State Privacy Law Workshop May 6, 2020 Libbie Canter, Kate Goodloe - - PowerPoint PPT Presentation



SLIDE 1

State Privacy Law Workshop

May 6, 2020
Libbie Canter, Kate Goodloe and Maggie Martin

SLIDE 2

Presenters

Libbie Canter, ECanter@cov.com
Kate Goodloe, kateg@bsa.org
Maggie Martin, maggie.martin@capitalone.com

SLIDE 3

Agenda

- Comprehensive Privacy Laws
  - Where Are We?
  - The Substance
  - The Battlegrounds
- Other Privacy Topics
  - Biometrics
  - IoT
  - Artificial Intelligence
  - Health and Genetic Privacy
  - Cybersecurity

SLIDE 4

Part I: Comprehensive Privacy Laws

SLIDE 5

Where Are We?

SLIDE 6

2019 Privacy Proposals

[Map of states; legend: Signed into law, Introduced, Passed one chamber, Task force or study formed]

SLIDE 7

2020 Privacy Proposals

[Map of states; legend: Introduced, Signed into law, Passed one or more chambers, Hearings held, Ballot initiative]

SLIDE 8

The Battle in Washington State

SLIDE 9

The Battle in Washington State

SLIDE 10

Coronavirus Impact

SLIDE 11

The Substance

SLIDE 12

Key Battleground Issues

- Enforcement, including private right of action
- Scope of personal information covered
  - How “identifying” is it? To whom?
  - Application to employee and household data
  - Exclusions for de-identified or pseudonymous data
  - Exemptions for federally regulated entities

SLIDE 13

Key Battleground Issues

- Scope of rights with regard to sharing of data
  - Rights with respect to targeted advertising
  - Right to opt out of any disclosure of personal information
- Additional consumer rights
- “Other” issues (e.g. facial recognition)
- Distinguishing between “controllers”/businesses and “processors”/third parties or service providers

SLIDE 14

Key Legislative Models

SLIDE 15

Minnesota HF 3096

Personal Data Covered: All state residents
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale
Other Rights: Non-discrimination
Accountability: (none)
Other Features: (none)
Enforcement: AG & PROA

SLIDE 16

New Hampshire HB 1680

Personal Data Covered: All state residents
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale (opt-in for minors)
Other Rights: (none)
Accountability: (none)
Other Features: (none)
Enforcement: AG only (except PRA for data breaches)

SLIDE 17

Connecticut SB 134

Personal Data Covered: All state residents
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale (opt-in for minors)
Other Rights: (none)
Accountability: (none)
Other Features: (none)
Enforcement: AG only (except PRA for data breaches)

SLIDE 18

Nebraska LB 746

Personal Data Covered: Employee/B2B exceptions
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale (opt-in for minors)
Other Rights: (none)
Accountability: (none)
Other Features: (none)
Enforcement: AG only

SLIDE 19

Illinois SB 3299 / HB 5603

Personal Data Covered: All state residents
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale
Other Rights: (none)
Accountability: (none)
Other Features: (none)
Enforcement: AG only

SLIDE 20

Arizona SB 1614

Personal Data Covered: All consumers when any aspect of commercial conduct takes place in AZ
Transparency: ✓ (but only if business sells data)
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale (opt-in for minors)
Other Rights: (none)
Accountability: (none)
Other Features: HCR 2013 expresses preference for federal standard
Enforcement: AG only (except PRA for data breaches)

SLIDE 21

Maryland SB 957

Personal Data Covered: Employee/B2B exceptions
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale and disclosure
Other Rights: (none)
Accountability: (none)
Other Features: (none)
Enforcement: AG, PRA (violation of CPA)

SLIDE 22

Illinois SB 2330

Personal Data Covered: Employee exception
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from sale and disclosures
Other Rights: ✓ Correction and opt out of processing
Accountability: Risk assessments
Other Features: (none)
Enforcement: AG only (except PRA for data breaches)

SLIDE 23

Massachusetts S. 120

Personal Data Covered: Narrow employee exception
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt-out from third-party disclosure
Other Rights: (none)
Accountability: (none)
Other Features: Prohibits disclosure of PI if a business knows/willfully disregards that the individual is under 18
Enforcement: AG enforcement & PRA

SLIDE 24

Florida SB 1670

Personal Data Covered: Employee/B2B exceptions
Transparency: ✓
Access Rights: ✓ (contemplated, but not clear)
Deletion: X
Sale/Disclosure Restrictions: ✓ Opt-out from sale
Other Rights: ✓ Correction right contemplated
Accountability: (none)
Other Features: (none)
Enforcement: Dep’t of Legal Affairs only (no PRA)

SLIDE 25

Louisiana HB 617, HB 654

Personal Data Covered: All state residents
Transparency: ✓
Access Rights: ✓
Deletion: X
Sale/Disclosure Restrictions: ✓ Opt-out from sale
Other Rights: ✓ Correction right contemplated
Accountability: (none)
Other Features: Restrictions on use of public records data for marketing/solicitations
Enforcement: DOJ only

