State Privacy Law Workshop
May 6, 2020
Libbie Canter, Kate Goodloe and Maggie Martin
Agenda
Comprehensive Privacy Laws
• Where Are We?
• The Substance
• The Battlegrounds
Other Privacy Topics
• Biometrics
• IoT
• Artificial Intelligence
• Health and Genetic Privacy
• Cybersecurity
Part I
Comprehensive Privacy Laws
Where Are We?
2019 Privacy Proposals
[Figure not reproduced. Legend: Signed into law; Introduced; Passed one chamber; Task force or study formed]
2020 Privacy Proposals
[Figure not reproduced. Legend: Introduced; Signed into law; Passed one or more chambers; Hearings held; Ballot initiative]
The Battle in Washington State
The Battle in Washington State
Coronavirus Impact
The Substance
Key Battleground Issues
• Enforcement, including private right of action
• Scope of personal information covered
• How “identifying” is it? To whom?
• Application to employee and household data
• Exclusions for de-identified or pseudonymous data
• Exemptions for federally regulated entities
Key Battleground Issues
• Scope of rights with regard to sharing of data
• Rights with respect to targeted advertising
• Right to opt out of any disclosure of personal information
• Additional consumer rights
• “Other” issues (e.g. facial recognition)
• Distinguishing between “controllers”/businesses and “processors”/third parties or service providers
Key Legislative Models
Minnesota HF 3096
Factors: Content of Law
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights: Non-discrimination
Accountability
Other Features
Enforcement: AG & PROA
New Hampshire HB 1680
Factors: Content of Law
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features
Enforcement: AG only (except PRA for data breaches)
Connecticut SB 134
Factors: Content of Law
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features
Enforcement: AG only (except PRA for data breaches)
Nebraska LB 746
Factors: Content of Law
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features
Enforcement: AG only
Illinois SB 3299/HB 5603
Factors: Content of Law
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights
Accountability
Other Features
Enforcement: AG only
Arizona SB 1614
Factors: Content of Law
Personal Data Covered: All consumers when any aspect of commercial conduct takes place in AZ
Transparency: (but only if business sells data)
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale (opt-in for minors)
Other Rights
Accountability
Other Features: HCR 2013 expresses preference for federal standard
Enforcement: AG only (except PRA for data breaches)
Maryland SB 957
Factors: Content of Law
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale and disclosure
Other Rights
Accountability
Other Features
Enforcement: AG, PRA (violation of CPA)
Illinois SB 2330
Factors: Content of Law
Personal Data Covered: Employee exception
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from sale and disclosures
Other Rights: Correction and opt out of processing
Accountability: Risk assessments
Other Features
Enforcement: AG only (except PRA for data breaches)
Massachusetts S. 120
Factors: Content of Law
Personal Data Covered: Narrow Employee Exception
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt-out from third-party disclosure
Other Rights
Accountability
Other Features: Prohibits disclosure of PI if a business knows/willfully disregards under 18
Enforcement: AG Enforcement & PRA
Florida SB 1670
Factors: Content of Law
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights: (contemplated, but not clear)
Deletion: X
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights: Correction right contemplated
Accountability
Other Features
Enforcement: Dep’t of Legal Affairs only (no PRA)
Louisiana HB 617, HB 654
Factors: Content of Law
Personal Data Covered: All state residents
Transparency
Access Rights
Deletion: X
Sale/Disclosure Restrictions: Opt-out from sale
Other Rights: Correction right contemplated
Accountability
Other Features: Restrictions on use of public records data for marketing/solicitations
Enforcement: DOJ only
Washington PSSB 6281
Factors: Content of Law
Personal Data Covered: Commercial/Employment exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt out of sale
