Data Privacy Highlights: March 20

This Week in Data Privacy, we're covering a variety of topics, including...

?? Utah's Groundbreaking Legislation: Private Sector Accountability in AI Deployment

?? European Parliament Greenlights AI Act

?? OCR Issues New Guidance on Tracking Pixels for HIPAA Regulated Entities

?? State Privacy Law Update from David Stauss at Husch Blackwell

?? US House Votes to Force TikTok Sale or Ban

??? Protecting Consumer Trust in the Age of AI

?? EU Breaches Data Protection Rules with Microsoft 365 Usage

? The Evolution of ROPA: Updates and Changes in Data Regulations

?? Navigating Data Privacy Shifts in Search Marketing

and tune in to the latest episode of the She Said Privacy/He Said Security podcast...

?? The Essentials of Privacy Engineering With Jay Averitt

---

Utah's Groundbreaking Legislation: Private Sector Accountability in AI Deployment

In a unanimous decision, the Utah legislature approved SB 149, a bill focused on regulating the use of generative artificial intelligence (AI) in the private sector. Although not as extensive as similar bills in other states, SB 149 imposes significant obligations on companies deploying generative AI, including mandatory disclosure requirements.

Key Highlights:

• Consumer Protection Laws Apply Equally: The bill integrates the use of generative AI into Utah's consumer protection statutes, emphasizing that companies must adhere to existing laws even when employing AI technology.
• Disclosure Obligations: Entities using generative AI must disclose its use, particularly when interacting with consumers or providing regulated services. Disclosure methods include verbal statements and electronic messaging.
• Creation of the Office of Artificial Intelligence Policy: A new regulatory body will oversee an artificial intelligence learning laboratory program, facilitating the development of future AI regulations and recommendations.

Read more .

European Parliament Greenlights AI Act

The European Parliament overwhelmingly approved the EU AI Act, setting a significant precedent for AI regulation worldwide. The Act categorizes AI systems by risk levels, mandates human oversight, data governance, and technical documentation.

• AI systems classified as high-risk include:
• Critical infrastructures (e.g., transportation)
• Educational and vocational training (e.g., exam scoring)
• Safety components of products (e.g., robot-assisted surgery)
• Employment (e.g., CV-sorting software)
• Essential services (e.g., credit scoring denying citizens opportunity to obtain a loan)
• Law enforcement (e.g., evidence evaluation)
• Migration and border control (e.g., visa application examination)
• Justice administration (e.g., court rulings search)

These systems undergo rigorous assessments due to their potential to impact citizens' lives, health, rights, and access to services and opportunities.

While it will be coming to effect soon, full implementation will be staggered over several years. Despite criticisms and unresolved issues, stakeholders celebrate the Act's passage as a crucial first step, while acknowledging the need for ongoing refinement and adaptation to evolving AI capabilities and societal concerns. The Act aims to balance innovation with safeguarding EU citizens' rights and safety. Read more.

OCR Issues New Guidance on Tracking Pixels for HIPAA Regulated Entities

The guidance stresses that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

OCR also said it is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.

Read more about the guidance here .

US State Privacy Law Update

Stay informed on the latest developments in state privacy legislation with this update from David Stauss!

What’s New:

Kentucky: HB 15, a consumer data privacy bill, passed the Senate with minor amendments.

Maryland: SB 541 and HB 567, consumer and children’s privacy bills, advanced with unique approaches to sensitive data.

Minnesota: HF 2309 progressed in the House, awaiting consideration by the Ways and Means Committee.

Vermont: H.121, featuring distinct provisions and a private right of action, passed out of committee.

Georgia: SB 473, modeled on Tennessee law, underwent amendment discussions in the House.

Maine: Work sessions continued on competing bills LD 1973 / LD 1977.

Children’s Privacy Bills:

Maryland: HB 603 / SB 571, Age-Appropriate Design Code Act bills, advanced in their respective chambers.

Vermont: S.289, an Age-Appropriate Design Code Act bill, progressed through two committees.

New York: S 70695 was amended and recommitted for further consideration.

For more detailed insights, updates, and full analysis read the article here .

US House Votes to Force TikTok Sale or Ban

The US House of Representatives has passed a bill that could lead to the forced sale or outright ban of TikTok in the United States. With a resounding 352 to 65 vote, lawmakers signal a strong stance against what they perceive as a national security threat posed by Chinese ownership of the popular video-sharing platform.

However, the fate of TikTok now lies in the hands of the Senate, where its prospects are less certain. Despite President Biden's potential support for the legislation, legal challenges are expected from TikTok and its supporters, raising questions about the future of the app and its impact on millions of Americans. Read more .

Protecting Consumer Trust in the Age of AI

In today's AI-driven landscape, maintaining customer trust is essential. As AI becomes more commonly used, customers are increasingly skeptical about the authenticity of content and interactions. A company's reputation hangs in the balance, making it essential to navigate AI implementation with caution.