SLIDE 26

Washington PSSB 6281

Personal Data Covered: Commercial/Employment exceptions
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt out of sale
Other Rights: ✓ Rights to correction; opt out of targeted advertising and profiling
Accountability: Data protection assessments
Other Features: Facial recognition regulation
Enforcement: Initially AG only; PRA added

SLIDE 27

Wisconsin AB 870, 871, 872

Personal Data Covered: All Wisconsin residents
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: Via right to restrict processing
Other Rights: ✓ Right to restrict processing and nondiscrimination
Accountability: Recordkeeping requirements
Other Features: Requires basis to process personal data; further limits sensitive personal data
Enforcement: AG only

SLIDE 28

Arizona HB 2729

Personal Data Covered: Employee/B2B exceptions
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt out of sale
Other Rights: ✓ Rights to correction; restriction of processing
Accountability: (none)
Other Features: (none)
Enforcement: AG only

SLIDE 29

Minnesota SF 2912

Personal Data Covered: Employee exception
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Objection to targeted advertising (includes sale)
Other Rights: ✓ Objection to processing, rectification, profiling
Accountability: Risk assessments
Other Features: (none)
Enforcement: AG only

SLIDE 30

Virginia HB 473

Personal Data Covered: Employee/B2B exceptions
Transparency: ✓
Access Rights: ✓
Deletion: ✓
Sale/Disclosure Restrictions: ✓ Opt out of sale for targeted ads
Other Rights: ✓ Rights to correction and to object to processing and/or targeted advertising
Accountability: Risk assessments
Other Features: (none)
Enforcement: Broad PRA

SLIDE 31

New York Privacy Act – S 5642

Personal Data Covered: Broad definition, but excludes employees and contractors
Transparency: ✓ Privacy notice
Consumer Rights: ✓ Access, Correction, Deletion, Restrict processing, Portability, Object to processing, Profiling restriction
Sales/Disclosure Restrictions: ✓ Opt-in (sale and processing)
Accountability: ✓ Likely an indirect requirement
Other Features: No minimum company revenue threshold, Fiduciary duty, Pass through
Enforcement: AG, PRA: injunction/damages (+ attorney’s fees)

SLIDE 32

Vermont H. 899

Personal Data Covered: Not clearly defined
Transparency: ✓ (must include monetary value of data)
Access Rights: X
Deletion: ✓ (social networking services only)
Sale/Disclosure Restrictions: X
Other Rights: (none)
Accountability: (none)
Other Features: Facial recognition restrictions
Enforcement: AG only

SLIDE 33

Rhode Island H. 7778

Personal Data Covered: All state residents
Transparency: ✓
Access Rights: X
Deletion: X
Sale/Disclosure Restrictions: X
Other Rights: X
Accountability: X
Other Features: (none)
Enforcement: AG only

SLIDE 34

Uniform Law Commission

ULC timeline:
- Winter/Spring 2020: Drafting sessions
- Summer 2020: First reading draft to full ULC
- Summer 2021: Final draft to full ULC
- Summer 2022: Available for adoption by states

SLIDE 35

Uniform Law Commission

Personal Data Covered: Excludes employees
Transparency: ✓ + “privacy commitment”
Consumer Rights: ✓ Access, Correction, Deletion, Confirmation of Processing
Sales/Disclosure Restrictions: Opt-out of targeted advertising, profiling
Accountability: Privacy impact assessments, privacy officers
Other Features: Duties of loyalty, data minimization, purpose limitation, nondiscrimination, data security
Enforcement: AG, PRA

SLIDE 36

Practical Implications

- Internet- and profile-based companies driving the legislative conversation. But do we want to create consumer dossiers where they don’t already exist?
- Outsourcing implications (cloud, CRM, ad agencies)
- Different incentives and risk balancing when faced with PRA versus AG enforcement.
- How broadly to apply exceptions?
- Resourcing choices?
- What does “do the right thing” mean?
- For national and international companies, a single standard is ideal

SLIDE 37

Future Proofing Your Privacy Programs

What to expect:
- Right to opt-out of any disclosures of PI
- Additional consumer rights, e.g., correction, profiling
- Additional protections for sensitive personal data
- Risk assessment requirements

Key uncertainties:
- Application to HR data and B2B data
- Broader right to restrict or opt-out of processing PI
- Litigation risk

SLIDE 38

Extraterritoriality: Deep Dive

- What are the limits on states’ ability to regulate interstate commerce?
  - Dormant Commerce Clause
  - Jurisdiction
- Other limits include:
  - Federal preemption
  - First Amendment

SLIDE 39

Other Notable Proposals

SLIDE 40

Data Broker Regulation

State; key elements; status:
- Washington: Registration (HB 1503; House passed 87-11)
- Hawaii: Registration and opt-in consent for sale of browser information or geolocation data (HB 2572)
- Minnesota: Additional disclosures (SF 2912/HF 2917)

