
Gartner predicts that 75% of the world’s population will be protected by data privacy laws in 2024.

Ensuring that your business practices and processes that use sensitive data are compliant will put you well ahead of the curve on adapting to current and future state-level regulations as they develop.

So, how do you stay ahead when data privacy is quickly evolving?

Join the privacy experts to learn:

  • Why understanding privacy laws is essential to maintain and elevate your privacy program
  • What you need to know about 12 U.S. data privacy laws
  • How to empower your team to focus on strategy, not tedious tasks

Panelists

Alicia diVittorio
Moderator, DataGrail

Marykaren Ripple
Carvana

Robert Bateman
Privacy and Data Protection Writer

Transcript

Good morning, everyone. I hope everyone's doing okay. Thank you for joining us. We will start the webinar in just a couple of moments. I'll be introducing our speakers.

In the meantime, I would really love to get acquainted with our audience. We are going to take a quick poll, and we'd love to know: are you joining us from one of the 15 states with a privacy law either in place or about to go into effect? Alright. I don't know if we see some numbers coming in. Now, okay.

Let's see if we can pull up the data here and see how everything turned out. It looks like, oh, it's about 50/50. Okay. So nearly 50% covered by a regulation or soon to be, and 50% not yet. Interesting.

Good to see that. It kind of matches what I would expect. We'll dive a little bit more into the details of who's covered or not. Very interesting to see that. Thank you for participating. But why don't we go ahead and get started?

Today's quick agenda. First, we're gonna take a moment to get to know our panelists, and I wanna set the stage for why we're starting to see these distinct laws emerge across the country. But before we do that, we're gonna spend a quick moment talking about the commonalities across the regulations, and then we'll talk about what's notable about each law and what those different through lines are. I don't plan to take questions state by state, to save some time, but please put your questions in the chat, and we will save them for Q&A towards the end of the conversation so we can have both Mary Karen and/or Robert address them when we get to that point. Without further ado, I would like to introduce our panelists.

I also would like to give the perfunctory disclaimer that the information in this session is for educational and discussion purposes only and cannot be considered or intended as legal advice. Alright. So here to unpack the details of each of the state laws, we are joined by Robert Bateman and Mary Karen Ripple, and myself, Alicia diVittorio. I have been with DataGrail since 2019, the early days of data privacy, working to understand and unpack these different laws and regulations and really help foster dialogue on how we get businesses more privacy-centric over time. Robert Bateman fell into the world of governance back in 2017, where he started writing about privacy and governance for a variety of publications.

Since then, he's kept a very close pulse on all things privacy related, helping people like you and me decipher the latest laws and enforcements. Mary Karen Ripple is the senior manager of compliance at Carvana. For those who aren't familiar with Carvana, it's an online used car marketplace, and you could imagine that does require someone thinking about data privacy full time behind the scenes. But before moving on, I'd love to give a chance for our panelists to introduce themselves and tell the audience how they got into privacy. Mary Karen, why don't we start with you?

Oh, I think you're on mute. Sorry. Technical difficulties. Sorry about that. Yeah.

So I'm Mary Karen Ripple. I actually went to law school midlife after my son graduated from high school. And that's kind of how I got into privacy, was in law school, and I have been focusing on it for the last 5 years. So, yeah, love it. Great.

And, Robert, how did you get involved in privacy? Well, actually, doing a law degree as well. So kind of quite a typical route, I guess, but I took interest in the UK's Data Protection Act and one provision that I found particularly disgusting and decided to write a project on it, and then started to write for various publications, like you say. And now I do training as well and some consultancy, and I've been focusing more on the US recently. As you can tell by my accent, I am not from the US, but it is more interesting than Europe and the UK right now.

So, yeah, I look forward to talking it all through. Well, in 2018, Europe was the more interesting one. We're just catching up with the United States, I would say. Yeah. It's definitely more complicated across the pond, as we say.

Yes. That is right. Alright. Let me take, oh. Alright.

Looking ahead. Okay. So I wanna set the stage for why we're seeing these new laws emerge nearly every month or every few months. I wanted to share this data that DataGrail put together last year that shows just how much consumer expectations are changing. And I think this data point is particularly impactful.

In just 1 year, we saw the number of data privacy requests submitted by consumers go up by 72%. And when you look at deletion requests alone, that number actually doubled from 1 year to the next. And in total, we saw the number of privacy requests go from nearly 400 requests per 1,000,000 identities up to 650 requests per 1,000,000 identities in 2022. That's a huge increase, and that signals to us that consumers around the globe are more aware about privacy. They're really trying to understand how they can rein in where they have data online.

And to me, I think a huge portion of why we're seeing this increase of DSARs is because of this heightened awareness around privacy-related issues. The new enforcements, Roe v. Wade, you name it. All of these new privacy issues are coming top of mind to consumers. I did wanna do another quick poll before we move on. Has your company seen an increase in data subject requests over the past couple of years?

