State Privacy Law Workshop
Transcript of State Privacy Law Workshop
September 29, 2021
Libbie Canter, Kate Goodloe, Kristen Hilton and Tanya Madison
Presenters
Libbie Canter, Covington & Burling LLP
Kate Goodloe, BSA | The Software Alliance
Kristen Hilton, Oregon Department of Justice
Tanya Madison, Aristocrat Technologies
Agenda
Privacy Hot Topics
Comprehensive Privacy Laws
Part I: Comprehensive Privacy Laws
Timeline of Activity
June 2018: California ballot initiative qualifies for state-wide vote and CCPA is enacted
May 2019: Nevada enacts new privacy legislation
October 2019: Nevada law comes into force
January 1, 2020: CCPA takes effect
August 2020: CCPA AG regulations finalized and take effect
November 2020: CPRA ballot initiative
March 2021: Virginia Consumer Data Protection Act signed by governor
January–May 2021: 22 state legislatures consider comprehensive privacy legislation
July 1, 2022: Deadline for adoption of final regulations implementing the CPRA
January 1, 2023: CPRA and VCDPA take effect
July 1, 2023: CPA takes effect
Enacted Laws: California (CCPA and CPRA)
Consumer Rights Under the CCPA
CCPA Rights: Transparency, Access, Portability, Deletion, Non-Discrimination, Sale
CCPA Enforcement
Enforcement Examples
• Privacy policies missing required disclosures
• Inadequate opt-out procedures
• Failure to have a functioning “Do Not Sell My Personal Information” link
• Failure to provide a required Notice of Financial Incentives
• Untimely responses to CCPA requests
AG Statements and FAQs
• The AG has asserted that the statutory requirement for 30-day notice of alleged non-compliance can come from sources other than the Attorney General.
• The AG FAQs refer consumers to a proposed technical standard (“the GPC”) for user-enabled global privacy control.
California Privacy Rights Act of 2020
• Prohibits Selling or Sharing Personal Information
• Defines and Creates Heightened Protections for Sensitive Personal Information
• Creates Right to Correct Inaccurate Information
• Contemplates Rules Requiring Disclosure of Profiling and “Logic” Involved In Some Contexts
• Prohibits Collection of Data of Children Under 16 Unless Affirmatively Authorized Collection
• Employee and B2B Exemptions Extended Until 2023
• Additional Requirements for Contracts with “Service Providers” and “Contractors”
• Requirements for Contracts with Parties To Whom Data Is Sold or Shared
• Data Minimization Principles
• Data Retention Principles and New Disclosures
• Creates a New Regulatory Agency to Enforce Consumers’ Rights
• Eliminates the 30-Day Cure Period
• Broadens Types of Personal Information Covered By Private Right of Action
• Limits Future Amendment
What’s Next? Agency Charged With New Rules In At Least 20 Areas, Including:
Consumer Rights
• Access and opt-out rights with respect to automated decision-making
• How often and under what circumstances consumer may request correction
• Defining “specific pieces of information” to which consumers are entitled to request access
Sharing of Data
• Define requirements and technical specs for opt-out preference signals
• Purposes for which service providers and contractors may use data received from a business
• Defining when there is an “intentional interaction” (and therefore not a “sale” or “sharing” for which an opt out is required)
• Restrictions on use of “Dark Patterns” to secure consent
• Risk assessments and annual cyber security audits
• Scope and process for exercise of agency’s audit authority and other enforcement-related rules
• Sunset for B2B & Employee Exemptions on January 1, 2023
• Board has held open meetings, with future meetings scheduled for Oct. 18 and Nov. 15.
• Board is working to hire Executive Director and Chief Privacy Auditor.
• Board declined to immediately assume rulemaking authority, but has published invitation to comment due November 8 and announced plans for informal hearings.
• Board rulemaking committee has created subcommittees responsible for (1) updating the existing rules, (2) drafting new rules on items not yet addressed in the rules, and (3) the rulemaking process.
