State Privacy Law Workshop · 5/6/2020  · Sales/Disclosure Restrictions Opt-in (sale and...

State Privacy Law Workshop, May 6, 2020. Libbie Canter, Kate Goodloe and Maggie Martin


Presenters

Libbie [email protected]

Kate [email protected]

Maggie [email protected]

Agenda

Comprehensive Privacy Laws
• Where Are We?
• The Substance
• The Battlegrounds

Other Privacy Topics
• Biometrics
• IoT
• Artificial Intelligence
• Health and Genetic Privacy
• Cybersecurity

Part I: Comprehensive Privacy Laws

Where Are We?

2019 Privacy Proposals (map of states; legend: Signed into law, Introduced, Passed one chamber, Task force or study formed)

2020 Privacy Proposals (map of states; legend: Introduced, Signed into law, Passed one or more chambers, Hearings held, Ballot initiative)

The Battle in Washington State

Coronavirus Impact

The Substance

Key Battleground Issues

• Enforcement, including private right of action
• Scope of personal information covered
  – How “identifying” is it? To whom?
  – Application to employee and household data
  – Exclusions for de-identified or pseudonymous data
  – Exemptions for federally regulated entities

Key Battleground Issues

• Scope of rights with regard to sharing of data
  – Rights with respect to targeted advertising
  – Right to opt out of any disclosure of personal information
• Additional consumer rights
• “Other” issues (e.g., facial recognition)
• Distinguishing between “controllers”/businesses and “processors”/third parties or service providers

Key Legislative Models

Minnesota HF 3096 (Factors / Content of Law)
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights: Non-discrimination
Accountability
Other Features
Enforcement: AG & PRA

New Hampshire HB 1680 (Factors / Content of Law)
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features
Enforcement: AG only (except PRA for data breaches)

Connecticut SB 134 (Factors / Content of Law)
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features
Enforcement: AG only (except PRA for data breaches)

Nebraska LB 746 (Factors / Content of Law)
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features
Enforcement: AG only

Illinois SB 3299/HB 5603 (Factors / Content of Law)
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights
Accountability
Other Features
Enforcement: AG only

Arizona SB 1614 (Factors / Content of Law)
Personal Data Covered: All consumers when any aspect of commercial conduct takes place in AZ
Transparency (but only if business sells data)
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features: HCR 2013 expresses preference for federal standard
Enforcement: AG only (except PRA for data breaches)

Maryland SB 957 (Factors / Content of Law)
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale and disclosure
Other Rights
Accountability
Other Features
Enforcement: AG, PRA (violation of CPA)

Illinois SB 2330 (Factors / Content of Law)
Personal Data Covered: Employee exception
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale and disclosures
Other Rights: Correction and opt out of processing
Accountability: Risk assessments
Other Features
Enforcement: AG only (except PRA for data breaches)

Massachusetts S. 120 (Factors / Content of Law)
Personal Data Covered: Narrow employee exception
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from third-party disclosure
Other Rights
Accountability
Other Features: Prohibits disclosure of PI if a business knows/willfully disregards that the individual is under 18
Enforcement: AG enforcement & PRA

Florida SB 1670 (Factors / Content of Law)
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights (contemplated, but not clear)
Deletion: X
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights: Correction right contemplated
Accountability
Other Features
Enforcement: Dep’t of Legal Affairs only (no PRA)

Louisiana HB 617, HB 654 (Factors / Content of Law)
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion: X
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights: Correction right contemplated
Accountability
Other Features: Restrictions on use of public records data for marketing/solicitations
Enforcement: DOJ only

Washington PSSB 6281 (Factors / Content of Law)
Personal Data Covered: Commercial/employment exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt out of sale
Other Rights: Rights to correction; opt out of targeted advertising and profiling
Accountability: Data protection assessments
Other Features: Facial recognition regulation
Enforcement: Initially AG only; PRA added

Wisconsin AB 870, 871, 872 (Factors / Content of Law)
Personal Data Covered: All Wisconsin residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Via right to restrict processing
Other Rights: Right to restrict processing and nondiscrimination
Accountability: Recordkeeping requirements
Other Features: Requires a basis to process personal data; further limits sensitive personal data
Enforcement: AG only