You can either say yes for an increase, or if it stayed steady, or a decrease. I feel like I need some Jeopardy music while we're letting everyone answer the poll because it's so quiet. But maybe we'll get that next time for our next webinar. Oh, there we are. Okay.

So we're seeing most people say they're either seeing an increase or staying steady from the previous year. Interesting to see that. Yeah. I would expect that to be the same. And then as these laws go into effect, it'll probably be even more.

Okay. Looking ahead, I wanna share this slide because I do find it very fascinating to see who's actually submitting these requests. Last year, DataGrail saw that more than half of privacy requests came from states that were not protected by any sort of law. This is particularly, it signals that, again, people are aware of what's happening and want these rights. Mary Karen, I did wanna ask you, how do you handle this?

How do you handle taking in requests from different jurisdictions that may not be covered yet? So, I'm gonna speak from my background, not just from Carvana. That's great. But I think it depends on where you are in your privacy journey. So if you are automated and you're able to do it, I think at least giving some of those privacy rights to people outside of that jurisdiction is great for the business and for your brand trust.

When you're less automated, you have to really kind of pick and choose. So, you know, like, deletion requests, those are a little bit easier to comply with, I think, at least as I've seen them in play when it comes to manual kinds of things, not as automated. Deletion requests are easier, so you can, you know, grant those kind of however you feel the need to, and then, you know, access requests, limit that. Because you don't have the capability to really fulfill that in a big giant way is kind of how I've seen it approached. Yeah.

No. That's helpful. I have one more data point, and then we're gonna get right into all these different laws and how complex they are. The last thing I wanted to share is, so we saw on the previous slide that 52% of people submitting requests came from jurisdictions not covered.

Contrast that to what the future holds. Privacy laws are catching up to consumer expectations. In 2026, nearly half of all residents will be protected by a privacy law. And, you know, we don't know what to expect over the next couple of years, but I can only assume we're gonna see more laws be passed across the other states. So in 2022, only 40,000,000 people were protected, and that was primarily California.

And in 2026, that'll jump to 162,000,000 people who will be protected by a law. This is a massive shift, and I think we all know as practitioners in the space that this is gonna require some changes for businesses to accommodate. Alrighty. So what I wanna do now is spend a quick few moments reviewing the core tenets of each privacy law. What are the core, excuse me, the commonalities across them?

Mary Karen, help me unpack the, and Robert, of course. Help me unpack these 6 core tenets that most privacy laws have. Robert, do you mind taking the top few that we see here on the slide and unpacking what they actually mean and what that means for a business? Sure. So, number 1, the application.

Normally these laws have a threshold, as most people probably know, whereby you need to be processing or controlling the personal data of a given number of consumers in that state to be covered by the law. Now, this kind of sounds like a carve out for smaller businesses, which it is, but it really makes things complicated because figuring out which laws apply to which businesses is one of the most complicated and time-consuming things, I think, with US privacy law at the moment. There's a lot of exemptions as well if you're covered by other laws like HIPAA or the Gramm-Leach-Bliley Act. So that's the first thing. The application is a headache in itself, or can be.

Second, we've got the consumer rights here. So the right to access data, delete it, and to object to certain things, always the selling of personal data. And I think most businesses don't realize how broadly that selling definition is defined. So it can cover things like using third-party cookies, and, of course, targeted advertising is also specifically mentioned in most of these new laws too. So you've got rights of access, deletion, usually correction as well, but a couple of states miss that out, and objecting to certain types of data processing.

Thirdly, the scope of these laws is inspired by European law. And the most important thing, I think the biggest shift for the US, is moving away from this personally identifiable information concept where you used to have, you know, a list of types of information that were covered by the law. Now you have this much broader conception of personal data. So data that, you do have the word reasonably in there in the US, which we don't have in the EU, or they, I should say, since Brexit, or the UK. So it's a very broad definition of personal data.

It can cover all sorts of things, depending on the context. It could be IP addresses, for example, which you can't help but collect in some circumstances, and it covers much more than names and email addresses and so on. Yeah. And we'll talk a little bit more about the broad definition of sensitive data and how to handle that across jurisdictions. And I do think it is interesting that you hit on selling of data and the broad context of that, and we can also talk about how that varies across jurisdictions as well. Mary Karen, do you wanna take us through the second four commonalities across the regulations and laws?

Sure. So most of them require organizations to disclose your privacy practices. So what you're collecting, why you're collecting it, who you're sharing it with, if you're selling it, those kinds of things have to be clearly laid out online. Consent for sensitive data use and opt outs for cookies. So most of them have some kind of consent mechanism in there, whether it's, you know, implied consent or, you know, straight up.

Before they collect it, I'm giving you this data and I know it. And then many states are starting to require privacy impact assessments. So, fingers crossed. You know, most of them say, like in Oregon and California, if you've already done one and there are pieces missing, you can just kind of do an addendum. So fingers crossed that that's how they're gonna keep going on those.

