Data Privacy and Security Laws Flashcards
What states have state comprehensive privacy laws?
California, Colorado, Connecticut, Utah and Virginia
What are distinctions of CA’s comprehensive state privacy law?
- defines several terms using a broad brushstroke, similar to EU approach
- automatically regulates companies that do business in its state that meet a threshold for annual gross revenue
- only state to include employees in definition of consumer
- only state to take expansive view of regulated behavior of businesses by including both selling and sharing PI
- provides consumer rights and imposes business obligations structured in manner similar to GDPR
- lacks certain rights found in CO, CT and VA, including an explicit right to appeal a business’s decision to deny a request
How do CO, CT, VA and UT’s comprehensive state privacy laws compare?
CO, CT and VA have numerous similarities
- similar key terms, consumer rights and business obligations
- provide rights not explicitly provided by CA, including right to opt in to sale of sensitive PI and right to appeal
UT similar framework but its definition of business is narrower, and it provides fewer rights to consumers and puts fewer obligations on businesses
What are the types of exemption under state privacy laws?
entity-level exemption: exempt entities subject to specific federal law
data-based exemption: exempt only data that is protected by federal law
What are the entity-level exemptions under state privacy laws?
- HIPAA entities → CT, UT, VA
- GLBA entities → CO, CT, UT, VA
- FCRA entities → all 5 states
- governments and nonprofits → all 5 states
- institutions of higher ed → CT, UT, VA
- registered national securities associations → CO, CT
What are the data-level exemptions under state privacy laws?
- HIPAA data → CA, CO, UT, VA
- GLBA data → all 5 states
- FCRA data → all 5 states
- deidentified data → all 5 states
- publicly available data → all 5 states
- aggregate data → CA, UT, VA
- employee data → CO, CT, UT, VA
How do the definitions of “business” compare under state privacy laws?
- annual revenue threshold: CA ($25m)
- # of customers in state whose data is processed: CA, CO, CT, VA (10k customers)
- gross revenues from selling or sharing data threshold: CA, CO, CT and VA
- combination of above: UT
What is the threshold that includes gross revenues from selling or sharing data for each state?
- CA: if company derives at least 50% of gross revenues from selling or sharing data
- CO: if company processes data of at least 25k consumers and derives any revenue or receives any discount on goods or services from selling personal data
- CT: if company processes data of at least 25k consumers and derives at least 25% of gross revenues from selling data
- VA: if company processes data of at least 25k consumers and derives at least 50% of gross revenues from selling data
How does Utah define a “business” under its state privacy law?
if company has at least $25 million in annual gross revenue and meets one of following: (1) processes data of at least 100k Utah consumers or (2) processes data of at least 25k Utah consumers and derives at least 50% of gross revenues from selling data
How do the state privacy laws define “consumer”?
- all 5 states define their own residents to be protected by their respective laws
- CA includes employees in definition of consumer
- CO, CT, UT, VA exclude individuals “acting in a commercial or employment context”
Define:
personal information
under state privacy laws
any data that can be associated or linked with a particular individual
How is CA’s definition of “personal information” different?
CA extends definition to include information of consumer and consumer’s household, and is the only state to include employment data
What does “personal information” typically exclude?
under state privacy law
- deidentified data: data that cannot reasonably fall within definition of personal data
- data that is publicly available: info that is lawfully made available by federal, state or local governments
- aggregate data: info relating to a group of consumers where the identities of individual consumers have been removed (CA, UT, VA)
- employee data: records kept by businesses related to applicants, employees and contractors (CT, UT, VA; CO limited to employment records)
- data subject to specific federal privacy requirements
Define:
sensitive personal information
under state privacy law
- citizenship; genetic and/or biometric info; physical or mental health conditions; race or ethnicity; religion; sexual orientation → all 5 states
- children’s data → CO, CT, VA
- geolocation data → CA, CT, UT, VA
- union membership, philosophical beliefs, content of mail, email and text messages → CA
What kinds of business activities are regulated under state privacy laws?
sale of personal data + sharing of data (only for CA)
How do states define “sale”?
under state privacy law
- UT, VA restrict regulation of sale to transactions involving monetary compensation
- CA, CO, CT also include bartering for the data (any exchange for value)
What is typically excluded from the definition of “sale”?
under state privacy law
- disclosures of personal data to processor for purpose of processing data for business
- disclosures of personal data to a 3P for purposes of providing services or products that are requested by the consumer
- disclosures of personal data where consumer directs the business to disclose the personal data or intentionally uses business to interact with 3P
- disclosures or transfer of personal data, considered to be an asset, for purposes of M&A or bankruptcy, where 3P assumes control of business’s stake in the asset
What is defined as “sharing” under CA privacy law?
sharing or otherwise communicating … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration
What are the nine consumer rights under state privacy laws?
- right to access
- right to correction (not UT)
- right to delete
- right to data portability
- right to opt out of sales
- right to opt out of targeting/cross-contextual behavioral advertising
- right against automated decision-making (not UT)
- right concerning sensitive personal information
- right to nondiscrimination
How do consumers exercise their rights under state privacy laws?