What’s Next? July 2022 Rulemaking Deadline
Enacted Laws: Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA)
Nevada Approach (NPICICA)
Scope
• As initially drafted, applies only to operators of Internet websites and online services
Sale
• Narrower opt out right (requires monetary consideration; narrow scope of information)
• No opt-in requirements, regardless of age
• Opt-out requests can be processed by email, telephone, or website
DSRs
• No right to access, data portability, deletion, or non-discrimination
What’s Next?
SB260 Goes Into Effect on October 1, 2021
Broadens the scope of NPICICA to include data brokers
• Requires that data brokers, like operators, establish a designated request address for consumers to opt-out
• Data brokers defined as a “person whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship and who reside in this State from operators or other data brokers and making sales of such covered information”
Broadens consumers’ right to opt-out of sale
• Removes the requirement that the exchange be for the purpose of the other person licensing or selling covered information to additional persons
Enacted Laws: Virginia Consumer Data Protection Act (CDPA)
Virginia CDPA
Consumer Opt-outs (CPRA-like rights)
• Targeted advertising
• Sale of data
• Profiling
GDPR/CCPA-like rights
• Access
• Correction
• Portability
• Deletion
Sensitive Data
• Opt-in for sensitive personal information
Virginia CDPA
Controller Obligations
• Data Minimization
• Purpose Specification
• Consent: Sensitive Data + Unexpected Uses
• Reasonable Security Measures
• Data Protection Assessments for Specific Activities
• Prohibition on Retaliation
• Prohibition on Discrimination
Processor Obligations
• Contract Required
• Data Security Obligations
• Subcontractor Requirements
• Assist with Consumer Rights Requests
• Duty of Confidentiality
• Delete or Return Data at End of Services
• Reasonable Assessments
What’s Next? Consumer Data Protection Work Group
Work Group Report: Due Nov. 1, 2021
• AG Recommendations
• Governor Recommendations
• Stakeholder Input
Enacted Laws: Colorado Privacy Act
Colorado Privacy Act (CPA)
Similarities to CDPA
• GDPR/CCPA-like rights: access, portability, correction, and deletion
• CPRA-like rights: opt-out rights for processing for purposes of targeted advertising and profiling
• Exemptions, including B2B and employment data, financial institutions and affiliates, and internal research
• Requirement to opt-in for sensitive data
• Creation of an appeals process
• No express private right of action
• Cure period (30+ days)
• Required data protection assessments
• Comparable processor contract obligations
Differences from CDPA
• Some language references “duties”
• Sale defined more broadly, as an exchange for monetary or other valuable consideration
• Requirement that controllers permit consumers to exercise their opt-out rights through a universal opt-out mechanism by July 1, 2024
• Specification that consent cannot be obtained through acceptance of terms of service or through dark patterns
• Cure period expanded from 30 to 60 days, if cure is deemed possible (to expire on January 1, 2025)
• Civil penalties determined under Colorado Consumer Protection Act, varying based on the population affected and the deception alleged
• Contracts must afford the controller the opportunity to reject subcontractors
• More formal audit rights for controllers
What’s Next?
Rulemaking
The CPA provides rulemaking authority to the Attorney General.
• Required: Universal opt-out mechanism & related issues (by July 1, 2023)
• Optional: Opinion letters/interpretive guidance (by January 1, 2025)
Rulemaking is expected to begin in late 2021.
Possible Legislative Fixes
Some state legislators have indicated that they hope to refine certain provisions in a second bill to be passed in 2022.
• In his signing statement, Colorado governor Jared Polis encouraged lawmakers “to strike the appropriate balance between consumer protection while not stifling innovation” in these efforts.
Staffing
The Attorney General is currently hiring an Assistant Attorney General in its Consumer Fraud Unit to focus on rulemaking and enforcement of the CPA.
Uniform Law Commission
Uniform Personal Data Protection Act (UPDPA)
Approved July 11, 2021
• GDPR/CCPA-like rights: access, correction
• Transparency: privacy policy requirements
• Distinction between compatible, incompatible, and prohibited uses of data
• Privacy assessments
• Authorization of voluntary consensus standards
• Enforcement tied to existing consumer protection acts
Concerns Raised by State AGs
• Section 15: Requires State AG to set up a formal process for stakeholders to request recognition of a voluntary consensus standard.
