PRIVACY & DATA SECURITY
Amazon Faces First Health Privacy Lawsuit Under Washington’s My Health My Data Act
A Washington resident has filed the first lawsuit under the state’s landmark My Health My Data Act, accusing Amazon of unlawfully collecting and monetizing location data from millions of mobile phone users through third-party apps using its software development kit, including the Weather Channel App, OfferUp, and CallerIDBlocker. The lawsuit, which seeks class action status, alleges that Amazon violated the state’s health privacy law by covertly gathering consumer health data without consent, using the data for its own targeted advertising activity, and selling the data to third parties. Additionally, the suit alleges violations of federal wiretap laws, and other consumer protection statutes related to collection methods. The plaintiff seeks compensatory and statutory damages, an injunction, and other remedies.
BUSINESSES NEED TO KNOW: The lawsuit is just one of several recently filed across the country targeting Amazon’s alleged data collection and usage practices. However, it is the first to claim violations of the My Health My Data Act, which generally requires companies to obtain consent to collect and share data that identifies the consumer’s past, present, or future health status, which includes wellness, nutrition, fitness, location, and other health-related data. The law is significantly broader than the federal Health Insurance Portability and Accountability Act. My Health My Data law is also one of few U.S. privacy laws that offers consumers a private right of action seeking treble damages of up to $25,000 per violation. The outcome could set a significant precedent for digital privacy rights and corporate data security practices.
Want to know more? Listen to this video by M&S privacy attorney, Joshua Stevens.
Check out our latest blog
M&S News & Insights: Understanding UDAP Frameworks: A Key to Privacy Compliance
TCPA/TELESERVICES
FCC Expands “Do Not Originate” Rules to Combat Illegal Robocalls
The FCC has adopted new rules expanding the use of “do-not-originate” lists to block calls that are highly likely to be illegal, such as numbers designed to receive calls but not make them, in addition to unused, unallocated, and invalid numbers. The new rules will require all voice service providers in a call path to block calls purporting to come from numbers appearing on a reasonable do-not-originate list. Additionally, voice service providers will also need to designate a specific code to notify callers when their calls are blocked in an effort to provide greater clarity and prevent future erroneous blocking for legitimate callers. The new rule follows a similar, more expansive order considered in September that also included text messages.
BUSINESSES NEED TO KNOW: With more voice service providers needing to comply with the FCC’s “do not originate” rules, businesses should ensure their providers are up-to-date with these regulations to avoid disruptions.
Voice Service Provider Faces Hefty $4.5M Penalty for Allowing Robocall Traffic
The FCC proposed a nearly $4.5M fine against voice service provider Telnyx LLC for allowing government imposter robocalls to originate on its network, marking the first Commission-level action under recently appointed chair Brendan Carr. These calls targeted, among others, FCC staff and their families, falsely claiming to be from an FCC “Fraud Prevention Team.” The FCC has gone after the service provider with full force with a Notice of Apparent Liability (NAL) alleging Telnyx failed to take affirmative, effective measures (commonly referred to as “know your customer” or KYC diligence) to verify the caller’s identity and thus prevent the malicious caller from using its network to originate illegal voice traffic.
BUSINESSES NEED TO KNOW: Telynx has responded strongly to the agency’s NAL so we’ll see how this legal fight ultimately plays out. However, keep in mind that KYC diligence is not just solid business advice, it’s a legal requirement for voice service providers, whom regulators consider to be the frontline when it comes to keeping illegal robocalls off public voice networks. Under FCC rules, all voice service providers are obligated to do their due diligence and verify their customers before allowing them to originate calls.
ADVERTISING & MARKETING
FTC Fines DoNotPay for Deceptive Claims About AI “Robot Lawyer”
The FTC finalized an enforcement order against DoNotPay, requiring the company to stop making deceptive claims about its AI chatbot, marketed as “the world’s first robot lawyer.” The FTC alleged that DoNotPay made deceptive claims about its AI chatbot, including that the service could substitute for the expertise of a human lawyer and save consumers legal fees. DoNotPay did not test whether its “AI lawyer” operated to the level of a human lawyer when generating legal documents and giving advice and did not hire or retain attorneys to test the quality and accuracy of its service’s law-related features. The order mandates DoNotPay to pay $193,000 in monetary relief, notify affected consumers, and refrain from advertising its service as equivalent to a real lawyer without sufficient evidence.
BUSINESSES NEED TO KNOW: As AI-driven business services rapidly grow, beware of lofty performance and cost-savings promises, especially when it comes to high-risk services, such as financial, legal, or educational matters. State and federal laws prohibit unfair, deceptive, and abusive marketing misrepresentations. Thus, always ensure marketing claims are accurate and substantiated.
GENERAL COMPLIANCE
The Future of the CFPB (If There is One)
The Trump administration has denied plans to eliminate the Consumer Financial Protection Bureau (CFPB), despite closing its headquarters, placing employees on leave due to “disruptive protests,” canceling key vendor contracts, and pulling the plug on an increasing number of enforcement actions under acting Director Russell Vought. During his confirmation hearing, director-nominee Jonathan McKernan emphasized his commitment to following the law and maintaining the agency’s functions as defined by the Dodd-Frank Act. But will the embattled agency have any teeth?
BUSINESSES NEED TO KNOW: Long criticized by the industry for its regulatory overreach, it appears the CFPB may finally be brought to heel by the administration’s pro-business stance and aggressive push to rein in government bureaucracy and spending. This won’t be a quiet takedown, however. Expect a fight from alarmed consumer advocacy groups.
Coming next week – March 19th!
M&S Webinar – Privacy Watch: Lessons from the Front Lines: Navigating Privacy Enforcement
Learn how we can help keep you in compliance and ahead of the regulatory curve. Let’s Talk.
Want to receive Regulatory Roundups right to your inbox? Subscribe.