On June 6, 2023, Governor DeSantis signed Senate Bill (SB) 2262, legislation intended to create a “Digital Bill of Rights” for Floridians. While Florida’s new law provides consumers privacy rights similar to those in the comprehensive privacy laws other states have passed in recent months, the law is narrower in the businesses it regulates.

Generally, the requirements of the law take effect on July 1, 2024, with certain sections taking effect sooner.

Covered Businesses

The new legislation applies to businesses that collect consumers’ personal information, make in excess of $1 billion in gross revenues, and meet one of the following thresholds:

  • Derive 50% or more of their global annual revenues from providing targeted advertising or the sale of ads online; or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation.

Consumer Rights

Like many of the comprehensive privacy laws passed in recent months, the new law provides Florida consumers the right to:

  • Access their personal information;
  • Delete or correct personal information; and,
  • Opt out of the sale or sharing of their personal information.

In addition to these rights, the law adds biometric data and geolocation information to the definition of personal data, for purposes of protecting consumers.

Covered Business Obligations

Under the new law, covered businesses and their processors are required to implement a retention schedule for the deletion of personal data. Controllers or processors may only retain personal data until:

  • The initial purpose of the collection was satisfied;
  • The contract for which the data was collected or obtained has expired or terminated; or
  • Two years after the consumer’s last interaction with the covered business.

Covered businesses will be required to provide reasonably accessible and clear privacy notices, and such notices will need to be updated annually, including disclosures to consumers regarding data collection, processing, and use practices.  

The law also requires covered businesses to develop and implement reasonable data security practices.

If you have questions about Florida’s new Digital Bill of Rights or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making the state the eighth state to pass consumer privacy legislation. Tennessee joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia, which have previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2025.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

  • During the calendar year, control or process personal information of at least 100,000 consumers; or,
  • Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Entities not subject to the Act include Tennessee and its state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by law?

The statute protects personal information, which includes:

  • Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information
  • Characteristics of protected classifications under state or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Biometric data;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information;
  • Education information that is not publicly available information

Personal information also includes “sensitive data,” which means:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal information collected from a known child; or
  • Precise geolocation data.

Personal information does not include information that is:

  • Publicly available
  • De-identified or aggregate consumer information

What are the rights of consumers?

Under the statute, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
  • Correct inaccuracies in the consumer’s personal information.
  • Delete personal information provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
  • Request information about personal information the controller sold or disclosed to third parties.
  • Opt out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay but no later than 45 days from receipt.

The controller is required to take certain steps with respect to its processing, including:

  • Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
  • Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.  

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal information for purposes of targeted advertising
  • The sale of personal information
  • The processing of personal information for purposes of profiling where the profiling presents a foreseeable risk
  • The processing of sensitive data
  • The processing of personal information that presents a heightened risk of harm to consumers

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice,” the contents of which are similar to, but not as expansive as, those required under the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires that they adhere to the instructions of controllers, such as by assisting the controller with responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement that the processor make available all information in its possession needed to demonstrate its compliance with the Act, (ii) a requirement that the processor cooperate with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) an obligation on the processor to push the Act’s required provisions down to its subcontractors.

How is the law enforced?

The attorney general and reporter have exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy program is that it disclose the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes; it also provides an affirmative defense to a cause of action for a violation of the law.

For additional information on Tennessee’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Since the privacy and security regulations were issued under the federal Health Insurance Portability and Accountability Act (HIPAA), critics have pointed to the limitations on the reach of those rules. A critical limitation advanced by privacy advocates is that the popular health data privacy rule extends only to certain covered entities and their business associates, not to health data generally. On April 17, 2022, Washington’s legislature passed House Bill 1155, also known as the My Health, My Data Act. The bill aims to address health data collected by entities not covered by HIPAA, including certain apps and websites.

If signed by the governor, most sections of the law would take effect on March 31, 2024, though certain parts of the legislation may take effect sooner.

When would the law apply?

A “regulated entity” for purposes of the law is defined as one that:

  • Conducts business in the State of Washington, or produces or provides products or services that are targeted to consumers in Washington, and
  • Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.

