Happy Thursday everybody! One of the stories in this week’s Privacy Insider caught my eye — it has to do with a practice called the heel-stick test performed on newborn infants.
Within 48 hours after birth, doctors prick the heels of infants to test their blood for a range of metabolic and hormone disorders that aren’t immediately symptomatic but can be dangerous if left unrecognized and untreated. It’s so crucial that it’s often legally required and doesn’t require parental consent.
The issue isn’t with the test itself. The issue is what’s done with the excess blood samples afterward. Often, these samples are retained for decades afterward and are used — without parental consent — for any number of purposes, including criminal investigations. In fact, the story we linked to below describes a case in which an infant’s excess blood sample was used for a DNA analysis to gather evidence against the child’s father. According to a lawsuit over the issue, this allowed the police to obtain DNA evidence without showing probable cause first.
Data privacy professionals will probably recognize two key privacy concepts being violated here: retention and purpose limitation. These samples are being used for purposes beyond what they were originally intended for, and they’re being retained indefinitely without consideration for whether their original purpose has been satisfied.
It should be noted that the medical industry is regulated by more specific laws than omnibus data privacy laws like the CPRA and GDPR. Still, this story illustrates how privacy concerns can crop up in almost every aspect of life (like medical care for a newborn) and how essential the principles behind data privacy legislation really are.
Privacy concerns prompt states to reexamine storing newborns' heel blood tests
Within the first 48 hours after birth, doctors prick newborn infants’ heels to test their blood for serious genetic and metabolic issues. Because this test has such a large impact on public health, many states mandate it to be done and don’t require parental consent. However, the test also produces excess samples; these samples are sometimes stored for years and used for purposes ranging from third-party research to criminal investigations. The lack of disclosure and consent gathering around this practice has recently spurred multiple lawsuits.
Takeaways from the FTC’s first public forum on personal data collection and AI
Seeking information on how it should best regulate commercial surveillance and AI, the Federal Trade Commission (FTC) is collecting public comments as part of its Advanced Notice of Proposed Rulemaking (ANPR). Until October 21st, the FTC will consider issues raised by the public regarding AI and commercial data collection.
Drivers’ license data exposed in U-Haul breach
Hackers breached U-Haul’s rental contract database, accessing names and driver’s licenses but not credit card information. "The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts," said a U-Haul representative. "None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool."
Costs of Apple apps increased in connection with privacy changes
Research firm Apptopia found that in-app purchases for Apple Store apps became 40% more expensive after Apple released its App Tracking Transparency (ATT) privacy initiative. The research indicates that this price increase is connected with the greater difficulty of acquiring new customers as a result of ATT and associated privacy changes.
Apple iOS 16 updates features a host of new privacy and security features
Apple is doubling down on its focus on privacy with its latest iOS update. The update will bring a number of features designed to protect consumers’ privacy, including tools to protect victims of domestic abuse, turning users’ devices into physical passkeys for other systems, and more.
South Korea fines Google and Meta $71.8M for violating privacy laws
According to South Korea’s data protection authorities, Google failed to inform users of data collection and set the default choice to “agree” while covering up further options available via the settings screen of its apps and websites. Meta was also found to have violated personal information protection rules. The fine represents South Korea’s largest penalty for violating personal information protection laws.
3-month countdown to 2023’s state privacy laws
2023 inches ever closer, and with it, a slew of new US data privacy laws coming online throughout the next year. In our countdown series, we break down the major compliance activities businesses should partake in as the new year approaches.
Interested in working at Osano? Check out our Careers page! We might have the perfect opportunity for you.