- by making request of business
- business has a defined period of time for a timely response (typically 45 days to respond and an additional 45 days when “reasonably necessary”, but in CA, 15 days if consumer asks to opt out)
Define:
the right to access
under state privacy laws
consumers have right to access specific pieces of PI collected or held by the business
Define:
right to correction
under state privacy laws
consumers have right to correct inaccuracies in PI collected or held by business (except in UT)
Define:
the right to delete
under state privacy laws
consumers have the right to delete PI held by a business, unless an exception applies
- in CA, must also notify 3Ps to delete PI
Define:
right to data portability
under state privacy law
data, which is in a “readily useable format,” should be made available to the consumer to facilitate the consumer’s ability to provide the info to another entity
Define:
right to opt out of sales
under state privacy law
consumer can choose to opt out of the sale of PI held by the business
- in CA, can also opt out of sharing of PI
Define:
right to opt out of targeting/cross-context behavioral advertising
under state privacy law
consumer can choose to opt out of advertising selected based on personal information collected about the consumer over time from a variety of online sources
Define:
right against automated decision-making
under state privacy law
consumer can choose to opt out of automated processing of PI that results in decisions about the consumer and/or profiling of the consumer (not in UT)
Define:
right concerning sensitive personal information
under state privacy law
consumer has a right related to how their sensitive PI is handled by businesses
- CO, CT, VA → business needs consent to process this data (opt-in) and sensitive PI includes children’s data
- UT → business must provide notice to process data and opportunity for consumers to opt out
- CA → complex approach, businesses can self-restrict to certain uses of sensitive PI or provide consumers notice and opportunity to opt out
Define:
right to nondiscrimination
under state privacy law
businesses cannot discriminate against consumers for exercising their rights under these laws
What are core business obligations under state privacy laws?
- notice/transparency
- notice of right to opt out and conspicuous method to exercise
- opt-in by default of children’s data
- security measures
- purpose/processing limitation (not UT)
- risk assessments (not UT)
Define:
notice/transparency obligation
under state privacy law
business required to provide consumers with notice of certain data practices, privacy programs and/or privacy operations via privacy notice
What should a privacy notice explain?
under state privacy laws
- categories of data
- purpose for processing each category of data
- any sale and how to opt out
- categories of data shared with third parties
- how to exercise consumer rights
- for CA, duration and retention of each category of personal data and categories of sensitive personal data
Define:
notice of right to opt out
under state privacy laws
all 5 states require that businesses provide consumers with notice of the right to opt out and a conspicuous method to allow consumers to exercise these rights
- in CA, businesses that sell or share PI must provide a link on the business’s web pages that says “Do Not Sell or Share My Personal Information”
- for businesses that use or disclose sensitive PI, CA requires business to have a “Limit the Use of My Personal Information” link on websites
Define:
notice at point of collection
under state privacy law
CA requires consumers be informed “at or before the point of collection” about the categories of personal data collected and the purposes of their use
What are the specific opt-in by default of children’s data rules in each state?
- CA requires businesses obtain opt-in consent to sell or share PI of consumers under age of 16
- CT requires businesses obtain opt-in consent from consumers under age of 16 (but at least 13) to sell their PI or process their PI for targeted advertising
- CT, CO, VA treat PI of consumers under age of 13 as sensitive PI and require opt-in consent from these consumers to process their data
- UT requires opt-in consent for processing of personal information of consumers under age of 13
Define:
purpose/processing limitations
under state privacy law
business is prohibited from collecting and/or processing personal information except for a specific purpose (except in UT)
Define:
risk assessments obligation
under state privacy law
business is obligated to conduct a formal risk assessment related to privacy and/or cybersecurity (except in UT)
processing activities that can trigger need for a risk assessment include:
- processing PI for purpose of targeted advertising
- selling personal data
- processing sensitive data
- processing personal data for profiling under certain circumstances
Define:
security requirements
under state privacy law
business is obligated to ensure security measures are in place related to data, including “reasonable administrative, technical and physical data security practices” that are designed to protect the confidentiality and integrity of that data
What does enforcement look like under state privacy laws?
- all five states can impose penalties for noncompliance but amount per violation varies
- state AG has either sole or joint enforcement power in each of these states
- CA also provides limited private right of action related to security breaches that compromise personal information, as well as usernames and passwords that permit access to accounts
What are civil penalties under each state law?
- CA → civil penalties can be up to $2500 for typical violations and up to $7500 for intentional violations
- UT, VA → civil penalties can reach $7500 per violation
- CO → violations are treated as “deceptive trade practices” under CO’s Consumer Protection Act, where fines can be up to $20k per violation
- CT → violations also treated as “unfair trade practices” under CT’s Unfair Protection Act, where fines can be up to $5k per willful violation
Who does the state AG share enforcement power with in each state?
- VA, UT → state AG solely responsible
- CT → state AG works in conjunction with Division of Consumer Protection to enforce law
- CO → both state AG and local DAs have power to enforce law
- CA → both state AG and CPPA have power to enforce
Define:
cure period
under state privacy law
specified number of days to address a violation without being subject to sanction
- UT, VA: 30 days
- CO, CT: cure period will sunset at the end of this year
state data security laws
- 2/3 of states have laws requiring companies to take data security measures to protect citizens’ personal information
- ~20 states have laws that impose a reasonableness standard for security but don’t provide specific cybersecurity requirements (e.g., CA)
- 10 states impose extensive cybersecurity requirements (MA strictest)
- four states (CT, IA, OH, UT) have “safe harbor” laws for cybersecurity instead of obligations
Define:
state data destruction laws
- ~2/3 of states have these
- typically require that companies destroy or dispose of PI in such a way that it is no longer readable or decipherable
- common elements: (1) to whom law applies; (2) required notice; (3) exemptions; (4) covered media; (5) penalties