State Privacy Law Workshop
October 21, 2020. Libbie Canter, Kate Goodloe, Kristen Hilton and Tanya Madison
Presenters
• Libbie Canter, Covington & Burling LLP
• Kate Goodloe, BSA | The Software Alliance
• Kristen Hilton, Oregon Department of Justice
• Tanya Madison, Aristocrat Technologies
Agenda
• Comprehensive Privacy Laws: Where Are We? Key Battlegrounds; Case Study: Oregon; What Comes Next?
• Other Privacy Topics (Legislation and Enforcement): Contact Tracing and COVID; Biometrics; IoT; Artificial Intelligence; Health and Genetic Privacy; Cybersecurity
Part I: Comprehensive Privacy Laws
CCPA and CPRA
Key Dates
• June 2018: Ballot initiative qualifies for state-wide vote
• June 2018: Governor signs compromise statute
• September 2019: Substantive amendments
• January 1, 2020: CCPA takes effect
• July 2020: Attorney General enforcement begins
• August 2020: AG regulations finalized and take effect
• November 2020: Ballot initiative 2.0
New Consumer Rights Under the CCPA
CCPA rights: Transparency; Portability; Access; Deletion; Non-Discrimination; Sale
CPRA Ballot Initiative Timeline
• October 9, 2019: Proposed CPRA submitted to AG with request for title and summary
• November 13, 2019: Amended version of ballot initiative filed
• December 17, 2019: AG issued official title and summary
• June 25, 2020: Deadline for qualification
Title / Summary: Department of Justice; 30-day comment period
Qualification: Secretary of State review (623,212 signatures)
Potential to Challenge
California Privacy Rights Act of 2020
• Prohibits Selling or Sharing Personal Information
• Defines Sensitive Personal Information and Limits Its Use
• Creates Right to Correct Inaccurate Information
• Requires Disclosure of Profiling and “Logic” Involved in Some Contexts
• Prohibits Collection of Data of Children Under 16 Unless Collection Is Affirmatively Authorized
• Creates a New Regulatory Agency to Enforce Consumers’ Rights
• Eliminates the 30-Day Cure Period
• Creates New Class of Regulated Entities (Contractors)
• Broadens Types of Personal Information Covered by Private Right of Action
• Limits Future Amendment
Nevada
Nevada Approach
Scope
• Applies only to operators of Internet websites and online services
Sale
• Narrower opt-out right (requires monetary consideration; narrow scope of information)
• No opt-in requirements, regardless of age
• Opt-out requests can be processed by email, telephone, or website
DSRs (data subject requests)
• No right to access, data portability, deletion, or non-discrimination
Other States
[Map: 2019 Privacy Proposals. Legend: Signed into law; Introduced; Passed one chamber; Task force or study formed]
[Map: 2020 Privacy Proposals. Legend: Introduced; Signed into law; Passed one or more chambers; Hearings held; Ballot initiative]
Key Legislative Models
Examples of States Basing Proposals off CCPA Framework
CCPA-Like Approach
• Arizona SB 1614
• Connecticut SB 134
• Illinois SB 3299/HB 5603
• Minnesota HF 3096
• Nebraska LB 746
• New Hampshire HB 1680
CCPA-Plus Approach*
• Illinois SB 2330
• Maryland SB 937
• Massachusetts S. 120*
*Right to opt out of “disclosure” of personal information and expansive private right of action
Other Proposals
GDPR-Light Approach
• Wisconsin AB 870, 871, 872
• Arizona HB 2729
• Minnesota SF 2912
• Virginia HB 473
Nevada Approach
• Florida SB 1670
• Louisiana HB 654
Idiosyncratic Approach
• New York Privacy Act S. 5642
• Vermont H. 899
• Rhode Island H. 7778
Washington State
Key Dates
• January 2019: Washington Privacy Act (SB 5376) introduced in Senate
• March 2019: Washington Privacy Act (SB 5376) passed in Senate
• January 2020: Washington Privacy Act (SB 6281) introduced in Senate
• February 2020: SB 6281 passed in Senate
• March 2020: SB 6281 passed in House
• August 2020: Senator Carlyle introduces 2021 discussion draft of Washington Privacy Act
The Battle in Washington State
August 2020 Draft Released by Sen. Carlyle
Factors | Content of Law
Personal Data Covered | Commercial/Employment exceptions
Transparency | Access and Portability Rights; Deletion
Sale/Disclosure Restrictions | Opt out of sale and processing for targeted advertising
Other Rights | Rights to correction; opt out of profiling that produces significant effects; sensitive data
Accountability | Data protection assessments
Other Features | Processor responsibilities; contact tracing/COVID privacy provisions
Enforcement | Initially AG only; no new PRA
Key Battlegrounds
Key Battleground Issues
• Enforcement, including private right of action
• Scope of personal information covered: How “identifying” is it? To whom? Application to employee and household data; exclusions for de-identified or pseudonymous data; exemptions for federally regulated entities
• Heightened concerns for sensitive data (e.g., children’s data, health data)
• Scope of rights with regard to sharing of data: rights with respect to targeted advertising; right to opt out of any disclosure of personal information
• Additional consumer rights (e.g., correction)
• “Other” issues (e.g., facial recognition, contact tracing)
• Distinguishing between “controllers”/businesses and “processors”/third parties or service providers
Data Broker Regulation
State | Key Elements | Status
Washington | Registration | HB 1503; House passed 87-11
Hawaii | Registration and opt-in consent for sale of browser information or geolocation data | HB 2572
Minnesota | Additional disclosures | SF 2912/HF 2917
ULC Process
Uniform Law Commission
ULC Timeline
• Winter/Spring 2020: Drafting sessions
• Summer 2020: First reading draft to full ULC
• Fall/Winter 2020, Spring 2021: Drafting sessions
• Summer 2021: Final draft to full ULC
• Summer 2022: Available for adoption by states
October Draft | Content of Law
Transparency | Privacy Policy
Consumer Rights | Copy, Correction
Use Restrictions | Compatible/Incompatible/Prohibited Data Practices
Accountability | Data Privacy and Security Assessments
Enforcement | AG, PRA
Other Features | Voluntary Consensus Standards
A Case Study: Oregon
Federal Interplay
Federal Developments
What Comes Next?