Arizona HB 2729 (Factors / Content of Law)
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt out of sale
Other Rights: Rights to correction; restriction of processing
Accountability
Other Features
Enforcement: AG only

Minnesota SF 2912 (Factors / Content of Law)
Personal Data Covered: Employee exception
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Objection to targeted advertising (includes sale)
Other Rights: Objection to processing, rectification, profiling
Accountability: Risk assessments
Other Features
Enforcement: AG only

Virginia HB 473 (Factors / Content of Law)
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt out of sale for targeted ads
Other Rights: Rights to correction and to object to processing and/or targeted advertising
Accountability: Risk assessments
Other Features
Enforcement: Broad PRA

New York Privacy Act – S 5642 (Factors / Content of Law)
Personal Data Covered: Broad definition, but excludes employees and contractors
Transparency: Privacy notice
Consumer Rights: Access, correction, deletion, restriction of processing, portability, objection to processing, profiling restriction
Sales/Disclosure Restrictions: Opt-in (sale and processing)
Accountability: Likely an indirect requirement
Other Features: No minimum company revenue threshold; fiduciary duty; pass-through
Enforcement: AG; PRA with injunction/damages (+ attorney’s fees)

Vermont H. 899 (Factors / Content of Law)
Personal Data Covered: Not clearly defined
Transparency (must include monetary value of data)
Access Rights: X
Deletion (social networking services only)
Sale/Disclosure Restrictions: X
Other Rights
Accountability
Other Features: Facial recognition restrictions
Enforcement: AG only

Rhode Island H. 7778 (Factors / Content of Law)
Personal Data Covered: All state residents
Transparency
Access Rights: X
Deletion: X
Sale/Disclosure Restrictions: X
Other Rights: X
Accountability: X
Other Features
Enforcement: AG only

Uniform Law Commission

ULC – Timeline
• Winter/Spring 2020: Drafting sessions
• Summer 2020: First reading draft to full ULC
• Summer 2021: Final draft to full ULC
• Summer 2022: Available for adoption by states

Uniform Law Commission (Factors / Content of Law)
Personal Data Covered: Excludes employees
Transparency + “privacy commitment”
Consumer Rights: Access, correction, deletion, confirmation of processing
Sales/Disclosure Restrictions: Opt-out of targeted advertising, profiling
Accountability: Privacy impact assessments, privacy officers
Other Features: Duties of loyalty, data minimization, purpose limitation, nondiscrimination, data security
Enforcement: AG, PRA

Practical Implications

• Internet- and profile-based companies are driving the legislative conversation. But do we want to create consumer dossiers where they don’t already exist?
• Outsourcing implications (cloud, CRM, ad agencies)
• Different incentives and risk balancing when faced with PRA versus AG enforcement. How broadly to apply exceptions? Resourcing choices? What does “do the right thing” mean?
• For national and international companies, a single standard is ideal

Future Proofing Your Privacy Programs

What to expect:
• Right to opt out of any disclosures of PI
• Additional consumer rights, e.g., correction, profiling
• Additional protections for sensitive personal data
• Risk assessment requirements

Key uncertainties:
• Application to HR data and B2B data
• Broader right to restrict or opt out of processing PI
• Litigation risk

Extraterritoriality: Deep Dive

What are the limits on states’ ability to regulate interstate commerce?
• Dormant Commerce Clause
• Jurisdiction

Other limits include:
• Federal preemption
• First Amendment

Other Notable Proposals

Data Broker Regulation

State / Key Elements / Status
• Washington: Registration; HB 1503, House passed 87-11
• Hawaii: Registration and opt-in consent for sale of browser information or geolocation data; HB 2572
• Minnesota: Additional disclosures; SF 2912/HF 2917

CPRA Ballot Initiative Timeline

• October 9, 2019: Proposed CPRA submitted to AG with request for title and summary
• November 13, 2019: Amended version of ballot initiative filed
• December 17, 2019: AG issued official title and summary
• June 25, 2020: Deadline for qualification

Title / Summary: Department of Justice; 30-day comment period
Qualification: Secretary of State review (623,212 signatures)
Potential to challenge

