Data Privacy and Security Laws Flashcards

1
Q

What states have state comprehensive privacy laws?

A

California, Colorado, Connecticut, Utah and Virginia

2
Q

What are distinctions of CA’s comprehensive state privacy law?

A
  • defines several key terms with a broad brushstroke, similar to the EU approach
  • automatically regulates companies doing business in the state that meet an annual gross revenue threshold
  • the only state to include employees in its definition of consumer
  • the only state to take an expansive view of regulated business conduct by covering both selling and sharing of PI
  • provides consumer rights and imposes business obligations structured in a manner similar to the GDPR
  • lacks certain rights found in CO, CT and VA, including an explicit right to appeal a business’s denial of a consumer request
3
Q

How do CO, CT, VA and UT’s comprehensive state privacy laws compare?

A

CO, CT and VA have numerous similarities
* similar key terms, consumer rights and business obligations
* provide rights not explicitly provided by CA, including opt-in consent before sensitive PI is processed and a right to appeal a denied request

UT uses a similar framework, but its definition of business is narrower, it provides fewer rights to consumers and it puts fewer obligations on businesses

4
Q

What are the types of exemption under state privacy laws?

A

entity-level exemption: exempts an entire entity because it is subject to a specific federal law (e.g., a HIPAA covered entity or a GLBA financial institution)

data-level exemption: exempts only the data that the federal law already protects; the entity’s other personal data remains in scope

5
Q

HIPAA exemption under state privacy law

A
  • CT, UT and VA’s privacy laws exempt HIPAA entities
  • CA, CO, UT, and VA generally exempt data regulated under HIPAA (protected health information held by covered entities)
6
Q

GLBA exemption under state privacy laws

A
  • CO, CT, UT and VA’s laws exempt GLBA entities
  • CA, CO, CT, UT and VA generally exempt data regulated under GLBA (nonpublic personal information used by financial institutions)
7
Q

FCRA exemption under state privacy law

A
  • all 5 states exempt entities covered by FCRA and data regulated under law (consumer reports)
8
Q

Define:

Driver’s Privacy Protection Act (DPPA)

A

federal law that prohibits state DMVs from releasing drivers’ PI without their express consent, except where one of the statute’s permissible uses applies
* all 5 states exempt personal data that is “collected, sold or disclosed” pursuant to the DPPA

9
Q

Define:

business

under state privacy laws

A

delineates which entities that conduct business in the state are subject to the requirements of the law

10
Q

How do the definitions of “business” compare under state privacy laws?

A
  • annual gross revenue threshold of $25 million: CA (a standalone trigger) and UT (required in combination with one of the processing thresholds below)
  • number of consumers in the state whose data is processed: CA, CO, CT, VA and UT (100,000 consumers)
  • gross revenue from selling (or, in CA, sharing) data, combined with a smaller consumer-count threshold: CA, CO, CT, VA and UT
11
Q

What is the threshold that includes gross revenues from selling or sharing data for each state?

A
  • CA: if company derives at least 50% of gross revenues from selling or sharing data
  • CO: if company processes data of at least 25k consumers and derives any revenue or receives any discount on goods or services from selling personal data
  • CT: if company processes data of at least 25k consumers and derives at least 25% of gross revenues from selling data
  • VA: if company processes data of at least 25k consumers and derives at least 50% of gross revenues from selling data
12
Q

How does Utah define a “business” under its state privacy law?

A

if company has at least $25 million in annual gross revenue and meets one of following: (1) processes data of at least 100k Utah consumers or (2) processes data of at least 25k Utah consumers and derives at least 50% of gross revenues from selling data

13
Q

What entities are exempted from the state privacy laws?

A
  • entities covered by the FCRA (all 5 states)
  • governments and nonprofits
  • institutions of higher education (CT, UT, VA)
  • HIPAA covered entities (CT, UT, VA)
  • GLBA financial institutions (CO, CT, UT, VA)
14
Q

Define:

consumer

under state privacy laws

A

explains which individuals are covered under the law

15
Q

How do the state privacy laws define “consumer”?

A
  • all 5 states protect their own residents under their respective laws
  • CA includes employees (and job applicants and contractors) in its definition of consumer
  • CO, CT, UT and VA exclude individuals “acting in a commercial or employment context”
16
Q

Define:

personal information

under state privacy laws

A

any data that can be associated or linked with a particular individual

17
Q

How is CA’s definition of “personal information” different?