Yeah. I kinda wanted to go back to number 5 quickly. You mentioned kind of implicit consent or not. I wanted to talk quickly about opt in versus opt out and the subtle difference between the two, and Robert, weigh in here too on GDPR, opting in versus opting out. Do you mind kind of giving the audience a little bit of definition between those two kinds of methodologies, I guess? Oh, yeah.

So, yeah, when you opt in, you have to actually opt into that data collection piece of it. So before you can collect the data, you have to get consent from the consumer or the individual that you can collect that data and use it for whatever reason you're telling them you're gonna use it for. Opt out is you assume they're allowing for it, but they have the ability to opt out of that in some instances. So, let's say someone visits your website and you are collecting their data and you're gonna, you know, share it with someone for targeted advertising; you need to allow those individuals to opt out of that sharing for that targeted advertising. Yeah.

And, yeah, there's some states that are opt in and some that are opt out. Robert will talk about that a little bit later. Right? Sure.

And, actually, well, I won't spoil it. But it might be quite surprising which states are opt out and which are opt in. Yeah. No. And one thing also to add here is that there's another European influence, but the definition of consent is actually even stronger than in Europe in some of these states, because they seem to have learned from some of the ways that businesses have tried to get around kind of getting proper consent in the EU.

And they also list things that are not consent. So, like, agreeing to terms and conditions that also reference other things. So that is really important. And Mary Karen's right there with that distinction: you have to get permission beforehand, or you can assume that they want you to do it and they can tell you if they don't. But it's interesting that these states are moving towards that opt in model for lots of stuff.

Yeah. And I think there's one interesting piece with Oregon: it specifically calls out that not doing anything is not consent. Yeah. So, you know, if you have one of those cookie pop ups and someone just ignores it, that's not consent in Oregon.

I found that interesting. Yeah. That is very interesting. Makes this very complex. Alright.

Let's keep moving, and we will touch on these issues. I do see a question in here, and I wanna clarify what I mean when I say privacy request. I'm using the terms privacy request and data subject request interchangeably. So it's when the consumer submits a request to access their data, delete their data, or correct their data.

Yeah. I'm using those terms interchangeably. Alright. Let's get into it. How are these laws the same or distinct?

So I took a moment, and I worked with Robert and Mary Karen to kind of find some themes, some commonalities across them, and I bucketed them into 4 different categories. The first one, which I think is very important, and Robert will talk about this in a moment: there are 3 states where attorneys general can make regulations. You first have the law, and the attorney general can add some regulations on top of it to clarify that law. Then we have several states that really are modeled after Virginia.

We all talk a lot about California in this country, but, really, it's Virginia's law that most of the other states are following, and we'll talk about that extensively. The 3rd bucket we found is there are a couple of states that are very focused on protecting health data and anything around biometrics or even gender or identity. And the last bucket is really there are some states that may have a big name, but when you really dive into the details, they don't have as much teeth or strength as some of the other regulations we come across. So let's first tackle the first bucket: attorneys general where they can make regulations.

So let's start with California. California is the big one, the law we're most familiar with. It is very strict. Robert, do you mind giving us a quick rundown on what makes California unique here in the States? California is really different from the rest.

And I think most people, or many people, assume that the other states will follow California, but I'm told that there was quite a lobbying effort after the CCPA passed, and the tech lobby kind of devised a new model. Now, I think that's slightly unfair to characterize it that way because the other states have some pretty tough provisions too. The important differences in California, I think the most important difference is that employees are covered, from the beginning of last year. And also someone's asked about B2B in the questions. B2B processing is covered as well in some contexts.

So California doesn't distinguish between types of consumers. You know, a California resident is a consumer, and if that's one of your employees, then you extend the same rights to them. So that means it hits a lot of companies. So anyone really that falls under the thresholds, with employees in California, is going to have to think about this law. Also, it has its own enforcement agency.

That's the California Privacy Protection Agency. And they've got off to a bit of a false start because they were very late with their first set of regulations. They had a court battle about that and it's still going on, but they are putting out some rules and they are really interesting. So there's one on automated decision making recently, AI-driven decision making essentially, that will really, I mean, I think it's a first for the US. It's a very broad conception of what you have to do, what safeguards to put in place if you're doing risky or important stuff with AI.

And this all derives from the California law. It is, though, opt out for pretty much everything. So to that extent, it's not as strict as some of the others, but it is more complicated. And also, I mean, I don't know if I'm alone in thinking this, but I don't like how it's written. I find the CCPA really hard to understand and follow.

So it probably will take up more time for businesses than most of these other laws. Yeah. Mary Karen, can you talk about some of the biggest changes you made at your organization to accommodate California and any other laws that have come out? Well, I think, you know, early in my career, I was in a multinational organization. And so lately, I've just been US focused.

And so I think the biggest change, you know, if you have an organization that's already complying with GDPR, California really wasn't, I mean, it was a change, but it wasn't as big of a change as if you're only operating in the US or, you know, Canada, in North America. If you're only operating there, then California was a big step. And I think that just making sure that people understood that, that people didn't panic within the organization, I think was the biggest step you could take, and then really understanding who your stakeholders were and gaining their support are the best ways to prepare you for these kinds of things. Yeah. Yeah.

