Privacy Steps to Take Now – Compliance Checklist

by: Foram Dmytryk with contributions by Justine Young Gottshall

2023 has been a breakout year for privacy in the United States. From several states approving comprehensive privacy laws and numerous states enacting “sectoral” laws to protect children’s data and health data, to an increase in investigation and enforcement activity in multiple states, the stakes in the privacy world continue to rise.

It may be tempting to scale back the focus on privacy after the CO and CT compliance deadline of July 1, 2023. However, given the current regulatory environment and the patchwork of complex laws, businesses should continue to prioritize privacy and evaluate their data practices on an ongoing basis. Doing so will not only help take real-time measures to mitigate risks but also provide opportunities to obtain key stakeholders’ buy-in and collaboration to operationalize the onerous requirements in upcoming laws.

With new privacy developments seemingly occurring every day, it can be hard to determine which laws include requirements that are already subsumed within your current privacy program and which laws may catch you off guard. Below is a curated checklist of six key laws and areas that are not as straightforward as they appear, or that present enough imminent risk to warrant a close look today:

1.     Employee and Applicant Data Matters – CCPA/CPRA Compliance – The CA Attorney General just sent inquiry letters to CA employers seeking information related to compliance efforts for employee and applicant information. Although enforcement of the regulations by the California Privacy Protection Agency was recently extended until March 2024 by the CA Superior Court, the CCPA statute (as amended by CPRA) is still in effect and requires compliance related to employee, contractor, and applicant data, making this area ripe for investigation. Key compliance requirements include, amongst others, notice, privacy policies, and providing the applicable statutory rights. To the extent your business has not operationalized compliance for personnel information, it should do so now.

2.     CoPilot, Summarize this document for me – Artificial Intelligence (“AI”) Governance Policy – With the increased prevalence of AI-powered tools in the workplace such as ChatGPT, Bing and CoPilot, every industry is eager to capitalize on this technology to maximize efficiency. The use of AI has also come with some very embarrassing news headlines. It is no surprise that the use of AI as a “work companion” presents a myriad of ethical concerns, legal issues and privacy risks. These include data breaches, copyright ownership issues, confidentiality concerns, fact hallucinations, discrimination/bias, and a high risk of reputational damage. Although the need for comprehensive AI regulation is being heavily debated, AI is already subject to a number of existing regulations, but the exact requirements are not clearly set forth, making it difficult for companies to draw clear boundaries on use. Nevertheless, given the propensity of employees to use these tools and the significant consequences that can result from misuse, companies should prioritize having an internal AI governance policy.

The benefits of an AI governance policy are: 1) ensuring that the use of such tools is known to the company, so the company can institute the right parameters based on its risk tolerance (remember that the lack of such a policy may, from your employee’s or vendor’s perspective, itself be viewed as a policy permitting them to proceed); 2) the ability to update contract provisions with employees and vendors (as applicable) to address the use and protection of pre-existing company IP, ownership of new IP generated using authorized AI tools, confidentiality and other corporate rights; 3) the ability to course correct AI use if and when needed. Using AI tools can have unintended consequences; continuously evaluating authorized tools and promptly taking action to mitigate risks will go a long way in demonstrating good faith in use; and 4) laying the foundation to work from when AI compliance requirements are enacted. For more information on AI, see our article 11 Tasks to do Today to Prepare for the Use of AI in Your Business.

3.     Don’t Judge a Law by Its Name – Washington’s My Health My Data Act (effective March 31, 2024; June 30, 2024, for “small businesses” as defined in the Act) – At first blush it may appear that this sectoral law targets traditional health data and is unlikely to apply to companies outside the medical field. Beware, however: the title is deceiving. As explained below, many businesses that do not generally consider themselves to be collecting traditional health data or providing health care services may be subject to this law. The biggest risk is that this law contains a seemingly non-restrictive private cause of action that is bound to be very attractive to plaintiffs’ counsel, making the prospect of class action lawsuits very real.

This law does not include any revenue, processing-volume, or sale thresholds, thereby potentially impacting entities of all sizes. The very broad definitions of “health data” and “health care services” add to its expansive reach. “Health data” means personal information that is “linked or reasonably linkable” to a consumer and identifies the consumer’s “past, present or future physical or mental health status.” Practically speaking, this includes information about medications purchased or used; queries, browsing history and research about services and products related to gender-affirming care or reproductive or sexual health; and even precise geolocation data that could indicate attempts to receive health services or supplies. Similarly, “health care services” means “any service provided to a person to assess, measure, improve, or learn about a person’s health.” From a general perspective, this can cover any number of businesses, including those in the fitness and wellness space such as gyms, wellness supplement retailers or general retailers. In addition, take specific note of the definition of “biometric data,” which includes “keystroke patterns.” Many companies record keystrokes for analytics and website improvement purposes, and sometimes to safeguard against fraud. Since “keystroke patterns” are “biometric data” under this Act, companies that use this technology should carefully vet whether their use triggers this statute, particularly if they would not otherwise be subject to it.

