Cracking the Code of Data Privacy:
Ethical Approaches to Handling Sensitive Information
Michelle D. Axelrod, Esq.
Principal, Porzio, Bromberg & Newman, P.C.
Alfred R. Brunetti, Esq., CIPP/US, CIPM
Principal, Porzio, Bromberg & Newman, P.C.
Please download and install the Slido app on all computers you use
Does your organization have a privacy compliance program (either stand alone or as part of your overall compliance program)?
ⓘ Start presenting to display the poll results on this slide.
Please download and install the Slido app on all computers you use
Who is responsible for privacy compliance at your organization?
ⓘ Start presenting to display the poll results on this slide.
Types of Privacy
Information Privacy - collecting & processing of personal information
Bodily Privacy - physical, biological, behavioral being & activity
Territorial Privacy - intrusion on physical environment, tracking
Communications Privacy - written, electronic, audio
Data Privacy is…
The use and governance of Personal Data (i.e. information linked or reasonably linkable to an identified or identifiable person)
Concept based upon autonomy and having control over your personal information; how it is collected and how it is used or disseminated.
Rights given to Data Subjects
Obligations placed upon Businesses
Attendant Risk Management
Initially Sectoral and Now, ‘Comprehensive’
Some federal ‘sectoral’ data laws you may know:
➢ Health Insurance Portability and Accountability Act of 1996 (HIPAA) - healthcare
➢ Gramm-Leach Bliley Act (GLBA) - financial institutions
➢ Children’s Online Privacy Protection Act (COPPA) - privacy of children u13
➢ Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) - commercial email including opt-outs
➢ Telephone Consumer Protection Act (TCPA) - telemarketing
➢ Family Educational Rights and Privacy Act (FERPA) - student education records
➢ Genetic Information Nondiscrimination Act (GINA) - job related decision discrimination
The Building Blocks of Domestic Data Privacy Enforcement
‘Comprehensive’ consumer privacy laws (45% of U.S. population) + consumer health data laws
Biometric-specific data privacy laws (e.g. Illinois, Washington, Texas)
Federal Agencies enforcing by sector – FTC, the de facto privacy regulator, applying its unfair & deceptive powers as ‘gap fillers’
State Attorneys General; Privacy Agency (CPPA); HHS/OCR and DOJ enforcements
Class Actions (e.g. VPPA / BIPA / wiretap laws, e.g. CIPA, PA)
State laws complementary to sectoral federal privacy laws (e.g. baby HIPAAs, financial regs, etc.)
Common Requirements of Domestic DP laws
Privacy Notices
Purpose Limitation / Data Minimization
Rights to Access, Delete, Correct, Non-discrimination, opt out of certain processing
Consent Protocols
Data Processing Agreements
Right to Opt-Out of certain processing (e.g., sale, profiling, sensitive data)
Reasons for Compliance
The Flow of Personal Data
Applicants & Employees–submitting data
Employee & HR – updating & managing data
Payroll & Benefits –managing data
Personal Data
Customers / Consumers –providing / collecting data
Vendors & Business partners –transmitting & processing data
Please download and install the Slido app on all computers you use
I know my organization:
ⓘ Start presenting to display the poll results on this slide.
Common Ethical Points of Friction
Balancing business objectives with data minimization
Balancing business innovation with transparency
Consumer Expectations versus Corporate Practices
Negotiating and Navigating data-touching agreements & relationships
Navigating the mitigation of risk in data processing activities
Categories of Sensitive Data
Financial
Health Religion
Geolocation
Child
Biometrics
Sexuality
Race / Nationality
Some rarer categories:
Trade Union membership (CA)
Crime victim status
Philosophical beliefs
Contents of personal comms
Political Opinion (GDPR)
New Jersey’s Categories of Sensitive Data
Sensitive Data under the NJDPA: Personal data revealing…
Racial or ethnic origin
Religious beliefs
Mental or physical health condition, treatment or diagnosis
Financial information (account no., account log-in, financial account or credit or debit card number + access info to permit access)
Sex life or orientation
Citizenship or immigration status
Transgender / non-binary status
Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;
Personal data from a known child
Precise geolocation
(YELLOW = sets NJ apart)
The Best of Intentions
John, a HR rep for retailer Spatulas n’ More, was advised that Joan - the long-time manager at its Morristown shop - has been diagnosed with a serious medical condition and will need to go on an immediate leave of absence. Because the manager’s medical condition is complicated and Joan is beloved by her co-workers, John wants to be transparent and strike the right tone when he explains to the other store employees why they’ll need to being picking up extra shifts.
To craft the perfect memo and be as accurate as possible about Joan’s condition, John turns to a popular free generative AI assistant to draft an internal memo to store employees about Joan. Without reviewing the tool’s Privacy Notice or Terms of Service, he copies the contents of several emails with Joan and the company’s internal SOPs on employee medical leave into the AI tool and it pumps out a memo that John immediately forwards for distribution.