Getting those stakeholders on board. Very important. Let's take a look at Colorado. When taking a look at Colorado, Robert, what jumps out at you as unique or distinct? Well, this is another interesting one because the attorney general can make rules and regulations deriving from the law.

So it's kinda still developing, and we're seeing news about this law as we go along. So the attorney general's already put out some regulations on the data protection assessment process, or privacy impact assessment, as this process is sometimes called. And it's quite rigorous. So, you know, there are no pushovers. It's not as detailed as some of the stuff coming out of California, but they also have these universal opt out methods.

So if you're covered by Colorado's law from July, you're going to have to configure your website to recognize if people in that state have Global Privacy Control installed in their browser. So lots of states have this. It's already in effect in California, although I think that's on slightly shaky ground with that one because it wasn't really in the law, but they have enforced on that. Yeah. And the attorney general is doing a lot, and it's one of the more kinda active states.

So although the law is not that different from others in California, in Virginia and so on, I think they're taking it seriously. Yeah. So, Robert, you touched on GPC, and, a GPC. Yeah. Sometimes, it was weird.

Did I just switch the acronym around? But, Mary Karen, can you talk to me a little bit more about how you accommodate for this at Carvana and really kind of have implemented some sort of processes and technologies to make sure that you can follow GPC? Oh, mute. Oh, I think you're on mute again. Really?

You'd think after all these years I would have figured it out. It can't be a webinar if there aren't any technical glitches. It's just the user errors. So, yeah, I think just understanding the technology involved, I think, is the biggest step in implementing it, and then having a consent management platform is pretty much the best way to do it because it's the best way to capture all of it. So we use a consent management platform.

We actually use DataGrail. I don't know if I'm allowed to say that. You are. It's okay. And so I think that using that is the best way, especially if you're not wanting to grant that to every person that visits your website.

You know, having a consent management platform is the best way to do that. Yeah. And I just saw a question pop up while we're here talking about GPC. Mhmm. The question is, I see so many company privacy notices that give some reasons as to why they don't recognize the signal.

Is there a reason why, or is there, like, a legitimate reason why that might not be the case, or are they just not ready yet? So that comes from CalOPPA, the old California law, the California Online Privacy Protection Act, which didn't require you to actually do anything about these signals, but did require you to say whether you do anything about them. Oh, interesting. That's just a bit of a relic, and it will probably stop over the next few years. Another thing to say about Colorado, just very quickly on the GPC thing: they did have a short list of other protocols that they were considering.

One's called, like, opt out code and opt out machine or something, but they didn't go with those. They just went with the GPC. So other states could ask or require businesses to recognize other signals other than GPC. But I kinda hope that it'll go for GPC, because it will be very complicated if you have different states with different signals and so on. Yeah.

No. Absolutely. It's already complicated enough as it is. Okay. I wanted to take a quick moment to talk about New Jersey, the newest law that's on the books.

Another one where the attorney general has power to issue regulations and enforcements. Robert, what else stands out to you with New Jersey? Yes. So New Jersey is fresh from this year. And, I mean, it's got most of the usual kind of stuff.

It strikes me that talking about US privacy law and the usual stuff is all quite, you know, quite robust kinds of requirements, which I didn't think I would be saying a few years ago. It's got a relatively low threshold, and it's got this regulation power for the attorney general. Apart from that, I mean, I think that what I took from it was that the states are not going soft, because there was a time last year where I thought maybe it would be a race to the bottom kind of thing, but that's not happened. I mean, New Jersey is up there with the stricter laws. It's got everything you would expect to see in it from a Virginia-style law.

And it has a bit of stuff about children that you don't see elsewhere, and we'll see the law develop a bit, just like in California and Colorado, because of these regulations. So, Mary Karen, since this is so new, when another state passes a bill or an act of some sort, what happens internally at Carvana? Are there any big changes that need to be happening? Do you kind of alert folks? What's your kind of process internally there?

Yeah. I mean, obviously, you kinda read through the bill, the law, to make sure, you know, you understand what it is. And then if there are any weird, quirky things about it, which we'll touch on as we go through here, there are. You make sure you call out those pieces and then, you know, reach out to the people and the teams and the stakeholders that it is going to affect the most. Yeah.

And is that typically people on your engineering teams? Is it typically people in legal, or both, or anywhere? All of the above? It's both. You know?

It's all of the above. So, you know, it could affect your call center. It could affect your engineering teams, marketing, you know, all those teams. So really just figuring out what the nuance is and who that's gonna affect the most internally and going to those people. I wanted to do a poll before we started, but I do wanna do it really quickly.

I think we have the question around which state law you are most concerned about following. Yes. There it is. Thank you, Mallory, for getting me up about it. Before we move on, I wanted to get a quick snapshot here.

Alright. Let's see what the answer set is. Oop. California. I think that's fair.

