Cerebral fined $7 million by the FTC, New Colorado Law Protects Neurological Data, a Federal Privacy Bill is Gaining Traction, and More

Privacy News You Need For April 19th, 2024

This week has been buzzing with privacy-related news, especially on the legislative front. The U.S. House Energy and Commerce Committee’s Innovation, Data, and Commerce Subcommittee held a hearing on the draft legislation for a new comprehensive federal privacy law, and two state laws passed in Nebraska and Maryland, pending signatures from their governors. The Consumer Financial Protection Bureau (CFPB) announced plans to enhance protections against the sharing of financial data with data brokers. Meanwhile, Colorado made history with the first U.S. law recognizing neurological and biological data as sensitive. Lastly, the Federal Trade Commission (FTC) took decisive action against Cerebral for sharing health data without consent.

Let’s dive in.

FTC order bans telehealth company Cerebral from using or disclosing sensitive data for advertising and mandates a $7 million payment.

The FTC has proposed an order prohibiting telehealth firm Cerebral from using or disclosing sensitive consumer data for advertising purposes. The order will also require Cerebral to pay over $7 million in penalties.

According to the FTC’s complaint, Cerebral failed to secure and protect its customers’ sensitive health data. The company claimed it offered “safe, secure, and discreet” services, but in reality, it disclosed consumers’ sensitive mental health conditions to third parties like LinkedIn, Snapchat, and TikTok for advertising. The proposed order will permanently ban Cerebral from using or disclosing consumers’ personal and health information to third parties for most commercial purposes. It will also require the company to provide consumers with an easy way to cancel their Cerebral services.

FTC Chair Lina Khan stated that Cerebral’s actions violated its customers’ privacy by revealing their sensitive mental health data across the internet and in the mail. The order aims to address this “betrayal” of consumer trust. Overall, the FTC is taking enforcement action to restrict how Cerebral can handle and share its customers’ sensitive health data in the future while also penalizing the company for its past privacy violations.

Colorado Passes a Privacy Bill to Safeguard Neurological and Biological Data

Colorado has passed new legislation that treats consumer brain data as private, sensitive information. The law broadens the definition of “sensitive data” in the state’s existing privacy law to encompass biological and neural data generated by the brain, spinal cord, and nervous system.

This marks the first such law in the United States, as consumer neurotechnology data has primarily remained unregulated. Unlike medical data, the data collected by consumer brain-monitoring devices like meditation headbands and dating apps is not covered by federal health privacy laws. The law targets this loophole, requiring companies to obtain affirmative consent before collecting or sharing this sensitive neural data. It also gives consumers the right to delete their brain data.

This law is the latest in a broader trend of states updating their privacy laws to cover emerging technologies such as neural data. Other states, including Minnesota and California, are considering similar “neurorights” legislation.

A Draft of a U.S. Federal Privacy Bill, The American Privacy Rights Act, Gains Momentum

The U.S. House subcommittee held a hearing to discuss the draft American Privacy Rights Act (APRA), a bipartisan and bicameral effort to create a federal privacy law. The draft APRA proposes provisions on data minimization, targeted advertising limitations, and enforcement mechanisms, which lawmakers and witnesses praised. The APRA aims to replace the existing patchwork of state privacy laws and give consumers more control over their personal information.

Some of the key provisions of the American Privacy Rights Act (APRA) draft legislation include:

  • Giving consumers broad privacy rights, including the right to access, correct, delete, and port their personal data, as well as opt out of targeted advertising and certain data processing activities.
  • Requiring covered businesses to designate privacy/data security officers, meet transparency requirements like detailed privacy policies, and adhere to data minimization and security standards.
  • Prohibiting covered businesses from collecting or transferring sensitive data like biometrics without affirmative consent from the consumer.
  • Establishing enforcement mechanisms, including federal agency enforcement by the FTC and a private right of action for consumers.
  • Largely preempting existing state privacy laws, while preserving the strongest provisions from laws in states like California, Illinois, and Washington.
  • Providing safe harbors for entities already complying with specific federal privacy laws like HIPAA and FCRA, though failure to comply with those laws could still make the APRA’s requirements apply.
  • Tasking the FTC with issuing guidance on implementing key provisions like data minimization and safe harbors.

Maryland Online Data Privacy Act of 2024 Passes the Senate

Despite ongoing federal privacy legislation efforts, U.S. states continue to pass comprehensive privacy laws. Maryland is the latest state to do so, passing one of the country’s strictest laws.

The Maryland law has several notable provisions, including:

  • Broad data minimization standards for businesses that control or process personal data on over 35,000 consumers, or that derive 20% of their revenue from selling the data of over 10,000 consumers.
  • An “all-out” ban on the use of facial recognition technology, with limited exceptions.
  • Granting consumers rights like access, correction, deletion, and data portability of their personal information.

The nuance and strength of state privacy laws vary, but Maryland’s data minimization and facial recognition restrictions set it apart from other state laws passed so far. This bill is still waiting to be signed into law by the state’s governor.

Nebraska Passes the Data Privacy Act (LB 1074)

Nebraska has passed a new consumer data privacy law that largely follows the Texas Data Privacy and Security Act. The Nebraska law applies to businesses that conduct business in the state, process or sell personal data, and are not considered small businesses under federal standards. It grants consumers rights such as access, correction, deletion, and opting out of data sales and targeted advertising.

The law recognizes universal opt-out mechanisms, following the Texas model, but only requires businesses to honor them if they are already obligated to do so under another state’s law. Unlike Texas, it does not mandate additional disclosures for the sale of sensitive data. In short, it keeps the key elements of the Texas law while diverging in a few areas, notably the universal opt-out requirements. Nebraska’s law will take effect once the governor signs it.