Other Rights: Rights to correction; opt out of targeted advertising and profiling
Accountability: Data protection assessments
Other Features: Facial recognition regulation
Enforcement: Initially AG only; PRA added
Wisconsin AB 870, 871, 872
Factors: Content of Law
Personal Data Covered: All Wisconsin residents
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Via right to restrict processing
Other Rights: Right to restrict processing and nondiscrimination
Accountability: Recordkeeping requirements
Other Features: Requires basis to process personal data; further limits sensitive personal data
Enforcement: AG only
Arizona HB 2729
Factors: Content of Law
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt out of sale
Other Rights: Rights to correction; restriction of processing
Accountability
Other Features
Enforcement: AG only
Minnesota SF 2912
Factors: Content of Law
Personal Data Covered: Employee exception
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Objection to targeted advertising (includes sale)
Other Rights: Objection to Processing, Rectification, Profiling
Accountability: Risk Assessments
Other Features
Enforcement: AG only
Virginia HB 473
Factors: Content of Law
Personal Data Covered: Employee/B2B exceptions
Transparency
Access Rights
Deletion
Sale/Disclosure Restrictions: Opt out of sale for targeted ads
Other Rights: Rights to correction and to object to processing and/or targeted advertising
Accountability: Risk assessments
Other Features
Enforcement: Broad PRA
New York Privacy Act – S 5642
Factors: Content of Law
Personal Data Covered: Broad definition, but excludes employees and contractors
Transparency: Privacy notice
Consumer Rights: Access, Correction, Deletion, Restrict processing, Portability, Object to processing, Profiling restriction
Sales/Disclosure Restrictions: Opt-in (sale and processing)
Accountability: Likely an indirect requirement
Other Features: No minimum company revenue threshold, Fiduciary duty, Pass through
Enforcement: AG, PRA: injunction/damages (+atty’s fees)
Vermont H. 899
Factors: Content of Law
Personal Data Covered: Not clearly defined
Transparency: (must include monetary value of data)
Access Rights: X
Deletion: (social networking services only)
Sale/Disclosure Restrictions: X
Other Rights
Accountability
Other Features: Facial recognition restrictions
Enforcement: AG only
Rhode Island H. 7778
Factors: Content of Law
Personal Data Covered: All State Residents
Transparency
Access Rights: X
Deletion: X
Sale/Disclosure Restrictions: X
Other Rights: X
Accountability: X
Other Features
Enforcement: AG only
Uniform Law Commission
ULC – Timeline
• Winter/Spring 2020: Drafting sessions
• Summer 2020: First reading draft to full ULC
• Summer 2021: Final draft to full ULC
• Summer 2022: Available for adoption by states
Uniform Law Commission
Factors: Content of Law
Personal Data Covered: Excludes employees
Transparency: + “privacy commitment”
Consumer Rights: Access, Correction, Deletion, Confirmation of Processing
Sales/Disclosure Restrictions: Opt-out of targeted advertising, profiling
Accountability: Privacy impact assessments, privacy officers
Other Features: Duties of: loyalty, data minimization, purpose limitation, nondiscrimination, data security
Enforcement: AG, PRA
Practical Implications
• Internet- and profile-based companies driving the legislative conversation. But do we want to create consumer dossiers where they don’t already exist?
• Outsourcing implications (cloud, CRM, ad agencies)
• Different incentives and risk balancing when faced with PRA versus AG enforcement. How broadly to apply exceptions? Resourcing choices? What does “do the right thing” mean?
• For national and international companies, single standard ideal
Future Proofing Your Privacy Programs
What to expect:
• Right to opt-out of any disclosures of PI
• Additional consumer rights, e.g., correction, profiling
• Additional protections for sensitive personal data
• Risk assessment requirements
Key uncertainties:
• Application to HR data and B2B data
• Broader right to restrict or opt-out of processing PI
• Litigation risk
Extraterritoriality: Deep Dive
What are limits on states’ ability to regulate interstate commerce?
