
Updates in Privacy and Information Security, July 2023

Sasha Hondagneu-Messner and Varun Prasad


Connecticut Amends its Data Privacy Act, Effective July 1, 2023

The Connecticut Data Privacy Act (“CTDPA”) will become effective on July 1, 2023. Last month, Connecticut enacted an amendment which will provide additional protections for “consumer health data” and children’s data. The amendment expands the definition of “sensitive data” to include “consumer health data,” which is defined as “personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis” and explicitly includes information about reproductive or sexual health and gender-affirming health data. The amendment also expands the CTDPA’s opt-in consent requirements, requiring such opt-ins prior to selling or sharing consumer health data. In addition, controllers are now required to ensure that employees with access to consumer health data are subject to contractual or statutory duties of confidentiality. The amendment also includes provisions related to children’s online data. From July 1, 2023, social media platforms are required to comply with children’s requests to delete or unpublish social media accounts. Other related provisions, which will go into effect on October 1, 2024, include a ban on the processing of a minor’s personal data for the purposes of targeted advertising, selling personal data, or profiling, as well as a ban on the collection of a minor’s geolocation data, subject to certain exceptions (such as consent, and the action being reasonably necessary for the controller to provide services, products, or features). The CTDPA does not have a private right of action and includes a 60-day cure period through the Connecticut Attorney General.

Nevada and Washington Enact Consumer Health Privacy Laws, Effective March 31, 2024

Nevada and Washington each recently enacted similar consumer health privacy laws. The Nevada and Washington consumer health laws each define consumer health data far more broadly than the Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines protected health information. Among other things, the laws introduce: (1) opt-in consent to collect, share, or sell such information (with specific requirements on how to obtain consent); (2) data subject rights for consumer health information; and (3) contractual requirements for service providers. However, there are two key differences between the Nevada and Washington laws. First, Nevada’s definition of consumer health data is narrower, as it applies to data “that a regulated entity uses to identify the past, present or future health status of the consumer,” whereas Washington’s law applies to all data “that identifies the consumer's past, present, or future physical or mental health status” (whether or not a regulated entity uses it). Second, while both Nevada’s and Washington’s consumer health privacy laws will be enforced by their respective attorneys general, the Washington law will also be enforceable through a private right of action. Both laws go into effect on March 31, 2024 (and for Washington small businesses, the law goes into effect on June 30, 2024).

UK Information Commissioner’s Office Addresses Privacy Risks of Generative AI

On June 15, 2023, the UK Information Commissioner’s Office (“ICO”) issued a blog post that called for “businesses to address the privacy risks generative AI” before “rushing to adopt the technology.” This blog post is just one of several efforts by the ICO with respect to AI. The blog post emphasized that existing data protection and privacy laws will apply to generative AI and emerging technologies, and cited another ICO guidance from April 2023: Generative AI: eight questions that developers and users need to ask. The ICO’s increasing focus on generative AI risks follows the UK Department for Science, Innovation and Technology (DSIT)’s publication of a white paper earlier this year proposing a context-specific approach to AI regulation. The white paper outlined five guiding principles for AI used in the United Kingdom: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress. The white paper also called for a flexible approach, allowing existing expert regulators such as the ICO to use the tools currently available to them and issue practical guidance to organizations. The ICO indicated it can provide further advice through its Regulatory Sandbox and Innovation Advice service. In addition, Stephen Almond, the ICO’s Executive Director of Regulatory Risk, spoke on a panel concerning generative AI on June 15, 2023 at Politico’s Global Tech Day.

Texas Passes Data Privacy Act, Effective July 1, 2024

On June 18, 2023, Texas enacted the Texas Data Privacy and Security Act (TDPSA), following in the footsteps of a number of other states such as Virginia, Nevada, Connecticut, and Oregon, which have recently passed similar data privacy legislation.

The act seeks to provide consumers with more control over the storage and use of their personal data. Specifically, controllers of data must now comply with consumers’ requests to: (1) confirm whether the controller is processing the consumer’s personal data and access said data; (2) correct inaccuracies in the personal data; (3) delete personal data; (4) obtain a copy of any digital data; and (5) opt out of the processing of personal data to be sold, used in advertising, or used for legal or other impactful causes. The act defines “personal data” broadly to include any information, including sensitive data, that is linked or reasonably linked to an identifiable individual. The act requires consent for the processing of personal data that is “sensitive,” i.e. data revealing: (1) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; or (4) precise geolocation data. The act’s scope of application is unusually broad, extending (subject to certain exemptions) to any entity that conducts business in Texas or creates products for Texas consumers, irrespective of the revenue generated. Broad exemptions apply, e.g. for nonprofits or higher education institutions. Businesses regulated by the TDPSA have until July 1, 2024 to ensure compliance with the law. The TDPSA will be enforced by the Texas attorney general, who shall have the power to impose monetary penalties of up to $7,500 in respect of any violation. The TDPSA does not provide for a private right of enforcement.

FCC Establishes a Privacy and Data Protection Task Force

The Federal Communications Commission announced on June 14, 2023 the establishment of a “Privacy and Data Protection Task Force.” Loyaan A. Egal, the FCC Enforcement Bureau Chief, was appointed to lead the Task Force. The task force will coordinate across the agency on “rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors,” including data breaches and vulnerabilities with third-party vendors that service regulated communications providers. The role of protecting data privacy and security for consumers is shared amongst multiple agencies, including the FTC and CFPB. It is not clear whether the new task force will serve a role in coordinating data privacy and security efforts with the other agencies; however, the agencies share a common interest in building out these protections.

The African Union’s Malabo Convention Enters into Force

The African Union’s Convention on Cyber Security and Personal Data Protection (known as the “Malabo Convention”) went into effect on June 8, 2023, nearly nine years after it was adopted on June 27, 2014 by 55 African heads of state. The convention creates a regional standard for cybersecurity and data protection focused on three main pillars: (1) free exercise of e-commerce; (2) personal data protection; and (3) promoting cybersecurity and combating cybercrime. With respect to personal data, the convention requires its signatories to adopt legal frameworks for the protection of personal data, including for example: (a) restrictions on the processing of sensitive data; (b) restrictions on the transfer of data outside of the African Union unless a state ensures an adequate level of protection; and (c) the creation of data protection authorities to enforce data protection laws. The convention also introduces data subject rights, such as the right to access one’s own information and request that it be erased, though the convention does not explicitly state who is guaranteed rights as a “data subject.” The cybersecurity provisions of the convention mandate that member states develop national cybersecurity policies, encourage states to sign agreements of mutual legal assistance, and promote the exchange of information and data with other member states. They also outline what actions related to communication and information should be deemed criminal. While providing a broad outline for how member states should structure their data privacy and cybersecurity policy, the convention does not detail how these rules should be enacted and enforced and does not specify milestones for compliance. To date, the convention has been ratified by only 15 African countries: Angola, Benin, Chad, Congo, Egypt, Gabon, Gambia, Guinea-Bissau, Lesotho, Mauritania, Namibia, Niger, Sao Tome and Principe, Senegal, and Zambia.
