Ray Everett

Not another webinar on "it's complicated"! At 11 am EST today (and if you can't make it, register to get the recording from OneTrust!) I will be discussing, together with Alexandra Moylan, Esq., CIPP/US, Julia Jacobson, and Michael Halaiko Esq., CIPP/E what you need to know about the new new state privacy laws and how does the Federal privacy bill #APRA affect them. We will discuss key issues and differences and what are some steps that you need to take to move along with your privacy compliance without #patchworkparalysis (Keir Lamont inspired by you and feel free to re-use 😉) #dataprivacy #dataprotection #privacyFOMO https://lnkd.in/eqWMx2SA

29

2 Comments

Colorado leads the way in protecting neural data privacy with new legislation signed by Gov. Jared Polis. The bill expands the Colorado Privacy Act and sets a precedent for other states. Read more from Constangy Cyber Team member Amanda Novak in the link below. #coloradoprivacyact #cpa #dataprivacy #cybersecurity

2

What to expect from the California Privacy Protection Agency meeting today? Some highlights: Objection to preemptive Federal privacy law: The CPPA will discuss its position on this law, which objects to preemption - this is is also in a letter from Executive Director Soltani and a number of State AGs (https://lnkd.in/erQvhJuX) Discuss California Privacy/AI bills including: (https://lnkd.in/eHRpEzHQ) 🔹 Requiring browsers to honor opt out preference signals (OOPS) (AB 3048) 🔹 Removing the M&A carve out and making data sharing during an asset purchase - a potential sale (AB 1824) 🔹 Adding neural data to the definition of sensitive information (similar to Colorado) (SB 1223). 🔹 Prohibiting a developer from using personal information of an under 16 to train AI without authorization (AB 2877) 🔹 Requiring registration of data digesters (aka "providers" under EU AI Act) and giving AI enforcement authority to the CPPA (AB 3204) 🔹 Imposing requirements re: algorithmic discrimination on developers and deployers (AB 2930) 🔹 Requiring consent for selling or sharing of information of under 18s (AB 1949) [Staff recommended that the agency supports this subject to amendment] (https://lnkd.in/ePDm2uma) 🔹 Data Broker registry regulations (https://lnkd.in/eVqenp-J) (recommend to move to formal rulemaking: https://lnkd.in/eR_hzxJS) 🔹 Amendments to existing regs (https://lnkd.in/ejMng6Jn) #dataprivacy #dataprotection #privacyFOMO #AIFOMO

29

On April 7, 2024, US Senate Commerce Committee and House Energy and Commerce Committee unveiled the American Privacy Rights Act of 2024 (APRA), a comprehensive privacy bill that, if enacted, would set significant data privacy and security standards. The APRA would largely preempt similar comprehensive privacy laws enacted by individual states in the last few years. The APRA would also provide individuals with a limited private right of action to seek monetary and other relief for certain violations by covered entities. Although the APRA is not likely to pass in the current Congress, the bipartisan effort suggests future comprehensive federal legislation. #dataprivacy

4

The Massachusetts Attorney General released guidance on AI developers, suppliers, and users' obligations under Massachusetts consumer protection, anti-discrimination, and data security laws. Nothing earth-shattering in the advisory notice and another example of how existing laws are being used to regulate AI. The advisory presents the below non-exhaustive list of acts and practices that may be considered to be unfair and deceptive under the��Massachusetts Consumer Protection Act: - Falsely advertising the quality, value, or usability of AI systems - Supplying an AI system that is defective, unusable, or impractical for the purpose advertised - Misrepresenting the reliability, manner of performance, safety, or condition of an AI system - Offering for sale or use an AI system in breach of warranty, in that the system is not fit for the ordinary purposes for which such systems are used, or that is unfit for the specific purpose for which it is sold where the supplier knows of such purpose - Misrepresenting audio or video content of a person for the purpose of deceiving another to engage in a business transaction or supply personal information as if to a trusted business partner as in the case of deepfakes, voice cloning, or chatbots used to engage in fraud  - Failing to comply with Massachusetts statutes, rules, regulations or laws, meant for the protection of the public’s health, safety or welfare 

27

Excited to speak as a panelist at CenterForce USA's conference on "Developing a Comprehensive Corporate AI Policy: Legal, Ethical, and Compliance Considerations." This Thursday, May 30 in Chicago, I'll be joining experts 👉 Michael Booden, JD, CIPP/US, CIPP/E, of HUB International 👉 Donna Haddad of IBM 👉 Julie Honor of Thompson Hine LLP and 👉 David Oberst of The Boler Company® for an insightful discussion of best practices for developing a sound corporate #AIPolicy! #AI #AIPolicy #LegalTech #Compliance #dataprotection #datasecurity #cybersecurity #riskmanagement

