Search right to access

On October 3, 2022, the White House Office of Science and Technology Policy published its “Blueprint for an AI Bill of Rights.” This adds to prior federal guidance released by the EEOC and DOJ regarding the use of AI in employment decisions.

The framework published by the White House is intended to apply to automated systems that have an impact on individuals’ “rights, opportunities, or access to critical resources or services.”

The blueprint sets forth five protections to which individuals should be entitled:

  • Safe and effective systems
  • Protection from algorithmic discrimination
  • Data Privacy
  • Notice and explain when an automated system is being used and how it impacts the individual
  • Ability to opt out of automated systems and have access to people who can remedy issues

The framework is intended to assist in putting guardrails in place in the use of AI and automated systems. In conjunction with the publishing of the blueprint, the Biden-Harris Administration announced actions across the federal government to advance protections for workers and employers, students, patients, and more.

These initiatives include the Department of Labor’s release of “What the Blueprint for AI Bill of Rights Means for Workers” and its ramping of enforcement of required surveillance reporting to protect worker organizing. There are also consumer protections noted such as the Federal Trade Commission’s recent consideration of rulemaking on consumer privacy and data. And many others related to education and health care.

The Administration’s announcement is consistent with steps taken during the Trump Administration. It also is generally consistent with principles for AI established by the Organization for Economic Cooperation and Development (OECD). The OECD is a global organization established in 1961 to promote economic cooperation and development with nearly 40 members, including the United States. In 2019, U.S. National Telecommunications and Information Administration joined OECD in adopting global AI principles. Among other things, the OECD’s Principles on Artificial Intelligence provide that AI actors should:

“respect the rule of law, human rights, and democratic values, throughout the AI system lifecycle. These include freedom, dignity, and autonomy, privacy and data protection, nondiscrimination and equality, diversity, fairness, social justice, and internationally recognized labour rights.”

“provide meaningful information… (i) to foster a general understanding of AI systems, (ii) to make stakeholders aware of their interactions with AI systems, including in the workplace, (iii) to enable those affected…to understand the outcome, and (iv) to enable those adversely affected… to challenge its outcome”

While this latest blueprint for use of AI is only guidance at this time, it signals the direction the federal government intends to take with future regulation and legislation when it comes to automated systems and related technology. And, it builds on a set of principles emerging globally that seek to ensure the appropriate use of AI, principles that we are seeing embedded in laws in the U.S. such as the law regulating “automated employment decision tools” going into effect in New York City in 2023.

Businesses and employers who use AI and automated systems need to consider the Administration’s guidance along with emerging laws, regulations, and principles to guide their adoption and application of AI. This includes developing policies and procedures that establish protections to avoid potential discrimination or breaches of privacy.

If you have questions about developing policies and procedures around the use of AI and automated systems contact the Jackson Lewis attorney with whom you regularly work or a member of our Privacy, Data, and Cybersecurity practice group.

California’s Governor signed Assembly Bill (AB) 2273, the first of its kind state legislation that requires businesses that provide online services, products, or features likely to be accessed by children to comply with specified standards.

Building on federal protections for children online under the Children’s Online Privacy Protection Act (COPPA), AB 2273 enacts the California Age-Appropriate Design Code Act, which starting on July 1, 2024, would require a business that provides an online service, product, or feature likely to be accessed by children to comply with a significant number of specified requirements. For example, under the Act, such businesses must:

  • Configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children;
  • Provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature;
  • Provide an obvious signal to the child when the child is being monitored or tracked when the online service, product, or feature allows the child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location;
  • Provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns;
  • Not (i) use the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child; (ii) profile a child by default unless certain criteria are satisfied; or (iii) collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, or according to certain legal requirement unless the business can demonstrate a compelling reason that the collecting, selling, sharing, or retaining of the personal information is in the best interests of children likely to access the online service, product, or feature.

AB 2273 requires a business, before any new online services, products, or features are offered to the public, to complete a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children. The Impact Assessment must address several aspects of the online service, product, or feature, such as

  • Whether its design could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature.
  • Whether its design could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts.
  • Whether algorithms used could harm children.
  • Whether the targeted advertising systems used could harm children.