A

CA extends definition to include information of consumer and consumer’s household, and is the only state to include employment data

18
Q

What does “personal information” typically exclude?

under state privacy law

A
  • deidentified data: data that cannot reasonably be linked to an identified or identifiable individual and so falls outside the definition of personal data
  • publicly available data: information lawfully made available from federal, state or local government records
  • aggregate data: information relating to a group of consumers from which individual identities have been removed (CA, UT, VA)
  • employee data: records kept by businesses about applicants, employees and contractors (CT, UT, VA; CO limits the exclusion to employment records)
  • data subject to specific federal privacy requirements (see the HIPAA, GLBA, FCRA and DPPA exemptions above)
19
Q

Define:

sensitive personal information

under state privacy law

A

includes citizenship or immigration status; genetic and/or biometric information; physical or mental health conditions; race or ethnicity; religious beliefs; and sexual orientation

  • can also include children’s data (CO/CT/VA), precise geolocation data (CA/CT/UT/VA), union membership (CA), philosophical beliefs (CA), and the contents of a consumer’s mail, email and text messages (CA)
20
Q

What kinds of business activities are regulated under state privacy laws?

A

the sale of personal data in all 5 states; CA alone also regulates the “sharing” of personal data for cross-context behavioral advertising

21
Q

How do states define “sale”?

under state privacy law

A
  • UT, VA restrict “sale” to transactions involving monetary consideration
  • CA, CO, CT define “sale” as an exchange for monetary or other valuable consideration, so bartering for the data is also covered
22
Q

What is typically excluded from the definition of “sale”?

under state privacy law

A
  • disclosures of personal data to a processor that processes the data on behalf of the business
  • disclosures of personal data to a 3P for the purpose of providing a product or service requested by the consumer
  • disclosures of personal data where the consumer directs the business to disclose it, or intentionally uses the business to interact with the 3P
  • disclosures or transfers of personal data as an asset in an M&A or bankruptcy transaction, where the 3P assumes control of all or part of the business
23
Q

What is defined as “sharing” under CA privacy law?

A

sharing, renting, leasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration

24
Q

What are the consumer rights under state privacy laws?

A
  • right to access
  • right to correction
  • right to delete
  • right to data portability
  • right to opt out of sales; right to opt out of targeting/cross-contextual behavioral advertising
  • right against automated decision-making
  • right concerning sensitive personal information
  • right to nondiscrimination
25
Q

How do consumers exercise their rights under state privacy laws?

A
  • by submitting a request to the business
  • the business has a defined period for a timely response: typically 45 days, extendable by an additional 45 days when “reasonably necessary”; in CA, opt-out requests must be honored within 15 business days
26
Q

Define:

the right to access

under state privacy laws

A

consumers have right to access specific pieces of PI collected or held by the business

27
Q

Define:

right to correction

under state privacy laws

A

consumers have right to correct inaccuracies in PI collected or held by business (except in UT)

28
Q

Define:

the right to delete

under state privacy laws

A

consumers have the right to have PI held by a business deleted, unless an exception applies
* in CA, the business must also direct its service providers, contractors and any third parties it sold or shared the PI with to delete it

29
Q

Define:

right to data portability

under state privacy law

A

data, which is in a “readily useable format,” should be made available to the consumer to facilitate the consumer’s ability to provide the info to another entity

30
Q

Define:

right to opt out of sales

under state privacy law

A

consumer can choose to opt out of the sale of PI held by the business
* in CA, can also opt out of sharing of PI

31
Q

Define:

right to opt out of targeting/cross-context behavioral advertising

under state privacy law

A

consumer can choose to opt out of advertising selected based on personal information collected about the consumer over time from a variety of online sources

32
Q

Define:

right against automated decision-making:

under state privacy law

A

consumer can choose to opt out of automated processing of PI that results in decisions about the consumer and/or profiling of the consumer (not in UT)

33
Q

Define:

right concerning sensitive personal information

under state privacy law

A

consumer has a right related to how their sensitive PI is handled by businesses
* CO, CT, VA → business needs consent to process this data (opt-in) and sensitive PI includes children’s data
* UT → business must provide notice to process data and opportunity for consumers to opt out
* CA → complex approach, businesses can self-restrict to certain uses of sensitive PI or provide consumers notice and opportunity to opt out

34
Q

Define:

right to nondiscrimination

under state privacy law

A

businesses cannot discriminate against consumers for exercising their rights under these laws

35
Q

What are core business obligations under state privacy laws?

