Privacy Landscape In A Flash Presentation

Privacy Landscape In A Flash by Shereen El Domeiri and Nicola Hobeiche

Why are data privacy laws important?

Mainly we need privacy laws for protection.

Most people don’t care about their personal information being out there until it’s too late.

Others simply assume their data is safe, but data breaches and improper handling of data can have disastrous consequences.

The current federal privacy laws we have are few and far between – we will take you through the current ones in the next slide.  (These include the Privacy Act of 1974, the FTC Act, the GLBA, the FCRA, HIPAA, FERPA, and COPPA.)

  1. Efforts at the federal level to pass comprehensive US privacy legislation have been going on for years. Dozens of bills have worked their way through Congress.
  2. Two of the most contentious and closely watched issues in the federal privacy law debate are (1) whether a bill would preempt state law and (2) whether a bill would provide a private right of action.
  3. The IAPP website (www.iapp.org) has a great US federal privacy legislation tracker you can reference. It includes a consumer privacy tracker (23 bills), a health privacy tracker (13 bills), a financial privacy tracker (8 bills), a children’s and educational privacy tracker (5 bills), an FTC authority and enforcement tracker (7 bills), a government restrictions and obligations tracker (11 bills), and a cybersecurity tracker (2 bills).

For state legislation, we have five states with comprehensive privacy laws that have passed and are either already in effect (like CA) or coming into effect in 2023. Businesses dealing in personal information need to be preparing for these now to the extent they conduct business in those states.


The current federal privacy laws we have are few and far between – we will take you through the current ones here shortly.  (These include the Privacy Act of 1974, the FTC Act, the GLBA, the FCRA, HIPAA, FERPA, and COPPA.)

  • Overview of the current laws from the 1970s – 1990s (no major updates since the 1990s)
  • GLBA – financial services
  • HIPAA – healthcare
  • FCRA – consumer credit reporting/consumer protection
  • DPPA – personal information in state motor vehicle (DMV) records
  • COPPA – children’s privacy
  • FERPA – family educational rights


American Data Privacy and Protection Act (ADPPA) (NH)

  • Currently pending comprehensive federal privacy bill
  • Key points
  • California is opposed to preemption, since the bill would override stronger state laws like the CCPA/CPRA

COPPA (SE)

  • 5/19/2022 the FTC issued a policy statement regarding increased scrutiny under COPPA, specifically with regard to limits on collection, use and retention of children’s data and to security requirements
  • The FTC has also put out several guidance statements for ed tech in particular, after the pandemic shifted many students online and increased the amount of children’s data being shared
  • 7/27/2022 a Senate committee approved new bills to move forward
  • COPPA update & Kids Online Safety Act (KOSA)
  • The major update to COPPA is the Children and Teens’ Online Privacy Protection Act, which extends the law’s protections to children through age 17.
  • “This bill would close a loophole that has been allowing companies to abuse the data of children with little accountability.”
  • KOSA features a duty of loyalty clause requiring technology companies to prevent harm to minors while mandating more transparency in their algorithms for users and researchers.

GLBA new Safeguards Rule

  • 10/27/2021 the FTC issued an amended Safeguards Rule for financial institutions focused on cybersecurity safeguards to protect customer data. It requires designating a single Qualified Individual responsible for the information security program, who must report in writing to the board at least annually, and it spells out specific controls such as multi-factor authentication, encryption of customer information, and access controls.

Data Transfer Agreement w/EU

  • U.S. and EU are again trying to formulate a data transfer agreement that will meet the privacy requirements of Europeans under the GDPR
  • Current status  = will talk through current status later in the presentation

Protecting Americans’ Data From Foreign Surveillance Act of 2022 (SE)

  • This bill centers around restricting data transfers to “high risk countries,” i.e. China
  • Export control law – this bill gives the Secretary of Commerce authority over exports of U.S. personal data
  • The Secretary will compile lists of high-risk and low-risk countries
  • For countries not on the low-risk list, export licenses will be required
  • Recent breach of the U.S. court system
  • OPM breach (disclosed in 2015)

Are you doing business here?

Then you should be following this and helping guide your client on steps they should be taking. 

CA – updates effective 1/2023

  • CPRA includes a 12-month look-back period, which requires businesses to respond to consumer requests based on information collected during the preceding 12 months – including back to Jan. 1, 2022, “unless doing so proves impossible or would involve a disproportionate effort.”
  • Impacts any information a business collects, uses, or shares.
  • Businesses must also disclose the length of time they intend to retain each category of information they collect from a consumer.
  • Businesses must also provide a robust notice of their collection of sensitive data and an opportunity for consumers to opt out of the sale or sharing of that data.