Moreover, a business would need to make a Data Protection Impact Assessment available, within 5 business days, to the Attorney General pursuant to a written request. The bill also exempts a Data Protection Impact Assessment from public disclosure

AB 2273 also authorizes the Attorney General to seek an injunction or civil penalty against any business that violates its provisions. The bill would hold violators liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation.

If you have questions about AB 2273 or related issues contact the Jackson Lewis attorney with whom you regularly work or reach out to a member of our Privacy, Data, and Cybersecurity practice group

A $300,640 settlement announced yesterday by the Office for Civil Rights (OCR) provides important reminders about HIPAA Privacy Rule and data privacy practices generally: robust data disposal practices are critical and “protected health information” (PHI) is not limited to diagnosis or particularly sensitive information.

The OCR’s settlement involved a New England dermatology practice that reported a HIPAA breach last year which resulted when empty specimen containers with PHI on the labels were placed in a garbage bin of the practice’s parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen. Accordingly to the Resolution Agreement, the practice

regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster…without alteration to the PHI containing label.

Data Disposal

The disposal practice described above may be more common that we think, and it raises risks well beyond HIPAA and PHI. The OCR announcement reminds covered entities and business associate of HIPAA FAQs addressing data disposal. Here are some key points from those FAQs:

  • Reasonable safeguards must be implemented to limit incidental, and avoid prohibited, uses and disclosures of PHI. This includes procedures for electronic PHI and/or the hardware or electronic media on which it is stored, as well as to removal of electronic PHI from electronic media before the media are made available for re-use.
  • Workforce members must be trained on and follow the disposal policies and procedures.
  • HIPAA does not specify a particular disposal method, but covered entities and business associates “are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” This includes paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, etc. Examples of disposal methods include:
    • Paper records with PHI: shred, burn, pulp, or pulverize the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
    • Maintain labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
    • Electronic media with PHI: clear (using software or hardware products to overwrite media with non-sensitive data), purge (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

Of course, these best practices can be applied beyond HIPAA PHI to personal information as well as confidential company data.

Protected Health Information

A common and not necessarily unreasonable first reaction when considering the response to a potential data breach is that the compromised data is not PHI because it does not include diagnosis information. In cases like the one above, one might surmise that patient names, dates of birth, dates of sample collection, and name of provider who took the specimen are not PHI, or at least not sufficiently sensitive to warrant notification.

The definition of PHI starts with the definition of “individually identifiable health information,” which generally means identifiable health information transmitted or maintained in electronic media or any other form or medium that:

Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.   

 See 45 CFR 160.103. See also 42 U.S.C. 1320d(6). This includes demographic information which likely includes information such as name, address and other contact information, age, gender, and insurance status.

When dealing with information of a personal nature, it is important to understand the different buckets into which that information may fall. It might not seem intuitive that certain categories of information, if compromised, could trigger a notification obligation.

 

For covered entities and business associates under HIPAA, and just about any other organization that handles confidential personal and business information, completely and securely disposing that information when it is no longer needed is an important step in limiting information risk. Additionally, it can be risky to make assumptions about the regulatory obligations concerning certain data without doing the homework or seeking experienced counsel.

While the federal government attempts to move forward with a more uniform national law, Connecticut joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer privacy law.

The legislation signed by Connecticut’s governor in May 2022, will take effect on July 1, 2023. However, provisions related to a task force to be convened by the state legislature take effect immediately, and the task force is charged with studying issues including information sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.

While businesses consider how to comply with Connecticut’s new privacy law, they should also be taking into account some of the data protection laws already in effect in the state. The following is an overview of just some of the other laws to keep in mind.

Obligation to Safeguard Personal Information and SSNs

Connecticut law already obligates businesses possessing “personal information” to

safeguard the data, computer files, and documents containing the information from misuse by third parties.

See Section 42-471. The term “personal information” under this law means

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

This law also requires businesses that collect Social Security numbers (SSNs) to create and publish a policy that (i) protects the confidentiality of SSNs, (ii) prohibits unlawful disclosure of SSNs, and (iii) limit access to SSNs.