• Section 11: Safe harbor for compliance with privacy protection law deemed as or more protective than the adopted uniform law.
Other States
2021 Privacy Proposals (map of states; legend: Introduced, Signed into law, Passed one or more chamber, Hearings held)
Models of State Legislation
• Individual Rights; Opt Out of Sale/Sharing; Prohibition on Retaliation; Obligations for Service Providers
• Individual Rights; Opt Out of Sale, Targeted Advertising, Profiling; Consent For Sensitive + Unexpected Uses; Prohibition on Retaliation + Prohibition on Discrimination; Obligations on Data Processors
• ULC Model
• Fiduciary Model (NY)
• Tiers of Protected Information (TX)
• CA Without New Regulator (FL, WV, AK, AL)
• CPA – (1) applies to non-profits, (2) universal opt-out mechanism, (3) AG rulemaking, (4) dark patterns
• WPA – (1) study of global privacy controls, (2) narrower language on non-retaliation, (3) dark patterns
Recent CCPA-like State Proposals
Florida (HB 969)
Kentucky (HB 408)
Maryland (SB 930)
Massachusetts (SB 46, HB 142)
Minnesota (MN HF 1492; MN HF 36)
Mississippi (SB 2612)
New York (SB 567; SB 2886)
North Dakota (HB 1330)
Oklahoma (HB 1602)
Pennsylvania (HB 1126)
West Virginia (HB 3159)
Recent CDPA-like State Proposals
Connecticut (SB 893)
Minnesota (HF 1492 / SF 1408)
North Carolina (SB 569)
Utah (HB 200)
Overview of Key State Proposals
Category / Topic (compared across CPRA, Virginia CDPA, and CPA)
Notice
• At or before point of collection
• In a reasonably accessible privacy notice
Opt-out
• Sale
• Targeted Advertising/Cross-Context Behavioral Advertising
• Profiling (To be addressed by AG)
Sensitive Data
• Consent to Processing of Sensitive Data (opt-out only)
Consumer Rights
• Access, Portability, Correction, Deletion, Non-discrimination
Business Obligations
• Data Minimization
• Impact Analysis (To be addressed by AG)
• Fiduciary Duty
Enforcement
• Dedicated data privacy protection agency
• Private Right of Action
• AG Enforcement; Fine/Civil Penalty
What To Watch – Heading Into 2022
A Case Study: Oregon
Key Trends and Battlegrounds
Key Battleground Issues
• Enforcement, including private right of action and whether there is a right to cure
• Scope of personal information covered
  • How “identifying” is it? To whom?
  • Treatment of publicly available data
  • Exclusions for de-identified or pseudonymous data
• Distinguishing between “controllers”/businesses and “processors”/service providers
• Application to employee and B2B data
• Additional rights and obligations
  • Duties of care and loyalty
  • Right to consent to collection and processing of data
• Age at which minors should be subject to heightened protections (e.g., 13, 16 or 18)
• Scope of rights
  • Right to opt out of any disclosure of personal information
  • Rights with respect to targeted advertising
Industry Interplay
Apple’s Policies on Transparency and Choice
Federal Interplay
Federal Developments
Part II: Privacy Hot Topics in 2021
Vaccine Passports
Executive Orders
• Governors in Arizona, Montana, Texas, and other states have signed executive orders banning businesses from requiring vaccine documentation, or withdrawing funding from businesses that do
Legislative Bans
• Utah law prohibits vaccination requirements for employment; participation in government activities; or attendance of events hosted or sponsored by a government entity
• Alabama law bans public and private businesses from requiring proof of vaccination to provide goods or services.
• Florida law prohibits businesses, governmental entities, and educational institutions from requiring vaccine documentation.
Vaccine Passport Programs
• New York has a voluntary vaccine passport program.
• California launched the Digital COVID-19 Vaccine Record portal.
Antitrust and Privacy
Biometric Privacy Laws
“From 2008 to 2018, there were 163 BIPA class action lawsuits filed. In 2019, well over 300 BIPA class action lawsuits were filed – more than double the previous 10 years combined. In addition, in 2020, there were at least 54 court rulings referencing BIPA, which is more than double the count from 2019 . . .”