The legislation creates a subgroup of regulated entities, known as “small businesses,” largely to provide a few more months to comply. Small businesses are regulated entities that satisfy one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or,
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Who is protected by the law?

Under the legislation, a protected consumer is defined as a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington.

A consumer is only protected for actions taken as an individual or on behalf of a household and does not include actions taken by an individual acting in an employment context.

What data is protected by the law?

The law would protect “consumer health data,” defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Health status includes but is not limited to the following:

  • Individual health conditions, treatment, diseases, or diagnosis
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements of health-related functions
  • Diagnoses or diagnostic testing, treatment, or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Genetic data
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies
  • Data that identifies a consumer seeking health care services.

What are the rights of consumers?

Under HIPAA, individuals have several rights with respect to their protected health information (PHI). These rights include the right to authorize disclosures in certain contexts (and revoke those authorizations), to request an amendment, to request an accounting of disclosures, to request a restriction on use and disclosure, and to be notified of a breach. The Washington legislation would provide consumers with the right to:

  • Confirm whether their consumer health data is being collected, shared, or sold, including a list of all third parties and their affiliates to whom the data has been shared and their contact information.
  • Consent to or deny collection or sharing of health data.
  • Withdraw consent from a regulated entity or small business to collect or share health data.
  • Delete health data collected by a regulated entity or small business, including on archived or backup systems.
  • Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data.

The provisions concerning the administration of these rights look a lot like the provisions in the California Consumer Privacy Act (CCPA) and other recently enacted state comprehensive data privacy laws.

What obligations do businesses have?

The Washington law would add to the growing compliance burden on company websites, as it would require regulated entities and small businesses to maintain a consumer health data privacy policy prominently on their homepages. That policy must clearly and conspicuously disclose:

  • Categories of consumer health data collected and the purpose for which the data is collected.
  • Categories of sources from which the consumer health data is collected
  • Categories of consumer health data that are shared.
  • A list of the categories of third parties and specific affiliates with whom consumer health data is shared.
  • How a consumer can exercise the rights provided under the law.

This too is very similar to obligations under the CCPA. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They also must respond to requests from consumers to withdraw consent to collect or share health data. Moreover, they must respond to requests from consumers to delete their consumer health data. The law also would mandate that contracts be in place with processors of consumer health data and would codify specific data security obligations for regulated entities and small businesses, including specific access management requirements.

Additionally, the law would make it unlawful for “any person” (apparently not just regulated entities or small businesses) to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

How is the law enforced?

Under the new legislation, violations of the requirements for health care data would be enforceable either through actions brought by the State Attorney General’s Office or through private actions brought by affected consumers.

For additional information on Washington’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act, which relates to consumer data and privacy protection. Once signed by Iowa’s governor, the statute will become operative on January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing a comprehensive consumer privacy statute.

Covered Businesses

Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.

Consumer Defined

Under the statute, a consumer is defined as a natural person who is a resident of Iowa and acting only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.

Personal Data

The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.

Consumer Data Rights

The statute provides consumers with the following rights:

  • To confirm that covered businesses are processing the consumer’s personal data and access that personal data.
  • To delete personal data provided by the consumer.
  • To port the personal data.
  • To obtain a copy of the consumer’s personal data with certain limitations.
  • To opt out of processing for the sale of personal data or targeted advertising.

Covered Business Obligations

Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:

  • Respond to consumer requests without undue delay, but in all cases within 90 days of receipt of the request. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
  • If the covered business declines to take action, it must inform the consumer.
  • Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.

In addition to complying with consumer requests covered businesses must:

  • Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Protect sensitive data, a broad category under the statute that includes racial information, biometric data, and even geolocation, and not process such data without first presenting the consumer with clear notice and an opportunity to opt out of such processing.
  • Avoid processing data in such a way as to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute including denying goods or services or changing the prices or rates.
  • Contractually obligate processors, where the business is a controller, to adhere to the business’s instructions and to implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.
  • Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.

Enforcement

The statute does not include a private right of action and the attorney general of the state has exclusive authority to enforce the provisions of this chapter.

