US Privacy: So Many Laws; So Little Time

The US Privacy landscape is... complex.. What do you need to know for a basic overview of where are we and where are we headed?? Below are the key points (with lots of links to deeper dives) from my Presentation for the DPO Course in the Technion, led by Eyal Roy Sage

Privacy Ghost of Christmas Past: Sectoral laws

The US Privacy Scene has been regulated by Federal Sectoral laws:

Financial data:

• GLBA, FCRA: If you are a financial institution.
• Enforced by FTC and CFPB
• CFPB has been very vocal: expanding the scope of credit reports to AI for employees; chatbots; unfair and deceptive for pricing; surveillance?

Health Data: HIPAA BUT

• HIPAA is strictly enforced for security and privacy (new OCR Notice of Proposed Rulemaking issued
• Big fines for breaches
• Recent focus on trackers and cookies; even unauthenticated
• Focus on reproductive info - new amendment requires oversight of data sharing?

Kids data (on federal level)

• Children’s information is a big point of focus among all regulators.?
• COPPA - strictly enforced by FTC and will continues
• Multi million dollar fines
• Includes third party trackers
• Targeted to kids (but also teens)
• Scope expanding into teens - KOSA and COPPA 2.0 likely to pass?

Kids data (on state level)

• State laws: mostly under 13; considered sensitive (i.e consent; DPIA)
• New AADC type laws in MD and CT - require detailed disclosure and DPIA + apply to "likely to be accessed by under 18s".
• Colorado on Minor’s information and here

Biometric data - BIPA, CUBI

• Laws requiring consent; written authorization (see: here)?
• High fines
• Apply to service providcers too

Federal Privacy Law:

• TBD but not likely in 2025; new FTC Commissioner supports it
• Two attempts: ADPPA (here and here) and APRA

State level:

New State Privacy Laws - 19 and counting

• Laws in effect in 2024: CA, CO, VA, CT, UT, TX, OR, MT
• Laws going into effect in 2025: : TN; DE, IA, NJ NH, NE, MD MN
• Washington My Health My Data - with a private right of action?
• Similar but different - need to check and consult a lawyer?
• Main differences:

State UDAP:

• Unfair and deceptive acts and practices; in all 50 states
• NY guidance stating that it is coming after website privacy

Class action litigation (see here)

• Website pixels (Wiretapping causes of action, CA, PA, etc)
• Email pixels?

How to approach??

Start with CA:

• High standard for privacy notice [CPPA enforcement; now also seen in Texas enforcement]
• Focus on sale: what is sale; what is share - Sephora, Doordash
• California is the only state law to comprehensively apply to employees = employee sweep (more on employee here)
• Focus on rights: similar to GDPR BUT: sale; limit use of sensitive data; opt out of AI profiling TBD
• Definition of service providers (every GDPR processor is a service provider but not every service provider is a data processor)?
• Extra requirements for C2P contracts (Need to amend your Art 28 agreement)
• Extra requirement for C2C contracts (Need to have one)
• Definition of de-identify requires extra actions not just no reidentifiability
• “My DPIA is bigger than your DPIA” - more cases than GDPR in which DPIA is triggered and more requirements for what is needed in a DPIA (see here and here)
• ADMT regs: Regulations on DPIA and additional requirements for automated decision making.?
• Data brokers (need to register; provide an opt out and information and enforcement)? and here
• Employer sweep; connected vehicle sweep
• Neural privacy?
• Dark patterns

Continue with Colorado: (here, here)?

• Opt in for sensitive data
• AI Act (similar to EU AIA but with focus on discrimination)
• Profiling? - requires a DPIA- for “legally significant decisions” - this includes decisions that impact employment?
• Includes Non profits
• Detailed regulations on how to conduct DPIAs
• Special provisions on biometrics?

Continue with Texas and and Connecticut and other

• Strict enforcement - see here, and here and here?
• Biometrics, kids, privacy disclosures
• Oregon: AI enforcement?
• Michigan: data minimization

FTC:?

That was then:

• De-facto regulator
• Strong Focus on sensitive information and sharing
• Location information (Premom ); InMarket ( ); X-mode (here and here)
• Health information (BetterHelp, GoodRx);
• Browsing data (Avast)
• Biometrics and genetics (here and here)?
• Employee surveillance?
• Connected vehicles:
• Children's information (here and here)?
• Data clean rooms
• Hashing
• Chatbots

This is now:

Chair of the Commission: Republican Andrew Ferguson and a Republican Majority.?

Expected changes: (see here for deep dive)

• more choosy enforcement
• no more regulation by blog or guidance;
• continued enforcement of deception including in AI
• continued enforcement of unfair within the bounds