Flash Cards 2
Consumer report, Furnishers are obligated to..
correct and update information, provide notice of disputes, notice of account closures, notice of delinquency within 90 days of being given to collectors, notice of identity theft
Consumer report, Financial institution, negative info to CRA, must also..
Give notice to the consumer within 30 days; there is a safe harbor if they have reasonable practices for doing so
Consumer report, Furnishers to provide a dispute process to consumers, T or F
t
Consumer report, Furnishers, dispute, re-investigation to be completed within..
30 days
Consumer report, Furnishers must have this in place, policies…
and procedures in place to handle disputes and ensure accuracy and integrity of information provided by CRAs
Who regulates the Consumer Report stuff, FACTA stuff
FTC and CFPB
Red Flags rule is for what..
Identity theft
Investigative consumer report is what
a consumer report that includes information on your character and reputation; done through personal interviews
Investigative consumer reports, consumer has to be notified, and within 3 days of the request, T or F
t
Investigative consumer reports, users of it must..
must certify to the CRA that disclosures have been made and upon written request by consumer provide them with disclosures
Investigative consumer reports, safe harbor..
yes, if they have reasonable procedures in place to comply with the law
Investigative consumer reports, CRAs have to what before they start one..
get the required certifications and not violate the equal opportunity laws
Investigative consumer report, CRAs, negative info rules..
verify, can’t be included in subsequent reports unless re-verified
FCRA rule making outline
Dodd-Frank law transferred rule making to the Consumer Financial Protection Bureau
FCRA enforce outline
Enforcement is shared between the Consumer Financial Protection Bureau and the FTC
FCRA may also be enforced by whom
Functional regulators
FCRA and State Attorneys General have
State attorneys general have investigative and enforcement authority for consumers in their state
FCRA identity theft pre-emption
State laws aren’t pre-empted by the FCRA for identity theft IF they are consistent with the FCRA
FCRA civil liability
yes, if found to knowingly and willingly done it, but Furnishers are generally exempt
What is FERPA
Family Educational Rights and Privacy Act
FERPA is also called what
Buckley amendment
FERPA applies to what schools
Any school taking federal education funding
FERPA applies to what records
Education records
FERPA exceptions
Ancillary, Campus Police, Employment, Health Treatment, Alumni, Application, Peer Reviewed Papers
FERPA, access, how many days from the time of the request
Access granted within 45 days
FERPA, access exceptions
parent’s financial information, letters of recommendation
FERPA, access student signs waiver
admission or enrollment at another school, application for employment, honorary recommendation
FERPA, inaccurate records to be fixed within..
a reasonable time
FERPA, what piece of information is never Directory Information
SSN
FERPA, how much time before publishing directory information
a reasonable period of time
FERPA, directory info of former students may be disclosed without notice, T or F
t
FERPA, directory info, prior opt-out wishes to be honored after student graduates, T or F
t
FERPA, def of personal info
Name, names of family members, student or family addresses, SSN, student Id#, dates of birth, any other info that could be linked to a student with reasonable certainty
FERPA, how long to maintain records of requests for access
for as long as the educational records themselves are maintained
FERPA, notice of rights, how often is the notice sent
At least annually
FERPA, who has enforcement authority
DOE, department of education
FERPA, funding can be pulled when..
compliance can’t be secured by voluntary means
FERPA, where to send complaints
Office of the Chief Privacy Officer, within 180 days of the violation
As a general rule, a student’s school health records are subject to FERPA not HIPAA, T or F
t
What is the TSR
Telemarketing Sales Rule, a phone, interstate call, purchase goods
The telemarketing industry is regulated by both..