– Bloomberg Law (June 18, 2021)
Facial Recognition Technology
Bans on city use of facial recognition technology: Alameda, Berkeley, Oakland, & San Francisco in CA; Boston, Brookline, Cambridge, Northampton, Somerville, & Springfield in MA; Portland, ME; Minneapolis, MN; Jackson, MS; King County, WA
Bans on private use of facial recognition: Baltimore, MD; New York, NY; Portland, OR
State-wide legislation: Maine, Massachusetts, Vermont, Virginia, & Washington
State Data Breach Laws
July 1, 2003: California’s data security breach notice law goes into effect
2012: 46 states, DC, Puerto Rico and Guam have adopted breach notice laws
2018: South Dakota and Alabama enact breach notice laws, becoming last of 50 states to enact such laws (and at least 6 other states strengthen laws)
2019 and 2020: Illinois, New York, Texas, Washington, and other states strengthen breach notice laws
2021: Arkansas, Connecticut, Texas, and Utah amend breach notice laws
Enforcement by State Attorneys General
Recent cases on data security
• Home Depot reaches $17.5 million settlement with 46 states and Washington, DC for 2014 data breach
• Equifax data breach settlement challenged in the Eleventh Circuit
Tech sector; Location tracking; Third-party tracking
Health and Genetics
Signed into Law
• In April 2021, Arizona signed HB 2069 into law, creating confidentiality protections for genetic data and granting individuals property rights over their own genetic material.
• In July 2020, Florida became the first state to enact DNA privacy law blocking insurers from using data from direct-to-consumer genetic tests to price policies and offerings.
• The Utah Genetic Information Privacy Act went into effect in May 2021, protecting genetic data collected from direct-to-consumer tests.
Proposed Laws
• In September 2021, the California legislature passed a law imposing obligations on companies that collect or process genetic information. The bill closely mirrors a law vetoed by Gov. Newsom in August 2020.
• A proposed Texas law would prohibit the use of genetic information from direct-to-consumer tests by long-term care benefits plans.
Data Broker Laws
Vermont: H 764
• Applies to Handling of “Brokered Personal Information”
• Annual Registration with AG
• Mandatory Disclosures
• Information Security Program
California: AB 1202
• Applies to Handling of “Personal Information”
• Annual Registration with AG
• Discretionary Disclosures
Delaware: HB 262*
• Applies to Handling of “Brokered Personal Information”
• Annual Registration with DOJ
• Mandatory Disclosures
• Information Security Program
• Acquisition Prohibitions
Internet of Things Legislative Proposals
California
• Requires manufacturers of “connected devices” to equip the device with “a reasonable security feature or features”
• Features should be:
  • appropriate to the nature and function of the device
  • appropriate to the information it may collect, contain, or transmit
  • designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure
• Effective January 1, 2020
Oregon
• Requires manufacturers of “connected devices” to equip the device with “reasonable security features” (defined similar to Cal.)
• “Connected device” limited to Internet-connected devices:
  • used primarily for personal, family or household purposes; and
  • that are assigned an IP address or another address that identifies the device for the purpose of short-range wireless connections to other devices.
• Effective January 1, 2020
Recent Artificial Intelligence and Other Proposals
Bots
• Prohibits deceptive uses of “bots” and requires regulation of bot communications (Washington)
“Automated Decision Systems” (ADS)
• Prohibits insurers from using ADS in a discriminatory manner (Colorado – signed into law in July 2021)
• Creates reporting requirements for certain employers who rely on ADS (Illinois – signed into law in July 2021)
• Requires businesses that use ADS to establish processes to continually test for bias (California)
• Mandates that public agencies purchasing products that use ADS adhere to responsible AI standards (Maryland)
• Requires the Secretary of Digital Services to adopt standards on the development, use, and procurement of ADS by the state (Vermont)
Profiling
• Restricts AI-enabled profiling, including for businesses operating in public spaces (Washington)
Future Proofing Your Privacy Program
What to expect: Legislative, regulatory, and enforcement activity
• Additional consumer rights, e.g., correction, profiling
• Additional protections for sensitive personal data
Questions?