California Privacy Rights Act of 2020

• Prohibits selling or sharing personal information
• Defines sensitive personal information and limits its use
• Creates right to correct inaccurate information
• Requires disclosure of profiling and the “logic” involved in some contexts
• Prohibits collection of data of children under 16 unless collection is affirmatively authorized

California Privacy Rights Act of 2020

• Creates a new regulatory agency to enforce consumers’ rights
• Eliminates the 30-day cure period
• Creates new class of regulated entities (contractors)
• Broadens types of personal information covered by private right of action
• Limits future amendment

Part II: Other Privacy Topics

2019 Biometric Legislation (map of states; legend: Existing biometric law, Introduced, Passed one chamber)

2020 Biometric Legislation (map of states; legend: Existing biometric law, Introduced)

What Counts as Biometric?

Common elements: DNA, retina or iris scan, fingerprint, voiceprint, hand or face geometry; tied to identifying an individual

Exceptions: Photographs, video/audio recording, health care, writing samples, human samples for scientific research

Reading the Tea Leaves

How does one develop a compliance approach with respect to biometric data in light of the changing legal landscape?

What is the risk profile for biometric data?

Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186: “[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”

Internet of Things Legislative Proposals

Data Collection
• Requiring stickers on physical connected devices that gather data and transmit it to third parties (Washington)
• Prohibit smart speaker data from being used for ad purposes or shared with or sold to third parties (California)

Vehicle Data
• Would require disclosure of data recording devices in vehicles (New Jersey)
• Would provide owners ownership rights over vehicle data (Maryland)
• Would regulate collection or disclosure of precise geolocation generally (Maryland, New Jersey, Illinois, New Hampshire)

Reasonable Security Features
• Would require connected device manufacturers to equip devices with reasonable security features (Maryland)

Artificial Intelligence and Other Proposals

Bot Regulation
• Prohibiting deceptive uses of “bots” and requiring regulation of bot communications (Washington)

Miscellaneous Proposals
• Would require ISPs to keep personal information confidential and not disclose it without consent (New York)
• Would require consent to share audio or video data with third parties (Minnesota)
• Would require search engines to remove content of minimal value upon request (Iowa)
• Would require social networking services to give users who close accounts the option of removal of personal information (Iowa)

Profiling
• Restricts AI-enabled profiling, including for businesses operating in public spaces (Washington)

Health and Genetics

Genetic Testing
• Provides that results of genetic tests are the exclusive property of the individual (Arizona)
• Regulates companies that provide direct-to-consumer genetic testing (California, Washington, Illinois)
• Biometric proposal would require consent to process genetic data (South Carolina)

Online Activities
• Requires consent and security safeguards for websites that collect data that could infer a health or medical condition (Wash.)

Data Security
• Would amend security and breach notice laws to include genetic test and activity tracking data (Maryland)
• In 2019, three states amended breach notice laws to cover biometric and/or health info (Arkansas, New York, Wash.)

New York SHIELD Act – Data Security Provisions

Covered entities: own/license computerized data that includes private information of NY residents

Two main impacts on businesses:
• Expands breach notification requirements
• Requires businesses to maintain “reasonable safeguards” to protect “private information” of New York residents

Enforcement: AG only

New York SHIELD Act – Data Security Provisions

Must develop, implement, & maintain reasonable safeguards. Two primary means to achieve compliance:
• Comply with one of a list of regulatory frameworks (e.g., GLBA)
• Implement a data security program with specific elements:

Administrative safeguards
• designating employees to coordinate the program
• identifying reasonably foreseeable internal and external risks
• assessing the sufficiency of safeguards in place
• training
• service provider oversight and management
• adjusting the security program in light of changes

Technical safeguards
• assessing risks in network and software design
• assessing risks in information processing, transmission, and storage
• detecting, preventing, and responding to attacks or system failures
• regularly testing and monitoring the effectiveness of key controls, systems, and procedures

Physical safeguards
• assessing risks of information storage and disposal
• detecting, preventing, and responding to intrusions
• protecting against unauthorized access to or use of private information
• disposing of private information within a reasonable amount of time

Questions?