State Privacy Law Workshop May 6, 2020 Libbie Canter, Kate Goodloe and Maggie Martin
Presenters: Libbie Canter (ECanter@cov.com), Kate Goodloe (kateg@bsa.org), Maggie Martin (maggie.martin@capitalone.com)
Agenda
Comprehensive Privacy Laws: Where Are We?; The Substance; The Battlegrounds
Other Privacy Topics: Biometrics; IoT; Artificial Intelligence; Health and Genetic Privacy; Cybersecurity
Part I Comprehensive Privacy Laws
Where Are We?
2019 Privacy Proposals (map legend: Introduced; Passed one chamber; Task force or study formed; Signed into law)
2020 Privacy Proposals (map legend: Introduced; Passed one or more chamber; Hearings held; Signed into law; Ballot initiative)
The Battle in Washington State
Coronavirus Impact
The Substance
Key Battleground Issues:
Enforcement, including private right of action
Scope of personal information covered
How “identifying” is it? To whom?
Application to employee and household data
Exclusions for de-identified or pseudonymous data
Exemptions for federally regulated entities
Key Battleground Issues:
Scope of rights with regard to sharing of data
Rights with respect to targeted advertising
Right to opt out of any disclosure of personal information
Additional consumer rights
“Other” issues (e.g. facial recognition)
Distinguishing between “controllers”/businesses and “processors”/third parties or service providers
Key Legislative Models
Minnesota HF 3096 Factors Content of Law Personal Data Covered All state residents Transparency Access Rights Deletion Opt-out from sale Sale/Disclosure Restrictions Other Rights Non-discrimination Accountability Other Features Enforcement AG & PROA
New Hampshire HB 1680 Factors Content of Law Personal Data Covered All state residents Transparency Access Rights Deletion Opt-out from sale (opt-in for minors) Sale/Disclosure Restrictions Other Rights Accountability Other Features Enforcement AG only (except PRA for data breaches)
Connecticut SB 134 Factors Content of Law Personal Data Covered All state residents Transparency Access Rights Deletion Opt-out from sale (opt-in for minors) Sale/Disclosure Restrictions Other Rights Accountability Other Features Enforcement AG only (except PRA for data breaches)
Nebraska LB 746 Factors Content of Law Personal Data Covered Employee/B2B exceptions Transparency Access Rights Deletion Opt-out from sale (opt-in for minors) Sale/Disclosure Restrictions Other Rights Accountability Other Features Enforcement AG only
Illinois SB 3299/ HB 5603 Factors Content of Law Personal Data Covered All state residents Transparency Access Rights Deletion Opt-out from sale Sale/Disclosure Restrictions Other Rights Accountability Other Features Enforcement AG only
Arizona SB 1614 Factors Content of Law Personal Data Covered All consumers when any aspect of commercial conduct takes place in AZ (but only if business sells data) Transparency Access Rights Deletion Opt-out from sale (opt-in for minors) Sale/Disclosure Restrictions Other Rights Accountability Other Features HCR 2013 expresses preference for federal standard Enforcement AG only (except PRA for data breaches)
Maryland SB 957 Factors Content of Law Personal Data Covered Employee/B2B exceptions Transparency Access Rights Deletion Opt-out from sale and disclosure Sale/Disclosure Restrictions Other Rights Accountability Other Features Enforcement AG, PRA (violation of CPA)
Illinois SB 2330 Factors Content of Law Personal Data Covered Employee exception Transparency Access Rights Deletion Opt-out from sale and disclosures Sale/Disclosure Restrictions Correction and opt out of processing Other Rights Accountability Risk assessments Other Features Enforcement AG only (except PRA for data breaches)
Massachusetts S. 120 Factors Content of Law Personal Data Covered Narrow Employee Exception Transparency Access Rights Deletion Opt-out from third-party disclosure Sale/Disclosure Restrictions Other Rights Accountability Other Features Prohibits disclosure of PI if a business knows/willfully disregards under 18 Enforcement AG Enforcement & PRA
