Section 5 Flashcards
Which city banned employment based on credit history in 2015?
New York City
When was the California Financial Information Privacy Act passed and what is the other name by which it is known?
2004 and known as SB-1
How does the CFIPA (CA Financial Info Privacy Act) add to GLBA?
- Shifts the requirement for financial institution data sharing from an opt-out under GLBA to an OPT-IN under CFIPA.
- requires that financial institutions provide a SEPARATE DOCUMENT that is prominently titled “Important Privacy Choices for Consumers.”
In what two days does the Cal ECPA (Electronic Communications Privacy Act) restrict law enforcement in access to electronic comms?
- Service Provider Records
- criminal: search warrant or court order
- non-criminal: subpoena - Electronic Devices
- search warrant, wiretap order, consent of the customer or certification of an emergency situation
What rights does the CCPA (CA Consumer Privacy Act) of 2018 provide?
Right to: KKHOORD
- know what information is collected
- know how the information is shared
- opt out of information sharing
- review information
- request deletion of information
Does the CCPA include a private right of action?
Yes
How does the CA Privacy Rights Act update the CCPA?
- Creates a new category of information: Sensitive PI
- Adds new rights like:
- correct inaccurate information
- limit use and disclosure of SPI
- access information on automated decision-making
- to opt out of that automated decision-making
What law created the California Privacy Protection Agency?
CPRA (2023)
When did CA pass the CA Data Broker Law?
2019
What does the CA Data Broker Law require?
- annual registration with the AG
- AG publishes list of registered broker on its website
When does the CA Age Appropriate Design Code go into effect?
was set to go into effect July 2024 but was litigated
What does the CAADCA (California Age Appropriate Design Code Act) require that companies do?
- Annual Data Protection Impact Assessment (DPIA)
- Document risks and develop remediation plans
- Comply with AG requests
- Estimate age of child visitors
- Use strong default privacy settings
- Write privacy notices that children can understand
- Notify children they may be tracked
- Provide tools + info that parents and children can use to enforce privacy rights
What websites does the CAADCA apply to?
Those that are already subject to the CCPA AND
- are directed at children (as defined by COPPA)
- are routinely accessed by children
- are similar to another website directed at children
- have advertisements marketed to children
- have design elements interesting to children
- a significant amount of the audience is children
What are the possible fines under the CAADCA?
Negligent: $2500 per child
Intentional: $7500 per child
Is there a private right of action under the CAADCA?
No
What entities does the Colorado Privacy Act apply to?
If the business handles PI of 100K or more CO residents or handles PI of 25K or more residents and earns revenue from sharing that info
Does not apply to PI for your own employees
Does the CO law apply to non-profits?
Yes. CA does not.
Does CO Privacy Law have a private right of action?
No
What companies does the Connecticut Data Privacy Act (CTDPA) apply to?
If the business handles PI of 100K or more CT residents or derives over 25% of revenue from selling data AND control or process data of 25K or more CT residents annually
What does the CTDPA not apply to?
governments, non-profits, higher education or entities regulated by GLBA, HIPAA and FCRA
What rights does the CTDPA provide?
access, correction and deletion of data
data portability
opt out
appeal denial of requests
designate an authorized agent
Does the CTDPA have a private right of action?
No
When did the Delaware Online Privacy and Protection Act (DOPPA) go into effect?
2016
What are the three main categories of DOPPA?
Privacy policies
Protections for children (expands to under 18)
Protections for the privacy of users’ reading habits
How does the DOPPA definition of website operators affect a service like Amazon Web Servies?
It does not include web hosting services that have nothing to do with operating the actual site so AWS would be excluded
What are the Nevada SB 538 requirements?
Disclose clear privacy policies
What is the subject matter of the New Jersey Personal Information and Privacy Protection Act?
Customer identity/customer ID cards
What are the eight purposes that the NJ law allows retailers to collect customer IDs?
Validate customer identities for refunds
Verify customer age if needed
Prevent fraud in product returns
Prevent identity fraud in retain credit accounts
Creating and continuing customer contracts
Comply with laws that compel collection or disclosure
Disclose records to financial regulation
Compliance with HIPAA
What kinds of data does the WA Biometric law exclude?
Photographs, videos and audio recordings
What does the WA Biometric law require for biometric data?
Notice and consent before data can be “enrolled” in a database for commercial purposes with an exception for data needed to complete a transaction or to comply with other legal obligations
What does the NYDFS Cybersecurity Regulation do?
Makes financial institutions operating in NY follow cybersecurity infrastructure under NIST
What does WA HB 1149 do?
Requires businesses that manage electronic payment transactions liable to help cover the costs involved in issuing new bank cards if their negligence causes a breach
What are the DOPPA conspicuous privacy policy posting options?
- On the homepage or first significant page of a site
- Accesible through a textl ink or icon containing the word “privacy”
- For non-websites, reasonably accessible
IL Student Online Personal Protection Act (SOPPA)
Grants parents rights to control student info
Data breach notification
Applies to govt agencies and educational technology companies
What must be in a Privacy Policy under DOPPA?
PII collected
Third parties that get the PII
How it handles “do not track” requests
Policy change notification procedures
What must be included on a privacy policy under NV SB 538?
Categories of PII
Process to review and correct
Notification process for policy changes
Use of third party tracking
Effective date
What did NV SB 260 do?
Expanded 538 to included data brokers
What are the cybersecurity controls that NY requires?