FTC and FCC
TSR, seller definition
provides or arranges for others to provide services
TSR, telemarketer
initiates or receives telephone calls
TSR exception
A non-profit making calls on its own behalf isn’t subject to the TSR
Telephone solicitation exception
someone gave express consent, established business relationship, non profit
Who must access the Do Not Call list
both sellers and marketers
Call lists must be updated every x days
31 days
TSR, what practice is prohibited
abusive
Do Not Call list exceptions
Express consent, Established business relationship
Established business relationship def
transaction within 18 months, consumer inquiry or submitted an application within 3 months
Who may access the Do Not Call registry
Sellers, Telemarketers, Service Providers, Law Enforcement
TSR does have a safe harbor if..
procedures, trained, own DNC list, downloaded DNC list within 31 days, compliance checks, call made in error
Enforcement of the TSR is done by..
FTC at federal level, both private litigants and state attorney general at state level but must notify FTC
What is the TCPA
Telephone Consumer Protection Act
TSR, when to call
Between 8am - 9pm, unless they have permission/consent to do otherwise
Prompt disclosure
ID must be made at the beginning of the call, identity of the seller, purpose for call, nature of good or service, no purchase necessary if prize involved
Prompt disclosure upsell
If upsell happens after the initial transaction, the upsell is considered a new call so all the disclosures have to be said again
Deceptive telemarketing practice if..
accept payment without disclosing the terms
Material terms can be communicated how..
orally or in writing, must be clear and conspicuous
For charitable donations, telemarketers may not misrepresent
nature, purpose, mission, tax deductibility, contribution, %, prize, affiliations, endorsements
When accepting payment for a charitable donation other than credit or debit card, you must get ..
express verifiable authorization, written or oral, signature, voided check
Abandoned call..
live person within 2 seconds
Call abandon safe harbor
< 3% of calls abandoned, ring 4 times or 15 seconds, pre-recorded message, maintain records of compliance
TSR prohibits pre-recorded messages called robo calls, T or F
TRUE , unless there is express written consent
TSR consent applicability
it’s to a specific seller, does not extend to affiliates or marketing partners
Robo calls with express written consent rules
ring 4 times or 15 seconds, recorded message within 2 seconds, opt out mechanism, terminate call once invoked, answering machine or vmail service
Robo call exception
made by a covered entity or business associate under HIPAA privacy rule
Robo texts are also prohibited, T or F
t
TSR, billing information, consent
Billing information can’t be sent without express informed consent
TSR, free to pay rules
Telemarketer to get at least 4 digits of the account number to be charged
TSR fraudulent practices
unencrypted account numbers; payment for repair services unless time has already expired and seller proves results were achieved; payment for asset recovery less than 7 days…; advanced fee loans; payment for debt relief
TSR, caller Id
must include accurate caller ID
TSR, deceptive practice, credit card transaction
record a credit card not linked to a sale
TSR record keeping requirements
keep for a period of 2 years after produced / created
TSR record keeping, how many copies
just one, either by seller or telemarketer
TCPA is enforced by
FCC at federal level, private litigants and the states attorney general at state level but must notify FCC
State laws are not preempted by TCPA, T or F
True, they are not
State laws are not preempted by TSR, T or F
True, they are not
The right to financial privacy act doesn’t apply to …
Corporations or Partnerships larger than 5 people
The right to financial privacy act is supposed to ..
restrict government access to personal financial information
Right to financial privacy disclosure rules
consent, subpoena, warrant, formal request from a federal agency
Right to financial privacy act, consent rules
not in excess of 3 months, authorization can be revoked prior to disclosure, to a specific document, identify the government authority, purpose for disclosure, customer’s rights
Right to financial privacy act, subpoena rules
quash in 10 days, 14 if mailing, government must have reason to believe the information is relevant to a legitimate law enforcement inquiry, customer gets a copy
Right to financial privacy act, warrant rules,
mail a copy of the search warrant to the customer within 90 days, court may delay the notification for 180 days
Right to financial privacy act, formal written request rules
is an option when no summons or subpoena is available
Right to financial privacy act, exemptions that apply to financial institutions
the exceptions are called suspicious activty reports (SARs)
Right to financial privacy act, exemptions in addition to SARs
A bank can give up your records to perfect a security interest, for bankruptcy, collect a debt, or for a government loan or benefit
The right to financial privacy act was amended by the US Patriot Act
Right to financial privacy act, US Patriot Act, private cause of action heard in what court..
