State Privacy Law Workshop

October 21, 2020

Libbie Canter, Kate Goodloe, Kristen Hilton and Tanya Madison


Presenters

• Libbie Canter, Covington & Burling LLP

• Kate Goodloe, BSA | The Software Alliance

• Kristen Hilton, Oregon Department of Justice

• Tanya Madison, Aristocrat Technologies


Agenda

Comprehensive Privacy Laws
• Where Are We?
• Key Battlegrounds
• Case Study: Oregon
• What Comes Next?

Other Privacy Topics – Legislation and Enforcement
• Contact Tracing and COVID
• Biometrics
• IoT
• Artificial Intelligence
• Health and Genetic Privacy
• Cybersecurity


Part I: Comprehensive Privacy Laws


CCPA and CPRA


Key Dates

June 2018: Ballot initiative qualifies for state-wide vote

June 2018: Governor signs compromise statute

September 2019: Substantive amendments

January 1, 2020: CCPA takes effect

July 2020: Attorney General enforcement begins

August 2020: AG regulations finalized and take effect

November 2020: Ballot initiative 2.0


New Consumer Rights Under the CCPA

CCPA Rights:
• Transparency
• Portability
• Access
• Deletion
• Non-Discrimination
• Sale


CPRA Ballot Initiative Timeline

• October 9, 2019: Proposed CPRA submitted to AG with request for title and summary
• November 13, 2019: Amended version of ballot initiative filed
• December 17, 2019: AG issued official title and summary
• June 25, 2020: Deadline for Qualification

Title / Summary: Department of Justice; 30-day comment period

Qualification: Secretary of State review (623,212 signatures)

Potential To Challenge


California Privacy Rights Act of 2020

Prohibits Selling or Sharing Personal Information

Defines Sensitive Personal Information and Limits Its Use

Creates Right to Correct Inaccurate Information

Requires Disclosure of Profiling and “Logic” Involved In Some Contexts

Prohibits Collection of Data of Children Under 16 Unless Collection Is Affirmatively Authorized


California Privacy Rights Act of 2020

Creates a New Regulatory Agency to Enforce Consumers’ Rights

Eliminates the 30-Day Cure Period

Creates New Class of Regulated Entities (Contractors)

Broadens Types of Personal Information Covered By Private Right of Action

Limits Future Amendment


Nevada


Nevada Approach

Scope
• Applies only to operators of Internet websites and online services

Sale
• Narrower opt out right (requires monetary consideration; narrow scope of information)
• No opt-in requirements, regardless of age
• Opt-out requests can be processed by email, telephone, or website

DSRs
• No right to access, data portability, deletion, or non-discrimination


Other States


2019 Privacy Proposals

[Map of state privacy proposals. Legend: Signed into law; Introduced; Passed one chamber; Task force or study formed]


2020 Privacy Proposals

[Map of state privacy proposals. Legend: Introduced; Signed into law; Passed one or more chamber; Hearings held; Ballot initiative]


Key Legislative Models


Examples of States Basing Proposals off CCPA Framework

CCPA-Like Approach
• Arizona SB 1614
• Connecticut SB 134
• Illinois SB 3299/HB 5603
• Minnesota HF 3096
• Nebraska LB 746
• New Hampshire HB 1680

CCPA-Plus Approach*
• Illinois SB 2330
• Maryland SB 937
• Massachusetts S. 120*

*Right to opt out of “disclosure” of personal information and expansive private right of action


Other Proposals

GDPR-Light Approach
• Wisconsin AB 870, 871, 872
• Arizona HB 2729
• Minnesota SF 2912
• Virginia HB 473

Nevada Approach
• Florida SB 1670
• Louisiana HB 654

Idiosyncratic Approach
• New York Privacy Act S. 5642
• Vermont H. 899
• Rhode Island H. 7778