A
  • notice/transparency requirements
  • opt-in default for children’s data
  • purpose/processing limitations
  • risk assessments and security requirements
36
Q

Define:

notice/transparency obligation

under state privacy law

A

business required to provide consumers with notice of certain data practices, privacy programs and/or privacy operations
* privacy notice required under all five states

37
Q

What should a privacy notice explain?

under state privacy laws

A
  • categories of personal data collected
  • purpose for processing each category of data
  • whether data is sold and how to opt out
  • categories of data shared with third parties
  • how to exercise consumer rights
  • for CA, the retention period for each category of personal data and the categories of sensitive personal data collected
38
Q

Define:

notice of right to opt out

under state privacy laws

A

all 5 states require that businesses provide consumers with notice of the right to opt out and a conspicuous method for exercising it
* in CA, businesses that sell or share PI must provide a link on their web pages titled “Do Not Sell or Share My Personal Information”
* in CA, businesses that use or disclose sensitive PI for purposes beyond those permitted must also provide a “Limit the Use of My Sensitive Personal Information” link

39
Q

Define:

notice at point of collection

under state privacy law

A

CA requires consumers be informed “at or before the point of collection” about the categories of personal data collected and the purposes of their use

40
Q

Define:

opt-in by default of children’s data

under state privacy law

A

type of age requirement where a business is obligated to obtain consent from a consumer under a certain age before handling their data in specific ways (often age 13 or 16)

41
Q

What are the specific opt-in by default of children’s data rules in each state?

A
  • CA requires businesses to obtain opt-in consent before selling or sharing the PI of consumers under the age of 16
  • CT requires businesses to obtain opt-in consent from consumers aged 13 to 15 before selling their PI or processing it for targeted advertising
  • CO, CT and VA treat the PI of consumers under the age of 13 as sensitive PI and require opt-in (parental) consent to process it
  • UT requires opt-in consent for processing the personal information of consumers under the age of 13
42
Q

Define:

purpose/processing limitations

under state privacy law

A

business is prohibited from collecting and/or processing personal information except for a specific purpose (except in UT)

43
Q

Define:

risk assessments obligation

under state privacy law

A

business is obligated to conduct a formal risk assessment related to privacy and/or cybersecurity (except in UT)

processing activities that can trigger need for a risk assessment include:
* processing PI for purpose of targeting ad
* selling personal data
* processing sensitive data
* processing personal data for profiling under certain circumstances

44
Q

Define:

security requirements

under state privacy law

A

business is obligated to ensure security measures are in place related to data, including “reasonable administrative, technical and physical data security practices” that are designed to protect the confidentiality and integrity of that data

45
Q

What does enforcement look like under state privacy laws?

A
  • all five states can impose civil penalties for noncompliance, but the amount per violation varies
  • the state AG has either sole or shared enforcement power in each state; none of the five provides a general private right of action
  • CA alone provides a limited private right of action for data breaches that compromise nonencrypted, nonredacted personal information, including a username or email address together with a password or security question that permits access to an account
46
Q

What are civil penalties under each state law?

A
  • CA → civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation
  • UT, VA → civil penalties of up to $7,500 per violation
  • CO → violations are treated as “deceptive trade practices” under the Colorado Consumer Protection Act, with fines of up to $20,000 per violation
  • CT → violations are treated as “unfair trade practices” under the Connecticut Unfair Trade Practices Act (CUTPA), with fines of up to $5,000 per willful violation
47
Q

Who does the state AG share enforcement power with in each state?

A
  • VA, UT → state AG solely responsible
  • CT → state AG works in conjunction with Division of Consumer Protection to enforce law
  • CO → both state AG and local DAs have power to enforce law
  • CA → both state AG and CPPA have power to enforce
48
Q

Define:

cure period

under state privacy law

A

a specified number of days, after notice of a violation, in which the business may cure it without being subject to an enforcement action
* UT, VA: 30 days
* CO, CT: 60 days, but the cure period sunsets (CT at the end of 2024, CO on January 1, 2025)

49
Q

state data security laws

A
  • intended to ensure that companies develop and maintain appropriate data security practices
  • ~20 states have laws that impose a reasonableness standard for security but don’t provide specific cybersecurity requirements (e.g., CA)
50
Q

Define:

state data destruction laws

A
  • ensure data is handled appropriately at the end of the data life cycle
  • require companies to implement data minimization principle that data should only be kept as long as necessary to fulfill its purpose