Federal court
Katz v. United States
warrant for a wire tap
Plamondon (Keith case)
4th amendment warrant requirements intersected with national security
Article II of the Constitution, President has …
Plenary power over foreign affairs
Domestic surveillance is subject to what..
4th amendment warrant requirements, only applies to US citizens
What is FISA
Foreign intelligence surveillance act, engage in surveillance for national security
FISA revised by US Patriot Act
to fight terrorism, demanded more detailed reporting, more transparency
Edward Snowden released documents led to what..
US Freedom Act which ended bulk record collecting
FISC is what
Foreign intelligence surveillance court
FISC is composed of what
11 judges appointed by the chief justice, judges serve for 7 years
FISC friend of the court
amicus curiae, US Freedom Act
Attorney General to review every application for what
a FISA order before it is submitted to the FISC
FISA order needs what to be issued
probable cause, foreign power or agent of a foreign power
FISA application process
minimization procedures, significant purpose
FISA order also permit..
pen registers, trap and trace
FISA application denials can be appealed to ..
court of review, if that is denied then the supreme court
Color of law is what..
appearance of lawful power when you don’t have it, it’s a criminal offense
US Patriot Act, any tangible thing
anything that would advance the investigation into foreign intelligence
Any tangible thing, recipients of the order..
are prohibited to disclose they have the order
Any tangible thing,
people complying are immune from liability
US Patriot Act, intercept computer communications if..
owner gives consent, official investigation, content relevant to investigation, interception doesn’t get comms other than those transmitted
Foreign intelligence info of persons outside the US..
Can be done, 1 year, Attorney General and Dir of National Intelligence must authorize it
Foreign intelligence info of persons outside the US, once approved..
FISC to review and approve, has to meet minimization and targeting rules
Upstream surveillance is what
information from internet backbone, the physical infrastructure
PRISM or Downstream surveillance is what
information from internet companies
After the fact surveillance disclosures aren’t permitted, T or F
t
Amicus curiae from the US Patriot Act was permitted to what..
increase transparency
Surveillance reporting…
Congress mandated a bunch of reporting around the number of FISA orders and NSLs; this was added as a requirement to the US Freedom Act
Civil proceedings rules are called..
Federal Rules of Civil Procedure (FRCP)
Discovery devices
Requests for production, Depositions, Interrogatories, Requests for admission, Subpoena
Subpoena must have
the court, title, person, rules to challenge
All discovery devices must be personally served, T or F
T
What is privilege
Not to disclose information
Discovery rule changes.. why
for electronic information
New discovery rules now include what
emails, databases, server logs, text messages, voicemails, thumb drives, etc.
Sedona conference
best practices for e-discovery, data management, data retention, information governance
Aerospaciale, comity analysis
importance, specificity, originated in the U.S., alternative means, non compliance undermine U.S. interests
Filing suit in a U.S. court means..
subject yourself to U.S. rules
Sedona conference, act in good faith
get out of jail free card
Lewy v. Remington Arms
Sedona conference, good example of good faith
Sedona conference, business judgment rule
corp decisions are made in the best interests of the corporation
Attorney’s eyes only
prevent private information from being disclosed
What is a protective order
prevents information disclosure
Rule 26 of Federal Rules of Civil Procedure (FRCP)
permits a protective order, annoyance, embarrassment, etc.