4.     Small Business? Houston, We Have a Problem – Texas Data Privacy and Security Act (effective July 1, 2024) – If your business has successfully escaped the comprehensive state privacy laws so far based on the minimum thresholds, take a close look, as your luck may have run out if you conduct business in the Lone Star State.

Unlike other comprehensive state privacy laws, this law has no revenue figure or minimum volume of consumers’ data processed, making it fair game for entities of all sizes. Next, while the law includes a first-of-its-kind carveout for “small businesses,” this is not as helpful as it may appear because “small business” is defined by reference to the U.S. Small Business Administration (“SBA”). Spoiler alert: the SBA does not have a single definition of “small business”; instead its definition varies by industry, making this a complicated and fact-specific inquiry that will take time and resources to assess. Lastly, even if you determine that you are a “small business” under the convoluted SBA definition, if your business sells sensitive personal data, you are still required to obtain opt-in consent from consumers. The key word “sale” here is a bit of a trap. As those who are familiar with CCPA will vividly know, the definition does not just capture selling personal data for money but also any type of benefit received in exchange for the personal data being provided. For example, having third-party ad-tech on your website or sharing email addresses to create custom or look-alike audiences for advertising campaigns can constitute “sales.” Operationalizing opt-in consent procedures and sorting through which internal practices trigger a “sale” are tasks that are more onerous than they may seem, especially for a business that has not previously dealt with these issues. For more information, see our article, The Texas Data Privacy and Security Act: What Small Businesses Need to Know. For larger businesses, the law includes otherwise familiar provisions such as statutory privacy rights, data protection assessments, vendor contract requirements, opt-in consent, and notice, but with certain verbatim disclosures required in connection with sales.

5.     *Scanning* Identity Confirmed … Or Not – FTC’s New Guidance on “Biometric Information” – In a recent policy statement the FTC provided guidance on “biometric information.” While most businesses are not strangers to biometric information, given that IL’s Biometric Information Privacy Act (“BIPA”) litigation regularly dominates headlines, what is noteworthy here is that the FTC significantly expanded the definition of “biometric information” beyond what we have seen under BIPA (including interpretations in litigation), other specific state laws (such as TX’s Capture or Use of Biometric Identifier Act), and the 2023 comprehensive state privacy laws. As a result, even if you have so far determined that your business does not collect “biometric information” under existing laws, the new FTC definition warrants a second look, as the agency is committed to enforcement on this topic.

If you find that your business collects “biometric information” under the FTC’s definition, you should provide: 1) notice – clearly, conspicuously, and completely disclose collection and use to consumers, and exercise caution when making statements about biometric technologies and their capabilities; 2) assessment prior to collection – conduct a holistic assessment of the risks to consumers associated with collection and use; 3) security – implement reasonable privacy and security measures to protect against unauthorized access; 4) ongoing assessment and course correction – monitor that the technologies used in connection with such data are functioning as anticipated, and promptly address known or foreseeable risks by implementing organizational or technical measures; 5) third-party oversight – require vendors, affiliates and any users who have access to such information to take steps to minimize risks to consumers (the FTC guidance suggests going beyond contractual assurances and taking steps to oversee third parties’ compliance); and 6) training – train employees and contractors who deal with such information or technologies.

6.     Got videos? You May also have Video Privacy Protection Act (“VPPA”) liability – Many may recall VPPA in connection with Robert Bork’s Supreme Court confirmation hearing, where the nominee’s video rental history, “The Bork Tapes,” was leaked by a clerk. VPPA was then enacted, significantly restricting the sharing of any “video materials or services” with third parties by a “video tape service provider.” One would imagine only streaming and similar services are subject to liability under VPPA. However, in today’s world, online news outlets, movie studios, professional sports organizations and e-commerce companies, notably companies that are not primarily intended to stream videos or rent, sell, or deliver video media, are all amongst the types of companies facing VPPA liability. The plaintiffs’ bar has filed numerous class actions over alleged unauthorized sharing of video viewership information through social media pixels or in connection with online advertising. While this is a novel theory, at this point it is too early to tell what this wave of VPPA litigation means, as decisions related to early dismissal have been mixed and jurisdiction dependent.

However, since most companies use tracking technology for advertising and violations of VPPA carry statutory damages ($2,500 per violation), punitive damages and attorneys’ fees, if your business website has videos, it is worthwhile to check whether VPPA is triggered. For further insight, see our article “VPPA Claims: Could Your Site Be Next.”

In conclusion, while July 1 was a big deadline to overcome in privacy, it is not over. At a minimum, the above laws and developments have the potential to expose your business to substantial liability and should be on your radar, particularly as you look to budget for ongoing compliance in 2024 and beyond.

Originally published by InfoLawGroup LLP.