VA – comes into effect 1/2023 

  • Similarities/differences with CA law – USE Chart on Slide 8
  • VCDPA does not include a revenue threshold for applicability. Instead, businesses that conduct business in Virginia or provide products or services that are targeted to Virginia residents are subject to the VCDPA

Several requirements under the VCDPA, ColoPA, and CPRA turn on whether the business processes “sensitive” data.

Under the VCDPA and ColoPA, companies cannot process sensitive data without obtaining affirmative consent from the consumer. An email is not enough and a click-wrap agreement is not enough – it has to be affirmative and a true opt-in.

CO & CT – effective date 7/1/2023

  • Similarities and differences w/CA Law – USE chart on Slide 8
  • CTDPA applies to entities that (i) conduct business in Connecticut or produce products or services targeted to Connecticut residents, and (ii) during the preceding calendar year, either processed the personal data of at least 100,000 Connecticut residents or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of their gross revenue from the “sale” of personal data.
  • CPA applies to companies that conduct business in Colorado, or deliver commercial products or services that intentionally target Colorado residents, when the company processes data of at least 100,000 consumers or derives revenue from the sale of personal data of at least 25,000 consumers each year.

UT – effective date 12/31/2023

  • Similarities and differences w/CA law – use chart on slide 8
  • UCPA applies to businesses involved in data processing that conduct business in Utah or produce a product or service that is targeted to Utah residents if the business has an annual revenue of $25 million or more in the preceding calendar year and either: (i) controls or processes personal data of 100,000 or more consumers a year or (ii) processes personal data of 25,000 or more consumers and derives over 50% of the entity’s gross revenue from the sale of personal data.

These are states to watch. 

They are all in committee right now. 

But a good resource to track and see how the states are progressing on their consumer privacy bills.

If your company is operating in these states and is dealing in personal or sensitive data, this should be on your radar. 

These are the upcoming deadlines

We will provide with takeaways at the end to help guide you on what you need to be doing between now and the end of the year. If you haven’t started, it should be the first thing you do when you get back to your offices.  

For the federal bills, it’s just a matter of continuing to watch all the bills.

The question is whether anything is going to happen between now and the end of the year, but I have little faith that it will.  From an efficiency perspective, businesses would benefit from a consistent standard – if you are preparing for these new state laws already, then you know it’s a struggle trying to figure out which standard to meet and whether your strategies check the box for all the requirements. 

For CCPA,

many businesses were implementing manual processes – you hear of companies having dedicated persons responding to data requests, but with the additional state laws being implemented, manual is no longer manageable and companies need to be talking about implementing technology and partnering with third party vendors to streamline processes for responding to requests and making sure it’s tailored state by state.  

As you can see from this map, we are a big yellow blob on the map in a sea of blue.  

Even developing countries understand the importance of privacy laws in today’s age.

That said, there are some countries that recognize privacy but have yet to implement mechanisms to protect it (e.g., India) and they may only protect it in certain circumstances (like the US) and certain sectors/certain types of data.  

Perspective: the difference between EU and the US when it comes to privacy is that in EU it is a human right. That’s not the case in the US – the US approach is more on the consumer protection side but not necessarily a human right (great example is the ruling of Dobbs and the impacts it has on precedence involving the privacy of individuals – all genders).

Dobbs: Biden statement on human rights – Kansas is the first state (this week) to vote on abortion laws and waiting to see how that impacts privacy rights as well. There are a lot of businesses in health care and a lot of health related apps. Health and Human Services issued a statement as well on this point. 

EU/US Data Transfer Agreements: 

  • The U.S. and EU have been working for a year to replace the Privacy Shield (which had itself replaced Safe Harbor), which was invalidated in July 2020
  • Meta had even said it may shut down Facebook and Instagram in Europe over the uncertainty surrounding EU/US data flows.
  • The new agreement will “enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties” (but few details have been released). It will most likely get challenged, and Schrems is gearing up to push on it and challenge it (human right vs. not a human right, and two jurisdictions with very different approaches)

GDPR:

Standard contractual clauses are considered one of the best ways to implement safeguards around protecting data being sent outside the EU to the same standard as the GDPR.