7

This week, I'm sharing a few quick updates on important developments in the compliance landscape: California AI Bill (AB2930): This bill requires both the deployer and developer of automated decision tools—AI used for critical decisions like employment—to conduct an impact assessment before use and annually thereafter. It also mandates providing statements on the tool’s benefits, intended uses, and deployment methods. The bill has passed the Assembly and is now under Senate consideration. For more detailed insights on AI and employment decisions, check out my webinar: https://lnkd.in/gAy4Gg9E New York (S365B) & Rhode Island (HB7787) Data Privacy Laws: These states have advanced comprehensive data privacy laws, including exemptions for background checks conducted under the Fair Credit Reporting Act. Ohio Salary History Bill (HB398): A new bill has been introduced prohibiting employers from inquiring about a candidate’s past compensation to set future salaries. Denton, Texas: The City Council has opted for a “second chance hiring” ordinance (ID24-1108) instead of the proposed “ban the box” ordinance, incentivizing and protecting employers who hire individuals with criminal records. Stay tuned for more updates on background screening and compliance! #backgroundchecks #payequity #banthebox

54

8 Comments

Last night I attended the first of the California Privacy Protection Agency's Pre-Rulemaking Stakeholder sessions. The session provided an overview of the draft regulations on Risk Assessments, Cybersecurity Audits, and Automated Decision Making Tech. The Agency staff did a wonderful job walking through the regulations, and even created succinct fact sheets on each of them. I highly recommend catching one of the subsequent sessions! In attendance were various delegations of Chambers of Commerce, as well as a contingent of artists working in the entertainment industry. The latter group expressed concern that the very tools they use to create content were surreptitiously feeding their creations into training data sets for AI models. These sessions are designed to educate the public and solicit feedback, so it was reassuring to see various members of the public engage on matters of privacy. That said, I felt that many of the public commentators could have benefited from a pre-read of the excellent resources (including FAQs) on the agency's website. Their website is a treasure trove of useful info, including the aforementioned fact sheets. If you're interested in learning more about the California Privacy Protection Agency's Pre-Rulemaking Stakeholder sessions, be sure to check out their website for more information (link in comments).

34

1 Comment

Please enjoy this short piece by Mallory Acheson, CIPP-E, CIPM and me*. * Mallory is responsible for most of the creation of this. And by “most,” I mean “virtually all.”

1

For all the bored privacy, data sec and compliance folks lulled by the absence of any new laws or changes in the legal landscape (said with oozing sarcasm)- OCR plans to revisit the 20-year-old #HIPAA Security Rule and resurrect the agency’s compliance audits. #privacylaw #dataprotection

12

1 Comment

🇺🇸⚖️ The American Privacy Rights Act of 2024 (APRA) is a significant piece of legislation that aims to establish a unified federal framework for consumer data protection in the United States. As the bill progresses through US Congress, it has sparked a heated debate about the balance between safeguarding consumer privacy and fostering innovation, particularly in the realm of artificial intelligence and data-driven technologies. This article delves into the key provisions of APRA, the potential implications for businesses, and the divergent perspectives of proponents and critics. As the legislative process unfolds, it is crucial for stakeholders to closely monitor the developments and actively engage in the discourse to ensure that the final legislation strikes the right balance between consumer protection and the ability of American businesses to innovate and compete in the global marketplace. 🔎🔗 Read the complete article from Complex Discovery OÜ's data privacy and protection beat at https://buff.ly/3QemDAM. #Privacy #DataProtection #eDiscovery

2

1 Comment

Security threats are getting more sophisticated – and expensive – and this trajectory will continue, according to an article written by Epiq's Brandon Hollinder and published by Insurance Journal. "An outside consultant can help mitigate the risk of cyber incidents by reducing the volume of data stored in a legally defensible manner, data mapping and categorizing files, and advising best practices to follow from both a compliance and security perspective," said Brandon. Access the full article here: https://lnkd.in/gVbnknBi #cyberthreats #cybersecurity #cyberrisk #cyberlitigation #legaltech #inthenews

1

Make sure your ESI protocol gives special attention to Modern Attachments and your collection scope uses the the required tools and methodologies to include all attachments and not just the traditional ones.

11

1 Comment

How to Marie Kondo your DSAR authentication process: Just because data minimization guidance is simple doesn't mean it's easy. I spoke with Danny Bradbury for ISMS.online about the new California Privacy Protection Agency guidance on data minimization in consumer requests (see my summary here: https://lnkd.in/ewM9TpCG) and how it parallels previous EU DPA guidance on the topic ...and we have been advising clients to do about it. https://lnkd.in/e_5VxWBQ Pic by ChatGPT4o #dataprivacy #dataprotection #privacyFOMO

34

1 Comment

Available now: View our discussion on how #healthcare #AItesting can address accuracy, bias, and discrimination in healthcare #AI systems. Featuring speakers Micky Tripathi, Troy Tazbaz, Suresh Balu, Mark Sendak, Danny Tobey, and Sam Tyner-Monroe. #artificialintelligence

4

The California Privacy Protection Agency (CPPA) has released proposed regulations for the DELETE Act. Key points: 📋 Data brokers must register with CPPA and disclose certain information 🔍 New definitions for "direct relationship," "minor," and "reproductive health care data" 🏢 Each data broker business must register independently, regardless of subsidiary status Notable clarifications: • "Direct relationship" defined as intentional consumer interaction within the past 3 years • "Minor" means a consumer known to be under 16 • Detailed definition of "reproductive health care data" provided ❗️ The CPPA is accepting written comments until August 20, 2024. This could significantly impact businesses handling consumer data in California. Are you prepared for these changes? #CaliforniaPrivacy #DataProtection #DELETEAct #CPPA #DataBrokers

4