or transferring that data for any consideration, will likely meet this standard.
  • Uniquely, the carveout for “small businesses” excludes from coverage those entities that meet the definition of “a small business as defined by the United States Small Business Administration.”[3]
  • The law requires all businesses, including small businesses, to obtain opt-in consent before processing sensitive personal data.
  • Similar to other state comprehensive privacy laws, TDPSA excludes state agencies or political subdivisions of Texas, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education. But, TDPSA uniquely excludes electric utilities, power generation companies, and retail electric providers, as defined under Section 31.002 of the Texas Utilities Code.
  • Certain categories of information are also excluded, including health information protected by HIPAA or used in connection with human clinical trials, and information covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act of 1974, the Farm Credit Act of 1971, emergency contact information used for emergency contact purposes, and data necessary to administer benefits.

Don’t Mess with Texas Consumers

Texas’s longstanding libertarian roots are evidenced in the TDPSA’s strong menu of individual consumer privacy rights, including the right to:

  • Confirm whether a controller is processing the consumer’s personal data and access that data;
  • Correct inaccuracies in the consumer’s personal data, considering the nature of the data and the purposes of the processing;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to a controller in a portable and readily usable format, if the data is available digitally and it is technically feasible; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.

Data controllers are required to respond to consumer requests within 45 days, which may be extended by 45 days when reasonably necessary. The bill would also give consumers a right to appeal a controller’s refusal to respond to a request.

Controller Hospitality

The Texas bill imposes a number of obligations on data controllers, most of which are similar to other state consumer data privacy laws:

  • Data Minimization – Controllers should limit data collection to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection that have been disclosed to a consumer. Consent is required before processing information in ways that are not reasonably necessary or not compatible with the purposes disclosed to a consumer.
  • Nondiscrimination – Controllers may not discriminate against a consumer for exercising individual rights under the TDPSA, including by denying goods or services, charging different rates, or providing different levels of quality.
  • Sensitive Data – Consent is required before processing sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data processed for purposes of uniquely identifying an individual; personal data collected from a child known to be under the age of 13, and precise geolocation data.
    • The Senate version of the bill excludes data revealing “sexual orientation” from the categories of sensitive information, which differs from all other state consumer data privacy laws.
  • Privacy Notice – Controllers must post a privacy notice (e.g. website policy) that includes (1) the categories of personal data processed by the controller (including any sensitive data), (2) the purposes for the processing, (3) how consumers may exercise their individual rights under the Act, including the right of appeal, (4) any categories of personal data that the controller shares with third parties and the categories of those third parties, and (5) a description of the methods available to consumers to exercise their rights (e.g., website form or email address).
  • Targeted Advertising – A controller that sells personal data to third parties for purposes of targeted advertising must clearly and conspicuously disclose to consumers their right to opt-out.

Assessing the Privacy of Texans

Unlike some of the “business-friendly” privacy laws in Utah and Iowa, the Texas bill requires controllers to conduct data protection assessments (“Data Privacy Protection Assessments” or “DPPAs”) for certain types of processing that pose heightened risks to consumers. The assessments must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer, as mitigated by any safeguards that could reduce those risks. In Texas, the categories that require assessments are identical to those required by Connecticut’s consumer data privacy law and include:

  • Processing personal data for targeted advertising;
  • The sale of personal data;
  • Processing personal data for profiling consumers, if such profiling presents a reasonably foreseeable risk to consumers of unfair or deceptive treatment, disparate impact, financial, physical or reputational injury, physical or other intrusion upon seclusion of private affairs, or “other substantial injury;”
  • Processing of sensitive data; and
  • Any processing activities involving personal data that present a “heightened risk of harm to consumers.”

Opting Out and About

Businesses are required to recognize a universal opt-out mechanism for consumers (such as a Global Privacy Control signal), similar to provisions in Colorado, Connecticut, California, and Montana, but the law also gives businesses more leeway to disregard those signals if they cannot verify the consumer’s identity or lack the technical ability to receive the signal.

Show Me Some Swagger!

The Attorney General has the exclusive right to enforce the law, punishable by civil penalties of up to $7,500 per violation. Businesses have a 30-day right to cure violations upon written notice from the Attorney General. Unlike several other laws, the right to cure has no sunset provision and would remain a permanent part of the law. The law does not include a private right of action.

Next Steps for TDPSA Compliance

For businesses that have already developed a state privacy compliance program, especially those modeled around Colorado and Connecticut, making room for TDPSA will be a streamlined exercise. However, businesses that are starting from ground zero, especially “small businesses” defined in the law, need to get moving.