For additional information on Iowa’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

To celebrate Data Privacy Day, we present our top ten data privacy and cybersecurity predictions for 2023.

1. Healthcare and Medical Data Security and Tracking

The healthcare industry has been facing increased scrutiny for the protection of healthcare information both online and on apps.

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further. 

Businesses in the healthcare industry should continue to work with counsel to review new ways of delivering healthcare services, including new technologies, with an eye toward the protection of medical information and privacy for patients. Building in protections from the outset can have significant advantages. Of course, medical device and technology companies also will need to consider how their devices and technologies could capture or affect medical information and the corresponding regulatory requirements and best practices.

2. A Patchwork of Legislation and Regulations Pertaining to Privacy and Cybersecurity

Currently, nine states are considering consumer privacy bills: Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. This is already a complicated arena, as California, Colorado, Connecticut, Utah, and Virginia have laws on the books.

More cities and states will implement cybersecurity regulations with a view toward data protection and privacy, including in specific industries. In 2022, for example, we saw government entities such as the Nevada Gaming Commission issue security regulations for regulated entities in the gaming industry. The New York State Bar is now requiring its members, lawyers practicing in New York, to complete annual continuing legal education in cybersecurity.

The Biden Administration released its regulatory agenda, which aims at new cybersecurity requirements for government contractors, the maritime industry, public companies, and others. The Securities and Exchange Commission has also set goals to enact new cybersecurity regulations.

It will be important in 2023 for businesses to be more aware than ever of the data they are collecting, why it is processed, and how it is stored and safeguarded in order to comply with the myriad privacy laws around the country.

3. California, California, California

California will continue to be a leader in the data privacy space, with both the implementation of its first-in-the-nation comprehensive consumer privacy law and further enforcement actions under that law. California will be sure to shape both state and national viewpoints on privacy requirements.

The California Privacy Protection Agency (CPPA) continues to work on revisions to regulations for the California Privacy Rights Act (CPRA). These changes are critical for covered organizations with respect to both their commercial activities and when functioning as an employer.

It does not stop there. Another first for California is that it is the first state to adopt a comprehensive law, AB 2273, addressing children’s online privacy.

4. Employee Privacy and Monitoring

As remote working remains mainstream, we will see more regulation on the monitoring of and privacy protections for employees. Last year, the NLRB’s General Counsel issued a memo on the electronic monitoring of employees. In the memo, the General Counsel suggested employers establish “narrowly tailored” practices to address “legitimate business needs,” which are then weighed against whether they outweigh employees’ Section 7 interests. Even if the employer establishes that its narrowly tailored business needs outweigh those rights, the General Counsel nonetheless will “urge the Board to require the employer to disclose to employees the technologies it uses to monitor and manage them, its reasons for doing so, and how it is using the information it obtains,” unless the employer can establish special circumstances.

In some industries, “workplace” monitoring goes beyond the home office. Consider transportation and logistics. An increasing number of states are advancing legislation on digital license plates, which could include related vehicle tracking and related telematics technologies. California’s recent statute on vehicle tracking and fleet management creates significant obligations for employers monitoring their fleets using these technologies.

5. Federal Government to Join in Privacy Regulation

We’re going out on a bit of a limb here, as there have been predictions year after year that the federal government would enact a national privacy standard. Of course, none of those predictions came true. To be sure, the federal government is on a much slower path toward joining states in privacy regulation, but we definitely see the federal government continuing its efforts toward national privacy protection, whether via administrative regulations by the Federal Trade Commission or via proposed legislation. Perhaps this is the year!

6. AI, Automated Decision Systems and Privacy

2022 saw a tremendous uptick in the attention to and use of AI and Automated Decision Systems, along with the potential effects of both in employment and related circumstances. Naturally, this raises significant privacy concerns among many stakeholders, including the Biden Administration. According to the framework issued by the White House in 2022 pertaining to the use of AI, data privacy was one of the five protections that individuals should be entitled to when using AI.

As the use of AI and automated decision systems continues to spread through industries and everyday life, how individuals’ privacy will be safeguarded will be a growing concern.

7. More privacy-related lawsuits

2023 will see more privacy-related lawsuits as privacy laws proliferate across the country.