Obligation to Destroy Personal Information

The same law discussed above that requires businesses to safeguard personal information, also requires businesses to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.”  For this reason, a record retention policy should address not only how long personal information (and other confidential business information) should be retained, but also a secure process for destroying it once the retention period has expired.

Data Breach Notification Law

When the safeguards contemplated above fail to prevent an unauthorized access or acquisition of computerized personal information (a “breach of security”), Connecticut’s breach notification law is triggered, which was updated and enhanced in 2021 by An Act Concerning Data Privacy Breaches.

Persons that own, license, or maintain computerized personal information and experience a breach of security involving such information may be required to notify affected Connecticut state residents. This law provides a more specific definition of personal information – an individual’s first name or initial and last name in combination with any one or more of the following:

  • Social security number;
  • driver’s license number or state identification card number;
  • financial account number in combination with any required security code, access code, password that would permit access to such financial account;
  • credit or debit card number;
  • individual taxpayer identification number;
  • identity protection personal identification number issued by the IRS;
  • passport number, military identification number, or other identification number issued by the government that is used to verify identity;
  • medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • health insurance policy number or subscriber identification number, or any unique identifier by a health insurer to identify the individual;
  • biometric information which consists of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or
  • user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

In general, notice must be made without unreasonable delay but not later than 60 days after the discovery of a breach, which also must include notice to the State’s Attorney General. However, if, after an appropriate investigation the business reasonably determines that the breach will not likely result in harm to the affected individuals whose personal information has been acquired or accessed, notification is not required. If notification is required, and if the breach involved a resident’s SSN or taxpayer identification number, the business shall offer the resident “appropriate identity theft prevention services” for not less than 24 months.

In the unfortunate event that a business experiences a breach of security potentially affecting Connecticut residents, it will need to carefully consider these and other provisions of the law.

The long and short of the requirements above (which also exist in many other states) is that businesses need a comprehensive written information security program, which includes robust incident response and record retention and destruction plans. If you have questions about developing a privacy and data compliance plan for Connecticut law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

In response to the United States Supreme Court decision in Dobbs vs. Jackson Women’s Health Organization, President Joe Biden signed an Executive Order on Friday, July 8, 2022, designed to protect access to reproductive health care services. In addition to measures seeking to safeguard access to abortion and contraception, the Executive Order includes provisions aimed at protecting the privacy of patients and their access to accurate information, which will likely build on guidance from the Secretary of Health and Human Services issued June 29, 2022, addressing related concerns.

When individuals think about the privacy and security of their health information moving through U.S. health care system, their first stop usually is the complex set of rules under “HIPAA” – referring to the Privacy, Security and related rules under the Health Insurance Portability and Accountability Act of 1996. For nearly 20 years, the HIPAA rules applicable to most healthcare providers and health plans have worked to safeguard “protected health information” or “PHI.” During that time, a debate has raged over the effectiveness of the rules; some arguing the rules are too stringent, others arguing they are not stringent enough, and still others believing HIPAA is just right.

Of course, the protection of medical information does not begin or end with HIPAA. There is a myriad of other federal, state, and local laws that potentially impact the privacy and security of individual identifiable medical information generated in connection with the provision and payment for reproductive health care services. Here, we address the Executive Order and recent OCR guidance. However, organizations must also consider these other laws when making decisions concerning the collection, use, disclosure, retention, and security of such information.

Executive Order.

With regard to protecting the privacy of patients and their access to accurate information, the Executive Order focuses on potential threats to patient privacy caused by (i) the transfer and sale of sensitive health-related data, and (ii) digital surveillance related to reproductive healthcare services. Related measures in the Order call for efforts to protect people seeking reproductive health services from fraudulent schemes or deceptive practices. To these ends, the Order directs:

  • the Secretary of Health and Human Services (HHS) to consider actions, including additional guidance under HIPAA, to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality. The Secretary also must work with the US Attorney General to consider actions designed to educate consumers on protecting privacy and limiting the collection and sharing of their sensitive health information.
  • the Chair of the Federal Trade Commission (FTC) to consider actions, including under the Federal Trade Commission Act, to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.
  • the Secretary to consult with the FTC Chair and Attorney General on ways to address deceptive and fraudulent practices related to reproductive healthcare services, including online, and to protect access to accurate information.