Washington State


Key Dates

January 2019: Washington Privacy Act (SB 5376) introduced in Senate

March 2019: Washington Privacy Act (SB 5376) passed in Senate

January 2020: Washington Privacy Act (SB 6281) introduced in Senate

February 2020: SB 6281 passed in Senate

March 2020: SB 6281 passed in House

August 2020: Senator Carlyle introduces 2021 discussion draft of Washington Privacy Act


The Battle in Washington State


August 2020 Draft Released by Sen. Carlyle

Factors and Content of Law:
• Personal Data Covered: Commercial/Employment exceptions
• Transparency
• Access and Portability Rights
• Deletion
• Sale/Disclosure Restrictions: Opt out of sale and processing for targeted advertising
• Other Rights: Rights to correction; opt out of profiling that produces significant effects; sensitive data
• Accountability: Data protection assessments
• Other Features: Processor responsibilities; contact tracing/COVID privacy provisions
• Enforcement: Initially AG only; no new PRA


Key Battlegrounds


Key Battleground Issues

• Enforcement, including private right of action
• Scope of personal information covered
• How “identifying” is it? To whom?
• Application to employee and household data
• Exclusions for de-identified or pseudonymous data
• Exemptions for federally regulated entities
• Heightened concerns for sensitive data (e.g., children’s data, health data)


Key Battleground Issues

• Scope of rights with regard to sharing of data
• Rights with respect to targeted advertising
• Right to opt out of any disclosure of personal information
• Additional consumer rights (e.g. correction)
• “Other” issues (e.g. facial recognition, contact tracing)
• Distinguishing between “controllers”/businesses and “processors”/third parties or service providers


Data Broker Regulation

• Washington. Key elements: Registration. Status: HB 1503; House passed 87-11
• Hawaii. Key elements: Registration and opt-in consent for sale of browser information or geolocation data. Status: HB 2572
• Minnesota. Key elements: Additional disclosures. Status: SF 2912/HF 2917


ULC Process


Uniform Law Commission

ULC – Timeline
• Winter/Spring 2020: Drafting sessions
• Summer 2020: First reading draft to full ULC
• Fall/Winter 2020, Spring 2021: Drafting sessions
• Summer 2021: Final draft to full ULC
• Summer 2022: Available for adoption by states


Uniform Law Commission

October Draft: Content of Law
• Transparency: Privacy Policy
• Consumer Rights: Copy, Correction
• Use Restrictions: Compatible/Incompatible/Prohibited Data Practices
• Accountability: Data Privacy and Security Assessments
• Enforcement: AG, PRA
• Other Features: Voluntary Consensus Standards


A Case Study: Oregon


A Case Study: Oregon


Federal Interplay


Federal Developments


What Comes Next?


Coronavirus Impact


When States are Back in Session

Timeline
• December 2020: CA, ME
• January 2021: AK, AZ, AR, CO, CT, DE, GA, HI, ID, IL, IN, IA, KS, KY, MD, MA, MI, MN, MI, MO, MT, NE, NH, NJ, NM, NY, NC, ND, OH, OR, PA, RI, SC, SD, TN, TX, UT, VT, VA, WA, WI, WY
• February 2021: AL, NV, OK, WV
• March 2021: FL
• April 2021: LA


Election Impact


States to Watch


Future Proofing Your Privacy Programs

What to expect:
• Right to opt-out of any disclosures of PI
• Additional consumer rights, e.g., correction, profiling
• Additional protections for sensitive personal data
• Risk assessment requirements

Key uncertainties:
• Application to HR data and B2B data
• Broader right to restrict or opt-out of processing PI
• Litigation risk


Part II: Other Privacy Topics


Contact Tracing and COVID

Other State Proposals
• Restrictions applicable to commercial entities and private employers
• Consent to collect health and location data for COVID-related purposes and right to revoke consent
• Requirement for officials to delete/destroy data after COVID-19 emergency
• Prohibit, or require opt-in for, sale
• Specific technical design requirements and policy limitations of Apple-Google Exposure Notification API
• Private right of action