If TDPSA is your first ride in a state consumer privacy compliance rodeo, some first steps we recommend are:

  1. Update your website privacy policy for facial compliance with the law and make sure that notice is being given at or before the time of collection.
  2. Put procedures in place to respond to consumer privacy requests and to ask for consent before processing sensitive information.
  3. Gather necessary information to complete data protection assessments.
  4. Identify vendor contracts that should be updated with mandatory data protection terms.

Footnotes

[1] As of the date of publication, there are now 17 states that have passed state consumer data privacy laws (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Massachusetts, Montana, New Jersey, New Hampshire, Tennessee, Texas, Utah, Virginia) and two (Vermont and Minnesota) that are pending.

[2] See Code of Virginia – Chapter 53. Consumer Data Protection Act

[3] This is notably broader than other state privacy laws, which establish threshold requirements based on revenues or the amount of personal data that a business processes. It will also make it more difficult to know what businesses are covered because SBA definitions vary significantly from one industry vertical to another. As a quick rule of thumb, under the current SBA size standards, a U.S. business with annual average receipts of less than $2.25 million and fewer than 100 employees will likely be small, and therefore exempt from the TDPSA’s primary requirements.


Mid-Year Recap: Think Beyond US State Laws!

Much of the focus on US privacy has been US state laws, and the potential of a federal privacy law. This focus can lead one to forget, however, that US privacy and data security law follows a patchwork approach both at a state level and a federal level. “Comprehensive” privacy laws are thus only one piece of the puzzle. There are federal and state privacy and security laws that apply based on a company’s (1) industry (financial services, health care, telecommunications, gaming, etc.), (2) activity (making calls, sending emails, collecting information at point of purchase, etc.), and (3) the type of individual from whom information is being collected (children, students, employees, etc.). There have been developments this year in each of these areas.

On the industry side, there has been activity focused on data brokers, those in the health space, and those that sell motor vehicles. The FTC has focused on the activities of data brokers this year, beginning the year with a settlement with lead-generation company Response Tree. It also settled with X-Mode Social over the company’s collection and use of sensitive information. There has also been ongoing regulation and scrutiny of companies in the health space, including HHS’s new AI transparency rule. Finally, in this area is a new law in Utah, the Motor Vehicle Data Protection Act, applicable to data systems used by car dealers to house consumer information.

On the activity side, there has been less news, although in this area the “activity” of protecting information (or failing to do so) has continued to receive regulatory focus. This includes the SEC’s new cybersecurity reporting obligations for public companies, as well as minor modifications to Utah’s data breach notification law.

Finally, there have been new laws directed to particular individuals, in particular laws intended to protect children. These include social media laws in Florida and Utah, effective January 1, 2025 and October 1, 2024 respectively. These are similar to attempts to regulate social media’s collection of information from children in Arkansas, California, Ohio and Texas, but are, the drafters hope, sufficiently different to survive the challenges currently being faced by those laws. The FTC is also exploring updates to its decades-old Children’s Online Privacy Protection Act.

Putting It Into Practice: As we approach the mid-point of the year, now is a good time to look back at privacy developments over the past six months. There have been many developments in the privacy patchwork, and companies may want to take the time now to ensure that their privacy programs have incorporated and addressed those laws’ obligations.


HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document (yet allows additional supporting information or documentation needed for the request to be submitted with the attestation, for example, a clearly labelled subpoena). While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Privacy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe, among other things, the types of uses and disclosures of PHI that are prohibited under 45 CFR § 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care, and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and on the processes and procedures that may change as well. Covered entities and business associates will also likely want to incorporate these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

FTC: Three Enforcement Actions and a Ruling

In today’s digital landscape, the exchange of personal information has become ubiquitous, often without consumers fully comprehending the extent of its implications.

The recent actions undertaken by the Federal Trade Commission (FTC) shine a light on the intricate web of data extraction and mishandling that pervades our online interactions. From the seemingly innocuous permission requests of game apps to the purported protection promises of security software, consumers find themselves at the mercy of data practices that blur the lines between consent and exploitation.

The FTC’s proposed settlements with companies like X-Mode Social (“X-Mode”) and InMarket, two data aggregators, and Avast, a security software company, underscore the need for businesses to appropriately secure and limit the use of consumer data, including information previously considered innocuous, such as browsing and location data. In a world where personal information serves as currency, ensuring consumer privacy compliance has never been more critical – or posed such a commercial risk for failing to get it right.