It remains to be seen what steps these agencies will take in response to the Executive Order. As noted above and summarized below, the Secretary has already issued guidance concerning patient privacy following Dobbs.

OCR Guidance Regarding Patient Privacy Following Dobbs.

Prior to the President’s Executive Order, the HHS Office for Civil Rights issued post-Dobbs guidance to help protect patients seeking reproductive care. The guidance comes in the form of reminders to providers and patients:

  • Reminder to providers about disclosures to third parties. In short, this guidance reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule. It reiterates some of the HIPAA Privacy Rule’s existing restrictions on disclosures of PHI (i) when required by law, (ii) for law enforcement purposes, and (iii) to avert a serious threat to health or safety. For example, the guidance makes clear that the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. Further, the guidance reminds covered entities and business associates that the permission to disclose as “required by law” requires a mandate in the law that compels disclosure which is enforceable in court, explained through the following example:

An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected. (emphasis added)

The guidance includes a similar analysis when considering law enforcement requests made through legal processes such as court orders or subpoenas.

  • Reminders to patients to protect medical information when using period trackers and other health information apps. In general, PHI accessed or stored on individuals’ personal devices is not protected under the HIPAA rules. The OCR cites recent reports about patients expressing concerns that period trackers and other health information apps threaten privacy by disclosing geolocation data which may be misused by those seeking to deny care.

To help address these concerns, the guidance provides steps to limit how certain devices collect and share health and other personal information without the knowledge of the device’s owner. This includes instructions for turning off location services and best practices for selecting apps, browsers, and search engines. It also provides a list of several resources for protecting privacy when using apps and other electronic products, including from the FTC and Consumer Reports.

 

What all this means for healthcare providers, health plans, and business associates is heightened attention when handling individual identifiable health information related to reproductive health care services, including when it is permissible to disclose HIPAA protected health information, particularly without the authorization of the individual to whom it relates. Such organizations also will need to consider more stringent state law that may provide stronger protections for privacy, while health plans covered by the Employee Retirement Income Security Act will have to assess whether state laws might be preempted by ERISA. These are not easy tasks in a world with growing privacy protections, data breaches, labor shortages, and rapidly advancing technologies.

On June 8, 2022, the California Privacy Protection Agency (CPPA) Board, will meet to discuss and take potential action regarding a draft of its proposed regulations. The June 8th public meeting includes an agenda item where the CPPA Board will consider “possible action regarding proposed regulations … including possible notice of proposed action.”

In advance of the meeting, the CPPA posted on its website draft redline regulations for discussion purposes on the issue of revising the current regulations released by the California Attorney General (recently renumbered by the CPPA). The quietly released 66-page draft regulations, are intended to implement and interpret the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). While the draft redline regulations address topics such as implementing “easy to understand” language for consumer CCPA requests, the draft does not address all of the 22 regulatory topics required under the CPRA. For example, the draft does not cover the opt-in/opt-out of automated decision making technology.

Here are some of the highlights of the proposed draft regulations:

  • Adds a definition of “disproportionate effort” within the context of responding to a consumer requests. For example, disproportionate effort might be involved when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner;
  • Adds a new section on the restrictions on the collection and use of personal information that contains illustrative examples. One example is a business that offers a mobile flashlight app. That business would need the consumer’s explicit consent to collect a consumer geolocation information because that personal information is incompatible with the context in which the personal information is collected in connection with the app;
  • Adds requirements for disclosures and communications to consumers. This includes making sure communications are reasonably accessible to consumers with disabilities whether online or offline;
  • Adds requirements for methods for submitting CCPA requests and obtaining consumer consent. A key principle here is to ensure that the process for consumers to select a more privacy-protective options should not be more difficult or longer than a less protective option. Symmetry is the goal; and
  • Makes substantial revisions to the requirements for the privacy policy that a business is required to provide to consumers detailing the business’s online and offline practices regarding collection, use, sale, sharing, and retention of personal information. This includes new provisions concerning the right to limit the use and disclosure of sensitive personal information and the right to correct personal information.