Rule 5.2 of Federal Rules of Civil Procedure (FRCP)
Redaction of specific information
At will
relationship between employee and employer
At will, can be modified with
a contract
Contract between the employer and the labor union
collective bargaining agreement
Government employers have to worry about
constitutional provisions in the workplace
SEC law, disclose salaries of..
certain C-level executives, public companies
Consumer reports and the workplace…
Fair and Accurate Credit Transactions Act (FACTA), how consumer reports are used
Background checks are included in what law
Fair Credit Reporting Act (FCRA), regulated by the FTC
Department of Labor (DOL) developed what..
welfare of the wage
Department of Labor (DOL) rule making for
Fair Labor Standards Act (FLSA), Employment Retirement Income Security Act (ERISA), Occupational Safety and Health Administration (OSHA)
Equal Employment Opportunity Commission (EEOC)
Antidiscrimination laws, Title VII of Civil Rights Act, American Disabilities Act, Age Discrimination Employment Act
Equal Employment Opportunity Commission (EEOC) stats
5 members, no more than 3 of the same political party, appointed by the President for no more than 5 years, separate General Counsel serves 4 years and conducts litigation
National Labor Relations Board (NLRB) does what
Right to join unions, negotiates collective bargaining agreements
Title VII Civil Rights Act significant revisions
Civil Rights Act of 1991 and Lilly Ledbetter Fair Pay Act
Equal Employment Opportunity Commission (EEOC) applies to companies with how many employees
15 or more
Title VII Civil Rights Act created what
Equal Employment Opportunity Commission (EEOC)
EEOC has broad authority to prohibit what
unlawful employment practices, given to them by Title VII
EEOC, how many days to serve a charge
10 days
EEOC investigative threshold
reasonable cause
EEOC may file a civil action, T or F
T
EEOC general public importance, how many judges
3
American Disabilities Act (ADA) applies to what companies
15 or more people
Civil Rights Act Title I does what
Covered entities can’t discriminate based on disability
ADA, Toyota v. Williams
carpal tunnel not a disability
ADA, Sutton v. United Airlines
Myopia not a disability
ADA, medical exams
can be required as a condition of a job offer if all entering employees are subject to it, medical condition results are kept separate, results only used in accordance with the ADA
ADA, medical exams .. another fact
medical exams are permitted if both job related and consistent with business necessity
ADA, drug testing is not considered a medical exam, T or F
T
Genetic Information Nondiscrimination Act (GINA) is overseen by
HHS
GINA is tied to what other laws
Employment Retirement Income Security Act (ERISA), Social Security Act, HIPAA
GINA protected under Chapter 21 of Title 42 which is enforced by
EEOC
Civil Rights Act Title II and GINA
prohibits discrimination for genetic info, but age and sex are excluded
GINA, Employers requesting info, exceptions, they can request if
inadvertent, voluntary wellness program, to comply with Family Medical Leave Act, commercially publicly available, for law enforcement
GINA rules also apply to
employment agencies, labor unions, training programs
GINA info has to be kept…
in a separate file and treated as confidential medical information
Places with laws about automated employment decision tools
Illinois, Maryland, New York City
Automated employment tooling, Illinois
Video Interview Act
Automated employment tooling, Maryland
Facial recognition
Automated employment tooling, New York City
Bias audit
ADA issues, automated employment tooling
reasonable accommodations, screens out people with disabilities
ADA guidance, automated employment tooling
transparent, provide notice, essential functions, a company’s vendors comply with the same guidance
EEOC, iTutor Group, automated employment tooling
excluded females over 55, men over 60
National Child Protection Act permits access to the National Crime Information Center… why
Background checks
Why do background checks
protects the employer
ADA medical testing in Pre Offer stage is
prohibited
Far reaching law impacting hiring process
Fair Credit Reporting Act (FCRA) , governs the use of Consumer Reports
FCRA left certain state laws in place
California Investigative Consumer Reporting Agencies Act which limits the use of credit information
9 states that copied California's ICRAA
Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, Washington; and DC, Chicago, NYC, and Philadelphia
Methods of pre-employment screening
Personality, Psychological Evals, Polygraph
ADA, some psychological testing may be considered a medical eval, T or F