X-Mode and InMarket Settlements: The proposed settlements with X-Mode and InMarket concern numerous allegations based on the mishandling of consumers’ location data. Both companies supposedly collected precise location data through their own mobile apps and those of third parties (through software development kits). X-Mode is alleged to have sold precise location data (advertised as being 70% accurate within 20 meters or less) linked to timestamps and unique persistent identifiers (i.e., names, email addresses, etc.) of its consumers to private government contractors without obtaining proper consent. Plotting this data on a map makes it easy to reveal each person’s movements over time.

InMarket purportedly utilized location data to cross-reference such data with points of interest to sort consumers into particularized audience segments for targeted advertising purposes without adequately informing consumers – examples of audience segments include parents of preschoolers, Christian church attendees, and “wealthy and not healthy,” among other groupings.

Avast Settlement: Avast, a security software company, allegedly sold granular and re-identifiable browsing information of its consumers despite assuring consumers it would protect their privacy. Avast allegedly collected extensive browsing data of its consumers through its antivirus software and browser extensions while assuring its consumers that their browsing data would only be used in aggregated and anonymous form. The data collected by Avast revealed visits to various websites that could be attributed to particular people and allowed for inferences to be drawn about such individuals – examples include academic papers on symptoms of breast cancer, education courses on tax exemptions, government jobs in Fort Meade, Maryland with a salary over $100,000, links to FAFSA applications, and directions from one location to another, among others.

Sensitivity of Browsing and Location Data

It is important to note that none of the underlying datasets in question contained traditional types of personally identifiable information (e.g., name, identification numbers, physical descriptions, etc.) (“PII”). Even so, the three proposed settlements by the FTC underscore the sensitive nature of browsing and location data due to the insights such data reveals, such as religious beliefs, health conditions, and financial status, and the ease with which the insights can be linked to certain individuals.

In the digital age, the amount of data available about individuals online and collected by various companies makes the re-identification of individuals easier every day. Even when traditional PII is not included in a data set, by linking sufficient data points, a profile or understanding of an individual can be created. When such a profile is then linked to an identifier (such as a username, phone number, or email address provided when downloading an app or setting up an account on an app) and cross-referenced with various publicly available data, such as name, email, phone number, or content on social media sites, it can allow for deep insights into an individual. Despite the absence of traditional types of PII, such data poses significant privacy risks due to the potential for re-identification and the intimate details about individuals’ lives that it can divulge.

The FTC emphasizes the imperative for companies to recognize and treat browsing and location data as sensitive information and to implement appropriate, robust safeguards to protect consumer privacy. This is especially true when the data set includes information with the precision of that cited by the FTC in its proposed settlements.

Accountability and Consent

With browsing and location data, there is also a concern that the consumer may not be fully aware of how their data is used. For instance, Avast claimed to protect consumers’ browsing data and then sold that very same browsing information, often without notice to consumers. When Avast did inform customers of its practices, the FTC claims it deceptively stated any sharing would be “anonymous and aggregated.” Similarly, X-Mode claimed it would use location data for ad personalization and location-based analytics. Consumers were unaware such location data was also sold to government contractors.

The FTC has recognized that a company may need to process an individual’s information to provide them with services or products requested by the individual. The FTC also holds that such processing does not mean the company is then free to collect, access, use, or transfer that information for other purposes (e.g., marketing, profiling, background screening, etc.). Essentially, purpose matters. As the FTC explains, a flashlight app provider cannot collect, use, store, or share a user’s precise geolocation data, nor can a tax preparation service use a customer’s information to market other products or services.

If companies want to use consumer personal information for purposes other than providing the requested product or services, the FTC states that companies should inform consumers of such uses and obtain consent to do so.

The FTC aims to hold companies accountable for their data-handling practices and ensure that consumers are provided with meaningful consent mechanisms. Companies should handle consumer data only for the purposes for which data was collected and honor their privacy promises to consumers. The proposed settlements emphasize the importance of transparency, accountability, meaningful consent, and the prioritization of consumer privacy in companies’ data handling practices.

Implementing and Maintaining Safeguards

Data, especially specific data that provide insights and inferences about individuals, is extremely valuable to companies, but it is that same data that exposes such individuals’ privacy. Companies that sell or share information sometimes include limitations for the use of the data, but not all contracts have such restrictions or sufficient restrictions to safeguard individuals’ privacy.