To date, the Agency has not issued a Notice of Proposed Rulemaking to start the formal rulemaking process, but the timeframe associated with the draft regulations is still unclear – especially when the CPRA requires the CPPA to finalize regulations by July 1, 2022. It is expected that the June 8th meeting will provide details on the process.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group

When the California Consumer Privacy Act of 2018 (CCPA) became law, it was only a matter of time before other states adopted their own statutes intending to enhance privacy rights and consumer protection for their residents. After overwhelming support in the state legislature, Connecticut is about to become the fifth state with a comprehensive privacy law, as SB 6 awaits signature by Governor Ned Lamont.

If signed, the “Act Concerning Personal Data Privacy and Online Monitoring” (Act) will take effect July 1, 2023, the same day as the Colorado Consumer Privacy Act.

Key Elements

As noted, the Act largely tracks the Virginia Consumer Data Protection Act (VCDPA) and has the following key elements:

  • Jurisdictional Scope. The Act would apply to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (i) controlled or processed personal data of at least 75,000 consumers (under the VCDPA this threshold is at least 100,000 Virginians) or (ii) controlled or processed personal data of at least 25,000 consumers and derived over 25 percent of gross revenue from the sale of personal data (50 percent under the VCDPA).
  • Exemptions. The Act provides exemptions at two levels, the entity level and the data level. Entities exempted from the Act include (i) agencies, commissions, districts, etc. of the state or political subdivisions, (ii) nonprofits, (iii) higher education, (iv) national securities associations, (v) financial institutions or data subject to Gramm-Leach-Bliley Act (GLBA), and (vi) covered entities and business associates as defined under HIPAA.

The Act also exempts a long list of categories of information including protected health information under HIPAA and certain identifiable private information in connection with human subject research. The Act also exempts certain personal information under the Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, and other laws. In general, exempt data also includes data processed or maintained (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor to the extent that the data is collected and used within the context of that role, (ii) as emergency contact information, or (iii) that is necessary to retain to administer benefits for another individual relating to the individual in (i) above.

  • Personal Data. Similar to the CCPA and GDPR, the Act defines personal data broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data or publicly available information. However, maintaining deidentified information is not without obligation under the Act. Controllers that maintain such information must take reasonable measures to ensure that the data cannot be reidentified. They must also publicly commit to maintaining and using de-identified data without attempting to reidentify it. Finally, the controller must contractually obligate any recipients of the de-identified data to comply with the Act.
  • Sensitive Data. Similar to the VCDPA, the Act includes a category for “sensitive data.” This is defined as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (ii) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child, or (iv) precise geolocation data.  Notably, sensitive data cannot be processed without consumer consent. In the case of sensitive data of a known child, the data must be processed according to the federal Children’s Online Privacy Protection Act (COPPA).  Also, controllers must conduct and document a data protection assessment specifically for the processing of sensitive data.
  • Consumer. The Act defines “consumer” as “an individual who is a resident of” Connecticut. Consumers under the Act do not include individuals acting (i) in a commercial or employment context or (ii) as employee, owner, director, officer or contractor of certain entities including a government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with that entity.
  • Consumer Rights. Consumers under the Act would be afforded the following personal data rights:
    • To confirm whether or not a controller is processing their personal data and to access such personal data;
    • To correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
    • To delete personal data provided by or obtained about them;
    • To obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means and without revealing trade secrets; and
    • To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
  • Reasonable Data Security Requirement. The Act affirmatively requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
  • Data Protection AssessmentsThe Act imposes a new requirement for controllers: conduct data protection assessments (as mentioned above regarding sensitive data). Controllers must conduct and document data protection assessments for specific processing activities involving personal data that present a heightened risk of harm to consumers. These activities include targeted advertising, sale of personal data, profiling, processing of sensitive data. Profiling activities will require a data protection assessment when it would present a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers. When conducting such assessments controllers must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer. Controllers also can consider how those risks are mitigated by safeguards that can be employed by the controller. Factors controllers must consider include the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
  • Enforcement. The Connecticut Attorney General’s office would have exclusive enforcement over the Act. During the first eighteen months the Act is effective, until December 31, 2024, controllers would be provided notice of a violation and will have a 60-day cure period. After that, the opportunity to cure may be granted depending on the Attorney General’s assessment of factors such as the number of violations, the size of the controller or processor, the nature of the processing activities, among others. Violations of the Act constitute an unfair trade practice under Connecticut’s Unfair and Deceptive Acts and Practices (UDAP) law. Under the UDAP, violations are subject to civil penalties of up to $5,000, plus actual and punitive damages and attorneys’ fees. The Act expressly excludes a private right of action.

