US Privacy News Roundup | February 2023

Illinois fails to pass their Consumer Privacy Act and makes a ruling that could result in billions of dollars in fines

A state consumer privacy bill failed to garner support in Illinois. The Illinois state House of Representatives adjourned its 2023 session without passing HB 3910, the Consumer Privacy Act.

On February 17th, Illinois ruled that under the Biometric Information Privacy Act (BIPA) companies violate the state's biometric privacy law each time they misuse a person's private information, not just the first time. This ruling could subject businesses to billions of dollars in penalties.

For more information about biometric data, read the Han Santos Biometric Data terms and reference page.

President Biden calls for legislative action to protect minors’ online privacy rights

During President Biden’s State of the Union address, he highlighted the need for bipartisan legislation on the collection of minors' and others' personal data.

The President also focused on the need for protections against targeted advertising towards children and for social media platform transparency for US data subjects while highlighting the bipartisan opportunity for legislative action.

FTC fines GoodRX $1.5 million civil penalty

The Federal Trade Commission filed a proposed order against GoodRx, a U.S. healthcare company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty.

This case signals an increase in the FTC's use of its unfairness authority in privacy cases, with some important takeaways for privacy programs that handle health-related data.

San Francisco judge sanctions Meta for sharing user information with third-parties

U.S. District Judge Vince Chhabria in San Francisco ordered Meta, Facebook’s parent company, and the law firm Gibson Dunn to pay about $925,000 in a data privacy lawsuit over the company’s sharing of user information with third-parties.

Judge Chhabria said Meta and Gibson Dunn attempted to make the litigation unnecessarily difficult and expensive for the plaintiffs. The court had ordered Facebook to turn over data it had collected on the plaintiffs in the case, regardless of whether it had been shared.

The Digital Advertising Alliance releases specifications to help with user choice experience

The Digital Advertising Alliance announced a joint approach to privacy controls and user consent management for both websites and mobile applications. The coalition's approach features "interface guidelines and technical specifications" for brands and publishers to "simplify and improve the user experience" through consent management platforms and the AdChoices program.

State bills regarding genetic information privacy advanced in Virginia, Tennessee, and New York

In Tennessee, the Genetic Information Privacy Act (SB 1295) would require companies to disclose to consumers essential information about a company’s collection, use, and disclosure of genetic information, including obtaining consumer’s initial express consent. In Virginia, SB 1087 would similarly regulate companies using biometric data. In New York, SB S4457 would require private entities in possession of biometric identifiers or biometric information to develop a written compliance plan.

A Michigan class-action lawsuit against The Economist results in a $9.5 million settlement

The Economist publisher agreed to a settlement in a Michigan class-action lawsuit, where it was alleged the magazine sold subscriber information to third parties without their consent. Plaintiffs alleged the sale of their subscription information without their consent violated the Michigan Preservation of Personal Privacy Act. Under the terms of the agreement, The Economist did not admit wrongdoing but paid a $9.5 million settlement.

California finalizes regulations for the California Privacy Rights Act

The California Privacy Protection Agency Board voted 4-0 at its latest meeting to finalize its first set of proposed California Privacy Rights Act regulations. The regulations will now be sent to the California Office of Administrative Law for review and approval. The agency expects the final regulations to take effect sometime in April.


Use of, access to, and information exchanged on this web page or any of the e-mail links contained within it cannot and does not create an attorney-client relationship between Han Santos, PLLC, and the user or browser. Please do not post any personal or confidential information. You should contact your attorney to obtain advice with respect to any particular issue or problem. Contact us for additional information. One of our lawyers will be happy to discuss the possibility of representation with you. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.