  • The new version was created after GDPR and better aligns with its requirements.
  • The new version covers a larger range of different types of transfers (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller).
  • The new version’s clauses work as a data processing agreement (they now include all the items that need to be put in place between a controller and processor for data processing).
  • They also provide extra protections regarding local laws and access by public authorities (and give guidance on how to work through those requests).

UK:

The Children’s Code (Age Appropriate Design Code) came into full effect Sept. 2, 2021

  • includes 15 age-appropriate design standards that covered entities must adopt and implement
  • applies to services likely to be accessed by children under the age of 18, even if those services are not targeted at children
  • includes ANY online service (really broad and covers all types of media)

AI legislation currently pending

  • The U.K. government is proposing a second set of rules and regulations for AI and machine learning. Part of its national strategy on AI, the new AI proposals are meant to live alongside the data protection bill and involve regulators like Ofcom and the Competition and Markets Authority
  • AI proposal features six core principles: ensure AI is used safely, that it’s technically secure as designed, transparent and explainable, considers fairness, identifies “a legal person to be responsible for AI,” and clarifies avenues for redress.

India:

  1. In 2017, the Supreme Court of India affirmed that the constitution includes a right to privacy, but since that time it’s been a struggle to get anything passed and implemented. There is currently no law protecting the personal data of Indian citizens. They are aligning with the EU – privacy is treated as a human right. The US continues to be the outlier.

China:

In Nov. 2021, China’s first national privacy law (the PIPL) came into effect. It mirrors GDPR but is stricter in a few respects. The focus is on protecting citizens’ data inside China – more of a protection regime than an individual human right. It’s designed to protect the government’s interests as much as those of individual citizens.

Canada:

Foreign nationals outside Canada can now request their personal data held by federal government institutions under Canada’s Privacy Act, according to the Office of the Privacy Commissioner. As of July 13, 2022, Privacy Act Extension Order No. 3 gives foreign nationals abroad the same access rights already held by Canadian citizens and permanent residents, federal inmates, and anyone else physically located in Canada. Previously, foreign citizens had to hire a third party in Canada to make a request on their behalf.

Children’s privacy:

Research examining the default settings and terms and conditions offered to minors by social media giants TikTok, WhatsApp and Instagram across 14 different countries, including the U.S., Brazil, Indonesia and the U.K., found that the three platforms do not offer the same level of privacy and safety protections for children across all the markets where they operate. The level of protection minors receive on a service can depend on where in the world they happen to live. Notably, children in the global south and certain other regions were found to be exposed to more manipulative design than children in Europe, where legal frameworks have already been enacted to protect their online experience, requiring data processors to take extra care to bake in protections when services process minors’ information, with the risk of major fines for non-compliance.

TikTok

  • $92M settlement approved in a class action over data protection, the Video Privacy Protection Act, and the Illinois Biometric Information Privacy Act (BIPA).
  • Among other mandates, TikTok must refrain from using its app to collect, store or transmit users’ biometric data, geolocation data and clipboard contents unless the company discloses that it does so in its privacy policy.

Snapchat

  • Class action lawsuit for violations of Illinois BIPA – facial scan issue
  • Note other BIPA class actions currently pending against Amazon and Clearview AI (which has already been fined in the UK for facial recognition tech violations)

ED Tech crackdown:

Statement 5/19 and new COPPA enhancements

FTC data protection actions:

Recent FTC orders specify the types of security measures that must be taken, e.g. multi-factor authentication (MFA) and other technical safeguards to prevent unauthorized access such as firewalls, as well as data minimization requirements.

  • CafePress settlement 5/2022 – privacy and data security practices considered together instead of as distinct concerns (a long-held push by Commissioner Slaughter)
  • Zoom 2020 settlement – focused on data security
  • SkyMed & Ascension Data

GDPR:

Italy

  • Uber case – Italy’s DPA fined Uber €4.2M for data processing violations: it processed users’ personal data without consent and without notifying the supervisory authority. Approx. 57 million users were affected.