SLIDE 41

CPRA Ballot Initiative Timeline

- October 9, 2019: Proposed CPRA submitted to AG with request for title and summary
- November 13, 2019: Amended version of ballot initiative filed
- December 17, 2019: AG issued official title and summary
- June 25, 2020: Deadline for qualification

Stages: Title/Summary (Department of Justice; 30-day comment period); Qualification (Secretary of State review; 623,212 signatures); Potential to challenge

SLIDE 42

California Privacy Rights Act of 2020

- Prohibits Selling or Sharing Personal Information
- Defines Sensitive Personal Information and Limits Its Use
- Creates Right to Correct Inaccurate Information
- Requires Disclosure of Profiling and “Logic” Involved in Some Contexts
- Prohibits Collection of Data of Children Under 16 Unless Collection Is Affirmatively Authorized

SLIDE 43

California Privacy Rights Act of 2020

- Creates a New Regulatory Agency to Enforce Consumers’ Rights
- Eliminates the 30-Day Cure Period
- Creates New Class of Regulated Entities (Contractors)
- Broadens Types of Personal Information Covered by Private Right of Action
- Limits Future Amendment

SLIDE 44

Part II: Other Privacy Topics

SLIDE 45

2019 Biometric Legislation

[Map of states; legend: Existing biometric law, Introduced, Passed one chamber]

SLIDE 46

2020 Biometric Legislation

[Map of states; legend: Existing biometric law, Introduced]

SLIDE 47

What Counts as Biometric?

- Common elements:
  - DNA, retina or iris scan, fingerprint, voiceprint, hand or face geometry
  - Tied to identifying an individual
- Exceptions:
  - Photographs, video/audio recording, health care, writing samples, human samples for scientific research

SLIDE 48

Reading the Tea Leaves

- How does one develop a compliance approach with respect to biometric data in light of the changing legal landscape?
- What is the risk profile for biometric data?

Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186:

“[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.”

SLIDE 49

Internet of Things Legislative Proposals

Data Collection
- Requiring stickers on physical connected devices that gather data and transmit it to third parties (Washington)
- Prohibiting smart speaker data from being used for ad purposes or shared with or sold to third parties (California)

Vehicle Data
- Would require disclosure of data recording devices in vehicles (New Jersey)
- Would provide owners ownership rights over vehicle data (Maryland)
- Would regulate collection or disclosure of precise geolocation generally (Maryland, New Jersey, Illinois, New Hampshire)

Reasonable Security Features
- Would require connected device manufacturers to equip devices with reasonable security features (Maryland)

SLIDE 50

Artificial Intelligence and Other Proposals

Bot Regulation
- Prohibiting deceptive uses of “bots” and requiring regulation of bot communications (Washington)

Miscellaneous Proposals
- Would require ISPs to keep personal information confidential and not disclose it without consent (New York)
- Would require consent to share audio or video data with third parties (Minnesota)
- Would require search engines to remove content of minimal value upon request (Iowa)
- Would require social networking services to give users who close accounts the option of removal of personal information (Iowa)

Profiling
- Restricts AI-enabled profiling, including for businesses operating in public spaces (Washington)

SLIDE 51

Health and Genetics

Genetic Testing
- Provides that results of genetic tests are the exclusive property of the individual (Arizona)
- Regulates companies that provide direct-to-consumer genetic testing (California, Washington, Illinois)
- Biometric proposal would require consent to process genetic data (South Carolina)

Online Activities
- Requires consent and security safeguards for websites that collect data that could infer a health or medical condition (Wash.)

Data Security
- Would amend security and breach notice laws to include genetic test and activity tracking data (Maryland)
- In 2019, three states amended breach notice laws to cover biometric and/or health info (Arkansas, New York, Wash.)

SLIDE 52

New York SHIELD Act – Data Security Provisions

- Covered entities: own/license computerized data that includes private information of NY residents
- Two main impacts on businesses:
  - Expands breach notification requirements
  - Requires businesses to maintain “reasonable safeguards” to protect “private information” of New York residents
- Enforcement: AG only

SLIDE 53

New York SHIELD Act – Data Security Provisions

- Must develop, implement, & maintain reasonable safeguards
- Two primary means to achieve compliance:
  - Comply with one of a list of regulatory frameworks (e.g., GLBA)
  - Implement a data security program with specific elements

Administrative safeguards:
- designating employees to coordinate the program
- identifying reasonably foreseeable internal and external risks
- assessing the sufficiency of safeguards in place; training
- service provider oversight and management
- adjusting the security program in light of changes

Technical safeguards:
- assessing risks in network and software design
- assessing risks in information processing, transmission, and storage
- detecting, preventing, and responding to attacks or system failures
- regularly testing and monitoring the effectiveness of key controls, systems, and procedures

Physical safeguards:
- assessing risks of information storage and disposal
- detecting, preventing, and responding to intrusions
- protecting against unauthorized access to or use of private information
- disposing of private information within a reasonable amount of time

SLIDE 54

Questions?