Countdown to Data Privacy Day 2025
January 21 - January 28, 2025
Data Privacy Standards in Healthcare May Be Ramping Up in New York State
January 28, 2025
By: Gabriel S. Oberfield Esq., M.S.J.
As New York State Gov. Kathy Hochul is navigating her FY ’26 budget proposal, the New York State Senate and Assembly are already busy with bill activity of their own as their legislative sessions get underway. Right out of the gate, the Senate and Assembly passed a digital privacy bill championed by Senator Liz Krueger and Assembly Member Linda Rosenthal.
The New York Health Information Privacy Act (NYHIPA) is intended to tighten up elements of data sharing and privacy – with potential implications across the healthcare space. The legislation is designed to ensure that apps storing ancillary data in the context of providing healthcare guidance on matters such as reproductive health first get permission before doing so. Another motivation is to prevent the sale of such data to those that might use the data for monitoring and tracking purposes.
Although some digital health entrepreneurs are allegedly pushing back on the bill and encouraging the governor not to sign it due to expected implementation costs, the governor may well create new law once the bill makes it to her desk.
If it is signed, the law will create a structure of sanctions, including fines, for mishandling of data under its standards. The bill is intended to bolt onto and enhance standards in New York State that go beyond the proverbial ‘floor’ set by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). Put another way, HIPAA-covered entities are exempt from the NYHIPA standards, but only to the extent the NYHIPA covers data that HIPAA otherwise would protect (i.e., PHI). Data falling outside HIPAA’s protection is fair game for the NYHIPA.
Bond’s various practice groups – among them the firm’s cybersecurity and data privacy, health and long-term care, and government and regulatory affairs teams – all will be monitoring the developments closely, including whether the Governor ultimately signs the legislation into law. We simply do not know whether the Governor will sign the bill, or when it might be signed, due to the nature of New York State’s legislative process: generally, the Governor will not officially consider a bill until it is formally sent to her for consideration. That could happen much later during 2025, or, possibly, sooner if the Governor is ready to proceed.
If you have questions with respect to how to prepare for the bill’s potential signing into law, please contact Gabriel S. Oberfield Esq., M.S.J. or the attorney at Bond with whom you work most regularly.
Parental Consent Requirements for Online Services: What School Districts Need to Know
January 27, 2025
By: Mario F. Ayoub and Andrew R. Mark
Google recently announced important updates affecting students' access to its wide range of services through Google Workspace for Education accounts, emphasizing the need for its school district clients to obtain parent/guardian consent. This information memo examines districts’ privacy compliance obligations pertaining to students’ use of online resources through the lens of Google’s new consent requirements.
Google’s Services in the Classroom Setting
Google Workspace for Education offers two types of services: "Core Services" and "Additional Services." Core Services, which include essentials like Gmail, Calendar, Classroom, Assignments, Forms, Docs, Slides and Meet, are universally accessible to all students through their school accounts. On the other hand, Additional Services encompass more general consumer programs such as YouTube, Maps, Photos, Play, Earth and Blogger. While Core Services are readily available, districts have the option to restrict access to Additional Services.
Google's recent notification introduces a new requirement: school districts must obtain parental consent annually for students under 18 to access any Additional Services. The deadline for confirming this consent is March 2025. Google’s new requirement is in line with notice and consent requirements imposed by the federal Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA), given that many Additional Services may involve tracking technology for advertising and other commercial purposes, which might necessitate redisclosure of personal information.
Legal Landscape
FERPA. Enacted in 1974, FERPA is the leading federal authority that safeguards the privacy of student education records. Generally, FERPA grants parents the right to access their children's education records, request amendments to inaccurate or misleading information and control the disclosure of personally identifiable information. Districts must obtain written consent from parents or eligible students before releasing any information from education records, except under specific conditions such as health and safety emergencies or compliance with judicial orders.
COPPA. Enacted in 1998, COPPA establishes restrictions on the collection of children’s data through websites and online services. Covered entities must provide a clear and comprehensive privacy policy, obtain verifiable parental consent before collecting personal information from children and offer parents the ability to review and delete their children's information.