Ireland – WhatsApp/Meta/Twitter

  • Twitter fined €450,000 because it failed to notify the regulator within 72 hours of discovering a breach. The fine was notable because it was the first time a US tech giant had been hit with a GDPR fine in a cross-border case, meaning one in which the Irish regulator consulted its EU counterparts as part of the decision. The investigation was headed by Ireland’s DPC because Ireland is where Twitter’s international headquarters are based.
  • Meta (Instagram) – the Irish DPC is considering a large fine for Meta over children’s privacy violations.
  • WhatsApp – Sweden and Ireland are leading a CPC Network inquiry into WhatsApp’s business model and revenue stream related to users’ personal data and concerns of unfair practices relating to updates of its terms of service. Two letters have been sent requesting clarification about the following:
    • How WhatsApp ensures that consumers can understand the consequences of accepting the updated terms of service;
    • How WhatsApp uses consumers’ personal data for commercial purposes and whether consumers understand that WhatsApp shares this data with other Facebook/Meta companies or third parties;
    • How WhatsApp ensures that consumers can reject the new terms of service, especially as persistent in-app notifications prompt consumers to accept the respective changes;
    • Which measures WhatsApp intends to take concerning those consumers who have already accepted the updated terms of service on the false presumption that this was required to be able to continue using the application.

Brazil:

Large consumer protection settlement for fraudulent and abusive financial practices and improper use of elderly consumer data

India:

Challenges being brought: The Criminal Procedure (Identification) Act 2022, passed on April 18, has been challenged via a public interest litigation filed in the Delhi High Court.

The basic contention is that the act enables law enforcement to collect personal data like finger, palm-print and footprint impressions, photographs, iris and retina scans, physical and biological samples, as well as behavioral attributes like signatures, handwriting and the like from a large section of people, including prisoners, arrested persons and detainees in the course of an investigation, and persons in protection homes. The earlier law limited the data that could be collected to fingerprints, footprints and photographs.

  • But India is stalled on a data protection law that would address these issues, and more surveillance-type tech is entering everyday life, such as facial recognition tech in railways.
  • There is also a fresh controversy regarding Tata Group, which launched its “super app” that collects users’ personal information to be used by all entities in the group, including for making offerings to consumers, without consent.

Mexico:

Mexico’s Supreme Court ruled on Monday that a plan to create a national cellphone user registry with biometric data, which would have included fingerprints or eye biometrics, is unconstitutional.

Turkey:

  • Issuing fines to WhatsApp regarding its new terms of service and lack of consent.
  • Rental car case – Turkish DPA decision regarding rental car companies retaining “blacklist” consumer data. The ruling stated that personal data cannot be processed without explicit consent, except in exceptional cases, and that data controllers should take all necessary technical and administrative measures to ensure the appropriate level of security in order to process personal data in accordance with the DP Law and ensure the security of personal data.

Steps to take in preparation for these upcoming law implementations:

  1. Digitally map and track data
  2. Implement a data retention (or destruction) schedule
  3. Determine whether sensitive data is being processed (sensitive data can include religious beliefs, ethnicity, mental health status, genetics, biometric data, etc.). Companies should also determine the collection points of sensitive data and implement means for consumers to affirmatively consent to the processing (or, for CCPA, to opt out).
  4. Assess the need to complete data protection impact assessments. If a company uses consumer data for sensitive or risky activities (like targeted advertising), sells consumers’ personal data, or profiles consumers, then the company must conduct a data protection assessment. (These are also required under GDPR, so if you are doing them there, it’s easy to also comply here and expand the current assessment protocol to cover this new requirement.) Note that under VA and CO, the state attorneys general can request a copy and evaluate it for compliance. And under CPRA, companies will likely be required to submit their assessments to the California Privacy Protection Agency “on a regular basis.”
  5. Design an appeals process for data requests. Both VA and CO require (1) that companies create a process for consumers to appeal any refusal to provide collected data, (2) that the appeals process be conspicuously available and easy to use, and (3) that the appeals process have fixed time periods within which the company must respond.
  6. Add an opt-out option for profiling and targeted advertising. Beginning in 2023, businesses will have to provide consumers with the right to opt out of profiling and targeted advertising.
    • Profiling is defined as “any form of automated processing” of personal data used to evaluate, analyze, or predict personal aspects of an identified or identifiable person (such as economic situation, health, preferences, behavior, or location).
    • Targeted advertising is defined as displaying an ad to a consumer that is selected based on the consumer’s personal data obtained from a non-affiliated website.
  7. Review contracts with third parties with whom you share data.
    • Under CO and VA, all data processing must be governed by a binding written contract that sets out the instructions by which the processor is bound; the types of personal data subject to the processing and the duration of processing; the processor’s duty to delete or return all personal data; the processor’s duty to provide all information to the controller necessary to demonstrate compliance with CO and VA law; a requirement that processors allow for and contribute to reasonable audits and inspections by the controller; and the processor’s duty to ensure each person processing the personal data is subject to a duty of confidentiality.

Copyright 2021 - 2024 Domeiri, PLLC.  All rights reserved.