Coronavirus Impact
When States Are Back in Session
Timeline
• December 2020: CA, ME
• January 2021: AK, AZ, AR, CO, CT, DE, GA, HI, ID, IL, IN, IA, KS, KY, MD, MA, MI, MN, MI, MO, MT, NE, NH, NJ, NM, NY, NC, ND, OH, OR, PA, RI, SC, SD, TN, TX, UT, VT, VA, WA, WI, WY
• February 2021: AL, NV, OK, WV
• March 2021: FL
• April 2021: LA
Election Impact
States to Watch
Future Proofing Your Privacy Programs
What to expect:
• Right to opt out of any disclosures of PI
• Additional consumer rights, e.g., correction, profiling
• Additional protections for sensitive personal data
• Risk assessment requirements
Key uncertainties:
• Application to HR data and B2B data
• Broader right to restrict or opt out of processing PI
• Litigation risk
Part II: Other Privacy Topics
Contact Tracing and COVID
Other State Proposals
• Restrictions applicable to commercial entities and private employers
• Consent to collect health and location data for COVID-related purposes and right to revoke consent
• Requirement for officials to delete/destroy data after COVID-19 emergency
• Prohibit, or require opt-in for, sale
• Specific technical design requirements and policy limitations of Apple-Google Exposure Notification API
• Private right of action
New Laws in Kansas, South Carolina, and New York
• Govern data collection/use by public health officials and government
• Require that use of contact tracing apps is voluntary
• Purpose limitations against uses unrelated to COVID-19
• Enforcement by state attorneys general
Contact Tracing and COVID
June 16, 2020 letter to Apple and Google from more than 30 State Attorneys General urged:
• Verification of affiliation with public health authority (or affiliated hospital/university)
• Removal of apps without verified affiliation with public health authority
• Removal of all apps when COVID-19 national emergency ends (or explain decision not to remove)
[Map: 2020 Biometric Legislation. Legend: Existing Biometric Law; Introduced]
Litigation Risk
Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186
“[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”
Facial Recognition Technology
• Bans on city use of facial recognition technology: San Francisco; Boston
• Portland, OR: banned use of facial recognition technology by private companies in public areas
What Counts as Biometric?
• Common elements: DNA, retina or iris scan, fingerprint, voiceprint, hand or face geometry
• Tied to identifying an individual
• Exceptions: photographs, video/audio recording, health care, writing samples, human samples for scientific research
Internet of Things Legislative Proposals
Data Collection
• Requiring stickers on physical connected devices that gather data and transmit it to third parties (Washington)
• Prohibit smart speaker data from being used for ad purposes or shared with or sold to third parties (California)
Vehicle Data
• Would require disclosure of data recording devices in vehicles (New Jersey)
• Would provide owners ownership rights over vehicle data (Maryland)
• Would regulate collection or disclosure of precise geolocation generally (Maryland, New Jersey, Illinois, New Hampshire)
Reasonable Security Features
• Would require connected device manufacturers to equip devices with reasonable security features (Maryland)
Artificial Intelligence and Other Proposals
Bot Regulation
• Prohibiting deceptive uses of “bots” and requiring regulation of bot communications (Washington)
Miscellaneous Proposals
• Would require ISPs to keep personal information confidential and not disclose without consent (New York)
• Would require consent to share audio or video data with third parties (Minnesota)
• Would require search engines to remove content of minimal value upon request (Iowa)
• Would require social networking services to give users who close accounts the option of removal of personal information (Iowa)
Profiling
• Restricts AI-enabled profiling, including for businesses operating in public spaces (Washington)
Health and Genetics
Genetic Testing
• Provides that results of genetic tests are exclusive property of the individual (Arizona)
• Regulates companies that provide direct-to-consumer genetic testing (California, Washington, Illinois)
• Biometric proposal would require consent to process genetic data (South Carolina)
Online Activities
• Requires consent and security safeguards for websites that collect data that could infer health or medical condition (Wash.)
Data Security
• Would amend security and breach notice laws to include genetic test and activity tracking data (Maryland)
• In 2019, three states amended breach notice laws to cover biometric and/or health info (Arkansas, New York, Wash.)
State Data Breach Laws
• July 1, 2003: California’s data security breach notice law goes into effect
• 2012: 46 states, DC, Puerto Rico and Guam have adopted breach notice laws
• 2018: South Dakota and Alabama enact breach notice laws, becoming the last of the 50 states to enact such laws (and at least 6 other states strengthen laws)
• 2019 and 2020: Illinois, New York, Texas, Washington, and other states continue to strengthen breach notice laws
Breach Notification and Data Security
Data Breach Notification
• States have been expanding definitions of PII (e.g., biometric data, online account info).
• States increasingly require notification to the state Attorney General and other regulators.
• States have been implementing specific timing requirements for notification (e.g., 30 days, 45 days).
New York SHIELD Act
• Companies must develop, implement, and maintain reasonable safeguards
• Two primary means to achieve compliance: (1) comply with listed regulated frameworks (e.g., GLBA) or (2) implement a data security program with specific, enumerated elements
• Expands breach notification requirements
Questions?