Things to Think About…
Legal
• Sharing confidential / sensitive information
• Unrestricted sharing with AI
• Existence or violation of policies
Ethical
• Oversharing
• Expectation of privacy
• Transparency
• Supervision of AI production
Artificial Intelligence
AI OUTCOMES, WITHOUT SUPERVISION, CAN BE FLAWED, RESULTING IN BUSINESS RISK
CURRENT GENERATIVE AI PROGRAMS LEARN FROM INPUT DATA AND, THEREFORE, MAY NOT OFFER SECURITY FOR DATA
UTILIZE AI PROGRAMS IN A WAY THAT LIMITS THE RISK OF BIASES AND SHOULD MONITOR PROGRAMS ON A REGULAR BASIS
UNDERSTAND WHERE EMPLOYEES ARE UTILIZING AI PROGRAMS TO THEN UNDERSTAND WHAT CONTROLS AND TRAINING WILL BE APPROPRIATE
Right to Opt In or Opt Out
• Sale
• Targeted Advertising • Profiling
• Sensitive Data
Right to Opt OUT:
✓ Sale of personal data
(ALL STATES)
✓ Processing for Profiling (ALL STATES except Iowa)
✓ Some Automated Decision Making (ALL STATES except Iowa, Utah)
Right to Opt IN:
✓ Processing of Sensitive Data
(ALL STATES except California*, Iowa, Utah)
Easiest way to be Ethical (and not creepy)
DO WHAT YOU SAY (concerning
Data Privacy)
SAY WHAT YOU DO
(with Personal Data)
Ethical Guardrails to keep you on track
(preliminary guidance from NJ Supreme Court – January 2024)
Generative AI: a subset of AI where machine-based systems create materials based on predictive models derived from training with large datasets
If you can’t do it as an attorney, AI can’t do it for you
Truthfulness & Accuracy
▪ RPC 3.1
▪ Non frivolous assertions with a reasonable belief for basis in law or fact
▪ RPC 4.1
▪ No false statements of material facts or law
▪ RPC 8.4
▪ No conduct that is dishonest, fraudulent, deceitful or a misrepresentation
Honesty & Candor
▪ RPC 3.3
▪ No false statements of material fact
▪ RPC 1.2
▪ Cannot use AI to create or manipulate evidence
▪ RPC 1.4
▪ Comply with client’s reasonable request for information with sufficient explanation to make informed decisions
Confidentiality
▪ RPC 1.6 (also ABA Rule 1.6)
▪ Not reveal info relating to representation unless client consults after consultation
▪ Avoid intentional disclosure & make “reasonable efforts to prevent inadvertent or unauthorized access to information related to representation of client
Ethical Guardrails to keep you on track
(Fair Information Practice Principles (FIPPs) – 1973)
Shipment Emergency
Sarah is the chief operating officer at Pork Roll Universe, the most profitable distributor of porkrelated products in South Jersey. To stay profitable, the company keeps a very lean direct payroll and gets nearly all of its non-executive personnel from a temp staffing agency.
Sarah finds out that their regular monthly shipment of snouts and tails has been delayed from Friday to Sunday morning. Unfortunately, their lone forklift operator, Frank, never works on Sundays because of his religious beliefs.
In an attempt to find replacement operator for the delivery, Sarah frantically calls and emails a temporary staffing agency and fully explains why Frank is unavailable for the Sunday shift and pleads for a qualified fill-in to take over Frank’s Sunday shift.
Things to think about…
Legal
• Employee data
• Internal Privacy Policy terms
• Religious belief as sensitive data (opt in/out?)
Ethical
• Oversharing
• Expectation of privacy
• Transparency
Understanding Your Data Flow & Lifecycle
Work across functions to understand how data is collected, used, stored & shared in the Organization
• IT, HR, Finance, Business Affairs, Operations, Commercial, Others?
Leverage Existing Compliance Relationship
• Prioritize data gathering and understanding to create a more compliant organization
• Allow organization to see the value
• Staying within guidelines provides guards against enforcement/internal authority
Point Person(s)
• Each department doesn’t always need to have one
• Consider Privacy Champions or Chief Privacy Officer/Data Protection Officer
• Need constant communication with all the groups
Considerations for Business
• Proactive Prevention versus Reactive Remediation
• Leverage existing compliance infrastructure to adopt a proactive approach to data governance
• What Personal Data is being collected and how?
• Is Personal Data being processed for legitimate and lawful business purposes in accordance with policies, SOPs and applicable law?
• Consider what tools are already in place
• Policies related to how data is collected, used, and handled?
• Is the company already acting transparently?
• Notices and consents collected and maintained (consent management platforms)
• Opportunities to opt-out of certain processing activities
• Vendor Assessments / Contracts / Consents
Thoughtful data governance can protect the privacy of personal data and increase security to reduce the likelihood of misuse, breach and liability
Customer Synergy
Kevin is a tech-savvy marketing director for Break the Table, a small but growing chain of breakfast food trucks famous for their ridiculously large serving portions. BTT has relied upon loyalty program promotions and an easy-to-use mobile app to increase its customer volume by nearly 400% in the last few months.
After seeing the long lines at one of their trucks, the owner of a local gym - hungry to find a pool of potential new gym members - contacts Kevin and offers to purchase the listing of customers who have signed up for the BTT loyalty program and who have signed up to receive text updates about BTT truck locations. Seeing the opportunity to easily feed his marketing budget, Kevin jumps at the offer.
Things to think about…
Legal
• Consumer data rights
• What do individual states require?
• What does the Privacy Notice say?
• Breach of Contract?
• Selling phone numbers without consent?
(Telephone Consumer Protection Act (TCPA) issue)
Ethical
• Transparency
• Breach of Trust
• Brand impact
Building a Compliance Framework
POLICIES, PROCEDURES & EMPLOYEE
TRAINING
DOCUMENTING
COMPLIANCE
EFFORTS
KEEPING PACE WITH LEGAL UPDATES & EMERGING LAWS
Please download and install the Slido app on all computers you use
In the last 12 months, my organization has done the following:
ⓘ Start presenting to display the poll results on this slide.
How to Start
Pick the low hanging fruit first (Privacy Notices, tracking technologies)
Contract examination (Data Processing Addendums)
Informative & accessible internal Policies and SOPs
Website Evidence Collection Report