I think it's really complicated, and you've got employees as well. So, yeah. And we've got a couple of questions in here about that. And before we move on, I do wanna ask that question around why we think other states didn't include employees in their policies. I have a theory, but I don't know if it's right. So I hope there are no California lawmakers watching, but I think it might've been an accident.

The CCPA was quite rushed, and it was one of these, I don't think it was actually, I think it was taken forward as a proper law. California allows citizens to bring laws, you know, to be debated. And I just wonder if they didn't really consider it. And they wrote consumer. The definition doesn't specifically exclude employees.

They put it off for years. So the CCPA took effect long before the employee bits did, but then they couldn't put it off any longer. And now it applies to employees. I think it's a good thing, to be honest, from an employee perspective. But, yeah, the other states have not gone down that route.

Alright. Let's move on here. Let's look at the Virginia-style states. Let's start with Virginia. Robert, do you mind giving us the 1, 2, 3 on Virginia: why it's so unique, how it's distinct from California, and why do we think the other states followed Virginia's lead versus California?

Yeah. So, actually, I call them Virginia-style states. It's a bit unfair on Washington because they're all based on this Washington Privacy Act that never passed, up in Washington state. But we'll continue calling them Virginia-style states. So they are simpler, shorter than California's law.

They're much easier to read and understand, in my view. They don't have a private right of action like California does. That private right of action is quite limited, but none of these comprehensive laws have that, as far as I know. So you can't sue a company for violating the law. You can make a complaint.

They've got some things that California lacks, though, such as an opt in requirement for sensitive data. You don't need consent for a lot of stuff in California. You do need it for some things, including children, reusing personal data in kind of different contexts. But in the Virginia-style states, generally with a couple of exceptions, you need consent before you do anything with sensitive data. So just on that one, would it be fair to say that's more like GDPR?

Kind of. Yeah. Consent more like me. Actually, you could say it's kind of stricter, because under the GDPR you do have options other than consent to process special category data, as it's called. I think it's gonna cause some problems, actually, because there are some times that you might need to, what if you've got an app that relies on sensitive data and people want to use it, but they say no to consent? Then you have to stop using the app.

And then, you know, I think it's gonna cause some issues. But there we are. That's why I say California is not necessarily stricter. And also, California did not have data protection assessments to start with. So there's quite a few bits that these states have, and Virginia has provided the model and other states are building on that.

Yeah. And, Mary Karen, did you have to change anything internally when the law went into effect last year? And by the way, this should not be less strict. This should be up here, over here. Not sure.

Somehow my little marker got moved. You know, the consent piece was a big piece for sensitive data. I've only worked with financial institutions. So sensitive data is something that you have to obtain consent for. So that was a little bit different.

But for the most part, I think it wasn't a big jump for that. Yeah. But that is, I think, the biggest thing, the biggest shift. If you were following California as only a state-side company, yep, you suddenly have to enable opt in versus opt out.

That's a big shift for a business. Again, consent management platform then. If you don't have one, get one. Alright. Let's move on.

Let's take a quick look at Delaware here. We were talking previously. Mary Karen, how are you managing through the various definitions of sensitive data? So it's funny. We actually are in the process of revamping our information classification system.

And I think, one, make sure you have one of those. And two, you kind of include everything from all of the states in that. And that way you're just covered, and you don't have to worry about who's doing what with what state, and that kind of stuff. So, really, information classification, I think, is your key piece in making sure that it covers every single definition of sensitive data possible. Yeah.

And are you using a system for that? Are you working hand in hand with your tech teams to kind of build this information classification system? How does that work? Yeah. So we're working with our IT teams and our information security teams on that.

And then, you know, kind of fleshing that out with other departments. Like, this is what you need to do. So yes. Robert, really quickly. You mentioned earlier that Delaware has a carve out for the privacy impact assessments only being for larger controller companies.

Do you mind unpacking that for the audience? I think that's Oregon. Is it Delaware or Oregon? I did get those 2 mixed up. So it is Delaware.

You're right. So there's a requirement to carry out data protection assessments, weighing up the risks and the benefits of what you want to do under certain circumstances. But in Delaware, that applies to larger controllers who process personal data about at least 100,000 consumers. So that's one slightly unique thing about Delaware. Because we've tried to find little things that are different about all these laws.

So there's that. And, yeah, it's quite broad. It's quite new. It's got this transgender and non-binary status in sensitive data, and some other states have followed suit since then as well. Yeah.

Great. Looking ahead to Indiana. Indiana appears to be a little bit more lenient. Why, Robert, in your opinion, is this law a little bit more friendly to businesses, I would say? So there's a couple of things in there. Well, you've got a lot of time to prepare. I think it's a really long lead-in time.

Yeah. And, also, they will accept, so if you're doing a data protection assessment or a PIA for another state, you can simply recycle it for Indiana. That's explicit in the law, which is quite unusual. You wouldn't catch California saying something like that. So there might be some cost savings there.

I think they have that in mind, I guess. This was during the period where states were getting a bit more timid with the privacy laws, and they're emboldened again now, I think. So we don't see as many of those little carve outs and exceptions. Right. Looking ahead to Montana, I wanted to ask you again, Robert, here on this one.