t
Employee Polygraph Protection Act (EPPA) does what
Employers prohibited from using lie detector tests unless: government, national defense, business provides security, transport of certain types of goods, companies that make or distribute controlled substances, investigations for economic loss, injury, theft
EPPA, keep statements for how long
3 years
EPPA, adverse action
brief the employee, give a copy of the results and questions asked, results only disclosed to the person, employer, or the court
EPPA, rule making authority
Secretary of Labor, also has subpoena power for investigations
Drug testing, Government employers, which amendment
Fourth
Drug testing, private sector, which law
ADA
States, drug testing, reasonable suspicion
Iowa, Minnesota, Connecticut
Social media privacy
as long as the employee’s actions don’t negatively impact the employer
Employee monitoring written policy
purpose, what’s monitored, how, what info is stored, how it is being used, who it is disclosed to
Multi national companies may need different monitoring policies, T or F
t
Wiretap Act, Electronic Communication Privacy Act (ECPA) enforce what
employee monitoring
One party consent
Wiretap Act, one party has to agree to being recorded
Two party consent
Wiretap Act, both parties on the call have to agree to being recorded
CCTV doesn’t record audio so it’s not subject to what
Wiretap act
State that prohibits CCTV
Michigan
Electronic Communication Privacy Act (ECPA) Title II is what act
Stored Communication Act (SCA), email monitoring
Email monitoring is illegal unless
The person or entity providing the email service agrees
Two states with strict employer communication laws (email, phone, etc)
Delaware, Connecticut
When is mail considered delivered
when it reaches the business
GPS monitoring guidelines
during business hours, for business purposes, monitoring has been disclosed
States with additional GPS monitoring laws
California, Minnesota, Tennessee, Texas
BYOD can create what
security vulnerabilities
Data loss prevention (DLP) is a strategy for
unauthorized access or misuse of sensitive data
Collective bargaining agreements can
modify the obligations an employer has on its workforce
National Labor Relations Board (NLRB), Colgate
video surveillance
National Labor Relations Board (NLRB), Purple Communications
email monitoring, union organizing
Investigating employee misconduct guidelines
take seriously, fairness, follow laws and company policies, documentation
Important aspect of employee investigation policies is
ensure a company properly documents employee performance problems
Fair Credit Reporting Act (FCRA) and employee misconduct investigations
If the investigation involves a consumer report, FTC provided an opinion in the Vail Letter
FTC Vail Letter said what
Third party investigations of employees were subject to the Fair Credit Reporting Act (FCRA) and needed to disclose this to the employee
FACTA and Vail Letter
Fair and Accurate Credit Transaction Act (FACTA) amended FCRA, employers don’t need to disclose they are conducting an employee investigation
FACTA employee investigation disclosure rules
don’t need to disclose if investigating employee misconduct, related to compliance with laws or company policies, not investigating credit worthiness, communication only provided to employer or agent, government, regulatory authority, required by law
HIPAA excludes what records
employment records held by a covered entity
Who enforces the Family Medical Leave Act
Department of Labor
HIPAA, employment records, ADA, GINA, FMLA stuff must be kept
All kept away from each other in separate files
State with a law to provide a reference after termination
Kansas
After termination
Restrict access, keep employee records, maintain good will
Jurisdictional nexus
Activities of the business or person and their intersection with the state
Tenth amendment and state law
Tenth amendment gives states the right to pass laws
What do federal regulations streamline
nationwide baseline compliance
State unfair and deceptive acts and practices (UDAP) and AG’s
UDAP gives state attorneys general authority to bring enforcement actions
Federal law can limit state law through..
preemption and limiting where federal claims may be filed
Federal courts hear cases about what
the constitution or federal law
State courts hear cases about what
states have a general jurisdiction
Removal jurisdiction
moving a case from state court to have it heard in federal court
States with laws like TCPA, TSR, CAN-SPAM
Alabama, plus all states got together to enact 8 anti-robocall principles
California Online Privacy Protection Act (CalOPPA) requires ..
