McDermott+ Check-Up: May 2, 2025

THIS WEEK’S DOSE

House Committees Begin Reconciliation Markups. Non-health-related committees moved forward this week, with the House Energy and Commerce Committee tentatively scheduled to mark up its legislative text in the coming weeks.
House Energy and Commerce Committee Advances Health Bills. The bills include the SUPPORT Act reauthorization and other public health legislation.
Senate Appropriations Committee Examines Biomedical Research. Senators voiced broad bipartisan support for federal research funding.
House Oversight and Government Reform Subcommittee on Cybersecurity, IT, and Government Innovation Holds Hearing on IT Modernization. The hearing examined how information technology (IT) modernization could impact the efficiency and functionality of the federal government.
Administration Releases FY 2026 “Skinny” President’s Budget. The fiscal year (FY) 2026 budget request is abbreviated, or “skinny,” which is common in a new administration and will be followed by a full budget request at a later date.
Administration Publishes Report on Gender-Affirming Care. The report outlines action taken to comply with an executive order and was followed by a published review of evidence for the treatment of gender dysphoria and the associated ethical considerations.
SCOTUS Rules Against DSH Hospitals. The Supreme Court of the United States (SCOTUS) sided with the administration in a challenge to how Medicare disproportionate share hospital (DSH) payments are calculated.

CONGRESS

House Committees Begin Reconciliation Markups. Multiple committees in the House – although none in the healthcare space – advanced their “committee prints” this week, which include the provisions within their jurisdiction for the House’s budget reconciliation package. This process will continue into the week of May 12, when the House Energy and Commerce Committee is tentatively scheduled to hold its markup to finalize the $880 billion in savings across Medicaid, the Children’s Health Insurance Program, and Medicare. The Ways and Means Committee is also signaling that it may be ready to move a tax package forward the same week.
Several Republicans representing competitive seats have been discussing with committee and House Republican leadership their concerns about policies that they perceive as cutting Medicaid. Rep. Bacon (R-NE) has publicly stated that he will not support more than $500 billion in Medicaid savings. The components most widely expected to be included in the Energy and Commerce Medicaid package include work requirements, more stringent and frequent eligibility verifications, and repeal of Biden-era Medicaid eligibility regulations. In recent days, focus also has been on Medicaid provider tax changes and potentially converting the Medicaid expansion population to a per capita cap. The challenge facing Energy and Commerce is the need to get to $880 billion in savings across its jurisdiction. While the committee is expected to get some savings out of energy policy changes and spectrum auction, Medicaid is its largest target. Meanwhile, Energy and Commerce Democrats released a report showing how many individuals would lose coverage if national work requirements were implemented.
Once all House committees have passed their packages, the House Budget Committee will combine the legislative texts and vote on the entire package, followed by a vote on the House floor. (Note that the Budget Committee’s package does not need to directly resemble the packages passed out of each committee.) Then, it will be the Senate’s turn to act. Speaker Johnson’s (R-LA) goal is for the House to pass the package before Memorial Day, and to have it signed into law by July 4, 2025, although that timeline is not guaranteed. The biggest factor that would enforce a real deadline is if the US Department of the Treasury were to announce an earlier date than anticipated for the United States hitting the debt ceiling. That pronouncement was expected this week but appears to have slipped. There is no indication that the date will be earlier than late summer or early fall. This is directly relevant to reconciliation because Republicans hope to address the debt limit increase as part of that process.
House Energy and Commerce Committee Advances Health Bills. This week’s markup considered six pieces of healthcare legislation largely related to public health. All passed with broad bipartisan support, although two had some Democratic pushback:

H.R. 2483, the SUPPORT Reauthorization Act of 2025, would reauthorize certain programs that provide for opioid use disorder prevention, treatment, and recovery.

The bill passed 36 – 13. All Republicans voted aye. Democrats were almost evenly split, with opponents citing concerns about workforce cuts at the Substance Abuse and Mental Health Services Administration, the agency responsible for administering the legislation’s programs.

H.R. 2484, the Seniors’ Access to Critical Medications Act of 2025, would establish an exception to the physician self-referral prohibition for certain outpatient prescription drugs furnished by a physician practice under the Medicare program.

The bill passed 38 – 7. All Republicans and most Democrats voted aye. The seven Democrats who voted against the bill stated their concerns that the policy would increase healthcare consolidation.

For more information about the bills, view the markup memo.
Senate Appropriations Committee Examines Biomedical Research. During the hearing, members from both parties voiced their support for biomedical research. Democrats expressed concern over the implications of federal cuts and mass firings on future research, and Republicans acknowledged the importance of federal funding for lifesaving research.
House Oversight and Government Reform Subcommittee on Cybersecurity, IT, and Government Innovation Holds Hearing on IT Modernization. During the hearing, Democrats emphasized the essential role of a qualified modern IT workforce for the security, efficiency, and effectiveness of federal systems, and highlighted the negative impacts of replacing federal workers with artificial intelligence. Republicans focused on identifying the biggest barriers to change, such as procurement requirements, hiring processes, budget limitations, and bureaucratic hurdles. They stressed the importance of modernizing federal IT to improve overall government efficiency.
ADMINISTRATION

Administration Releases FY 2026 “Skinny” President’s Budget. The abbreviated budget request only includes discretionary items and, ultimately, is a document that sets forth the administration’s policy priorities. While the budget request is expected to provide guidance to Congress as it begins the FY 2026 appropriations process, the priorities and funding levels included in the document will not necessarily be the final levels that are approved by Congress. The budget requests a 22% cut to domestic spending overall, including large cuts to the US Department of Health and Human Services (HHS). Health-related highlights include:

$93.8 billion for HHS, a 26.2% decrease from the FY 2025 level of $127 billion. This includes cuts to various agencies, such as:

$3.6 billion from the Centers for Disease Control and Prevention
$18 billion from the National Institutes of Health
$674 million from the Centers for Medicare & Medicaid Services (CMS)

$500 million to support the Making American Healthy Again Commission.
The full elimination of several programs, including the Administration for Strategic Preparedness and Response Hospital Preparedness Program and the Community Services Block Grant.

The administration also released other fact sheets and supporting documents here.
Administration Publishes Report on Gender-Affirming Care. The report provides updates on actions taken by the administration to implement executive order (EO) 14187, “Protecting Children from Chemical and Surgical Mutilation.” Cited actions include:

HHS:

Began work on the required literature review of best practices to treat children with gender dysphoria. The report was also published this week.
Began reviewing data tools to ensure that federal data collection aligns with the administration’s definition of medically useful information.
Eliminated 215 grants to medical institutions that provide gender-affirming care.

CMS issued a quality and safety special alert memo entitled “Protecting Children from Chemical and Surgical Mutilation.”
The US Department of Defense and Office of Personnel Management have taken steps to exclude coverage of gender-affirming care for minors.
The US Department of Justice:

Prepared guidance to enforce laws outlawing female genital mutilation.
Initiated investigations of multiple entities that allegedly misled the public about long-term side effects of gender-affirming care.
Drafted and submitted for review legislation creating a private right of action for children who have received gender-affirming care and their parents.
Prepared to establish a Parental Rights Task Force.

COURTS

SCOTUS Rules Against DSH Hospitals. The 7 – 2 ruling sided with HHS in a case about how DSH payments are calculated. CMS only counts Medicare enrollees who received supplemental security income (SSI) cash payments during the same month they received hospital care as low-income patients for the purposes of DSH payment. The plaintiff hospitals argued that CMS should include all patients in the SSI system at the time of their hospitalization. SCOTUS found that CMS’s formula was adequate, meaning that DSH hospitals will receive lower payments than they believe they are entitled to.
QUICK HITS

Ways and Means Republicans Outline Priorities for CMS Innovation Center. In a letter led by House Ways and Means Committee Chair Smith (R-MO) and Health Subcommittee Chair Buchanan (R-FL), 25 Republican committee members asked CMS Administrator Oz and CMS Innovation Center Director Sutton to focus on payment models that save money and improve transparency, ensure solicitation of stakeholder feedback, and renew attention on improving rural healthcare.
CBO Explains Its Role in Budget Reconciliation Process. In a blog post and a letter to Reps. Pfluger (R-TX) and Westerman (R-AR), the Congressional Budget Office (CBO) outlined how it develops cost estimates during reconciliation and how CBO and the Joint Committee on Taxation collaborate during that process.
ASTP/ONC Takes Deregulation Actions. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) clarified that it is using its nonenforcement discretion in relation to insights condition and maintenance of certification reporting requirements and USCDI v3 data elements related to sexual orientation and gender identity.
HHS Announces Universal Vaccine Technology. Generation Gold Standard was developed by the National Institute of Allergy and Infectious Diseases and aims to protect against multiple strains of the same virus, including influenza and coronaviruses.
GAO Releases Reports on Prescription Drugs. In a statutorily required report, the US Government Accountability Office (GAO) described CMS’s implementation of the Inflation Reduction Act Medicare drug negotiation program and inflation rebate program. An additional report included findings on the market presence of nonprofit drug companies.
GAO Releases Additional Reports on Human Genomic Data, Nursing Homes. GAO urged HHS to systemically track the use of foreign testing labs and strengthen oversight of security measures, and recommended that the US Department of Veterans Affairs identify additional enforcement actions to ensure that nursing homes comply with quality standards.
Senators Introduce Resolution to Reinstate Richardson Waiver. Sens. Wyden (D-OR), Markey (D-MA), and King (I-ME) led 16 senators in introducing a resolution to reinstate the Richardson Waiver, which directed government agencies to use the more formal rulemaking process for rules regarding “public property, loans, grants, benefits, or contracts.” In February, HHS issued a policy statement rescinding the waiver. Read the senators’ press release here.

NEXT WEEK’S DIAGNOSIS

Both chambers will be in session next week, with healthcare activity expected at the committee level, including:

A House Oversight and Government Reform Committee hearing on the welfare state.
Senate Finance Committee and Senate Health, Education, Labor, and Pensions (HELP) Committee nomination hearings for James O’Neill to be deputy HHS secretary (both committees), Gary Andres to be an assistant HHS secretary (Finance Committee), and Janette Nesheiwat to serve as Medical Director in the Regular Corps of the Public Health Service and Surgeon General of the Public Health Service (HELP Committee).

The House Energy and Commerce Committee will tentatively hold a markup of their reconciliation package the week of May 12.

CPPA and UK ICO Sign Declaration of Cooperation

On April 29, 2025, the UK Information Commissioner’s Office (the “ICO”) and the California Privacy Protection Agency (the “CPPA”) signed a declaration of cooperation regarding international privacy and data protection coordination, formalizing their existing collaboration.
The statement from the CPPA sets out the key aims of the declaration, namely:

facilitating joint research and education activities related to data protection and new technologies;
comparing investigative methods, best practices and knowledge;
organizing meetings between staff members; and
developing mechanisms for collaboration.

The ICO considers the declaration to be a “commitment to work together on common issues so people’s privacy rights are respected across the UK and California.” Tom Kemp, Executive Director at the CPPA stated that through the collaboration, the CPPA “can deepen…[its] knowledge base and leverage best practices from other regulators whose citizens face many of the same privacy harms that Californians have.”
The declaration marks the latest collaboration between the CPPA and international data protection authorities. In January 2025, the CPPA entered into collaboration with the Republic of South Korea’s Personal Information Protection Commission, and in June 2024, the CPPA entered into collaboration with the French data protection authority, the Commission Nationale de l’Informatique et des Libertés.
Read the CPPA press release.

State Regulators form Privacy Consortium for Collaboration and Enforcement

The California Privacy Protection Agency (“CPPA”) and California Attorney General recently announced the formation of a new coalition of state regulators called the Consortium of Privacy Regulators (the “Consortium”). The Consortium includes regulators from California, Colorado, Connecticut, Delaware, Indiana, New Jersey and Oregon, all of which represent states with comprehensive privacy laws. The participating members will hold regular meetings and coordinate enforcement efforts where they have common interests.
According to CPPA’s announcement, the Consortium will support collaboration on the implementation and enforcement of the participating members’ privacy laws with the shared goal of protecting consumers. The CPPA notes that the Consortium’s goals include facilitating discussions of privacy law developments and shared priorities, with a focus on consumer protection across jurisdictions. The CPPA also notes that, in addition to sharing their expertise and resources, participating regulators will coordinate their efforts to investigate potential violations of applicable laws. 
“We’re proud to collaborate with states across the country to advance consistent, streamlined enforcement of privacy protections to address real-world privacy harms. The Consortium reflects this shared commitment—now and for the future,” said Michael Macko, the CPPA’s head of enforcement. Rob Bonta, California’s Attorney General, added, “Collaborating with partners across the country provides another tool in the toolbox for my office to tackle enforcement priorities and continue safeguarding the privacy rights of Californians.”

US House of Representatives Pass the Take it Down Act

On April 28, 2025, the US House of Representatives voted 409-2 to pass S.146, the Take It Down Act. The bill targets the publication of nonconsensual intimate imagery, including AI-generated deepfakes, and will be enforced by the Federal Trade Commission (FTC).
The bill requires online platforms to remove nonconsensual intimate imagery (NCII) within 48 hours of a request. The bill also makes it illegal for a person to “knowingly publish” authentic or synthetic NCII and outlines separate penalties for when the image depicts an adult or a minor. 
Free speech advocates and digital rights groups say the bill is too broad and could lead to censorship of legitimate images. Other critics, such as the Cyber Civil Rights Initiative, an organization dedicated to protecting victims of online sexual abuse, are concerned that the bill “is an alarming expansion of the FTC’s enforcement authority.”
As the regulatory framework around AI and digital privacy evolves, companies developing or deploying AI, or engaging in content moderation will need to be alert to shifting expectations around accountability and enforcement priorities.

Michigan Attorney General Takes Action Against Roku, Alleging COPPA Violations

On April 29, 2025, Michigan Attorney General Dana Nessel filed a lawsuit against Roku, Inc., alleging that the company collects and monetizes personal data from children without proper consent. The lawsuit claims that Roku’s practices violate the Children’s Online Privacy Protection Act (COPPA) and other privacy laws.
Michigan Attorney General’s Allegations
In its complaint, filed in the United States District Court for the Eastern District of Michigan, the Michigan attorney general, joined by plaintiffs’ firm Korein Tillery, alleges that Roku violated COPPA (15 U.S.C. § 6502), the Video Privacy Protection Act (18 U.S.C. § 2710), the Michigan Preservation of Personal Privacy Act (M.C.L. § 445.1711), and the Michigan Consumer Protection Act (M.C.L. § 445.901 et seq.) by:

Collecting Data from Children: Roku collects personal information from children, including voice recordings, location data, and browsing histories, including via tracking pixels and cookies.
Failing to Implement Parental Controls: Roku does not offer options for parents to create children’s profiles, so parents and children are subject to the same data collection practices.
Sharing Data with Third Parties: Roku shares collected data with third parties, including data brokers and advertising companies, without adequate parental consent.
Misrepresenting Privacy Practices: Roku misleads parents about its data collection practices and the privacy protections in place for children.

The complaint also asserts common law claims for intrusion upon seclusion and unjust enrichment, and requests that Roku stop its allegedly illegal data collection practices and comply with federal and state privacy laws. It also aims to recover damages and penalties for Roku’s misconduct.
Roku’s Response
In response to the lawsuit, Roku stated it will challenge the lawsuit. “Roku strongly disagrees with the allegations in today’s filing, which do not reflect how our services work or our efforts to protect viewer privacy,” the company wrote. “We plan to challenge these inaccurate claims and look forward to demonstrating our commitment to trust and compliance.”
“Roku respects and values the privacy of our users. We do not use or disclose children’s personal information for targeted advertising or any other purpose prohibited by law, nor do we partner with third-party web trackers or data brokers to sell children’s personal information,” the statement continued. “We take the responsibility of creating a safe and trusted online environment seriously. Our viewers rely on Roku for engaging content, and we take pride in connecting our viewers to the streaming content they love every day.”
Takeaways
The Michigan attorney general’s complaint against Roku is the latest in a spate of state attorney general privacy enforcement actions, and businesses should take note that the wave of state enforcement may just be beginning. The recent interest in COPPA enforcement may also be driven by the Federal Trade Commission’s (FTC) amendments to the COPPA Rule, which take effect on June 21, 2025. The amendments include separate opt-in parental consent before children’s data is disclosed to third parties for targeted advertising, enhanced direct notice requirements, and new data security and data retention requirements. Companies subject to COPPA must comply with these new requirements by April 22, 2026.

Navigating the Rise in Data Subject Access Requests

Recently, there has been an increase in individual rights activity across Europe, particularly organizations receiving Data Subject Access Requests (DSARs) from former employees. This surge in activity may be attributed to several factors, including economic uncertainty leading to increased redundancies across industries globally and a growing awareness among individuals about their data rights.

Quick Hits

Implementing an internal process for managing individual rights requests will be key to organizations remaining compliant with applicable data protection laws and managing compliance costs.
The role of artificial intelligence and individual rights may lead to organizations undertaking excessive, unnecessary, and costly work when responding to requests.
Organizations that fail to respond to DSARs continue to be actively investigated and penalized by regulators in the EU, the UK, and other jurisdictions.

The current global economic climate has led to a rise in redundancies, and this appears to be prompting former employees to exercise their individual data rights. There has been a marked uptick across Europe in DSAR submissions—or requests to exercise the right for individuals to obtain copies of the information an organization has relating to them. Organizations are faced with dealing with this legal challenge, in many cases for the first time, and en masse. DSARs are also becoming increasingly comprehensive, with requests frequently requiring employers, and organizations in general, to search for, capture, and review all personal information being processed across their often complex digital ecosystems. This trend is likely to continue as economic conditions remain volatile and as individuals become increasingly knowledgeable about their individual data rights, which is in part due to increased data protection activism in the European Union, media coverage, and educational awareness around data privacy.
It also appears that artificial intelligence (AI) tools are being used by individuals to draft their DSARs. Although AI can generate requests that are comprehensive, well-written, and seemingly credible, these requests often include imperfect interpretations of legal requirements, including the applicability of these requirements in a particular context, as well as sometimes confusing circular descriptions; arguably, common traits of AI-generated content that has not undergone human review. This use of AI presents challenges for organizations, and organizations may want to note these when managing DSARs. An organization aiming to be compliant with a DSAR without challenging the accuracy of the request, might end up providing information that is outside of the parameters of the request, disclose commercially sensitive information that it might otherwise withhold, or indeed disclose information it is not legally permitted to disclose such as the personal data relating to other employees.
To effectively respond to the increasing volume and complexity of DSARs, organizations may want to consider the following steps:

Developing and implementing a DSAR response process for handling requests that is both comprehensive and easily operational. Consider including in this process clear procedures for identifying, retrieving, and reviewing personal data.
Undertaking a data-mapping exercise, if this has not already been done, to identify where personal data is processed across an organization’s operations and what systems are involved. This will enable the DSAR response team to easily contact the relevant team or person when a DSAR is received, and to coordinate the quick capture of personal data.
Ensuring the organization is familiar with, or capable of quickly finding out, the applicable data protection laws and statutory response deadlines. This can help minimize the risk of repeat DSARs, complaints to supervisory authorities, and potential regulatory fines.

The rise in DSAR activity and increased data rights awareness presents significant challenges for organizations. By establishing a comprehensive and efficient method for responding to these requests, organizations can ensure compliance with data protection laws and mitigate commercial and reputational risks, including reducing compliance costs, business disruption, risk of regulatory scrutiny, and reputational damage.
In addition, organizations may want to verify, using proportionate means, the identity of requestors, consider whether the existence of a DSAR should be reported to other teams in the organization as a wider employment issue, and ensure they remind individuals of their rights regarding their personal data including their right to lodge a complaint with the relevant data protection authority.
Organizations may want to assess their current approach or implement a new process to manage individual rights requests, to ensure they are identifying these requests when they are made, undertaking searches for information to the extent legally required and in a commercially sensible way, and meeting all applicable legal deadlines.
Failure to comply with up-to-date data protection laws and rules regarding individual rights can lead to commercial and reputational damage. If appropriate measures are not taken, corrective sanctions can be assessed such as significant financial penalties.

SAP NetWeaver Visual Composer Requires Urgent Patch

SAP NetWeaver Visual Composer users are urged to patch a critical vulnerability (tracked as CVE-2025-31324) that attackers are actively exploiting. According to ReliaQuest, which detected the in-the-wild exploitation, the flaw lets unauthenticated attackers upload arbitrary files to the server, leading to full system compromise. Although SAP has issued an emergency patch, security researchers report that the vulnerability is being exploited across critical industries, describe the threat as “immediate and severe,” and rate it at the maximum CVSS score of 10.0.
Urgent patching is required and available through SAP. Because exploitation began before the patch was available, patching alone does not remove files an attacker has already uploaded: organizations running exposed Visual Composer instances should also check for unexpected files (such as web shells) on the application server and review access logs for unauthenticated upload activity before treating the system as clean.

Privacy in Manufacturing: Safeguarding Information and Data in a Tech-Forward Era [Podcast]

In this podcast, Shareholder Michael McKnight (Raleigh) and Associate Lauren Watson (Raleigh) discuss the primary privacy challenges that manufacturers face, including pitfalls and best practices surrounding employee monitoring, biometric data collection, and information storage, especially when employers use tools enabled with artificial intelligence (AI) to surveil employees. In addition, Lauren and Michael discuss how manufacturers can comply with various state and sector-specific privacy laws and provide practical tips for manufacturers responding to data breaches. Michael and Lauren offer valuable insights on how manufacturers can balance the need to comply with the various privacy laws, protect their employees’—and the employers’ own—data and devices, and efficiently run their manufacturing businesses in an increasingly tech-forward but regulated environment.

Privacy Tip #442 – Oregonians Push Back Against DOGE’s Access to Personal Information

On April 21, 2025, the Oregon Department of Justice’s Privacy Unit reported a “big spike” in complaints about the Department of Government Efficiency (DOGE) in the first quarter of 2025.
The report stated, “Specifically, Oregonians are concerned about how government entities are handling their personal information. As of March 31, 2025, the unit had received more than 250 complaints about DOGE.”
The Oregon Department of Justice has joined other Attorneys General to file suit against the administration, requesting limitations on DOGE’s access to Americans’ personal information, and a court issued an order blocking DOGE’s access to Treasury Department information. Oregonians are not alone in their concern about DOGE’s vast and unrestricted access to personal information. Many states have consumer protection divisions that allow consumers to issue complaints about privacy protections.
If you are concerned about unrestricted access to your personal information by federal government and/or DOGE representatives, consider contacting your state consumer protection division so your voice is heard.

The VPPA: An Old Law with New Streams

Enacted in 1988, the Video Privacy Protection Act (VPPA) was intended to regulate the then-booming videotape industry by limiting how video rental and sales data is disclosed. The law was enacted in direct response to the publication of Supreme Court nominee Robert Bork’s video rental history. Though videotapes may be a memory of the past, plaintiffs have revived the VPPA in a more current context: online video subscriptions and pixel tracking tools.
To file a VPPA claim, a plaintiff must show that a videotape service provider knowingly disclosed a consumer’s personally identifiable information. A business is a videotape service provider when it “engage[s] in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual material.” 
While the definition of a videotape service provider may seem antiquated and narrow, courts have broadly applied it. In 2024, a court held that a local newspaper was a videotape service provider because it delivers audio-video materials. Another court held that a video game store was a videotape service provider because its games included noninteractive cutscenes, mini-videos that interrupt gameplay and fill gaps in the game’s storyline or plot. Thus, both types of businesses were considered to fall under the VPPA.
Under the VPPA, a consumer is defined as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Although there is inconsistency across circuits on what qualifies as a consumer in relation to video subscriptions, courts have held that subscribing to a website that offers video content can make a plaintiff a subscriber, and therefore a consumer, under the VPPA.
On April 25, 2025, a plaintiff filed a class action lawsuit against a cinema chain, Tivoli Enterprises, for allegedly installing the Meta tracking pixel on its website to “secretly and surreptitiously” send consumers’ personal information to Meta.
The complaint asserts that Tivoli is a videotape service provider under the VPPA because it is a video streaming platform through which website users access video content. The complaint further alleges that when consumers watch a movie trailer on the Tivoli website, the company uses Meta Pixels to track and disclose various pieces of consumer data to Meta, including the movie title and consumer personal information.
According to the plaintiff, when a user visits the Tivoli website in the same web browser used to log into Facebook, the browser transmits a Meta-specific cookie, the “c_user” cookie, to Meta along with the pixel data. The complaint emphasizes that the c_user value enables anyone, not just Meta, to identify an individual consumer: appended to a Facebook URL, it resolves to the Facebook account associated with that value. For example, if a c_user ID is 050125, appending it to the end of a Facebook.com URL takes anyone to the Facebook account and profile associated with the c_user ID 050125.
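The disclosure the complaint describes can be checked on one’s own site rather than taken on faith. The script below, an added example that is not part of this newsletter or of any cinema’s code, audits a DevTools HAR export for Meta Pixel beacons and reports, for each one, which page URL was sent to Meta and whether the browser attached a c_user cookie that ties that page view to a specific Facebook profile. The HAR fragment, the site name, the pixel ID and the c_user value are all constructed for the example; the beacon parameter names (`id`, `ev`, `dl`) are assumed to follow the pixel’s usual query format.

```javascript
// Added example: audit a HAR file for Meta Pixel beacons that pair a page
// URL with the visitor's Facebook c_user cookie. Nothing here is taken from
// the complaint or from any real site; all identifiers are constructed.

// Constructed HAR fragment: two pixel beacons from the same trailer page, one
// fired while logged into Facebook (c_user present) and one while logged out,
// plus an unrelated first-party request that the audit must ignore.
const SAMPLE_HAR = {
  log: {
    entries: [
      {
        request: {
          method: "GET",
          url: "https://www.facebook.com/tr/?id=1234567890&ev=PageView" +
               "&dl=https%3A%2F%2Fexample-cinema.test%2Ftrailers%2Fthe-example-movie",
          cookies: [
            { name: "c_user", value: "050125" },   // constructed Facebook user id
            { name: "xs", value: "redacted" },
          ],
        },
      },
      {
        request: {
          method: "GET",
          url: "https://www.facebook.com/tr/?id=1234567890&ev=PageView" +
               "&dl=https%3A%2F%2Fexample-cinema.test%2Ftrailers%2Fthe-example-movie",
          cookies: [],                             // not logged into Facebook
        },
      },
      {
        request: {
          method: "GET",
          url: "https://example-cinema.test/static/app.js",
          cookies: [],
        },
      },
    ],
  },
};

// Hosts the pixel beacon is sent to (assumption of this example).
const PIXEL_HOSTS = new Set(["www.facebook.com", "facebook.com"]);

// Return one finding per pixel beacon. The site's own code never sends the
// user id; the browser attaches the c_user cookie because the beacon goes to
// facebook.com. The "identifiable" flag is true only when both halves of the
// join key (page URL and c_user) travel in the same request.
function auditHar(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (!PIXEL_HOSTS.has(url.hostname) || !url.pathname.startsWith("/tr")) continue;
    const pageUrl = url.searchParams.get("dl");          // document location, already decoded
    const cUser = (entry.request.cookies || []).find((c) => c.name === "c_user");
    const titleSlug = pageUrl
      ? new URL(pageUrl).pathname.split("/").filter(Boolean).pop()
      : null;
    findings.push({
      event: url.searchParams.get("ev"),
      pixelId: url.searchParams.get("id"),
      pageUrl,
      titleSlug,                                          // e.g. "the-example-movie"
      fbUserId: cUser ? cUser.value : null,
      profileUrl: cUser ? `https://www.facebook.com/${cUser.value}` : null,
      identifiable: Boolean(cUser && pageUrl),
    });
  }
  return findings;
}

console.log(JSON.stringify(auditHar(SAMPLE_HAR), null, 2));
```

Export a HAR from the browser’s network panel while viewing a trailer page and feed it to `auditHar`; any finding with `identifiable: true` is a page view that a recipient of the beacon can attribute to a named Facebook profile simply by visiting `profileUrl`.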
The plaintiff notes that the VPPA permits a videotape service provider to disclose a consumer’s personal information to a third party when the consumer gives informed, written consent, and alleges that users who signed up for a rewards account on the Tivoli website were never asked to consent to Tivoli sharing their information with third parties.
The VPPA’s consent requirement is unusual: written consent must be given in a form that is distinct and separate from any form setting forth other legal or financial obligations. Even if a website’s privacy policy or terms of service obtain user consent for general website use, that consent likely does not satisfy the VPPA’s definition and may not be an adequate defense to a VPPA claim. Companies that provide video content to website subscribers should therefore consider obtaining separate user consent before disclosing consumer information connected to that video content to third parties, or eliminating tracking technology on video pages altogether.
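One way to implement the second of those options in the page itself, as an added example that is not the newsletter’s or any cinema’s code, is to gate the pixel loader on a consent record that was collected in its own form rather than inferred from acceptance of the terms of service. The record shape, the `video_disclosure_form` source name, the path-based video-page classification and the two-year validity ceiling are assumptions of this example; the loader at the end is a simplified stand-in for the vendor’s snippet and only runs in a browser.

```javascript
// Added example: consent-gated Meta Pixel loading for pages that serve video.
// Record shapes and names are assumptions, not any site's real schema.

const TWO_YEARS_MS = 2 * 365 * 24 * 60 * 60 * 1000; // assumed validity ceiling

// Constructed consent records. acceptedAt is a Unix timestamp in milliseconds.
const NOW = 1746144000000;                              // constructed "now"
const BUNDLED_CONSENT  = { source: "terms_of_service",      acceptedAt: NOW - 86400000, withdrawn: false };
const SEPARATE_CONSENT = { source: "video_disclosure_form", acceptedAt: NOW - 86400000, withdrawn: false };
const EXPIRED_CONSENT  = { source: "video_disclosure_form", acceptedAt: NOW - 3 * 365 * 86400000, withdrawn: false };
const WITHDRAWN_CONSENT = { source: "video_disclosure_form", acceptedAt: NOW - 86400000, withdrawn: true };

// A record counts for video-data disclosure only if it came from the
// dedicated form (not bundled terms), has not been withdrawn, and is within
// the assumed validity window. Anything else is treated as "no consent".
function vppaConsentValid(record, now = Date.now()) {
  if (!record || record.withdrawn) return false;
  if (record.source !== "video_disclosure_form") return false;
  if (typeof record.acceptedAt !== "number") return false;
  return now - record.acceptedAt < TWO_YEARS_MS;
}

// Assumed site layout: trailers and streams live under these path prefixes.
function isVideoPage(pathname) {
  return /^\/(trailers|watch)\//.test(pathname);
}

// consent = { analytics: record|null, vppa: record|null }
// Video pages need the separate VPPA consent; other pages need only the
// ordinary analytics consent. Failing closed is the point of the check.
function pixelAllowed(pathname, consent, now = Date.now()) {
  if (isVideoPage(pathname)) return vppaConsentValid(consent.vppa, now);
  return Boolean(consent.analytics && !consent.analytics.withdrawn);
}

// Returns true if the pixel was (or, outside a browser, would be) loaded.
function loadMetaPixel(pixelId, pathname, consent, now = Date.now()) {
  if (!pixelAllowed(pathname, consent, now)) return false;
  if (typeof document === "undefined") return true;    // not in a browser
  // Simplified stand-in for the vendor loader snippet: queue calls until
  // fbevents.js arrives, then fire init and PageView.
  window.fbq = window.fbq || function () {
    (window.fbq.queue = window.fbq.queue || []).push(arguments);
  };
  const s = document.createElement("script");
  s.async = true;
  s.src = "https://connect.facebook.net/en_US/fbevents.js";
  document.head.appendChild(s);
  window.fbq("init", pixelId);
  window.fbq("track", "PageView");
  return true;
}

console.log("video page, bundled consent :", pixelAllowed("/trailers/x", { analytics: BUNDLED_CONSENT, vppa: BUNDLED_CONSENT }, NOW));
console.log("video page, separate consent:", pixelAllowed("/trailers/x", { analytics: BUNDLED_CONSENT, vppa: SEPARATE_CONSENT }, NOW));
```

The important design choice is that the terms-of-service acceptance and the video-disclosure consent are separate records with separate sources, so the gate cannot be satisfied by the bundled agreement even when both are stored in the same consent store; withdrawal and expiry are checked on every page load rather than once at signup.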
In 2024, the Second Circuit stated that the VPPA is “no dinosaur statute.” Although Tivoli has yet to respond to the complaint, the prevalence of VPPA lawsuits like this one is a reminder that while videotape technology is obsolete, the VPPA is far from Jurassic. It stays alive with a new roar.

PIH Health Settles HIPAA Violations for $600,000

PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including names, Social Security numbers, driver’s license numbers, diagnoses, lab test results, medications, treatment information, claims information, and financial information.
PIH notified the affected individuals and the Office for Civil Rights (OCR) of the incident in January 2020. OCR launched an investigation and found potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.
In addition to the $600,000 settlement payment, PIH entered into a resolution agreement with OCR that required it to:

Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
Develop, maintain, and revise, as necessary, its written policies and procedures to comply with HIPAA rules.
Train its workforce members who have access to PHI on HIPAA policies and procedures.

These requirements are core elements of a HIPAA compliance program, and this settlement is a reminder for covered entities to update and maintain their security risk analyses and risk management plans so that risks and vulnerabilities are identified and addressed on an ongoing basis.