Notably, COPPA generally allows districts to provide informed consent on behalf of their students, without the need to collect parent or guardian consent. Federal Trade Commission (FTC) guidance is clear, however, that this exception only extends to situations where educational institutions provide “personal information from students for the use and benefit of the school, and for no other commercial purpose.”[1] Thus, while student use of Google’s Core Services, such as Docs, Sheets and Slides, can all be reasonably construed to solely confer an educational benefit on a district, Google’s Additional Services, such as YouTube, may expose students to a variety of “commercial purpose” functionality such as behavioral advertising, activity tracking and user profiling that makes it difficult, and possibly unlawful, for educational institutions to consent on a parent’s behalf.
So, while FTC guidance provides some insight into how COPPA interacts with student privacy, its application to traditionally commercial online services in an academic setting is not completely clear. Thus, when in doubt, educational institutions should opt for a conservative approach and ensure that any notice and consent language provided to parents and guardians complies with COPPA. For more information on the application of COPPA, please refer to our recent information memo published last week and available here.
Ed Law 2-d. New York's Education Law Section 2-d (2-d) includes specific provisions regarding parent and guardian consent to protect the privacy of student data. Districts must obtain verifiable parental consent before disclosing a student's personally identifiable information to third-party contractors or vendors. This consent ensures that parents are fully informed about how their child's data will be used, stored and protected.
In response to Google's new requirement, the New York State Education Department has issued a letter reminding districts that compliance with FERPA is not the sole consideration. To allow students access to Additional Services, districts must also ensure these services are covered by a 2-d compliant data processing agreement (DPA) in addition to certain public disclosures regarding vendor data use. This dual compliance ensures that students' data is protected not only under federal law but also under the specific provisions of New York's education law, including 2-d’s prohibition on using student data for any commercial or marketing purpose.
Key Takeaways
If a district is considering whether to permit student access to Google’s Additional Services or other similar online services with potential commercial applications, educational institutions must keep the following compliance measures in mind:
- Parent/Guardian Consent – Obtain parental consent for students under 18 before enabling access to services that may contain commercial functionality. Google has provided a template notice and consent form to aid in this process, which can be tailored to meet the district's specific needs.
- Data Protection Agreement – Ensure a 2-d compliant DPA covers all online services a student may access using school IT resources. This often involves coordination with district IT professionals and guidance from outside privacy counsel. Note that large service providers like Google are unlikely to modify their own agreements and typically provide standard data processing terms. If introducing a district’s own terms is not feasible, districts should carefully review service provider terms to account for state- and industry-specific compliance requirements and to ensure the service provider’s DPA accurately captures the processing activities.
Bond attorneys regularly assist and advise clients on an array of data privacy and cybersecurity matters, including privacy compliance in educational settings. For more information regarding student data privacy and to discuss compliance efforts educational institutions should be taking, please contact Mario F. Ayoub, Andrew R. Mark or any attorney in Bond’s cybersecurity and data privacy practice.
[1] Federal Trade Commission. "Complying with COPPA: Frequently Asked Questions." Federal Trade Commission, www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions. Accessed 27 Jan. 2025.
FTC Releases Long Awaited Enhanced Protection for Children’s Online Privacy
January 24, 2025
By: Jessica Copeland, CIPP/US, Shannon Knapp, CIPP/A/US and Leah Dawit
At the beginning of this year, the FTC finalized significant changes to the rule implementing the Children’s Online Privacy Protection Act (COPPA). COPPA was enacted in 1998 and has been in effect since 2000; these recent amendments (the Amended Rule) are the first since 2013 and are an effort by the FTC to address the evolving digital landscape and its effects on children’s data privacy. The adopted changes range from amended definitions to new obligations. The Amended Rule will be published in the Federal Register and will take effect 60 days later. Generally, entities subject to the Amended Rule will have one year from publication to become fully compliant. Below we outline some of the key changes made by the Amended Rule:
Parental Opt-in Consent, Consent Methods and Third Party Disclosure
The Amended Rule introduces a requirement that organizations obtain separate and specific opt-in verifiable parental consent prior to using children’s data for targeted advertising or disclosing children’s personal information to third parties. Unlike current practice, the Amended Rule does not allow organizations to obtain one verifiable consent for all actions (such as collection, use and disclosure), and instead requires separate consent for disclosure and targeted advertising.