We will continue to see more litigation under Illinois’ Biometric Information Privacy Act (BIPA) as plaintiffs’ attorneys find more places where the law could apply, from dash cams to timekeeping. Other states may enact laws that fuel more litigation, as several states including Maryland, Mississippi, and New York are considering biometric privacy laws. Lawsuits are also beginning to be filed under the facial recognition ordinance the city of Portland enacted a few years ago.

While BIPA and the Telephone Consumer Protection Act (TCPA) continue to drive a significant amount of litigation, there is an emerging trend in cases seeking to apply newer technologies to privacy statutes such as the California Invasion of Privacy Act (CIPA), the Florida Telephone Solicitation Act (FTSA), the Video Privacy Protection Act (VPPA), and the Genetic Information Privacy Act (GIPA).

8. EU Continued Enforcement of Privacy Laws

Companies transferring personal data from the EEA (European Economic Area) to the U.S. may soon have an opportunity to leverage a new transfer mechanism. In October, President Biden signed Executive Order 14086 as part of the process to implement the EU-U.S. Data Privacy Framework (DPF), successor to the invalidated EU-U.S. Privacy Shield framework. The EU Commission has issued a draft decision that, upon adoption, will enable the DPF to proceed. In the meantime, the U.S. Department of Commerce announced it will help current U.S. Privacy Shield participants prepare to transition to the new framework.

In October, the European Data Protection Board approved Europrivacy, the first European Data Protection Seal. Europrivacy is a certification mechanism designed to help data controllers and processors demonstrate compliance with the GDPR.

Artificial Intelligence and data protection remain a top priority for the U.K. Information Commissioner’s Office. In November, the ICO published How to Use AI and Personal Data Appropriately and Lawfully. Earlier in the year, the EU Commission published an updated proposal for Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act). The proposal creates a legal framework and includes principle-based requirements for AI systems, harmonized rules for the development and use of AI systems, and a regulatory system.

9. Ransomware Attacks and Data Breaches Will Continue as Will Secondary Enforcement Actions

We will continue to see a flow of ransomware attacks, business email compromises, and other data breaches stemming from crafty hackers and cybersecurity lapses. In addition to business interruption costs and direct expenses incurred to respond to the incident, organizations will likely face more enforcement actions as states continue to tighten their data breach notification requirements.

Organizations cannot prevent all attacks from happening, but they can redouble their efforts around regulatory compliance, preparedness, and incident response planning. The stronger an organization is in these three areas, the more successful it likely will be in resolving a government agency enforcement action relating to a data breach.

10. More Focus on Critical Infrastructure Sector When it Comes to Cybersecurity and Privacy

In 2022, we saw the passage of federal legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, included within the Consolidated Appropriations Act, 2022. In short, the law requires certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):

  1. a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
  2. any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident to be reported)

Because of the ongoing threats to critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has started to focus more on this sector, as small to medium-sized providers have been under threat. Recently, in its review of 2022, CISA stated that the agency would focus on “target-rich, resource-poor entities” such as small water facilities that are part of critical infrastructure but don’t have large security teams.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2023.

Happy Privacy Day!

The Colorado Privacy Act (CPA), effective July 1, 2023, provides expansive protections to the personal data of Colorado residents acting in an individual or household context (a “consumer”). Similar to the California Consumer Privacy Act (CCPA), the CPA requires providing notice of an entity’s (“controller”) data collection activities, provides for consumer rights including the right to opt out of certain processing, and creates an affirmative duty to safeguard personal data. Notably, the CPA does not apply to employee personal data or data collected in a commercial context. 

On December 22, 2022, the Colorado Attorney General published Version 2 of Proposed Draft Rules for implementing the CPA and invited public comment. A rulemaking hearing on the proposed rules is scheduled for February 1, 2023.

