Data Privacy and Security Laws Flashcards
What states have state comprehensive privacy laws?
California, Colorado, Connecticut, Utah and Virginia
What are distinctions of CA’s comprehensive state privacy law?
- defines several terms using a broad brushstroke, similar to EU approach
- automatically regulates companies that do business in its state that meet a threshold for annual gross revenue
- only state to include employees in the definition of consumer
- only state to take expansive view of regulated behavior of businesses by including both selling and sharing PI
- provides consumer rights and imposes business obligations structured in manner similar to GDPR
- lacks certain rights found in CO, CT and VA, including an explicit right to appeal a business’s decision to deny a consumer request
How do CO, CT, VA and UT’s comprehensive state privacy laws compare?
CO, CT and VA have numerous similarities
* similar key terms, consumer rights and business obligations
* provides rights not explicitly provided by CA, including right to opt in to sale of sensitive PI and right to appeal
UT similar framework but its definition of business is narrower, and it provides fewer rights to consumers and puts fewer obligations on businesses
What are the types of exemption under state privacy laws?
entity-level exemption: exempts entities subject to a specific federal law
data-based exemption: exempts only the data that is protected by a federal law
HIPAA exemption under state privacy law
- CT, UT and VA’s privacy laws exempt HIPAA entities
- CA, CO, UT, and VA generally exempt data regulated under HIPAA (protected health information held by covered entities)
GLBA exemption under state privacy laws
- CO, CT, UT and VA’s laws exempt GLBA entities
- CA, CO, CT, UT and VA generally exempt data regulated under GLBA (nonpublic personal information used by financial institutions)
FCRA exemption under state privacy law
- all 5 states exempt entities covered by FCRA and data regulated under law (consumer reports)
Define:
Driver’s Privacy Protection Act
prohibits DMVs from releasing PI of drivers without their express permission, except in situations where a permissible use exists
* all 5 states provide exemption for personal data that is “collected, sold or disclosed” pursuant to DPPA
Define:
business
under state privacy laws
delineates which entities that conduct business in the state are subject to the requirements of the law
How do the definitions of “business” compare under state privacy laws?
- annual revenue threshold of $25 million for CA only
- number of customers in state whose data is processed: CA, CO, CT, VA (10,000 customers)
- gross revenues from selling or sharing data threshold: CA, CO, CT and VA
What is the threshold that includes gross revenues from selling or sharing data for each state?
- CA: if company derives at least 50% of gross revenues from selling or sharing data
- CO: if company processes data of at least 25k consumers and derives any revenue or receives any discount on goods or services from selling personal data
- CT: if company processes data of at least 25k consumers and derives at least 25% of gross revenues from selling data
- VA: if company processes data of at least 25k consumers and derives at least 50% of gross revenues from selling data
How does Utah define a “business” under its state privacy law?
if company has at least $25 million in annual gross revenue and meets one of following: (1) processes data of at least 100k Utah consumers or (2) processes data of at least 25k Utah consumers and derives at least 50% of gross revenues from selling data
What entities are exempted from the state privacy laws?
- entities covered by the FCRA
- governments and nonprofits
- institutions of higher ed (CT, UT, VA)
- HIPAA entities (CT, UT, VA)
- GLBA entities (CO, CT, UT, VA)
Define:
consumer
under state privacy laws
explains which individuals are covered under the law
How do the state privacy laws define “consumer”?
- all 5 states define their own residents to be protected by their respective laws
- CA includes employees in definition of consumer
- CO, CT, UT, VA exclude individuals “acting in a commercial or employment context”
Define:
personal information
under state privacy laws
any data that can be associated or linked with a particular individual
How is CA’s definition of “personal information” different?
CA extends definition to include information of consumer and consumer’s household, and is the only state to include employment data
What does “personal information” typically exclude?
under state privacy law
- deidentified data: data that cannot reasonably fall within definition of personal data
- data that is publicly available: info that is lawfully made available by federal, state or local governments
- aggregate data: info relating to a group of consumers where the identities of individual consumers have been removed (CA, UT, VA)
- employee data: records kept by businesses related to applicants, employees and contractors (CT, UT, VA, CO limited to employment records)
- data subject to specific federal privacy requirements
Define:
sensitive personal information
under state privacy law
includes citizenship; genetic and/or biometric information; physical or mental health conditions; race or ethnicity; religion; and sexual orientation
- can include children’s data (CO/CT/VA), geolocation data (CA/CT/UT/VA), union membership (CA), philosophical beliefs (CA), content of consumer’s mail (CA), email and text messages (CA)
What kinds of business activities are regulated under state privacy laws?
sale of personal data + sharing of data (only for CA)