For instance, the FTC alleges that some of Avast’s underlying contracts did not prohibit the re-identification of Avast’s users. Where Avast’s underlying contracts prohibited re-identification, the FTC alleges that purchasers of the data were still able to match Avast users’ browsing data with information from other sources if the information was not “personally identifiable.” Avast also failed to audit or confirm that purchasers of data complied with its prohibitions.

The proposed complaint against X-Mode recognized that at least twice, X-Mode sold location data to purchasers who violated restrictions in X-Mode’s contracts by reselling the data they bought from X-Mode to companies further downstream. The X-Mode example shows that even when restrictions are included in contracts, they may not prevent misuse by subsequent downstream parties.

Ongoing Commitment to Privacy Protection

The FTC stresses the importance of obtaining informed consent before collecting or disclosing consumers’ sensitive data, as the disclosure of such data can violate consumer privacy and expose them to various harms, including stigma and discrimination. While privacy notices, consent, and contractual restrictions are important, the FTC emphasizes they need to be backed up by action. Accordingly, the FTC’s proposed orders require companies to design, implement, maintain, and document safeguards to protect the personal information they handle, especially when it is sensitive in nature.

What Does a Company Need To Do?

Given the recent enforcement actions by the FTC, companies should:

  1. Consider the data they collect and whether such data is needed to provide the services and products requested by the consumer and/or to meet a legitimate business need in support of providing such services and products (e.g., billing, ongoing technical support, shipping);
  2. Consider browsing and location data as sensitive personal information;
  3. Accurately inform consumers of the types of personal information collected by the company, its uses, and parties to whom it discloses the personal information;
  4. Collect, store, use, or share consumers’ sensitive personal information (including browser and location data) only with such consumers’ informed consent;
  5. Limit the use of consumers’ personal information solely to the purposes for which it was collected and not market, sell, or monetize consumers’ personal information beyond such purpose;
  6. Design, implement, maintain, document, and adhere to safeguards that actually maintain consumers’ privacy; and
  7. Audit and inspect service providers and third-party companies downstream with whom consumers’ data is shared to confirm they are (a) adhering to and complying with contractual restrictions and (b) implementing appropriate safeguards to protect such consumer data.

Eleventh Circuit Affirms Dismissal of FCRA Claims Since Alleged Inaccurate Information Was Not Objectively and Readily Verifiable

In Holden v. Holiday Inn Club Vacations Inc., No. 22-11014, No. 22-11734, 2024 WL 1759143 (11th Cir. 2024), which was a consolidated appeal, the United States Court of Appeals for the Eleventh Circuit (“Eleventh Circuit” or “Court”) held that the purchasers of a timeshare did not have actionable FCRA claims since the alleged inaccurate information reported to one of the consumer reporting agencies (“CRAs”) was not objectively and readily verifiable. In doing so, the Eleventh Circuit affirmed two decisions issued by the United States District Court for the Middle District of Florida (“District Court”) granting summary judgment in favor of the timeshare company in the respective cases.

Summary of Facts and Background

Two consumers, Mark Mayer (“Mayer”) and Tanethia Holden (“Holden”), entered into two separate purchase agreements with Holiday Inn Club Vacations Incorporated (“Holiday”) to acquire timeshare interests in Cape Canaveral and Las Vegas, respectively. Holiday is a timeshare company that allows customers to purchase one or more of its vacation properties in weekly increments that can be used annually during the designated period. As part of the transaction, Holiday’s customers typically elect to finance their timeshare purchases through Holiday, which results in the execution of a promissory note and mortgage.

  1. Mayer’s Purchase, Default, and Dispute

On September 15, 2014, Mayer entered into his purchase agreement with Holiday, which contained a title and closing provision stating the transaction would not close until Mayer made the first three monthly payments, and Holiday recorded a deed in Mayer’s name. The purchase agreement also included a purchaser’s default provision stating that upon Mayer’s default or breach of any of the terms or conditions of the agreement, all sums paid by Mayer would be retained by Holiday as liquidated damages and the parties to the purchase agreement would be relieved from all obligations thereunder. Further, the purchase agreement provided that any payments made under a related promissory note prior to the closing would be subject to the purchaser’s default provision. On the same day, Mayer executed a promissory note to finance his timeshare purchase, which was for a term of 120 months. On July 13, 2015, Holiday recorded a deed in Mayer’s name, and he proceeded to tender timely monthly payments until May 2017. As a result of Mayer’s failure to tender subsequent payments, Holiday reported Mayer’s delinquency to the CRA.