While not an exhaustive list, the Proposed Draft Rules:

  • provide an extensive list of defined terms;
  • set forth presentation and accessibility requirements for consumer disclosures and notices (e.g., readable on all devices, straightforward and accurate, accessible to the target audience);
  • address the exercise of personal data rights (e.g., opt-out, access, correct, delete, and port data) and authentication of requests (i.e., establishing reasonable methods to authenticate a consumer based on the specific rights exercised, the risk of harm from improper access and the value, amount, and sensitivity of the personal data associated with the request);
  • require a universal opt-out mechanism that enables opting out of processing for targeted advertising or the sale of personal data in an affirmative, freely given, and unambiguous manner; prohibit universal opt-out mechanisms that are pre-installed or enabled by default, since they do not constitute freely given, affirmative consent to opt out; and include technical specifications;
  • address privacy notice content (e.g., disclosing the processing purpose; whether the data is sold, used for targeted advertising, or used for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; data rights, etc.);
  • detail use of loyalty programs (e.g., prohibiting an increase in cost or decrease in the availability of a product or service based on a consumer’s exercise of a right; permitting a controller to offer bona fide loyalty program benefits based on a consumer’s voluntary participation);
  • detail duties regarding processing sensitive data (i.e., obtaining consent);
  • outline the affirmative obligation to safeguard consumer personal data;
  • set forth requirements for valid consent (e.g., informed, affirmative, freely given, specific and unambiguous);
  • detail the performance of a data protection assessment (e.g., identify and describe the heightened risk of harm to a consumer posed by processing; document measures taken to offset those risks; and demonstrate the benefits of processing outweigh the risks as offset by implemented safeguards).

The following non-exhaustive list notes substantive changes to the Proposed Draft Rules in the recently published Version 2. These changes: 

  • add key definitions (e.g., “employee”, “employer”, and “employment records”, since the CPA does not apply to data maintained for employment purposes; “non-commercial purpose”, since the CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado consumers); amend “biometric identifiers” to mean data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics. The definition of biometric identifier is significant since consumer consent must be obtained prior to collecting biometric data;
  • permit delayed compliance with a consumer’s request to correct data when the data is archived or in backup systems;
  • detail the scope and application of a universal opt-out mechanism including an affirmative obligation to safeguard data processed with respect to the use of a universal opt-out mechanism;
  • provide controllers with six (6) months to recognize mechanisms added to the public list of recognized universal opt-out mechanisms published by the Colorado Department of Law;
  • provide examples of substantive or material changes that require a controller to notify a consumer of changes to its privacy policy (e.g., changes to categories of personal data processed or processing purposes, controller’s identity, or methods to exercise consumer rights);
  • list considerations for identifying and incorporating reasonable and appropriate safeguards for personal data;
  • require that an interface used to request consumer consent include specific disclosures;
  • detail when the controller must refresh consent received from a consumer to process certain personal information;
  • prohibit consent interface designs that subvert or impair user autonomy or decision-making, or that manipulate or coerce the consumer into providing consent;
  • replace the phrase “similarly significant effects concerning a consumer resulting from profiling” with specific examples (e.g., denial of financial or lending services, housing); and
  • permit the use of a profiling-related data protection assessment performed for purposes of another jurisdiction’s law to satisfy CPA requirements when the assessment is reasonably similar in scope.

The CPA rulemaking process is ongoing and, similar to California’s draft regulations, it is anticipated that Colorado’s Proposed Draft Rules will undergo further revisions prior to July 1, 2023. Jackson Lewis will continue to track updates to the CPA and Proposed Draft Rules. For additional information on the CPA and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular posts of 2022:

1. California Consumer Privacy Act FAQs: Employment Information

As the California Privacy Rights Act moves toward taking effect and exceptions applying to employment-related data expire, employers have questions about handling privacy when it comes to employee information.

2. “Get a Life” – Another Dentist Responds to Patient’s Online Review, This Time Faces a $50,000 OCR Penalty

The Office for Civil Rights (OCR) recently announced four enforcement actions, one against a small dental practice that imposed a $50,000 civil monetary penalty under HIPAA. The OCR alleged the dentist impermissibly disclosed a patient’s protected health information (PHI) when the dentist responded to a patient’s negative online review.

