The 2025 Class of Data Privacy Laws: What They Are and How to Best Prepare for Them

December 11, 2024

Presenters

Alfred R. Brunetti, Esq., CIPP/US, CIPM
Principal
Phoebe T. Clewley, Esq.
Associate
Brian C. Clarke
Cybersecurity Manager

Where Are We Today?

As we approach 2025, the landscape of data privacy laws in the United States continues to shift and rapidly expand, with 8 new comprehensive state data privacy laws posing increasing compliance requirements for businesses while offering consumers more control over their personal data.

The use and governance of personal information

It manifests in:

Rights given to Data Subjects

Obligations placed upon Businesses

Attendant Risk Management

By year end 2026…

50% of the U.S. Population

75% of World Population

Falling in SCOPE of State Comprehensive Consumer Privacy Laws

Context (personal/household or employment/B2B)

Number (of consumers)

Activity (with the data)

Revenue (total or specific to actions)

The 2025 Class – Applicability

Delaware - Control or process PD of at least 35,000 consumers (unless solely to process a payment transaction) OR control or process personal data of 10,000 or more consumers AND derives more than 20% of gross revenue from sale of data

Iowa - Control or process PD of 100,000 or more consumers OR control or process PD of 25,000 or more consumers AND derives more than 40% of gross revenue from sale of PD

New Hampshire - Control or process PD of at least 35,000 unique consumers (unless solely to complete a payment transaction) OR control or process PD of at least 10,000 unique consumers AND derive more than 25% of gross revenue from sale of PD

Nebraska - n/a; process or engage in sale of PD (unless a Small Business per the SBA)

New Jersey - Control or process PD of at least 100,000 consumers (unless solely to complete a payment transaction) OR control or process PD of 25,000 or more consumers AND derives revenue or discount from the sale of data

Tennessee

Minnesota - Control or process PD of 100,000 or more consumers (excluding solely to process a payment transaction) OR derive over 25% of gross revenue from the sale of PD AND process or control PD of at least 25,000 consumers

Maryland - Control or process PD of at least 35,000 consumers (unless solely to process a payment transaction) OR control and process PD of at least 10,000 consumers AND derive more than 20% of gross revenue from sale of PD

Web Trackers: Real-World Hypo

Imagine you're browsing online, searching for a new pair of running shoes. Hours later, your phone and every site you visit shows ads for sneakers. Sound familiar? That’s the world of web trackers—tiny, invisible tools shaping our online experience, often without our full knowledge.

How do these trackers work? Are there ways to help us as consumers regain some control over our privacy?

What are Web Trackers?

What is a Web Tracker?

• Web trackers are akin to the paparazzi—they follow us everywhere! They are technologies that collect data about a user’s online behavior like browsing habits, location, and purchase history, often through cookies, pixels, or even device fingerprinting

• Can include cookies, pixels, fingerprinting, and other methods

Why do Web Trackers Matter?

• While some tracking can improve user experience, like remembering your online “shopping cart” or providing personalized recommendations, most web trackers are used for targeted advertising or even more invasive user “profiling”, sometimes jeopardizing users’ privacy and raising security concerns

Web Trackers and Privacy Concerns

Privacy Concerns:

• The data that is collected by web trackers can be broad and contain personal information

• Data can sometimes be collected without user consent/companies do not always disclose what they are tracking and why

• Data collected can be shared with third parties, creating increased opportunities for misuse or data breach issues

• Some web trackers follow users across different websites and can create detailed profiles about those users that may include sensitive information

Security Risks:

• Data collected by trackers, including personal and sensitive data, can sometimes be exposed or hacked, leading to identity theft or other forms of data exploitation

• Some trackers can be embedded in malicious ads or websites, which can infect a device or steal sensitive information

• Some web trackers can be categorized as spyware, which can record and transmit personal information without user consent

What Do We See Across the States?

Balance Sheets (comparison table)

States compared: Virginia, Utah, Iowa, Indiana, Kentucky, Colorado, New Jersey, Delaware*, Oregon***, Minnesota**

Columns compared: definition of "Sale" (monetary or other valuable consideration vs. monetary only); Non-Profits Exemption; Activities Exemptions; GLBA Exemption Types

Some Outliers to Know

Regulations

• California

• Colorado

• New Jersey (soon?)

Specific 3Ps shared with

• Oregon

• Minnesota

• Maryland*

• Delaware*

Small Business Exempt

• Texas

• Nebraska

• Minnesota

NIST = affirmative defense

• Tennessee

Sale

Targeted Advertising

Profiling

Right to Opt OUT:

✓ Sale of personal data

(ALL STATES)

✓ Processing for Profiling (ALL STATES except Iowa)

✓ Some Automated Decision Making (ALL STATES except Iowa, Utah)

Sensitive Data

Right to Opt IN:

✓ Processing of Sensitive Data

(ALL STATES except California*, Iowa, Utah)

Sensitive Data

Categories of SENSITIVE DATA

vary by region & statute

Some unique categories:

Trade Union membership (CA only)

Crime victim status

Philosophical beliefs (CA only)

Contents of personal email, texts

Political Opinion (GDPR only)

Geolocation

Child

Biometrics

Sexuality

Race / Nationality

Biometrics (a category of sensitive data)

Expansion of Biometric / Sensitive Data

Neural and Biological Data

California

Sensitive personal information = personal information that reveals a consumer’s neural data

Neural data = information that is generated by measuring the activity of a consumer’s central or peripheral nervous system and that is not inferred from other nonneural information

Colorado

Sensitive data = biological data

Biological data = data generated by the technological processing, measurement or analysis of an individual’s biological, genetic, biochemical, physiological or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used [jointly or severally] with other personal data for identification purposes

Biological data includes neural data.

Neural data = information that is generated by measuring the activity of a consumer’s central or peripheral nervous system and that can be processed by or with the assistance of a device

Eff: July 1, 2025 (HB 1130)

Can collect an existing or prospective employee’s biometric identifier for security, safety, timekeeping or other purposes if with consent

Maryland

Maryland (MODPA): arguably the strictest of the new class with respect to data minimization requirements.

Can only:

• Collect Personal Data to degree it is reasonably necessary to provide a specifically requested service or product

• Process Sensitive Data only to degree it is strictly necessary to provide or maintain a specifically requested product or service

CANNOT sell sensitive data, regardless of any consent to do so

New Jersey

New Jersey (SB 332 - NJDPA):

• includes certain kinds of financial data (like CA) in its definition of sensitive data and requires affirmative opt-in consent before it can be processed for purposes other than completing a transaction

• Transgender/nonbinary status is sensitive data (like DE, MD & OR)

• Regulations (like CA & CO)

• shorter opt-out period for processing (15 not 45 days)

Minnesota

Minnesota (MCDPA):

• Right to request list of 3Ps (like OR)

• Right to Opt Out or challenge Automated Decision Making (like CA, CO and under GDPR)

• Data Inventory is mandatory part of data security requirements

Rest of the Class

Iowa Consumer Data Protection Act (ICDPA)

• No Rights to Correct or to Opt Out of processing for profiling, targeted advertising or Automated Decision Making

• Need to Opt Out of sensitive data processing

Nebraska Data Privacy Act (NDPA)

• No minimum consumer # threshold (like Texas)

• Small Businesses not in scope

Delaware Personal Data Privacy Act (DPDPA)

• Sensitive data includes status as transgender or nonbinary

• Most non-profits and higher education institutions are in scope

Tennessee Information Protection Act (TIPA)

• NIST Privacy Framework as an affirmative defense

• Similar to Virginia

• $25M as revenue threshold element (Utah)

New Hampshire (SB 255 - NHPA)

• Similar to Connecticut

• Requires controllers to conduct data impact assessment prior to processing sensitive data

Business Obligations (the most common)

Notice

Transparency

Data Processing Agreements

Age-related limitations

No discrimination for exercising data rights

Processing limited to purpose

Data Protection (Impact) Assessments

Consumer Rights (the most common)

Access

Correct

Delete

Portability

Against Automated Decision Making

To Opt Out of certain processing (e.g. sale, profiling, sensitive data)

To Opt In to Sensitive Data Processing

What We Have HEARD: Some FTC and State AG Public Statements on Privacy and Data Governance…

“Companies have a responsibility to secure data they maintain and to delete data they no longer need.” – February 2024, Blackbaud settlement

“Protecting consumers’ sensitive health data is a high priority for the FTC.”

– April 2024, HBNR changes announced

“[Texas is committed] to standing up to the world’s biggest technology companies and holding them accountable for breaking the law and violating Texans’ privacy rights. Any abuse of Texans’ sensitive data will be met with the full force of the law.” - July 2024, Texas A.G. Ken Paxton, CUBI $1.4B settlement

Universal Opt-Outs: A New Trend?

• As 2024 draws to a close and we look ahead to the new class of data privacy laws in 2025, a clear emerging trend is the requirement that websites comply with universal opt-out mechanisms (UOOMs)

• Although there are currently only 2 state data privacy laws with current requirements to honor UOOMs, 2025 brings a new wave of state privacy laws that will recognize UOOMs

• January 1, 2025: Connecticut, Montana, Nebraska, New Hampshire, Texas (and Minnesota and Maryland thereafter)

• January 1, 2026: Delaware, Oregon

• New Jersey is the latest state to add a requirement to recognize UOOMs to its comprehensive privacy law, with the requirement starting July 15, 2025

. . .a controller that processes personal data for purposes of targeted advertising, or the sale of personal data shall allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism

Universal Opt-Out Mechanisms: A Privacy Superhero?

What is a UOOM?

• These mechanisms allow users to opt out of certain types of data collection or tracking across multiple websites and services, as opposed to individually managing settings on each website visited. UOOMs are primarily used for limiting tracking activities like targeted advertising, sale of data, and data collection for analytics purposes

• There are several UOOMs available to consumers:

Global Privacy Control (GPC)

Do Not Track (DNT)

Digital Advertising Alliance (DAA)

App-Based Opt-Out Tools

Effectiveness depends on Compliance

Universal Opt-Outs: Historical Privacy Context

• California’s CCPA was the first to recognize and enforce global opt-out signals, with Colorado following close behind with a requirement starting on July 1, 2024 to recognize and honor UOOMs

• The CCPA and CPA both require that any controller that processes personal data for the purposes of targeted advertising or the sale of personal data acknowledge a user’s UOOM signal

UOOM Signals and Organizational Requirements

Under applicable state privacy laws, if a business receives a UOOM signal, it must stop selling or sharing personal information associated with:

• The browser or device that sent the signal;

• Any profile or identifier associated with the browser or device; and

• The consumer, if known, including when logged into an account with the organization

It is essential that businesses understand how they are utilizing web tracking technologies, including cookies and pixels, and that they are being transparent with consumers/users of their sites

Noncompliance, even if inadvertent, can lead to enforcement
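As an added example (not code from the presentation), the script below shows how a site could apply the three rules above on each request: detect the GPC signal (the `Sec-GPC: 1` request header, or `navigator.globalPrivacyControl` in page scripts), suppress the trackers in its inventory whose purpose is sale, targeted advertising or profiling, and carry the opt-out over to the consumer's account when the requester is known. The tracker inventory, purpose labels and user ids are constructed assumptions.

```javascript
// Added example (not code from the presentation): honor a Global Privacy
// Control (GPC) signal by suppressing the request's sale/targeted-advertising/
// profiling trackers and remembering the opt-out for a known consumer.
// The tracker inventory and user ids below are constructed sample data.

// Browsers send GPC as the request header "Sec-GPC: 1"; page scripts can
// read the same signal from navigator.globalPrivacyControl.
function hasGpcSignal(headers, navigatorLike) {
  const lower = {};
  for (const [name, value] of Object.entries(headers || {})) {
    lower[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  if (lower["sec-gpc"] === "1") return true;
  return Boolean(navigatorLike && navigatorLike.globalPrivacyControl === true);
}

// Constructed inventory of the site's tracking technologies, each tagged with
// its purpose. "essential" (e.g. a shopping-cart cookie) is outside the
// opt-out; the other purposes are the ones the presentation says a UOOM covers.
const TRACKER_INVENTORY = [
  { id: "cart-session-cookie", purpose: "essential" },
  { id: "ad-network-pixel", purpose: "targeted_advertising" },
  { id: "data-broker-beacon", purpose: "sale" },
  { id: "cross-site-profile-script", purpose: "profiling" },
];
const OPT_OUT_PURPOSES = new Set(["sale", "targeted_advertising", "profiling"]);

// Opt-outs recorded against a known consumer, so the choice follows the
// account and not only the browser or device that sent the signal.
const optedOutConsumers = new Set();

// Decide which trackers may load for one request. Returns the decision so it
// can be logged as evidence that the signal was honored.
function applyOptOut(request, inventory = TRACKER_INVENTORY) {
  const signal = hasGpcSignal(request.headers, request.navigator);
  if (signal && request.userId) optedOutConsumers.add(request.userId);
  const optOut = signal || optedOutConsumers.has(request.userId);
  const allowed = [];
  const suppressed = [];
  for (const tracker of inventory) {
    if (optOut && OPT_OUT_PURPOSES.has(tracker.purpose)) suppressed.push(tracker.id);
    else allowed.push(tracker.id);
  }
  return { optOut, allowed, suppressed };
}
```

A second request from the same logged-in consumer, even from a browser that does not send the header, still gets the suppressed list, which is the "consumer, if known" rule above.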

The Building Blocks of Domestic Data Privacy Enforcement

‘Comprehensive’ consumer privacy laws (45% of U.S. population) + consumer health data laws

Biometric-specific data privacy laws (e.g. Illinois, Washington, Texas)

Federal Agencies enforcing by sector – FTC, the de facto privacy regulator, applying its unfair & deceptive powers as ‘gap fillers’

State Attorneys General; Privacy Agency (CPPA); HHS/OCR and DOJ enforcements

Class Actions (VPPA / BIPA / wiretap laws, e.g. CIPA, PA)

State laws complementary to sectoral federal privacy laws (e.g. baby HIPAAs, financial regs, etc)

What We Have SEEN: Some Enforcement Actions of Note

Enforcement Trends

UOOMs and Tracking

Sephora (August 2022) ($1.2M):

▪ Violated the CCPA by deceptively allowing third parties to track consumer information online in exchange for targeted advertisements

▪ Failed to advise that it sold personal data collected on its website and did not honor requests to opt out of sales

Door Dash (February 2024) ($375,000):

▪ Violated the CCPA by selling customer personal information without providing adequate notice or opportunities to opt out

▪ Engaged in marketing co-ops, i.e. provided customer personal information in exchange for an opportunity to advertise their products without contractual controls, i.e. data processing agreement, in place

Avast Software Service Provider (February 2024) ($16.5M):

▪ Used its browser extension and antivirus software to unfairly collect consumer browsing information, stored it indefinitely and sold it without notice or consent

▪ Deceptively claimed its software would protect consumers by blocking 3P tracking but used its own subsidiary to sell the data

Data Sharing and Consent

Sirius XM (November 2024):

▪ Texas recently sent a notice accusing Sirius XM of sharing users’ sensitive data, including location and vehicle data, with third parties without consent or notice

Minor Data

Tilting Point Game Publisher (June 2024) ($500,000):

▪ Violated CCPA and COPPA by collecting and sharing children’s data and selling customer personal information without parental consent

▪ Inadvertently misconfigured third-party software development kits (SDKs) to enable improper collection and did not request users’ age in a neutral manner

Where do we go from here?

Understanding Your Data, Its Flow & Its Lifecycle:

Proactive Prevention versus Reactive Remediation

Work across functions to understand how data is collected, used, stored & shared in the Organization

• IT, HR, Finance, Business Affairs, Operations, Commercial, Others?

Leverage Existing Compliance Relationship

• Prioritize data gathering and understanding to create a more compliant organization

• Allow organization to see the value

• Staying within guidelines provides guards against enforcement/internal authority

Point Person(s)

• Each department doesn’t always need to have one

• Consider Privacy Champions or Chief Privacy Officer/Data Protection Officer

• Need constant communication with all the groups

Integrating Privacy into an Existing Compliance Framework

Consider the Elements of an Effective Compliance Program:

• Written Policies and Procedures

• Effective Leadership and Oversight

• Training and Education

• Effective and Open Lines of Communication

• Enforcing Consistent Standards (Consequences and Incentives)

• Auditing and Monitoring (Evaluate Risk)

• Responding to Detected Offenses and Developing Corrective Action Initiatives

BIG PICTURE

DO WHAT YOU SAY (concerning data privacy)

SAY WHAT YOU DO (with personal data)

Privacy Statement (Policy): Common Elements

Accessible, clear, and meaningful language

Categories of the personal data being processed

Purpose for processing personal data

Categories of all third parties to which personal data may be disclosed

Categories of personal data that is shared with third parties, if any

What Consumer Rights are and how they can be exercised

How changes to the Statement will be noticed

Effective date of Statement

How the business can be contacted with questions

Artificial Intelligence (AI)

AI OUTCOMES, WITHOUT SUPERVISION, CAN BE FLAWED, RESULTING IN BUSINESS RISK

CURRENT GENERATIVE AI PROGRAMS LEARN FROM INPUT DATA AND, THEREFORE, MAY NOT OFFER SECURITY FOR DATA

UTILIZE AI PROGRAMS IN A WAY THAT LIMITS THE RISK OF BIASES AND MONITOR PROGRAMS ON A REGULAR BASIS

UNDERSTAND WHERE EMPLOYEES ARE UTILIZING AI PROGRAMS TO THEN UNDERSTAND WHAT CONTROLS AND TRAINING WILL BE APPROPRIATE

Mitigating Data Privacy Risks

Respect and maintain the privacy of personal data; consider whether data is sensitive data

Don’t use personal data in a manner not disclosed in a privacy policy/statement/notice

Know your data and what, where and how personal data is collected, used/processed, and shared

Don’t make misrepresentations in your privacy policy/statement/notice

Comply with the company’s privacy policy/statement/notice(s) and industry standards

Data Minimization

Data Retention Practices

Implement and maintain reasonable data security measures

Cross Border Transfer Mechanisms

Contract Management & Vendor Assessments

Thank You.

The 2025 Class of Data Privacy Laws: What They Are and How to Best Prepare for Them by Porzio Marketing - Issuu