Key Concerns:

• Authenticity of Content: Customers question whether content is genuinely authored by humans or generated by AI, impacting trust and engagement.
• Quality of Interactions: Automated processes should enhance, not diminish, the customer experience. Lackluster interactions can lead to dissatisfaction and erode trust.
• Data Privacy: Concerns about data security and privacy arise when AI is used to leverage customer data for personalized experiences.
• Human vs. AI Interactions: Customers value the option to escalate complex issues to human support when necessary, emphasizing the importance of maintaining a human touch.

Strategies for Building Trust:

• Deliberate Deployment: Implement AI thoughtfully, focusing on helpfulness and transparency rather than solely on efficiency.
• Authenticity in Content: Ensure content reflects genuine human thought and perspective, avoiding overreliance on AI-generated material.
• Data Protection Measures: Safeguard customer data with robust cybersecurity measures and transparent data practices.
• Transparency and Explanation: Communicate openly about the use of AI, how it influences decisions, and the safeguards in place to protect customer interests.
• Human Oversight: Maintain a balance between AI automation and human intervention, particularly in critical decision-making processes.

Navigating the complexities of AI while preserving customer trust requires a strategic approach centered on customer needs and transparent communication. By prioritizing authenticity and human-centric values, businesses can navigate the AI landscape while maintaining customer trust and loyalty.

Read the full article here .

EU Breaches Data Protection Rules with Microsoft 365 Usage

In a recent investigation, the European Data Protection Supervisor (EDPS) has found that the European Commission violated key data protection regulations through its use of Microsoft 365. The Commission failed to specify the types of personal data collected and the explicit purposes for their use, raising serious compliance concerns.

The EDPS has issued corrective measures, demanding the Commission address these violations by December 9, 2024, if it continues to utilize Microsoft's cloud suite. This development underscores the critical importance of robust data protection safeguards in today's digital landscape. Read more .

The Evolution of ROPA: Updates and Changes in Data Regulations

Just like the rules handed out on the first day of school, businesses must navigate the evolving landscape of data regulations. The General Data Protection Regulation (GDPR) introduced Article 30, mandating a Record of Processing Activities (ROPA) for data management.

While the US lacks a direct equivalent, adhering to privacy laws demands meticulous documentation and understanding of data processing. ROPA aids in compliance and offers insights into data management practices.

?? Global Expansion of ROPA: As privacy laws proliferate worldwide, ROPA adoption becomes essential. Beyond legal requirements, ROPA identifies data management efficiencies, redundant data, and aids in prompt response to data subject requests.

?? Maintaining ROPA: ROPA upkeep involves data mapping, documentation, data minimization, and employee training. Regular updates and a mitigation plan are crucial for effective compliance.

?? Predictions for the Future: With more states enacting privacy laws, ROPA's role intensifies. Red Clover Advisors offers expertise in ROPA and broader data privacy compliance, ensuring organizations meet regulatory requirements.

Want to learn more? Read the full article here .

Navigating Data Privacy Shifts in Search Marketing

As data privacy concerns reshape search marketing, prompting a return to marketing fundamentals. Heavy reliance on user-level data has led to ad fatigue. Regulatory changes like GDPR signal a shift toward prioritizing privacy. With heightened user awareness and regulatory changes limiting data access, marketers must adapt their approaches. As reliance on deep user-level data diminishes, a holistic strategy emphasizing authenticity, trust, and meaningful connections with customers emerges. Rigorous market research, user journey analysis, and consistency are key. By embracing this hybrid approach, marketers can navigate evolving landscapes while fostering meaningful connections with audiences.

Actionable Tips:

• Thorough Market Research: Dive beyond digital data points to understand audience needs.
• Analyze User Journeys: Map customer interactions to tailor messaging and ad mediums.
• Maintain Consistency: Ensure messaging cohesion across all marketing channels.
• A/B Test Rigorously: Experiment with new strategies and adapt based on performance.
• Strike a Balance: Blend traditional marketing ethos with data-driven insights for holistic campaigns.

Read the full article here to learn more.

The Essentials of Privacy Engineering With Jay Averitt

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels interview Jay Averitt, Senior Privacy Product Manager and Privacy Engineer at Microsoft, to discuss the key points of privacy engineering. The three discuss the burgeoning field, AI and security, working with companies, and collaboration across unique teams. They also talk about how to highlight the importance of privacy to others.

Here’s a glimpse of what you’ll learn:

• Jay Averitt’s introduction to privacy through legal thrillers
• What is privacy engineering and how does it work?
• Implementing privacy engineering across diverse teams
• AI and maintaining security
• How privacy professionals can better work with companies
• Practices that every privacy pro should utilize
• Convincing people of the importance of privacy

Tune in to the latest episode here .