New Laws in Kansas, South Carolina, and New York
• Govern data collection/use by public health officials and government
• Require that use of contact tracing apps is voluntary
• Purpose limitations against uses unrelated to COVID-19
• Enforcement by state attorneys general


Contact Tracing and COVID


June 16, 2020 Letter to Apple and Google from more than 30 State Attorneys General urged:

• Verification of affiliation with public health authority (or affiliated hospital/university)

• Removal of apps without verified affiliation with public health authority

• Removal of all apps when COVID-19 national emergency ends (or explain decision not to remove)


2020 Biometric Legislation

[Map of state biometric legislation. Legend: Existing Biometric Law; Introduced]


Litigation Risk


Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186

“[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”


Facial Recognition Technology

Bans on city use of facial recognition technology
• San Francisco
• Boston

Portland, OR: banned use of facial recognition technology by private companies in public areas


What Counts as Biometric?

• Common elements: DNA, retina or iris scan, fingerprint, voiceprint, hand or face geometry
• Tied to identifying an individual
• Exceptions: Photographs, video/audio recording, health care, writing samples, human samples for scientific research


Internet of Things Legislative Proposals

Data Collection
• Requiring stickers on physical connected devices that gather data and transmit it to third parties (Washington)
• Prohibit smart speaker data from being used for ad purposes or shared with or sold to third parties (California)

Vehicle Data
• Would require disclosure of data recording devices in vehicles (New Jersey)
• Would provide owners ownership rights over vehicle data (Maryland)
• Would regulate collection or disclosure of precise geolocation generally (Maryland, New Jersey, Illinois, New Hampshire)

Reasonable Security Features
• Would require connected device manufacturers to equip devices with reasonable security features (Maryland)


Artificial Intelligence and Other Proposals

Bot Regulation
• Prohibiting deceptive uses of “bots” and requiring regulation of bot communications (Washington)

Miscellaneous Proposals
• Would require ISPs to keep personal information confidential and not disclose without consent (New York)
• Would require consent to share audio or video data with third parties (Minnesota)
• Would require search engines to remove content of minimal value upon request (Iowa)
• Would require social networking services to give users who close accounts option of removal of personal information (Iowa)

Profiling
• Restricts AI-enabled profiling, including for businesses operating in public spaces (Washington)


Health and Genetics

Genetic Testing
• Provides that results of genetic tests are exclusive property of the individual (Arizona)
• Regulates companies that provide direct-to-consumer genetic testing (California, Washington, Illinois)
• Biometric proposal would require consent to process genetic data (South Carolina)

Online Activities
• Requires consent and security safeguards for websites that collect data that could infer health or medical condition (Wash.)

Data Security
• Would amend security and breach notice laws to include genetic test and activity tracking data (Maryland)
• In 2019, three states amended breach notice laws to cover biometric and/or health info (Arkansas, New York, Wash.)


State Data Breach Laws

• July 1, 2003: California’s data security breach notice law goes into effect
• 2012: 46 states, DC, Puerto Rico and Guam have adopted breach notice laws
• 2018: South Dakota and Alabama enact breach notice laws, becoming last of 50 states to enact such laws (and at least 6 other states strengthen laws)
• 2019 and 2020: Illinois, New York, Texas, Washington, and other states continue to strengthen breach notice laws


Breach Notification and Data Security


Data Breach Notification

States have been expanding definitions of PII (e.g., biometric data, online account info).

States increasingly require notification to state Attorney General and other regulators.

States have been implementing specific timing requirements for notification (e.g., 30 days, 45 days).

New York Shield Act

Companies must develop, implement, and maintain reasonable safeguards

Two primary means to achieve compliance: (1) comply with listed regulated frameworks (e.g., GLBA) or (2) implement a data security program with specific, enumerated elements

Expands breach notification requirements


Questions?
