As you slowly emerge from your tryptophan coma next week, and realize that the first of December is upon us, many complex legal tasks may seem too daunting to face. Luckily, the privacy team at Stoel Rives has developed a plan to keep your privacy program running from the comfort of your post-Thanksgiving stretch pants.
Privacy Policy Review: Carving Out Time for Compliance
Once you satisfy the Black Friday itch, consider carving out some time to reflect – on food, family, festivities of the season, and of course, federal (and state!) privacy requirements. Whether you’re in healthcare, tech, finance, retail or otherwise, your privacy policies should reflect the current reality of business operations, and importantly, confirm that an annual review was performed. A “last revised: 2020” date on your privacy policy is a red flag for regulators – just like those leftovers on the counter, it’s time for a refresh.
If the types of personal information you collect, your target marketing audience, actual customer numbers, or how you process personal information, especially health-related data (e.g., protected health information), have changed this year, it might be time for a policy update. Pay attention to vendor practices too – with rapid adoption of AI, vendors and business associates alike may be changing their capabilities and data processing practices, and the (tur-)key is to know how those changes might impact your data and business operations, and to update policies accordingly.
Dark Meat… Dark Patterns: When Digital Design Goes Bad
Just as you might be wary of overcooked dark meat at your Thanksgiving table, businesses should be equally cautious about the “dark patterns” in their digital interfaces. Dark patterns are deceptive tools or designs used to impair user privacy choices or manipulate user behavior – like that second serving of pumpkin pie.
A digital design technique is deemed a dark pattern if it has the effect of substantially subverting or impairing user autonomy, decision-making, or choice – a business’s intent is not determinative of whether the user interface is a dark pattern, but it is a factor that is considered.
Dark patterns can take many forms. A common example is a cookie banner with a bright, oversized “ACCEPT ALL COOKIES” button next to a neutral “manage preferences” button. This gives the user a visual cue to click the conspicuous button, while providing no equivalent option to reject – equivalent neither in language nor in the steps taken to effectuate the request. Dark patterns may also be disguised ads, difficult-to-cancel subscriptions, buried terms, tricks to obtain personal information, and more. Many state privacy laws prohibit the use of dark patterns, and the FTC continues to actively enforce regulations against them. Regulators emphasize that the use of dark patterns invalidates consumer consent. Because these practices can manipulate choices through deception or coercion, they undermine informed decision-making, rendering any consent neither voluntary nor fully informed.
Cookies and Tracking Technologies: Save Room (and Attention!) for Dessert
Some things to consider about your cookie policy while digesting your turkey and watching football: A cookie policy explains what cookies are, how they track your activity, and how you can control them.
Is your website using any new third-party software that may receive personally identifiable information or collect data for the software vendor’s own purposes? Tracking technology may be included in software development kits (SDKs), plug-ins, or other features or functions on your website or application.
Is your consent manager accurately facilitating consent and consumer-friendly opt-out preferences before dishing out cookies? The California privacy regulatory body has held that website owners, not consent management platforms, are responsible for the proper configuration of consent mechanisms (i.e., the cookie banner).
Is your cookie policy compliant with different jurisdictional requirements? Obligations may vary based on location.
Whether you need a simple temperature check, or a more in-depth review, the privacy team at Stoel Rives is here to help cross annual compliance updates (and lots of other tasks) off of your long holiday to-do list.