Florida SB 1670 Factors Content of Law Personal Data Covered Employee/B2B exceptions Transparency (contemplated, but not clear) Access Rights Deletion X Opt-out from sale Sale/Disclosure Restrictions Correction right contemplated Other Rights Accountability Other Features Enforcement Dep’t of Legal Affairs only (no PRA)
Louisiana HB 617, HB 654 Factors Content of Law Personal Data Covered All state residents Transparency Access Rights Deletion X Opt-out from sale Sale/Disclosure Restrictions Correction right contemplated Other Rights Accountability Other Features Restrictions on use of public records data for marketing/solicitations Enforcement DOJ only
Washington PSSB 6281 Factors Content of Law Personal Data Covered Commercial/Employment exceptions Transparency Access Rights Deletion Opt out of sale Sale/Disclosure Restrictions Other Rights Rights to correction; opt out of targeted advertising and profiling Accountability Data protection assessments Other Features Facial recognition regulation Enforcement Initially AG only; PRA added
Wisconsin AB 870, 871, 872 Factors Content of Law Personal Data Covered All Wisconsin residents Transparency Access Rights Deletion Sale/Disclosure Restrictions Via right to restrict processing Other Rights Right to restrict processing and nondiscrimination Accountability Recordkeeping requirements Other Features Requires basis to process personal data; further limits sensitive personal data Enforcement AG only
Arizona HB 2729 Factors Content of Law Personal Data Covered Employee/B2B exceptions Transparency Access Rights Deletion Opt out of sale Sale/Disclosure Restrictions Other Rights Rights to correction; restriction of processing Accountability Other Features Enforcement AG only
Minnesota SF 2912 Factors Content of Law Personal Data Covered Employee exception Transparency Access Rights Deletion Sale/Disclosure Restrictions Objection to targeted advertising (includes sale) Other Rights Objection to Processing, Rectification, Profiling Accountability Risk Assessments Other Features Enforcement AG only
Virginia HB 473 Factors Content of Law Personal Data Covered Employee/B2B exceptions Transparency Access Rights Deletion Opt out of sale for targeted ads Sale/Disclosure Restrictions Other Rights Rights to correction and to object to processing and/or targeted advertising Accountability Risk assessments Other Features Enforcement Broad PRA
New York Privacy Act – S 5642 Factors Content of Law Personal Data Covered Broad definition, but excludes employees and contractors Privacy notice Transparency Consumer Rights Access, Correction, Deletion, Restrict processing, Portability, Object to processing, Profiling restriction Opt-in (sale and processing) Sales/Disclosure Restrictions Likely an indirect requirement Accountability Other Features No minimum company revenue threshold, Fiduciary duty, Pass through Enforcement AG, PRA: injunction/damages (+atty’s fees)
Vermont H. 899 Factors Content of Law Personal Data Covered Not clearly defined (must include monetary value of data) Transparency Access Rights X (social networking services only) Deletion Sale/Disclosure Restrictions X Other Rights Accountability Other Features Facial recognition restrictions Enforcement AG only
Rhode Island H. 7778 Factors Content of Law Personal Data Covered All State Residents Transparency Access Rights X Deletion X Sale/Disclosure Restrictions X Other Rights X Accountability X Other Features Enforcement AG only
Uniform Law Commission ULC – Timeline
Winter/Spring 2020: Drafting sessions
Summer 2020: First reading draft to full ULC
Summer 2021: Final draft to full ULC
Summer 2022: Available for adoption by states
Uniform Law Commission Factors Content of Law Personal Data Covered Excludes employees + “privacy commitment” Transparency Consumer Rights Access, Correction, Deletion, Confirmation of Processing Sales/Disclosure Restrictions Opt-out of targeted advertising, profiling Accountability Privacy impact assessments, privacy officers Other Features Duties of: loyalty, data minimization, purpose limitation, nondiscrimination, data security Enforcement AG, PRA