website operators to conspicuously post their privacy policy on websites and mobile apps; also Do Not Track policy
States allow a free credit report more frequently
Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Vermont
States with laws about how credit scores are utilized
California, Colorado
California Financial Information Privacy Act did what
Called California SB-1, consumers to opt-in in writing, entitled to opt out
One entity with jurisdiction over many financial institutions
NYDFS, New York Dept of Financial Services
NYDFS has strict cybersecurity requirements..
most strict of all states, far beyond GLBA
FTC upgraded the GLBA safeguards to match what..
NYDFS, New York Dept of Financial Services cybersecurity requirements
There is no federal law that governs data security or imposes universal security standards, T or F
t
HIPAA governs what market sector
Healthcare
GLBA governs what market sector
Finance
FTC can bring enforcement for failure to adopt..
adequate security measures… under section 5 of unfair or deceptive trade
FTC enforcement, failure to adopt adequate security, against who
Uber, Lenovo, D-Link
NYDFS has become the ..
gold standard for government mandated security practices
Massachusetts minimum security standards
one employee to maintain an infosec program, risk mgmt, policies, disciplinary measures, terminated employee no access, vendor mgmt, physical access controls, monitoring, incident mgmt
What state codified PCI-DSS into law
Washington, similar to what Minnesota did
SSN Confidentiality Act did what
federal law, prohibits SSNs from being visible in the envelope window
California SSN law
Prohibit SSN from public display, printed on access cards, requiring it be transmitted over the internet, requiring it to be used to access a website, it being on printed materials mailed to homes, selling it
Colorado data destruction law
businesses using documents containing personal information must develop data destruction and disposal policies
States require the implementation of minimum security standards, T or F
t
North Carolina data destruction law
defines reasonable data destruction measures as: can’t be read or reconstructed
Subcontracting data destruction is permitted, T or F
True, think Iron Mountain
Vermont started to make data brokers register annually, why
to regulate them, California and Illinois are following suit
States that have cookie and online tracking laws
California and Virginia
Key definitions for data breach laws
who is covered, the term personal information, the term data breach
Data breach definition
When personal information is accessed or acquired without authorization
After a breach is determined, what is the next step
determine what notification obligations exist
State data breach notification laws require what..
any state resident that is affected be notified
If a data processor is breached they must what..
disclose the breach to the owner or licensee of the data
Data breach, States also require notification to govt agencies, california..
California Dept of Health Services
Data breach, States, also require notification to..
Attorney General, and Credit Reporting Agencies
Data breach, notification timing, common phrase..
the most expeditious time possible and without unreasonable delay, 8 states say within 45 days
Data breach, notification timing, Puerto Rico
10 days, then 24 hours
Data breach, notification standard, which state
North Carolina
Data breach, notification template
description, information type, steps to protect info,
Can a company draft one breach notice and send it nationwide
No, certain states have certain requirements
Is a written breach notice required to inform consumers in every state
No, some states allow for electronic communication if there is prior consent
Breach notification exceptions
Where more stringent law applies, an organization follows its own breach notification procedures, when data was encrypted, redacted, or otherwise unusable
Data breach notification enforcement, State Attorneys General
Can get involved when an organization fails to comply with the law
Data breach private cause of action
is possible under UDAP statutes in some states
Which state first adopted data breach notification law
California SB-1386
What is the first comprehensive data protection law in the U.S.