What makes Montana a truly comprehensive law? Well, it's it's again, it's got a lot of the it's got a lot of the stuff. It's got the universal opt out, mechanisms as well that will that will catch a lot of businesses. It's got data protection assessments, consumer rights. Again, this was in that period when plenty of states were passing these comprehensive privacy laws, but many of them were leaving things out.

Montana, I think, features everything relatively low threshold and Montana. Well, you put the, you made reference to that TikTok thing there. So they banned, they've got some kind of a bill banning TikTok. I think something passed. So it might be that there's a bit of privacy showboating going on among the legislators there.

Maybe we'll see some sort of tough enforcement on that basis. But, yeah, Montana is a pretty kind of standard one. It takes effect this year, I think, yeah, October. So, it's a, it's a good one to start thinking about, you know, it's got everything you need to do for the others too. So it's it's a good one to prepare for.

Start preparing now, I guess Yeah. If you haven't already. Yeah. Let's look ahead to Oregon really quickly. Marykaren, you and I you and I had talked about this one briefly earlier and about the the kind of strange exemptions that that Oregon has.

Can you talk to the to explain to the audience what do we mean by this third bullet over here? Data is exempt, but not the entity. Yeah. So most of the privacy laws in the states are, they have carve outs. So they have, entity level carve outs.

So if you are an institution that financial institution that falls under GLBA, then you don't have to comply with privacy law. If you fall under HIPAA, you don't have to apply with it. You don't have to comply with it. California and Oregon are have handled this a little bit differently, and it's a data level exemption. So data that it falls under GLBA or, I'm not sure if it's HIPAA, but, the Fair Credit Reporting Act.

If it falls under there, that data itself is exempt, but the entity isn't exempt. So if you process data for things other than specifically for GLBA reasons, that data is not covered under the law. You have to comply with the law. So that was kind of the weird carve out because California is the only other one that has something like that. Yeah.

Robert, talk to me quickly about this this this concept of being able to request the list of the 3rd parties. What does that mean exactly? So, yeah, Oregon's one of those states where it has quite a broad right to know, provision. I think a couple of other states have this. Maybe Texas was the first where you can request a list of the names of third parties to whom the company has shared your personal data.

So similar right in the EU, but worded quite strongly actually in these US laws. You you need to some of them even, I think, says you need to put their contact details there too. So for frivolous data sharing, that's gonna be a problem. If you present someone with a list of, you know, 300 companies or something, that's not gonna look great. That's right.

I think that people would not like to know that. Alright. Let's move ahead. We've got a lot of questions in the queue, so I wanna keep moving. Alright.

Texas. This one we talked about briefly. Marykaren, do you mind talking to me about talking to the audience about why this was could be particularly challenging for smaller businesses? I think that was the question you were gonna ask, Robert. Now Oh.

You know what? I'll ask Robert. Robert Don't, please. I can tell you that. That question then.

Well, this is the only law that doesn't well, the it it applies to every company, operating in Texas or with products and services directed to Texas residents, I think is the language or something like that. But small businesses only have to do one thing, which is to get consent before you sell someone's sensitive data. So that's not quite as nefarious as it sounds. There might be quite a few businesses doing that without realizing, but, small businesses defined by the US Small Business Association or something like that. I think it's under 500 employees.

So that's most businesses in the US by far, but they will have to do something. Well, many of them will have to do something if they're in Texas, operating in Texas. Yes. So so, basically, the millions of small businesses who haven't really had to comply with any regulations are suddenly gonna have to comply with Texas's law. They're gonna have to think about it at least and see if they need to comply.

Look at the definition of selling and sensitive data and see if that's what you're doing. Yeah. Alright. Let's take a quick look at the 2 states. Well, there's many states, but 2 of 2 of the focus points, that focus a lot on health data.

And I do see a couple questions in the queue related to this, so maybe we'll be able to to address them there. Robert, do you mind, unpacking Washington's law and why the health, like, carbon a really big deal that that these laws. So it's not what we call a comprehensive law, but it's actually not quite I mean, it's misleading to call it a health privacy law in a way because the definition of consumer health data is so broad that it will cover a lot of different processing. So any health company that's not covered by HIPAA doing anything in the health sphere, I think even fitness as well, stuff like, menstruation tracking apps, that kind of stuff. So not just doctors and nurses, you know, are going to have to think about this one because there's no thresholds as well.

It's, is any business processing consumer health data that does business in Washington, and consumer health data is super broad. It could be anything that even reveals anything about someone's health essentially, and it's got a private right of action. So that means I think we'll see lawsuits whether or not they succeed, people will try. They could be rubbish, but, there will definitely be attempts to sue under this law. Did you have anything to add on Washington?

I mean, Marykaren, I assume since you're not a health related company, you're you're not as as worried about Washington. No? No. No. Yeah.