3. California Tightens Rules on Vehicle Tracking, Fleet Management

In September 2022, Governor Gavin Newsom signed into law AB-984, which becomes effective January 1, 2023. The law builds on other privacy protections in California, such as the California Consumer Privacy Act and Penal Code Sec. 637.7. Section 637.7 prohibits using an electronic tracking device to determine the location or movement of a person; however, it does not apply when the vehicle owner (e.g., the employer) has consented to the use of the device.

4. Does Your Cyber Insurance Policy Look More Like Health Insurance?

Many factors are driving up the cost of cyber insurance policies including increases in ransomware attacks and the cost of business interruption from those attacks. Moreover, carriers are giving more scrutiny to the practices and procedures of the companies they insure. As such, companies need to consider their cyber security controls to assist in obtaining and maintaining coverage.

5. $600,000 Reasons To Review Your SHIELD Act Compliance Program: NY Attorney General Announces Significant Settlement Stemming From Email Data Breach

On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State.

6. The RIPTA Data Breach May Provide Valuable Lessons About Data Collection and Retention

There is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

7. From Time Keeping to Dashcams, BIPA Litigation Continues

Litigation under the Illinois Biometric Information Privacy Act (BIPA) continues to heat up, encompassing litigation about timekeeping systems that use fingerprints to dashcams.

8. Utah Becomes Fourth State to Enact A Comprehensive Privacy Law

Utah joined California, Colorado, and Virginia in passing a consumer privacy statute; the Utah Consumer Privacy Act takes effect on December 31, 2023.

9. Does a Poor ESG, Social Responsibility Rating Increase an Organization’s Cyber Risk?

With ransomware and other cyber threats top of mind for most in the c-suite these days, a question frequently raised is whether a particular organization is a target for hackers. Of course, nowadays, any organization is at risk of an attack, but the question is whether some organizations are targeted more than others. An Insurance Journal article discusses a paper published in September 2021 that identifies a factor that could elevate the risk of being targeted, a factor many in cyber might not have expected, “greenwashing.”

10. Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law

Connecticut prepared and eventually passed the “Act Concerning Personal Data Privacy and Online Monitoring,” which will take effect July 1, 2023.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on these topics, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

While the federal government attempts to move forward with a more uniform national law, Connecticut joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer privacy law.

The legislation, signed by Connecticut’s governor in May 2022, will take effect on July 1, 2023. However, provisions related to a task force to be convened by the state legislature take effect immediately, and the task force is charged with studying issues including information sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.

While businesses consider how to comply with Connecticut’s new privacy law, they should also be taking into account some of the data protection laws already in effect in the state. The following is an overview of just some of the other laws to keep in mind.

Obligation to Safeguard Personal Information and SSNs

Connecticut law already obligates businesses possessing “personal information” to

safeguard the data, computer files, and documents containing the information from misuse by third parties.

See Section 42-471. The term “personal information” under this law means

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

This law also requires businesses that collect Social Security numbers (SSNs) to create and publish a policy that (i) protects the confidentiality of SSNs, (ii) prohibits unlawful disclosure of SSNs, and (iii) limits access to SSNs.

Obligation to Destroy Personal Information

The same law discussed above that requires businesses to safeguard personal information also requires businesses to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” For this reason, a record retention policy should address not only how long personal information (and other confidential business information) should be retained, but also a secure process for destroying it once the retention period has expired.

Data Breach Notification Law

When the safeguards contemplated above fail to prevent an unauthorized access or acquisition of computerized personal information (a “breach of security”), Connecticut’s breach notification law, which was updated and enhanced in 2021 by An Act Concerning Data Privacy Breaches, is triggered.

Persons that own, license, or maintain computerized personal information and experience a breach of security involving such information may be required to notify affected Connecticut state residents. This law provides a more specific definition of personal information – an individual’s first name or initial and last name in combination with any one or more of the following:

  • Social security number;
  • driver’s license number or state identification card number;
  • financial account number in combination with any required security code, access code, or password that would permit access to such financial account;
  • credit or debit card number;
  • individual taxpayer identification number;
  • identity protection personal identification number issued by the IRS;
  • passport number, military identification number, or other identification number issued by the government that is used to verify identity;
  • medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual;
  • biometric information which consists of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or
  • user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

In general, notice must be made without unreasonable delay but not later than 60 days after the discovery of a breach, and notice must also be provided to the State’s Attorney General. However, if, after an appropriate investigation, the business reasonably determines that the breach will not likely result in harm to the affected individuals whose personal information has been acquired or accessed, notification is not required. If notification is required, and if the breach involved a resident’s SSN or taxpayer identification number, the business shall offer the resident “appropriate identity theft prevention services” for not less than 24 months.