In addition, the Amended Rule expands COPPA’s recognition of permissible methods to obtain verifiable parental consent. Knowledge-based questions, facial recognition with a government issued ID, email plus certification and text plus verification are now all accepted methods.
The Amended Rule also expands parental disclosure requirements. Specifically, organizations are mandated to provide direct notice to parents listing all third parties (by name and category) to whom children’s personal information would be disclosed. The disclosure must also include details regarding the purpose of sharing the information and whether the information will be made publicly available. The disclosure must also indicate that the parent can consent to the collection and use of the child’s information without consenting to the disclosure of such information, except to the extent such disclosure is integral to the nature of the service or website.
Personal Information Definition
The Amended Rule expanded the definition of “personal information” to include biometric identifiers. The rules describe biometric identifiers to be an “identifier that can be used for the automated or semi-automated recognition of an individual, such as fingerprints; handprints; retina patterns; iris patterns; genetic data, including a DNA sequence; voiceprints; gait patterns; facial templates; or faceprints.”
Data Retention
Consistent with past precedent, the Amended Rule explicitly limits organizations’ ability to retain data. The Amended Rule requires organizations to have a written data retention policy that outlines the purpose for the collection, the business need for retaining such information and the timeframe for deletion. Such policy must be provided in the organization’s COPPA notice of information practices. Further, the Amended Rule expands on its previous retention limitations to include additional language reiterating that data must be securely deleted when it is no longer reasonably necessary for the purposes for which it was collected, and to explicitly prohibit indefinite retention.
Safe Harbor Program Transparency
The Amended Rule makes significant changes to COPPA’s safe harbor program. COPPA’s safe harbor program permits industry groups to self-regulate their member organizations and establish their own guidelines for COPPA compliance that are approved by the FTC. There are currently six FTC-approved safe harbor programs. Under the Amended Rule, there are increased transparency and review requirements, including that the safe harbor programs must review both the security programs and privacy programs of their members. Additionally, the safe harbor programs are now required to publicly disclose their membership lists, and during routine reviews they must provide the FTC with all consumer complaints and other additional information.
Omissions
One obvious omission from the Amended Rule is the FTC’s silence on how COPPA applies to the use of educational technology by schools and students. The Rule stated that, in an effort not to conflict with potential amendments by the Department of Education to the Family Educational Rights and Privacy Act (FERPA) that would clarify disclosure of personal information issues, the FTC chose not to finalize amendments to COPPA related to education technology and its role in schools.
Bond attorneys regularly assist and advise clients on an array of data privacy and cybersecurity matters. For more information regarding COPPA and to discuss compliance efforts businesses should be taking, please contact Jessica Copeland, CIPP/US, Shannon Knapp, CIPP/A/US, Leah Dawit or any attorney in Bond’s cybersecurity and data privacy practice.
Financial Data Privacy: CFPB Updates
January 23, 2025
By: Dori Bailey, Savanna Klinek and Shannon Knapp, CIPP/A/US.
The current federal framework for financial data privacy protections consists primarily of the Gramm-Leach-Bliley Act (the GLBA) and the Fair Credit Reporting Act (the FCRA), along with the respective implementing regulations of these laws. The Consumer Financial Protection Bureau (the CFPB) has been increasingly focused on emerging data privacy concerns and challenges facing consumers in the digital world, particularly as it relates to the existing protections under the GLBA, the FCRA and other federal law. Below we outline two updates from the CFPB concerning financial data privacy.
CFPB Personal Financial Data Rights Rule:
At the end of 2024, the CFPB announced its final rule regarding “Personal Financial Data Rights” (the Rule). The Rule implements Section 1033 of the Dodd-Frank Act, which provides consumers with the right to access and transfer their financial information between different financial institutions and other financial providers without cost. The goal of the Rule is to accelerate the shift to “open banking” and to increase competition within the financial services sector.
The Rule applies to Data Providers, which include banks, credit unions and other depository institutions, consumer credit lenders and payment facilitation companies. It also applies to third parties accessing consumer data, such as financial technology companies providing financial management tools. The Rule exempts small depository institutions with less than $850 million in assets from compliance with the Rule.