Let's take a quick look at Connecticut. Talk to me, Robert, a little bit more around the difference with Connecticut versus Washington. Yeah. So this is a this is a comprehensive, health comprehensive privacy law. But since Washington took effect, they introduced some sort of Washington style provisions in there.

So they now have this consumer health data concept too. And if you operate in Connecticut or target Connecticut residents and you process consumer health data, there's no threshold. So you could be a one person business doing that, and Connecticut law will apply. So that really has quite big implications and you'll have to do all the other stuff as well in respect of your personal data. So if you do anything in the realm of health, I recommend you take a look at Washington and Connecticut and also Nevada, which we're not covering, but there's a slightly smaller law there as well.

Thank you. Alright. Now I wanna get to the last few laws, the the laws that have some chatter, some a little and then some have more teeth than others. Let's take a quick look at Florida. Robert, Marykaren, anything to say here other than really Florida probably doesn't impact most people on this call unless you're working for the big tech firms?

All I say is they're clearly targeting about 3 companies. So unless your CEO's name rhymes with Clark Pluckerberg or you, you know, your name is a jungle, in South America, then don't worry about Florida. Yeah. Yeah. Iowa.

Talk to me about Iowa. Anything to call out here, Marykaren, have you made any changes or been watching it or probably not? And then, Robert, anything you'd wanna mention about Iowa? Yeah. It's quite a weak one.

So it's a bit like Utah. I think it's slightly less less weak than Utah, but, again, there's lots of stuff there. So if you operate in Iowa, then do pay attention to it. Right. Before I move on, I do wanna and then since we're so close to the health discussion, I wanna answer a question that just popped up.

Is there any example of processing PHI where it would be under Washington or Connecticut's law instead of HIPAA? Yeah. Yeah. I think so. I think it's broader than than protected health information under HIPAA.

It's, it's if you take a look at the law, they set out some examples in the Washington My Health My Data Act. I think, I've written about it, so you can Google the law's name and and me. But, yeah, they they really spell out. They're really trying to cover as much data as they can. HIPAA is a little bit more refined.

Yeah. Tennessee, this one, why do we why did Robert, why do we put this in the, like, in the this category? Well, there's one thing. Actually, Marykaren is, is, I believe, familiar with the NIST privacy framework. Yeah.

And I I'm not really, except in theory. And they let you, if you're compliant with that and you're doing a good job with it, then I think you're cut you can you don't have to worry about Tennessee. But I think the onus is on you to prove that you're you're doing it right. So if you're complying with NIST and you operate in Tennessee, then you might have one less law to worry about. And, Marykaren, how are you thinking about adopting NIST, the NIST privacy framework at Carvana?

So we are, you know, it's just one of those very recognizable, and trusted kind of framework. So, you know, if you're following that or the pieces of it that apply most to your organization, then you're probably doing it well or at least well enough. So, yeah, that's kind of what we're using it for is that, you know, kind of a risk assessment piece of it. Right. Yeah.

And last, Utah, similar to to Iowa, has very high thresholds. You don't even have to be doing DPIAs or PIAs here in Utah. Anything else to add, Marykaren or or Robert, on Utah? For some reason, there's no right to correct your personal agency. One.

Yeah. Yeah. I don't know why that was left out. There's some typos as well in there, which is always fun. In actual law.

Great. Alright. Well, I wanna quickly turn it over to some tips for success and let Marykaren kinda take us through this, and then we'll get into the q and a because I see quite a few questions. But, Marykaren, do you mind taking us through kind of tips that you've done as a practitioner as you're thinking about applying some sort of, like, rigor and processes to all these different laws that are coming through on in the states over time? Yeah.

So, you know, the best way to do it if if you fall within all of these states, is to kind of pick a program that meets the strictest of them and, kind of go from there, you know, honoring privacy rights regardless of jurisdiction. We kind of talked about that. That I think just builds trust in your brand. And and if you have an automated way to do that, I think that's the best thing. If you're not automated, maybe not.

But, yeah, I think that's great for for consumer trust. Keep an eye out for AI best practices and regulations, especially at that federal level, along with the enforcement actions. I think, we're gonna see a lot more movement in that. And I think we're gonna see more movement at state level when it comes to AI. I'd like to say the feds are gonna do it, but we all know that's not true.

Yeah. And while you were talking I'm sorry to interrupt. But just, we did get a question in the q and a around that. Do either of you, while we're talking about AI, have any, you know, finger in the wind instincts on what states might be coming next or looking at, moderate, regulating AI next after California? There's a bill in New Hampshire, I think, that just also passed the, another law that we haven't covered, but it hasn't been signed yet.

So Okay. Oh, we'll wait to to get it signed before we add it to our guide. How's that sound? Okay. Sorry to interrupt, but keep going, Marykaren.

Yeah. Again, if you're not automating and you fall underneath more than one of these laws, automate, to manage the the volume and to reduce the errors. I highly, highly encourage you to do that. Additionally, you're gonna wanna uncover unknown systems and understand data collection and usage in your organization. So data mapping and data flow is one of those key pieces.