Takeaway

Other states across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

On February 23, 2022, the EU Commission published a Proposal for a Regulation on harmonized rules on the access to and use of data as part of its strategy for making the EU a leader in the data-driven society. The “Data Act” addresses the access, use and porting of “industrial data” generated in the EU by connected objects and related services.  The Act further ensures this data will be shared, stored and processed in accordance with EU rules, including when the dataset contains personal data.

Scope

The proposed Regulation applies specifically to data from the usage of connected objects and related services (e.g., software). Data means any digital representation of acts, facts or information including in an audio, visual or audio-visual format. While the Regulation applies to data derived from usage and events, it does not apply to information derived or inferred from this data.

Connected devices (i.e., IoT) include vehicles, home equipment, consumer goods, medical and health devices, and agricultural or industrial machinery (i.e., IoT) that generate performance, usage or environmental data. Products designed primarily to display, play, record, or transmit content such as personal computers, servers, tablets, smart phones, cameras, webcams, sound recording systems, and text scanners are not covered by the Act.

The Regulation applies to (a) manufacturers of products and suppliers of related services placed on the market in the Union (b) users of such products or services; (b) data holders that make data available to data recipients in the Union; (c) data recipients in the Union to whom data are made available; (d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need for the performance of a task carried out in the public interest and the data holders that provide those data in response to such request; and (e) providers of data processing services offering such services to customers in the Union.

Relevant Provisions

  • Manufacturers and designers must provide consumers and businesses with access to and use of data derived from utilization of connected devices they own, rent or lease as well as related services. This is data that is traditionally captured and held by the manufacturer or designer and the device owner’s right to the data is often unclear. Under the Act, the device owner will be able to use the data for after-market purposes. For example, a car owner might share usage data with their insurance company, or a business owner might use data from a connected manufacturing device to perform its own maintenance in lieu of using the manufacturer’s services. In support of these measures, manufacturers and designers must disclose what data is accessible and design products and services so the data is easily accessible by default.
  • Data sharing agreements between parties must avoid contractual terms that place SMEs at a disadvantage. The Act includes a test to assess the fairness of the contractual terms. The EU Commission plans to develop and publish non-binding model contract terms to help achieve this goal.
  • Cloud service providers must adopt portability measures that permit consumers and businesses to move data and applications to another provider without incurring and costs. The Act also mandates implementation of safeguards to protect data held in cloud infrastructures in the EU.
  • Customers shall have the right to transfer data from one data processor to another, free of commercial, technical, contractual or organizational obstacles.
  • Businesses shall provide certain data to public sector bodies in exceptional situations (e.g., public emergencies), under key conditions.
  • Cloud service providers will be subject to certain restrictions on international data sharing or access.
  • The content of certain databases resulting from data generated or obtained by connected devices will be protected.

Next Steps

The proposed Regulation is designed to stimulate competition and create opportunities for data-driven innovation as part of the EU’s data strategy. In doing so, it complements the Data Governance Act, which facilitates data sharing across sectors and Members states. As the EU continues to strengthen its data strategy, U.S. businesses will want to monitor this space and consider preliminary steps towards potential compliance. The Regulation will apply to U.S. manufacturers and service providers who place connected objects and related services in the EU market. Compliance will necessitate appropriate policies, procedures, and mechanisms to meet the Regulation’s transparency, access, data minimization and safeguards mandates. At a minimum, this will involve designing and manufacturing products and services that incorporate user access mechanisms and protections by design and default.

Welcome to Utah - Life Elevated - Welcome Signs on Waymarking.comJust as businesses are preparing to ensure compliance with similar laws in California, Colorado, and Virginia, they soon will need to consider a fourth jurisdiction, Utah. On March 24, 2022, Governor Spencer Cox signed a measure enacting the Utah Consumer Privacy Act (UCPA). The UCPA is set to take effect December 31, 2023. Note, Georgia and Massachusetts may be the next states to enact similar laws.