California Consumer Protection Act (CCPA)
Which law expands upon the California Consumer Protection Act (CCPA)
California Privacy Rights Act (CPRA)
California’s definition of personal information
First name and last name, or first initial and last name, in combination with other stuff
California’s data breach encryption exception
notification to consumers is necessary only if the data isn’t encrypted
California’s data breach notification timing
most expedient time without unreasonable delay, consistent with the legitimate needs of law enforcement
California’s data processor notification requirements
are placed on the data controller
California’s data breach notification content
disclosures in plain language, specificity, and a bunch of stuff
Any data breach disclosure complying with federal law will satisfy California requirement
t
California allows for both written and electronic data breach notifications
t
California data breach notification, if over 500K people
a substitute notice may be used
California data security law excludes what data
publicly available and encrypted data
California data security law, disposal of data
shredding, erasing, make unreadable or undecipherable
Scope of California Consumer Protection Act (CCPA)
> 25M in revenue, personal info of 50K people, get 50% of its revenue from selling personal info
California Consumer Privacy Act (CCPA), Third Parties
Third parties are prohibited from selling personal information unless the consumer receives notice and the opportunity to opt out
The definition of a consumer under the CCPA
Any natural person who is a California resident
The California Consumer Privacy Act does not apply to what type of information
deidentified or aggregated information
The term Sale in the context of personal information
it’s a long definition but ends with “for monetary or other valuable consideration”
California Consumer Privacy Act (CCPA) and notice
provide notice at or before collection, what’s collected, how used, categories, rights, how to exercise the rights, etc.
California Consumer Privacy Act (CCPA) consumer rights
Notice, Opt Out, Request Disclosure, Access, Deletion, Not to be discriminated against
Who enforces the CCPA
California attorney general
CCPA does provide a private cause of action for what
Data breach
What did the California Privacy Rights Act (CPRA) create
the California Privacy Protection Agency (CPPA)
California Privacy Protection Agency (CPPA) stats
5 member board, enforcement authority transferred from California Attorney General to the CPPA
California Privacy Protection Agency (CPPA) board members need
qualifications in privacy and technology
California Privacy Rights Act (CPRA) includes sensitive information
t
California Privacy Rights Act (CPRA) includes public records made available by the government
t
What did the California Privacy Rights Act (CPRA) strengthen
transparency and accountability requirements under the CCPA
California Privacy Rights Act (CPRA) security requirement
CPRA incorporated security requirements into the CCPA
California Privacy Rights Act (CPRA) mandates that controllers..
enter into written contracts with 3rd party data vendors
California Privacy Rights Act (CPRA) broadened rights
correct information, use of sensitive info, automated decision making, delete info, expanded access, expanded opt out
California Age Appropriate Design Code Act (AADC)
Prohibits advertising directed at children, profiling of children, dark patterns
California Age Appropriate Design Code Act (AADC) defines children as
anyone under 18
States adopting laws similar to the CCPA
Virginia, Colorado, Utah, Connecticut
Virginia Consumer Data Protection Act (VCDPA)
makes Virginia the only state to implement comprehensive privacy laws
Who is exempt from the Virginia Consumer Data Protection Act (VCDPA)
GLBA, HIPAA, and non profits
Virginia Consumer Data Protection Act (VCDPA) is close to the GDPR
t
Virginia Consumer Data Protection Act (VCDPA) time to respond to data subject request
without undue delay, no later than 45 days
Virginia Consumer Data Protection Act (VCDPA) private cause of action
No
Virginia Consumer Data Protection Act (VCDPA) enforced by
State attorney general
Virginia Consumer Data Protection Act (VCDPA) rule making authority
No rule making authority, Data Controllers have to rely on the text of the statute
Colorado Privacy Act (CPA) doesn’t include
HIPAA, GLBA, COPPA, FERPA
Colorado Privacy Act (CPA) includes what.. that no one else does
It applies to non profits
VCDPA and the CPA have a controller / processor framework and the CCPA has a
business / affiliate framework
Colorado Privacy Act (CPA) codifies that
a person who is not limited in processing or fails to follow the instructions of the controller is now considered the controller