I can't stress that enough. And then I would, you know, I monitor the enforcements in California, along with state level, legislative sessions. You know, there are a couple of good places to do that. IAPP has one. But, yeah, just just keeping it your ear to the ground on on what people are focusing on, I think, is is the best practice.

Right. Alright. I'm gonna hop right into the q and a because we have a ton of questions. The first question we got was, what state do we believe will be the next to pass law? And I think we just heard the answer about possibly being New Hampshire.

Well, that was more AI related, but still But they they just they just passed a a comprehensive law actually, yeah, as well. So that that'll be the next one to to take effect, I think. Yeah. The next question I see here, which I think is good to clarify, is is is personal data that is already publicly avail available still covered across generally across the laws? Not really.

I don't know if Marykaren agrees, but, I think they all exclude it. They do, but I think you have to be careful Yeah. With that. If you're if you're collecting that data and you're not getting it from a public source, I would be a little leery about claiming the public information exemption there. Yeah.

For sure. So if you're asking for my email and my address in a form, that's just scraping the Internet and finding it on whatever Internet website. Correct. Or buying it from a data broker. Yeah.

You know? Or I'm sorry. Getting the list from, you know, the Census Bureau or whatever, wherever you get it. Yeah. This next one is is tied to opting out.

Opt out sometimes means no agreement. Are you opting out because of being our customer? Are you you are opting out of being our customer, I believe. Are there states that prohibit companies from stopping service to customers who want to opt out? So I think I know what the question is getting out there.

There are states where if you're asking for consent and the person says no, then you can't tie that to not being able to use your service. So this is a big thing in the EU at the moment because, Facebook and Instagram want to charge for people. If you don't want targeted ads, it's all about the definition of consent over in the states. You, you, you can look forward to that headache of how to define consent. But, yes, there are states that do not allow you to tie consent to providing your core services.

So you can't ask someone to consent to selling data, for example, if they want to use your app, if you if consent means proper voluntary agreement. Right. We did get a question which I can answer. Does DataGrail offer any services or templates to help with DPAs or PIAs? Yes.

We absolutely do. We have a product called Risk Monitor that does help with your PIAs or DPIAs. I think we covered this one, but I don't know if you wanna add any further clarification, Marykaren. How are you managing through the different GPC requirements? I think we covered it.

But Yeah. I think, Consent management, really. Really, consent management. Absolutely. 100%.

Yeah. Robert, on that similar topic, someone asks, can what was the law that you've referenced that, made GPC signals unsettled? Oh, this a minute ago. Don't don't worry about my my card. I was I was I was, there's a frivolous speculation about California's, enforcement activity.

Look at the Sephora case, where they did enforce against someone for not having GPC, signal recognition. And it was a little bit earlier than than I expected. I didn't think it was very clear in the law at that point. So DPIA regulations are still being considered in California, or have they now been agreed? I know there were there was kind of some squishy language around that in California.

Can you guys clarify what's happening with PIAs in California? Yeah. So, the regulations are being, kind of debated right now. It's in, you know, draft form, but it's in the law. So the law is currently the law.

So you still have to technically comply with it. They just don't have the specifics about it. So, you know, how they choose to, enforce that is yet to be seen, but, yeah, the the regulations are out which tell you how to comply with the law, which is in effect. Yeah. I have room for one more question.

I'm so sorry that we weren't able to get to all of them, but we will do our best to maybe have a follow-up webinar, see if we can answer them later. But, lastly, I think this is pretty clear, but if for the Delaware law, if you're a registered company in Delaware, do you need to comply? And I think it's more about, do you have consumers who live in Delaware? Right? Yeah.

I think so. Yeah. It's it's so so it would always say, like, a 100,000 consumers. I think it's quite low in Delaware, but there's so many companies based in Delaware. But they all they all these states only care about people that live in those states.

So So if you're a Delaware company that doesn't have any Delaware customers or website visitors, then you don't have to worry about Delaware's laws. It's well, law. I shouldn't say laws. Yeah. The specific law.

Great. Alright. Well, thank you everyone for joining us today. We we really appreciate you joining us. We will make sure to send both the recording of this of this conversation as well as the full presentation to everyone, after in a in a today or later today.

If you're interested in learning more and joining our privacy community at DataGrail, please join us at datagrail.io/community. It's a Slack group where we have many privacy professionals such as yourself who ask these questions day to day, hear from their peers directly to really understand what's happening because things are always changing and evolving in data privacy. Or if you're really interested in learning more about how DataGrail can help you in your privacy program, we can certainly do that for you. You can you can you can, say yes. You'd like to learn more in this poll, and we will follow up directly with you.

And we can be we can be sure to help you understand how we can help with automating DSARs, data subject rights requests, live data mapping, risk assessments, and consent management. Thank you. I wanna send a big a big thank you to both Marykaren and Robert for being our panelists today. Your insights were very helpful. They've I've learned a ton from you today and before, and I'm very thankful for your time.

And I look forward to seeing everyone again soon. Thank you. Bye bye. Thank you. Thank you.

Bye.