This Week in Data Privacy

This Week in Data Privacy we are covering a number of subjects, including...

?? Both Montana and Tennessee data privacy bills clear local legislatures

?? Meta is preparing for GDPR violation penalties

?? Washington's My Health My Data Act (MHMDA) comes into effect

?? Starbucks is facing a class-action lawsuit for cookie consent management

??Generative AI can impact your business’ data privacy policy...

??? And how to prepare your data inventory before selling your business!

If this is your first time seeing This Week in Data Privacy in your LinkedIn feed, check it out, give it a read, and subscribe if you like what you see!

Montana & Tennessee Comprehensive Privacy Bills Clear Legislatures

Tennessee and Montana have join the like one Indiana and Iowa as states that have successfully passed comprehensive state privacy legislation in 2023. Both bills are currently pending their respective governor’s signatures.?

If enacted the Montana bill will take force October 1, 2024 and Tennessee’s bill will follow July 1, 2025.?

More on this story here: https://iapp.org/news/a/two-for-one-special-montana-tennessee-comprehensive-privacy-bills-clear-legislatures/

Meta Braces for Data Transfers Suspension Order and GDPR Fine

Meta is preparing for a stop to its EU-US data flows and a looming GDPR fine as a result of the final decision made by Ireland’s Data Protection Commission on the legality of the tech company's EU-US transfers.?

The order by the DPC is slotted to be published on May 12, 2023, and can force a halt to Meta’s EU operations if an adequacy decision is not granted to the company before the order takes place.?

Meta is also expecting a big fine and the ask to execute corrective measures from the DPC.?

"We expect the Irish Data Protection Commission to issue a decision in May in its previously disclosed inquiry relating to transatlantic data transfers of Facebook EU/EEA user data, including a suspension order for such transfers and a fine," Meta explained in its earnings report to investors.

Read the full article here: https://iapp.org/news/a/meta-braces-for-eu-shutdown-gdpr-fine/

Going Beyond HIPAA – Washington Health Privacy Law Enacted

Washington has become the first state to enact a law protecting consumer health data that goes beyond HIPAA.

The "My Health My Data Act" (MHMDA) increases privacy protections around the collection, sharing, and selling of "consumer health data". The MHMDA:

1. Established consumer rights in regard to consumer health data
2. Define obligations of regulated entities and businesses that collect, process, share, and sell consumer health data
3. Prohibits the sale of consumer health data without consent
4. Prohibits the implementation of geofencing, used for the purposes of identifying and tracking consumers seeking healthcare services, around entities that provide in-person healthcare services
5. Gives the state attorney general enforcement power and grants consumers a private right to sue under the state's Consumer Protection Act

The Act will not become fully effective until June 30, 2024.

"The MHMDA is more than a health care privacy law. The Act will have a fundamental impact on the processing of personal information and will potentially have a more outsized impact than the California Consumer Privacy Act of 2018."

For more in-depth information on the MHMDA read the full article by the National Law Review here: https://www.natlawreview.com/article/going-beyond-hipaa-washington-health-privacy-law-enacted-broad-reach-amorphous-scope

Starbucks may face class-action lawsuit over cookie consent management

A group of attorneys is looking to bring a class action lawsuit against 星巴克 on behalf of residents of California, Pennsylvania, and Florida.?

Attorneys on the case “suspect that, even when consumers select the?“required cookies” option, the site may not actually be turning off all unnecessary cookies, possibly continuing to track users’ online activity. It’s now being investigated whether the company broke certain privacy and wiretapping laws.”

The attorneys are currently in the process of gathering consumers to take action over the alleged privacy regulations.?

Read more on the lawsuit here: https://www.classaction.org/starbucks-privacy-lawsuit

How Generative AI Can Affect Your Business’ Data Privacy - Forbes

Amassing 100 million active monthly users just two months after it went live, ChatGPT is now the fastest-growing consumer application ever. But private citizens and businesses alike are using the tool without fully understanding its data privacy and ownership consequences.

If you’re a privacy-minded business owner or professional, remember that most generative bots, including ChatGPT, do not guarantee data privacy.

This is especially important for businesses whose contracts are designed to ensure privacy or confidentiality for clients. If a business enters any client, customer, or partner information into a chatbot, that AI may use that information in ways that businesses can’t reliably predict.

The ramifications of generative AI programs like ChatGPT will continue to emerge over the next decade. Without a clear strategy that centers on privacy, businesses can put their profitability and reputation at risk.

But this risk can be preventable. Businesses that proactively address how their teams use generative AI and their privacy responsibilities can reap the benefits of AI—and establish themselves as a privacy leader.

Read all the new to-know information about ChatGPT for your business and get up to speed on how you can protect your organization's data: https://www.forbes.com/sites/forbesbusinesscouncil/2023/05/01/how-generative-ai-can-affect-your-business-data-privacy/?sh=2a13ee27702d

How to Prepare Your Company Data When Selling a Business - Red Clover Advisors

Data can be a valuable asset for your team. But if it’s not mapped, if your compliance is all over the place, or if you don’t have a transparent system, your data can end up looking like a horror-movie basement that scares off any potential buyers and damages consumer trust.?Here’s how to prepare your company data when you’re ready to sell your business.?

1: Conduct a Data Inventory

A data inventory accomplishes a number of purposes. It helps you understand what data your business has collected over time, how it has been (and is currently being) used, and how it is stored and shared.?

It can also help you assess whether your systems are in compliance with the plethora of data privacy laws that have been popping up in different countries and U.S. states.?

Serious buyers will request a data inventory for your company data and may even want to conduct one of their own, so it makes sense to start?mapping your data?now to know what to expect and where you may need to clean the house.?

2: Prepare the Paperwork

Think of clear and transparent reports like giant green flags for your business. They show potential buyers that your business is organized and that you’re honest with your financial records.

Take some time to collect:

1. All information related to your privacy and security policies
2. Individual rights requests procedures
3. Privacy training materials
4. Any privacy analyses that have been prepared
5. A report of all assets and their asset type
6. List of all active customers and relevant information
7. List of all affiliates, legal partners, or associated vendors
8. Other applicable metrics typical in your field

3. Review Applicable Data Privacy Regulations

Just as a house needs to be up-to-code and compliant with state and local laws, your data privacy policy and practices must also comply with all applicable regulations, which vary significantly by location.

Under most statutes, even if a business isn’t based in a specific location, if you collect data from a citizen in that state or country, you are legally required to comply with that government’s data privacy policy. This can make compliance a bit tricky.?

Businesses generally find that?the best data privacy policies are based on industry-wide best practices, rather than compliance with individual mandates. This strategy supports a business-friendly (and seller-friendly!) approach to privacy because it reassures interested buyers that your data privacy system won’t need an overhaul as soon as a new regulation comes into effect.?

Once you document your current compliance with data privacy regulations, review what policies may affect your data privacy in the event of a sale.?

4. Bring In an Expert to Help

Even if your business has an in-house IT team, this type of large-scale data inventory and organization can be an intimidating process.?

In the same way that a seller’s agent protects a home seller by providing property disclosures and screening buyers, an expert data advisor can help a business protect its assets, reduce risk, and present the best possible product to potential buyers. A privacy subject matter expert can review the flow of data, assess your privacy practices, and whether:?

1. Your practices are in compliance with privacy regulations
2. Any aspect of the sale would impact consumer trust and expectations

Read the full article on How to Prepare Your Company Data When Selling a Business here: https://redcloveradvisors.com/2023/05/02/how-to-prepare-your-company-data-when-selling-a-business/