Colorado Privacy Act (CPA), processors can use subcontractors
No
Colorado Privacy Act (CPA) calls for adoption of
appropriate technical and organizational safeguards, data processing contracts, controllers to conduct data protection assessments where there is a heightened risk of harm
Colorado Privacy Act (CPA) rights
opt out, access, correct, delete, portability
Colorado Privacy Act (CPA) private cause of action
No
Colorado Privacy Act (CPA) enforcement
State attorney general, local district attorneys, covered under the state UDAP
Colorado Privacy Act (CPA) rule making
lies with the State attorney general
Utah Consumer Privacy Act (UCPA) excludes what from personal data
aggregated data
Utah Consumer Privacy Act (UCPA) enforcement
State attorney general
Utah Consumer Privacy Act (UCPA) time to fix a violation
30 days
Connecticut Personal Data Privacy and Online Monitoring Act does not apply to
publicly available info and personal data solely used for payment transactions, i.e. completing a sale
Connecticut Personal Data Privacy and Online Monitoring Act list of rights
access, correct, delete, portability, universal opt out signals
Connecticut Personal Data Privacy and Online Monitoring Act enforcement
Attorney general, no private cause of action
Connecticut Personal Data Privacy and Online Monitoring Act days to fix a problem
60 days
California Electronic Communications Privacy Act
can’t search phones or online accounts without a court order or consent or an emergency
Delaware Online Personal Privacy Protection Act (DOPPA)
Delaware's version of COPPA, but children are anyone under 18
Delaware Online Personal Privacy Protection Act (DOPPA) advertising..
Prohibits ads for tobacco, firearms, tanning equipment..
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 exemptions
FCRA, fraud prevention, publicly available, Driver's Privacy Protection Act, GLBA
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 primary requirement
to provide an online notice and a designated request address to not sell data; have 60 days to process it
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 time to fix issues
30 days
Nevada Privacy of Information Collected on the Internet from Consumers Act SB 538 “sale” extends to
data brokers
Illinois Geolocation Privacy Protection Act and Right to Know Act
Vetoed by the governor, affirmative express consent before getting geolocation info from a consumer’s device
New Jersey Personal Information and Privacy Protection Act
when retailers can scan a person’s identification card, sale of the data is prohibited
Washington state Biometric Privacy Law
can’t put biometric data into a database for commercial purposes without adequate notice, consent obtained, and can prevent subsequent use
New York’s SHIELD Act expands
private information and data breach
New York’s SHIELD Act private information is
biometric data, account number, user names
New York’s SHIELD Act data breach..
when private information is accessed without authorization
New York’s SHIELD Act data breach exemption
when it was accessed by accident
New York’s SHIELD Act also requires
develop, implement, maintain reasonable safeguards to protect security and disposal
New York’s SHIELD Act requires safeguards in line with a company’s
size and complexity
Illinois Student Online Personal Protection Act (SOPPA)
most comprehensive privacy for student records, info is called covered info, any personally identifiable information
Illinois Student Online Personal Protection Act (SOPPA) operators..
are prohibited from advertising, profiling, selling, or disclosing covered information
Illinois Student Online Personal Protection Act (SOPPA) school requirements and state board of education requirements
no selling, or disclosing, there are some exceptions, and the school needs a privacy officer
Tennessee SB 2005 data breach notification
encrypted data is no longer excluded; you have to notify consumers
Illinois HB 1260 data breach notification
encrypted data is not excluded if there is a risk the key was compromised
Illinois HB 1260 data breach medical information
medical info, biometric info, health insurance info now in scope
Illinois HB 1260 data breach notification to attorney general
HIPAA regulated entities now have to notify the attorney general if there is a breach
New Mexico HB 15 data breach laws
apply to encrypted and non encrypted data, biometric data, personal health information
South Dakota data breach law
don’t need to notify if there is no harm to consumers, but you must notify the attorney general
Massachusetts HB 4806 data breach law
similar to the Fair Credit Reporting Act (FCRA) requirements, the data breach laws regulate the credit reporting agencies