There are three main requirements that apply to Data Providers. Specifically, Data Providers are required to (1) make consumer data available without fees or charges to the consumers to whom the account relates, as well as any entity authorized to act on the consumer’s behalf; (2) establish and maintain an accessible developer interface for third parties to access consumer-authorized data; and (3) implement a standardized format that is usable to consumers and authorized third parties. The interface must have security safeguards consistent with GLBA and provide necessary disclosures to consumers to ensure they have the necessary information to make requests and use the interface. The standardized format can be obtained in multiple ways, including through industry standard-setting bodies, which issue consensus standards that providers can use to comply with the Rule. The CFPB has set varied compliance deadlines based on the size of the Data Provider, with the largest providers required to comply by April 1, 2026, and smaller providers given extended timelines spanning from 2027 to 2030.
CFPB Report Concerning Federal and State Privacy Protections for Consumers’ Financial Data:
At the end of 2024, the CFPB released a report identifying limits in federal privacy protections afforded by the FCRA and the GLBA and the impact on the protection of consumer financial data (the Report). Specifically, the Report notes that many states have enacted new data privacy laws that include exemptions for financial institutions that are separately required to comply with the GLBA and the FCRA. As a result, while such states provide consumers with greater protection and more control over their non-financial information (including the right to know what information a business has and the right to request deletion of such information), the CFPB believes that privacy protections for financial information now lag behind required safeguards under these state consumer privacy laws.
In the Report, the CFPB notes that although GLBA was groundbreaking in 1999 and provides important protections today, certain limitations in its framework have been identified, especially as consumers continue to use digital tools for their finances. The CFPB specifically points out that the focus of the GLBA on notice and opt-out rights is important, but that an opt-in approach that prohibits financial institutions from sharing information until the consumer affirmatively agrees could be more protective of consumer financial data. The Report further notes that consumers who do not wish to share information need to separately inform each financial institution that they are opting out. The CFPB believes that a global opt-out request mechanism whereby all financial institutions would be notified through one mechanism would better protect consumers. This type of global opt-out mechanism is already required under some state privacy laws.
The CFPB is also concerned that many state consumer privacy laws reach beyond exempting traditional financial institutions (such as banks and credit unions) and also exempt other businesses engaged in financial activities due to the broad definition of a financial institution under GLBA.
As a result of the above concerns, the CFPB is encouraging state lawmakers to consider how consumers are impacted by exemptions for financial institutions that are contained in the state consumer privacy laws.
The CFPB continues to focus on data privacy matters for consumers. If you have any questions about any of the information contained in this memo, please contact Dori Bailey, Savanna Klinek or Shannon Knapp, CIPP/A/US.
Employee Device Tracking in New York
January 22, 2025
By: Mario F. Ayoub and Paige M. Roseman
An employer’s implementation of GPS tracking devices in company-owned property, including vehicles or company-issued cell phones, requires different considerations depending on whether it is a unionized or non-unionized workplace.
Unionized Employers
In a unionized environment, an employer must determine whether the implementation of GPS tracking is a mandatory subject of bargaining. The Supreme Court has held that matters that are both “plainly germane to the working environment” and “not among those managerial decisions, which lie at the center of entrepreneurial control” are mandatory subjects of bargaining.
National Labor Relations Board (the Board) decisions analyzing use of surveillance cameras provide guidance here. For example, in Colgate-Palmolive Co., the Board held that the installation and use of hidden video surveillance is “germane to the working environment, and outside the scope of managerial decisions lying at the core of entrepreneurial control,” and “has the potential to affect the continued employment of employees whose actions are being monitored.” 323 NLRB 515, 515 (1997). As a result, the use of hidden cameras was deemed a mandatory subject of bargaining.
The Board clarified that the same rule applies for surveillance cameras which are in plain view. Several Board decisions have since held that the unilateral installation of openly visible surveillance cameras without providing the union the opportunity to bargain over the installation is a violation of Section 8(a)(5) of the National Labor Relations Act, which prohibits employers from engaging in unfair labor practices.
Both the courts and the Board have provided guidance on bargaining issues related to surveillance cameras. In particular, the Board has identified as bargainable subjects “the circumstances under which the cameras will be activated, the general areas in which they may be placed, and how affected employees will be disciplined if improper conduct is observed.”