Approximately two years later, Mayer obtained a copy of his credit report and discovered Holiday had reported a past-due balance. Thereafter, Mayer sent multiple letters to the CRA disputing the debt, as he believed the purchase agreement was terminated under the purchaser’s default provision. Each dispute was communicated to Holiday, who in turn certified that the information was accurately reported. Mayer sued Holiday for an alleged violation of 15 U.S.C. § 1681s-2(b) of the FCRA based on the furnishing of inaccurate information and failure to “fully and properly re-investigate” the disputes. Holiday eventually moved for partial summary judgment, which the District Court granted. The District Court reasoned that the underlying issue of whether the default provision excused Mayer’s obligation to keep paying was a legal dispute rather than a factual inaccuracy and, in turn, made Mayer’s claim not actionable under the FCRA. Mayer timely appealed to the Eleventh Circuit.

  2. Holden’s Purchase, Default, and Dispute

On June 25, 2016, Holden entered into her purchase agreement with Holiday, which contained a nearly identical title and closing provision to that of Mayer’s purchase agreement. Additionally, Holden’s purchase agreement incorporated a similar purchaser’s default provision. Similarly, Holden executed a promissory note to finance her timeshare purchase, which was for a term of 120 months, and entered into a mortgage to secure the payments under the note. After making her third payment, Holden defaulted and hired an attorney to cancel the purchase agreement pursuant to the closing and title provision and purchaser’s default provision. However, Holiday disputed the purchase agreement was canceled and, on June 19, 2017, recorded a timeshare deed in Holden’s name. More importantly, Holiday reported Holden’s delinquent debt to the CRA.

In response, Holden’s attorney sent three dispute letters to Holiday, which resulted in Holiday investigating the dispute and determining the reporting was accurate since Holden was still obligated under the note. Eventually, Holden sued Holiday for various violations of Florida State law and the FCRA. Holden claimed Holiday reported inaccurate information to the CRA, failed to conduct an appropriate investigation, and failed to correct the inaccuracies. The parties filed competing motions for partial summary judgment, which ended with the District Court granting Holiday’s motion and denying Holden’s motion. Specifically, the District Court held that Holden’s FCRA claim failed because contract disputes regarding whether Holden still owed the underlying debt are legal disputes and not factual inaccuracies. Holden timely appealed to the Eleventh Circuit.

The Fair Credit Reporting Act

As the Eleventh Circuit reiterated in Holden, when a furnisher is notified of a consumer’s dispute, the furnisher must undertake the following three actions: (1) conduct an investigation surrounding the disputed information; (2) review all relevant information provided by the CRA; and (3) report the results of the investigation to the CRA. When a furnisher determines an item of information disputed by a consumer is incomplete, inaccurate, or cannot be verified, the furnisher is required to modify, delete, or permanently block reporting of the disputed information. See 15 U.S.C. § 1681s-2(b)(1)(E). Additionally, any disputed information that a furnisher determines is inaccurate or incomplete must be reported to all other CRAs. See 15 U.S.C. § 1681s-2(b)(1)(D). Despite the foregoing, consumers have no private right of action against furnishers merely for reporting inaccurate information to the CRAs. The only private right of action a consumer may assert against a furnisher is for a violation of 15 U.S.C. § 1681s-2(b) for failure to conduct a reasonable investigation upon receiving notice of a dispute from a CRA. See 15 U.S.C. § 1681s-2(c)(1).

To successfully prove an FCRA claim, the consumer must demonstrate the following: (1) the consumer identified inaccurate or incomplete information that the furnisher provided to the CRA; and (2) the ensuing investigation was unreasonable based on some facts the furnisher could have uncovered that establish the reported information was inaccurate or incomplete.

The Eleventh Circuit’s Decision

In affirming the District Court’s decisions granting summary judgment and dismissing the FCRA claims, the Eleventh Circuit clarified that whether the alleged inaccuracy was factual or legal was “beside the point. Instead, what matters is whether the alleged inaccuracy was objectively and readily verifiable.” Specifically, the Eleventh Circuit cited to Erickson v. First Advantage Background Servs. Corp., 981 F. 3d 1246, 1251-52 (11th Cir. 2020), which defined “accuracy” as “freedom from mistake or error.” The Eleventh Circuit continued by reiterating that “when evaluating whether a report is accurate under the [FCRA], we look to the objectively reasonable interpretations of the report.” As such, “a report must be factually incorrect, objectively likely to mislead its intended user, or both to violate the maximal accuracy standards of the [FCRA].”