• Dormant Commerce Clause
• Jurisdiction
Other limits include:
• Federal preemption
• First Amendment
Other Notable Proposals
Data Broker Regulation
State | Key Elements | Status
Washington | Registration | HB 1503; House passed 87-11
Hawaii | Registration and opt-in consent for sale of browser information or geolocation data | HB 2572
Minnesota | Additional disclosures | SF 2912/HF 2917
CPRA Ballot Initiative Timeline
• October 9, 2019: Proposed CPRA submitted to AG with request for title and summary
• November 13, 2019: Amended version of ballot initiative filed
• December 17, 2019: AG issued official title and summary
• June 25, 2020: Deadline for Qualification
Title / Summary: Department of Justice; 30-day comment period
Qualification: Secretary of State review (623,212 signatures)
Potential To Challenge
California Privacy Rights Act of 2020
Prohibits Selling or Sharing Personal Information
Defines Sensitive Personal Information and Limits Its Use
Creates Right to Correct Inaccurate Information
Requires Disclosure of Profiling and “Logic” Involved In Some Contexts
Prohibits Collection of Data of Children Under 16 Unless Collection Is Affirmatively Authorized
California Privacy Rights Act of 2020
Creates a New Regulatory Agency to Enforce Consumers’ Rights
Eliminates the 30-Day Cure Period
Creates New Class of Regulated Entities (Contractors)
Broadens Types of Personal Information Covered By Private Right of Action
Limits Future Amendment
Part II
Other Privacy Topics
2019 Biometric Legislation
[Figure not reproduced. Legend: Existing Biometric Law; Introduced; Passed one chamber]
2020 Biometric Legislation
[Figure not reproduced. Legend: Existing Biometric Law; Introduced]
What Counts as Biometric?
• Common elements: DNA, retina or iris scan, fingerprint, voiceprint, hand or face geometry
• Tied to identifying an individual
• Exceptions: photographs, video/audio recording, health care, writing samples, human samples for scientific research
Reading the Tea Leaves
How does one develop a compliance approach with respect to biometric data in light of the changing legal landscape?
What is the risk profile for biometric data?
Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186
“[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
Internet of Things Legislative Proposals
Data Collection
• Requiring stickers on physical connected devices that gather data and transmit it to third parties (Washington)
• Prohibiting smart speaker data from being used for ad purposes or shared with or sold to third parties (California)
Vehicle Data
• Would require disclosure of data recording devices in vehicles (New Jersey)
• Would provide owners ownership rights over vehicle data (Maryland)
• Would regulate collection or disclosure of precise geolocation generally (Maryland, New Jersey, Illinois, New Hampshire)
Reasonable Security Features
• Would require connected device manufacturers to equip devices with reasonable security features (Maryland)
Artificial Intelligence and Other Proposals
Bot Regulation
• Prohibiting deceptive uses of “bots” and requiring regulation of bot communications (Washington)
Miscellaneous Proposals
• Would require ISPs to keep personal information confidential and not disclose without consent (New York)
• Would require consent to share audio or video data with third parties (Minnesota)
• Would require search engines to remove content of minimal value upon request (Iowa)
• Would require social networking services to give users who close accounts option of removal of personal information (Iowa)
Profiling
• Restricts AI-enabled profiling, including for businesses operating in public spaces (Washington)
Health and Genetics
Genetic Testing
• Provides that results of genetic tests are exclusive property of the individual (Arizona)
• Regulates companies that provide direct-to-consumer genetic testing (California, Washington, Illinois)
• Biometric proposal would require consent to process genetic data (South Carolina)
Online Activities
• Requires consent and security safeguards for websites that collect data that could infer health or medical condition (Wash.)
Data Security
• Would amend security and breach notice laws to include genetic test and activity tracking data (Maryland)
• In 2019, three states amended breach notice laws to cover biometric and/or health info (Arkansas, New York, Wash.)
New York SHIELD Act – Data Security Provisions
• Covered entities: own/license computerized data that includes private information of NY residents
• Two main impacts on businesses:
  • Expands breach notification requirements
  • Requires businesses to maintain “reasonable safeguards” to protect “private information” of New York residents
• Enforcement: AG only
New York SHIELD Act – Data Security Provisions
• Must develop, implement, & maintain reasonable safeguards
• Two primary means to achieve compliance:
  • Comply with one of a list of regulatory frameworks (e.g., GLBA)
  • Implement a data security program with specific elements
Administrative
• designating employees to coordinate program
• identifying reasonably foreseeable internal and external risks
• assessing the sufficiency of safeguards in place
• training
• service provider oversight and management
• adjusting the security program in light of changes
Technical
• assessing risks in network and software design
• assessing risks in information processing, transmission, and storage
• detecting, preventing, and responding to attacks or system failures
• regularly testing and monitoring the effectiveness of key controls, systems, and procedures
Physical
• assessing risks of information storage and disposal
• detecting, preventing, and responding to intrusions
• protecting against unauthorized access to or use of private information
• disposing of private information within a reasonable amount of time
Questions?