In the unfortunate event that a business experiences a breach of security potentially affecting Connecticut residents, it will need to carefully consider these and other provisions of the law.

The long and short of the requirements above (which also exist in many other states) is that businesses need a comprehensive written information security program, which includes robust incident response and record retention and destruction plans. If you have questions about developing a privacy and data compliance plan for Connecticut law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The federal government has been trying to reach a consensus on data privacy and thus far has failed to pass legislation. On June 3, 2022, a bipartisan draft bill, titled the American Data Privacy and Protection Act was released by the Committee on Energy and Commerce. The bill intends to provide comprehensive data privacy legislation, including the development of a uniform, national data privacy framework and robust set of consumer privacy rights.

A covered entity for purposes of the draft bill is defined as “any entity or person that collects, processes, or transfers covered data” and is subject to the Federal Trade Commission Act, is a common carrier under the Communications Act of 1934, or is an organization not organized to carry on business for their own profit or that of their members.

Per the draft, the new act would be carried out by a new bureau within the Federal Trade Commission (FTC). Interestingly, the proposed legislation would preempt similar state laws, though excludes the CCPA/CPRA in California and the BIPA and the GIPA in Illinois from that preemption.

The draft bill covers a wide swath of data consumer privacy issues from data collection to civil rights and algorithms. The following are some highlights of note:

Data Collection Requirements

The draft legislation imposes a duty on all covered entities not to unnecessarily collect or use covered data, with covered data being defined broadly as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers”. The FTC would be charged with issuing additional guidance regarding what is reasonably necessary, proportionate, and limited for purposes of collecting data.

Covered entities would have a duty to implement reasonable policies, practices, and procedures for collecting, processing, and transferring covered data. Further, covered entities would be required to provide individuals with privacy policies detailing data processing, transfer, and security activities in a readily available and understandable manner. The policies would need to include contact information, the affiliates of the covered entity to which it transfers covered data, and the purposes for each category of covered data the entity collects, processes, and transfers.

Covered entities would be prohibited from conditioning or effectively conditioning the provision or termination of services or products to individuals by having individuals waive any privacy rights established under the law.

There would be additional executive responsibility for large data holders, including requiring CEOs and privacy officers to annually certify that their company maintains reasonable internal controls and reporting structures for compliance with the statute.

Individual Rights Created

Individuals would be granted rights of access, correction, deletion, and portability with respect to covered data that pertains to them. These are similar to many of the rights California residents have under the CCPA/CPRA. The right of access would include obtaining covered data in a human-readable and downloadable format that individuals can understand without expertise, the names of any other entities to which the data was transferred, the categories of sources used to collect any covered data, and the purposes for transferring the data.

Sensitive covered data, which includes items such as an individual’s health diagnosis, financial account information, biometric information, and government identifiers such as Social Security information, among other items, could not be collected without the individual’s affirmative consent.

Civil Rights and Algorithms

Unsurprisingly, algorithms, which were recently addressed by the EEOC and DOJ in guidance, are also addressed in this draft legislation. Under the proposed legislation, covered entities may not collect, process, or transfer data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation, or disability. This section of the law would require large data holders that use algorithms to assess their algorithms annually and submit annual impact assessments to the FTC.

While comprehensive national privacy legislation has previously faced difficulties being passed, Jackson Lewis will continue to track the status of this legislation as it moves through Congress. If you have questions about this proposed legislation or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

When the California Consumer Privacy Act of 2018 (CCPA) became law, it was only a matter of time before other states adopted their own statutes intending to enhance privacy rights and consumer protection for their residents. After overwhelming support in the state legislature, Connecticut is about to become the fifth state with a comprehensive privacy law, as SB 6 awaits signature by Governor Ned Lamont.