Key Elements

Again, as with the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA), UCPA was modeled in part on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). But there are some variations. Key elements of the UCPA include:

  • Jurisdictional Scope. The UCPA apples to controllers or processors that
    • conduct business in Utah or produce a product or service that is targeted to consumers who reside in Utah; and
    • have annual revenue of $25 million or more; and
    • satisfy one or more of the following: (i) during a calendar year, control or process personal data of at least 100,000 consumers, or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Notably, as indicated above, it is not required that a controller be located in Utah to be subject to the UCPA.

 

  • Exemptions. The UCPA has a long line of entities and data to which the law does not apply. Although not an exhaustive list, some examples of excluded entities include governmental entities and their contractors when working on their behalf, tribes, non-profit corporations, institutions of higher education, HIPAA covered entities and business associates, and financial institutions. The UCPA also excludes certain categories of personal information, such as protected health information under HIPAA, identifiable private information involved in certain human subject research, deidentified information, and personal data regulated by FERPA. The UCPA also exempts personal data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that collection and use of the data are related to the individual’s role. This last exemption generally includes employee and applicant data, including the administration of benefits for individuals relating to employees.

 

  • Personal Data. Using a simpler definition than the CCPA/CPRA, the UCPA defines personal data to mean, “information that is linked or reasonably linkable to an identified individual or an identifiable individual.”

 

  • Sensitive Data. Like both the GDPR and the CPRA, the UCPA addresses a subset of personal data referred to as “sensitive data.” This is defined as personal data that reveals such items as racial or ethnic origin (unless processed by a video communication service); religious beliefs; medical history, mental or physical health, and medical treatment (unless processed by certain health care providers); sexual orientation, or citizenship or immigration status. This category of personal data also includes genetic and biometric data, as well as geolocation data. In general, controllers may not process sensitive data without providing clear notice and an opportunity to opt-out.

 

  • Consumer. A “consumer” under the UCPA is “an individual who is a resident of Utah acting in an individual or household context.” Like the VCDPA, Utah’s law states a consumer does not include a “natural person acting in a commercial or employment context.”

 

  • Consumer Rights. Subject to the exemptions and other limitations set forth under the law, Utah residents will be afforded the following rights with respect to their personal data:
    • To confirm whether or not a controller is processing their personal data and to access such personal data;
    • To delete personal data that the consumer provided to the controller. It is unclear whether this includes data provided to a processor or other third party with respect to the controller;
    • To obtain a copy of their personal data that they previously provided to the controller in a portable and readily usable format that allows them to transmit the data to another controller without impediment, where the processing is carried out by automated means; and
    • To opt out of the processing of the personal data for purposes of (i) targeted advertising, or (ii) sale.

 

  • Controllers. Similar to the CCPA/CPRA, CPA, and VCDPA, controllers must provide an accessible and clear privacy notice that includes, among other things, the categories of personal data collected by the controller and how consumers may exercise a right with respect to their personal data. As with the CPRA, controllers are required to establish, implement, and maintain reasonable administrative, physical, and technical safeguards.

 

  • ProcessorsProcessors are persons that “process” (collect, use, store, disclose analyze, delete, or modify) personal information on behalf of controllers. Before processors may do so, they must enter into a contract that (i) clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations; (ii) requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and (iii) requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data. Businesses with consumers in multiple states will have to compare these required provisions against those required under the CPRA, CPA, and VCDPA, as well as other privacy and security frameworks that may be applicable.

 

  • Enforcement. The Utah Attorney General’s office has exclusive enforcement over the UCPA. In addition, a controller or processor must be provided 30 days’ written notice of any violation, allowing the entity the opportunity to cure the violation. Failure to cure the violation allows the Attorney General to recover actual damages to the consumer and a fine of up to $7,500 per violation. A private right of action is not available under the UCPA.

Takeaway

States across the country are contemplating ways to enhance their data privacy and security protections. Accordingly, organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

The FTC recently settled its enforcement action involving data privacy and security allegations against an online seller of customized merchandise. In addition to agreeing to pay $500,000, the online merchant consented to multiyear compliance, recordkeeping, and FTC reporting requirements. The essence of the FTC’s seven count Complaint is that the merchant failed to properly disclose a data breach, misrepresented is data privacy and security practices, and did not maintain reasonable data security practices.

