2. 2
Thank You for Joining “U.S. Quarterly Privacy Update”
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right-hand side to submit any questions for the speakers
6. 6
Poll Question
How many do you think will pass in 2021 - in total?
● Only the two which have passed
● 3-5
● 5-7
● More than 7 (which is only 5 more)
US State Laws
7. 7
Poll Question
Will Washington pass an omnibus consumer privacy law?
● Yes, 2022 is the year for Washington
● Yes, eventually, not in the next year
● Never
8. 8
Colorado Consumer Privacy Act
Already announced changes to be made in the signing statement
Privacy Notice
Consumer rights - standard 45 day response time, but right to appeal
Opt out of sales (Sale = money or other valuable consideration)
Opt out of targeted advertising (with exceptions) and profiling
Processor obligations
Minors under age 13 (aligns with COPPA)
Does not apply to B2B or employment context
Includes sensitive data
No private right of action
No consumer privacy oversight agency
Enforcement by Attorney General, with an optional 60 day cure period until January 1, 2025
Interesting - universal opt out mechanism to be determined
Signed by Governor July 7, 2021
9. 9
Ohio Personal Privacy Act - HB 376
Privacy Notice
Consumer rights
Opt out of sales (Sale = money or other valuable consideration)
Processor obligations
Minors under age 13 (aligns with COPPA)
Does not apply to B2B or employment context
No definition of sensitive data
No private right of action
No consumer privacy oversight agency
Enforcement by Attorney General after 30 day cure period
Can seek civil penalties
Interesting - safe harbor for NIST security program
July 12, 2021
11. 11
US State Laws Currently Alive & Well
Massachusetts S46 Massachusetts Information Privacy Act (MIPA)
● Full year session - Jan 6 - Dec 31, 2021
● Referred to Committee
New Jersey AB 3283 Disclosure and Accountability Transparency Act (NJ DaTA)
● Session January 14, 2020 - January 1, 2021 (introduced 2/25/2020)
● Referred to Assembly Science, Innovation and Technology Committee
New York A 680 / S 6701 New York Privacy Act (NYPA) & A 6042 Digital Fairness Act
● 2 year sessions 2021 - 2022
North Carolina SB 569 Consumer Privacy Act (NCCPA)
● 2 year sessions 2021 - 2022
● First reading, referred to committee on rules and operations of the senate
Ohio HB 376 Personal Privacy Act (OPPA)
● New July 12, 2021
Pennsylvania HB 1126 Consumer Data Privacy Act (PCPA)
● Full year session - January 5 - Dec 31, 2021
● Referred to committee on consumer affairs
13. 13
Sensitive Personal Data
CPA | Virginia CDPA | CPRA | GDPR
Racial or ethnic origin X X X X
Religious beliefs X X X X
Philosophical beliefs X X
Political opinions X
Union membership X X
Mental or physical health X X (diagnosis) X X
Sex life or sexual orientation X X X (+sex life) X (+sex life)
Citizenship or immigration status X X
Genetic data X
Genetic / biometric data to identify a person X X X
Personal data from a known child X X Art. 8 for child
Precise geolocation X
15. 15
Recipe for Success
Trends
Include | Debatable / Discussable | Exclude / Don’t Include
● Privacy notice (consumable)
● Individual rights
● Access | Know (confirm) | Delete
● 45 day response time
● Right to appeal
● Define sensitive data
● Minors < 13
● Vendor contract requirements
● DPIAs / PIAs
● 30 days cure period
● Security requirements
● Individual right to portability
● Controller / processor concepts
● Security audits
● Allow cure period for certain time
● Universal opt-out mechanism
● Security program safe harbor
● Consumer privacy agency
● Private right of action
● Lookback period
● Business-to-Business - explicit exemption
● Employment context - explicit exemption
● Reporting metrics
16. 16
Poll Question
Should states have a private right of action or a state regulatory agency for privacy?
● Yes to a private right of action
● Yes to a privacy agency
● Both of the Above
● Neither of the Above
18. 18
Federal Focus
● EU - US trade
○ Privacy Shield replacement
● HIPAA / Healthcare
○ Information blocking
○ Strong enforcement on individual rights to access (“Right to Access Initiative”)
○ Closed on the public comment period for strengthening HIPAA
● TCPA Amendments Seek Prison Time for Violations
● COPPA: Major Changes to Children's Online Privacy Rules proposed
● Court decision: FCRA: US Supreme Court Finds No Concrete Harm, No Standing
What is happening on the federal level
19. 19
Federal Regulation
● Several promising bills have been introduced in the past, with most disagreement centering on private rights of action and federal preemption
● Once again, current proposed legislation seems promising
○ Information Transparency and Personal Data Control Act - Rep DelBene
■ HR 1816
○ Most bills target specific areas of privacy - contact tracing, research, etc.
● How many state laws will it take to encourage Congress to pass legislation?
○ Are the differences among the states operationally impactful?
○ Keep in mind, every state has a data breach notification law
● Would other federal laws simply be expanded and strengthened?
● Consider global implications and impact
What’s next?
20. 20
Poll Question
What do you think the time frame is for getting a US federal privacy law in place?
● This year
● Within the next 4 years
● Not anytime in predictable future
● There shouldn't be one
21. 21
From Washington Post, July 19 - referring to July 14
● The quest for federal rules to govern companies that deal in citizens’ personal information has delivered nothing but disappointments. Nonetheless, a commitment last week by key legislators to get comprehensive regulations on the books by the end of 2022, even if doing so requires some compromise, is promising. Reps. Jan Schakowsky (D-Ill.) and Gus M. Bilirakis (R-Fla.) and Sen. Richard Blumenthal (D-Conn.), all chairs or ranking members of relevant subcommittees in their chambers, agreed in a public event on Wednesday that it’s past time to overcome the pesky points of impasse that have doomed past proposals. Key industry and consumer groups made the same pledge.
● More contentious all along have been the topics of preemption and a private right of action. Mr. Blumenthal on Wednesday signaled a possible breakthrough on the first: A strong federal standard, he said, would be preferable to a patchwork of state standards — but a patchwork of state standards would be preferable to a weak federal standard. The best solution is probably a form of preemption that overrides only state laws inconsistent with the federal rules, and allows others to stand. The problem of the private right of action is trickier to resolve but resolvable nonetheless. A Brookings report last year mentioned a possible route that involves limiting liability to especially egregious violations, as well as setting a higher bar for violations.
● Congress’s aim to do by the end of 2022 what it should have done as long ago as 2012 may be described as unambitious; more generously, it could be described as realistic. Another failure to deliver, however, would surely be embarrassing.
https://www.washingtonpost.com/opinions/congress-has-another-chance-at-privacy-legislation-it-cant-afford-to-fail-again/2021/05/08/9409fa28-af5c-11eb-ab4c-986555a1c511_story.html
Statements on point?
23. 23
Thank You!
See http://www.trustarc.com/insightseries for the 2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.