If signed, the “Act Concerning Personal Data Privacy and Online Monitoring” (Act) will take effect July 1, 2023, the same day as the Colorado Privacy Act.

Key Elements

As noted, the Act largely tracks the Virginia Consumer Data Protection Act (VCDPA) and has the following key elements:

  • Jurisdictional Scope. The Act would apply to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (i) controlled or processed personal data of at least 75,000 consumers (under the VCDPA this threshold is at least 100,000 Virginians) or (ii) controlled or processed personal data of at least 25,000 consumers and derived over 25 percent of gross revenue from the sale of personal data (50 percent under the VCDPA).
  • Exemptions. The Act provides exemptions at two levels, the entity level and the data level. Entities exempted from the Act include (i) agencies, commissions, districts, etc. of the state or political subdivisions, (ii) nonprofits, (iii) higher education, (iv) national securities associations, (v) financial institutions or data subject to Gramm-Leach-Bliley Act (GLBA), and (vi) covered entities and business associates as defined under HIPAA.

The Act also exempts a long list of categories of information including protected health information under HIPAA and certain identifiable private information in connection with human subject research. The Act also exempts certain personal information under the Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, and other laws. In general, exempt data also includes data processed or maintained (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor to the extent that the data is collected and used within the context of that role, (ii) as emergency contact information, or (iii) that is necessary to retain to administer benefits for another individual relating to the individual in (i) above.

  • Personal Data. Similar to the CCPA and GDPR, the Act defines personal data broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data or publicly available information. However, maintaining de-identified information is not without obligation under the Act. Controllers that maintain such information must take reasonable measures to ensure that the data cannot be re-identified. They must also publicly commit to maintaining and using de-identified data without attempting to re-identify it. Finally, the controller must contractually obligate any recipients of the de-identified data to comply with the Act.
  • Sensitive Data. Similar to the VCDPA, the Act includes a category for “sensitive data.” This is defined as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (ii) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child, or (iv) precise geolocation data. Notably, sensitive data cannot be processed without consumer consent. In the case of sensitive data of a known child, the data must be processed according to the federal Children’s Online Privacy Protection Act (COPPA). Also, controllers must conduct and document a data protection assessment specifically for the processing of sensitive data.
  • Consumer. The Act defines “consumer” as “an individual who is a resident of” Connecticut. Consumers under the Act do not include individuals acting (i) in a commercial or employment context or (ii) as employee, owner, director, officer or contractor of certain entities including a government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with that entity.
  • Consumer Rights. Consumers under the Act would be afforded the following personal data rights:
    • To confirm whether or not a controller is processing their personal data and to access such personal data;
    • To correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
    • To delete personal data provided by or obtained about them;
    • To obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means and without revealing trade secrets; and
    • To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
  • Reasonable Data Security Requirement. The Act affirmatively requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
  • Data Protection Assessments. The Act imposes a new requirement for controllers: conduct data protection assessments (as mentioned above regarding sensitive data). Controllers must conduct and document data protection assessments for specific processing activities involving personal data that present a heightened risk of harm to consumers. These activities include targeted advertising, sale of personal data, profiling, and processing of sensitive data. Profiling activities will require a data protection assessment when they would present a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers. When conducting such assessments, controllers must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer. Controllers also can consider how those risks are mitigated by safeguards that can be employed by the controller. Factors controllers must consider include the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
  • Enforcement. The Connecticut Attorney General’s office would have exclusive enforcement over the Act. During the first eighteen months the Act is effective, until December 31, 2024, controllers would be provided notice of a violation and will have a 60-day cure period. After that, the opportunity to cure may be granted depending on the Attorney General’s assessment of factors such as the number of violations, the size of the controller or processor, the nature of the processing activities, among others. Violations of the Act constitute an unfair trade practice under Connecticut’s Unfair and Deceptive Acts and Practices (UDAP) law. Under the UDAP, violations are subject to civil penalties of up to $5,000, plus actual and punitive damages and attorneys’ fees. The Act expressly excludes a private right of action.

Takeaway

Other states across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.