While the Board has not explicitly addressed bargaining obligations for GPS tracking technology, the Board’s Office of General Counsel (OGC) has considered the installation of GPS devices a mandatory subject of bargaining under the rationale discussed previously. For example, the OGC found that the installation of GPS technology which collected and recorded data relating to the location, movement and operation of a company vehicle constitutes a mandatory subject of bargaining. The OGC reasoned that the GPS tracking system was an investigatory technique for monitoring employee misconduct, which is similar to other systems that have previously been deemed mandatory subjects, such as surveillance cameras.
Similarly, the OGC found that the installation and use of a GPS device to track an employee suspected of stealing time was a mandatory subject of bargaining.
Therefore, to the extent that an employer intends to implement GPS tracking of company-owned property, such as vehicles or company-issued cell phones, this decision is a mandatory subject of bargaining. The second level of analysis is whether the parties have already negotiated a resolution in their collective bargaining agreement. This involves a careful review of the applicable collective bargaining agreement to assess whether the company already has the right to deploy GPS tracking technology.
Non-unionized Employers
In non-unionized workplaces, the analysis is much simpler because the employer can unilaterally implement GPS tracking devices. However, in this situation, private employers are required to follow New York’s employee monitoring law. This law requires private employers to provide written notice to employees about any electronic monitoring, including GPS tracking.
This written notice must be given upon hiring and must be acknowledged by the employee either in writing or electronically. Employers are also required to post the notice of electronic monitoring in a “conspicuous place which is readily available for viewing by its employees.” Generally, this notice should be posted with the other required labor postings. You can read Bond’s previous blog post outlining these requirements here.
GPS Tracking in Other States
Given the myriad state consumer privacy laws, in addition to state-specific employment laws, GPS tracking outside of New York may be subject to other restrictions. U.S. state consumer privacy laws generally exclude data collected by employers from their scope. California’s CPRA, however, restricts the use of such data.
Bond’s cybersecurity and data privacy practice routinely assists employers with meeting state-specific regulatory requirements pertaining to data collection in the workplace. For more information, or if you would like assistance in complying with the employee monitoring law, please contact Mario F. Ayoub or Paige M. Roseman.
What to Expect From This Year's Countdown
January 21, 2025
By: Cybersecurity and Data Privacy Practice
Data Privacy Day is Jan. 28. First recognized in 2007, Data Privacy Day is an international effort to raise awareness about data privacy and to encourage the protection of personal information online. Every year, Bond counts down to Data Privacy Day with a targeted series of privacy-related articles that span a variety of practice areas and disciplines. This year, Bond will be exploring the topics listed below.
- Employee Cell Phone Monitoring: Mario Ayoub and Paige Roseman will explore data privacy and employment law considerations for organizations using mobile device management software to track employee cell phone use.
- Artificial Intelligence Tools: Jessica Copeland and Mario Ayoub will highlight the major privacy risks and mitigation strategies associated with common generative artificial intelligence tools such as ChatGPT, CoPilot and Google Gemini.
- Privacy Challenges in the Financial Services Industry: Dori Bailey, Shannon Knapp and Savanna Klinek will identify privacy concerns unique to the financial services industry.
- Children’s Online Privacy: Jessica Copeland and Shannon Knapp will outline key requirements mandated by the widely applicable Children’s Online Privacy Protection Act and examine recent FTC enforcement actions in this space.
- School Privacy Compliance: Andrew Mark and Mario Ayoub will discuss the growing use of online software and services in K-12 settings and critical education privacy obligations pertaining to informed parent/guardian consent and opt-out rights.
- Healthcare Privacy: Gabriel Oberfield will delve into privacy and data protection challenges facing healthcare providers and HIPAA covered entities through the lens of state and federal regulatory requirements.
- 2025 Data Privacy Preview: Amber Lawyer and Mario Ayoub will preview new privacy laws, regulations and guidance to prepare organizations in every industry for significant developments and unique compliance challenges coming in 2025.
If you'd like more information or if you have any questions, contact any attorney in Bond's cybersecurity and data privacy practice.