Penetration testing
vulnerability assessment
Audit trail
Access privileges
Application security
Risk assessments
Multifactor authentication
Encryption
Incident response plan
Secure disposal
What companies are subject to the Utah Consumer Privacy Act?
- Over 25M in annual revenue
- Process data of 100K or more Utah residents
- Process data of 25K or more Utah residents and sell it
How does CalECPA differ from federal telecoms laws?
Cal ECPA requires Cal state law enforcement get a warrant when requesting electronic data
Which states have an explicit right to privacy in their Constitution?
Alaska
Arizona
California
Florida
Hawaii
Illinois
Louisiana
Montana
New Hampshire
South Carolina
Washington
What types of personal information are omitted from the CCPA?
PHI and personal financial information regulated by GLBA
What is BIPA? Does it include a private right of action?
Illinois Biometric Information Privacy Act
Requires that companies get consent before collecting and using biometric data
YES - includes private right of action
What are the rights granted under the CCPA?
KADON
Know
Access
Delete
Opt out
Nondiscrimination
What rights does the CPRA add to the CCPA?
CKOR
Correction
Know about automated decision making
Opt out of automated decision making
Restrict sensitive personal information
What businesses are subject to the Virginia Consumer Data Protection Act (VCDPA) (2021)?
- Controls or processes the PI of 100K or more VA residents OR
- Controls or process the PI of 25K if the business earns of HALF ITS REVENUE from selling that PI
What are the five major exemptions from the VCDPA?
- Virginia government agencies
- Financial institutions regulated under GLBA
- Healthcare organizations regulated under HIPAA
- Non-profit organizations
- Institutions of higher education
Does the VCDPA have a private right of action?
No
Does the Colorado Privacy Act have a private right of action?
No
What entities does the Colorado Privacy Act apply to?
- 100K or more residents
- 25K or more if they earn ANY revenue from selling the PI
Does the Colorado Privacy Act apply to non-profits?
Yes (while CA and VA laws leave non-profits exempt from their Privacy Acts)
There is also an exception for businesses handling information about their employees or other businesses
What does Nevada’s SB 538 do?
Requires that websites post clear privacy policies (similar to DOPPA)
What is a Nevada SB 538 exception?
Website operators in NV with fewer than 20K unique visitors if their revenue is derived primarily from a source other than the sale or lease of goods, services or credit online
How does Nevada SB 260 amend Nevada SB 538?
Expands the regulation to cover data brokers who purchase information about NV residents
Is there a private right of action under the Connecticut Data Privacy Act?
No
What businesses does the Connecticut Data Privacy Act (CTDPA) apply to?
- 100K or more
- Derive 25% of gross revenue from selling PI and control or process the data of at least 25K CT residents
What does the CTDPA do?
Rights to: access, correction, deletion, data portability, and opt-out, appeals and authorized agent designation
Also controls geofencing around health facilities
What entities does the Utah Consumer Privacy Act (UCPA) apply to?
- Annual gross revenue over 5M OR
- 100K Utah residents OR
- 15K residents if they SELL AT ALL
How does the UCPA (Utah) differ from the Virginia and Colorado laws?
NO: (1) right to appeal denials
(2) opt-out of profiling
Does the UCPA have a private right of action?
No
Which state law makes businesses that manage electronic payment transactions liable for the costs associated with data breaches due to the negligence?
Washington HB 1149
What does the California Age-Appropriate Design Code Act (CAADCA) require?
Websites directed at children under the age of 18 must conduct protection impact assessments and take other measures to protect the privacy rights of children
NO private right of action
Which state law is similar to FERPA?
Illinois Student Online Personal Protection Act
What does Massachusetts 201 CMR 17.00 do?
Requires that all companies with info on MA residents have a written information security plan
What types of data are omitted from the Washington Biometric Privacy Law (HB1493)?
Photographs
Videos
Audio recordings
How did Illinois HB 1260 update data breach notification laws?
Expanded the definition of personal information to include usernames or email addresses combined with a password that would provide access to an account
How did Massachusetts HB 4806 update data breach notification laws?
Added requirements for allowing individuals to place security freezes on their credit reports AND required that companies suffering data breaches offer affected users free credit monitoring
Most states trigger breach notification when a business knowns there was a breach. Which do so when there is a reasonable belief of a breach?
Alaska and Kentucky
Which state does not require notification to regulators upon the event of a breach?
Indiana
How did Tennessee SB 2005 update prevailing state breach notification laws?
It updated to include even encrypted data
How did Illinois HB 1260 update prevailing state breach notification laws?
It made usernames or email addresses count as PI if they are disclosed in combination with any information, like a password, that would allow an unauthorized party to get access to someone’s account
How did California AB 2828 update prevailing state breach notification laws?
Added encrypted data if there is reason to believe the encryption keys were also compromised
How did New Mexico HB 15 update prevailing state breach notification laws?
Requires notification if encryption keys are compromised and also includes biometric information
What are the notice and choice rules under the CFIPA?
- Must be notified in advance
- Provided with time to opt-out
When sharing with unaffiliated third parties, there must be written consent
What entities does the CFIPA apply to?
Any financial institution doing business in California
What right does CAN SPAM grant to states?
Enforcement by state AGs
Which state’s privacy law applies to non-profits?
CO
What businesses are exempt from Nevada SB 538?
- Located in Nevada
- Revenue derived outside online
- Small business (less than 20K)
AND websites must have minimum contacts