The federal consumer protection agency has broad enforcement authority under Section 5 of the Federal Trade Commission Act (FTC Act) which prohibits ”unfair or deceptive acts or practices in or affecting commerce.” This enforcement action follows other recent FTC actions on similar issues, suggesting the agency ramping up consistent with the overall direction of the Biden Administration concerning cybersecurity. There are steps organizations can take to minimize FTC scrutiny, and one place to start might be website disclosures, perhaps in connection with addressing the imminent website privacy compliance obligations under the California Privacy Rights Act.

In reviewing the FTC enforcement action in this matter, it is interesting to see what the agency considered personal information:

names, email addresses, telephone numbers, birth dates, gender, photos, social media handles, security questions and answers, passwords, PayPal addresses, the last four digits and expiration dates of credit cards, and Social Security or tax identification numbers

Some are obvious, some not so much.

The FTC also examined the merchant’s public disclosures concerning privacy and security of personal information, including from its website privacy policy, as well as email responses to customers and checkout pages. Here’s an example:

[Company] also pledges to use the best and most accepted methods and technologies to insure [sic] your personal information is safe and secure

In addition, the agency pointed to practices its viewed as not providing reasonable security for personal information stored on a network, such as

  • Failing to implement “readily-available…low-cost protections,” against “well-known and reasonably foreseeable vulnerabilities,” such as “Structured Query Language” (“SQL”) injection, Cascading Style Sheets (“CSS”) and HTML injection, etc.
  • Storing personal information such as Social Security numbers and security questions and answers in clear, readable text
  • Using the SHA-1 hashing algorithm to protect passwords, a method deprecated by the National Institute of Standards and Technology in 2011
  • Failing to maintain a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public
  • Not implementing patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities
  • Maintaining lax password policies that allows, for example, users to select the same word, including common dictionary words, as both the password and user ID
  • Storing personal information indefinitely on a network without a business need
  • Failing to log sufficient information to adequately assess cybersecurity events
  • Failing to comply with existing written security policies
  • Failing to reasonably respond to security incidents, including timely disclosure of security incidents
  • Not adequately assessing the extent of and remediate malware infections after learning that devices on the network were infected with malware

The above list (including the additional items listed in the Complaint and the Consent Order) provide valuable insights into what measures the FTC might expect be in place to secure personal information.

The FTC also scrutinized the merchant’s disclosures on its website concerning the EU-U.S. Privacy Shield, alleging it failed to comply with some of the representations made in those disclosures. This aspect of the FTC’s enforcement action is notable because the agency acknowledged that the Privacy Shield had been invalidated by a decision of the European Court of Justice on July 16, 2020. But the FTC made clear that even if the Privacy Shield was determined to be insufficient under GDPR to permit the lawful transfer of personal data from the EU to the U.S., the merchant nonetheless represented that it would comply with the provisions of that framework.

The agreement reached in the Consent Order requires the merchant to take several steps, such as:

  • WISP. Within 60 days of the order, establish and implement a comprehensive written information security program (WISP) that protects the privacy, security, confidentiality, and integrity of personal information. To meet this requirement, the merchant must, among other things, (i) provide the WISP to its board or senior management every 12 months and not more than 30 days after a security incident, (ii) implement a range of specific safeguards and controls such as encryption, MFA, annual training, etc., (iii) consult with third-party experts concerning the WISP, and (iv) evaluate the capability of third party service providers to safeguard personal information and contractually require them to do so.
  • Independent WISP Assessment. The merchant must obtain independent third-party assessments of its WISP. The reporting period for these assessments is the first 180 days after the Consent Order, and each two-year period for 20 years following the Order.

To help survive FTC scrutiny, it is not enough to maintain reasonable safeguards to protect personal information. Companies also must ensure the statements that they make about those safeguards are consistent with the practices that they maintain. This includes statements in website privacy policies, customer receipts, and other correspondence. Additionally, companies must fully investigate inappropriately respond to potential security incidents that may have caused or could lead to in the future unauthorized access or acquisition of personal information.