Based on this standard, the Eleventh Circuit held that the alleged inaccurate information on which Mayer and Holden based their FCRA claims was not objectively and readily verifiable since the information stemmed from contractual disputes without simple answers. As such, the Eleventh Circuit found that Holiday took appropriate action upon receiving Mayer and Holden’s disputes by assessing the issues and determining whether the respective debts were due and/or collectible, which thereby satisfied its obligation under the FCRA. While Mayer and Holden argued to the contrary, the Eleventh Circuit held that the resolutions of these contract disputes were not straightforward applications of the law to facts. In support of its decision, the Eleventh Circuit cited to the fact that Florida State courts have reviewed similar timeshare purchase agreements and reached conflicting conclusions about whether the default provisions excused a consumer’s obligation to pay the underlying debt.

Conclusion

Holden is a limited victory for furnishers, as the Eleventh Circuit declined to impose a bright-line rule that only purely factual or transcription errors are actionable under the FCRA and held a court must determine whether the alleged inaccurate information is “objectively and readily verifiable.” Accordingly, there are situations when furnishers are required by the FCRA to accurately report information derived from the readily verifiable and straightforward application of the law to facts. One example of such a situation is misreporting the clear effect of a bankruptcy discharge order on certain types of debt. Thus, furnishers should revisit their investigation and verification procedures so they do not run afoul of the FCRA. Furnishers should also continue to monitor for developing case law as other circuit courts confront these issues.

A New Day for “Natural” Claims?

On May 2, the Second Circuit upheld summary judgment in favor of KIND in a nine-year-old lawsuit challenging “All Natural” claims. In Re KIND LLC, No. 22-2684-cv (2d Cir. May 2, 2024). Although only time will tell, this Circuit decision, in favor of the defense, may finally change plaintiffs’ appetite for “natural” cases.

Over the many years of litigation, the lawsuit consolidated several class action filings from New York, Florida, and California into a single multi-district litigation with several different lead plaintiffs. All plaintiffs alleged that “All Natural” claims for 39 KIND granola bars and other snacks were deceptive. Id. at 3. Plaintiffs had alleged that the following ingredients rendered the KIND bars not natural: soy lecithin, soy protein isolate, citrus pectin, glucose syrup/”non-GMO” glucose, vegetable glycerine, palm kernel oil, canola oil, ascorbic acid, vitamin A acetate, d-alpha tocopheryl acetate/vitamin E, and annatto.

The Second Circuit found that, in such cases, the relevant state laws followed a “reasonable consumer standard” of deception. Id. at 10. Further, according to the Second Circuit, the “Ninth Circuit has helpfully explained” that the reasonable consumer standard requires “‘more than a mere possibility that the label might conceivably be misunderstood by some few consumers viewing it in an unreasonable manner.’” Id. (quoting McGinity v. Procter & Gamble Co., 69 F.4th 1093, 1097 (9th Cir. 2023)). Rather, there must be “‘a probability that a significant portion of the general consuming public or of targeted consumers, acting reasonably in the circumstances, could be misled.’” Id. To defeat summary judgment, the plaintiffs would need to present admissible evidence showing how “All Natural” tends to mislead under this standard.

The Second Circuit agreed with the lower court that plaintiffs’ deposition testimony failed to provide such evidence where it failed to “establish an objective definition” representing reasonable consumer understanding of “All Natural.” Id. at 28. While one plaintiff believed the claim meant “not synthetic,” another thought it meant “made from whole grains, nuts, and fruit,” while yet another believed it meant “literally plucked from the ground.” Id. The court observed that plaintiffs “fail[ed] to explain how a trier of fact could apply these shifting definitions.” Id. The court next rejected as useful evidence a dictionary definition of “natural,” which stated, “existing or caused by nature; not made or caused by humankind.” Id. at 29. The court reasoned that the dictionary definition was “not useful when applied to a mass-produced snack bar wrapped in plastic” – something “clearly made by humans.” Id.

The court, finally, upheld the lower court’s decision to exclude two other pieces of evidence the plaintiffs offered. First, the Second Circuit agreed that a consumer survey was subject to exclusion where leading questions biased the results. Id. at 21-22. The Second Circuit also agreed that an expert report by a chemist lacked relevance where it assessed “typical” sourcing of ingredients, not necessarily how KIND’s ingredients were manufactured or sourced. Id. at 22-24.

© 2024 Keller and Heckman LLP
by: Food and Drug Law at Keller and Heckman of Keller and Heckman LLP