Omer Tene’s Post

Don't miss Goodwin superstar Federica De Santis explaining this year's trends in US privacy - state and fed laws, litigation trends, regulatory focus, kids, health, data brokers, AI and much more! (Yikes) With Kathryn "Kate" Helin, Val Ilchenko & Paul Iagnocco. Tuesday, July 9, at noon Eastern (Free). https://lnkd.in/eDGazbw2

Starting tomorrow, July 1, Texas - the second largest US state (in population, area and GDP) - will have and enforce a general privacy law. No longer is it just "California and several smaller states" - Texas is a heavy hitting addition to the "state privacy law" column. Our Goodwin privacy/cyber team covers it here, w Jacqueline Klosek, Federica De Santis, Gabe Maldoff, Dena Kia, Jud Welle, Mark David McPherson, Kyle Tayman. https://lnkd.in/eknZunD5 *** Attorney General Ken Paxton is already doubling down on enforcement, announcing a special new taskforce and warning companies that any violations "will be met with the full force of the law" and that "I am doubling down to protect privacy rights.” Message heard loud and clear! https://lnkd.in/ef35gevG *** Indeed, the Texas AG has already emerged as a leading enforcer of privacy laws, bringing actions under the state's biometric privacy statute (CUBI) as well as the data broker legislation. See here about the recent enforcement sweep, including letters sent to 100 data brokers: https://lnkd.in/eR8jBnHy

Today’s momentous decision of the Supreme Court in Loper Bright, ending Chevron deference, is a major blow to agency rulemaking, particularly powered by vague statutes such as the FTC Act. (In addition to agencies such as the CFPB or HHS OCR). In fact, it could potentially apply not only the FTC’s ambitious rulemaking program but also to its enforcement program, which Solove and Hartzog characterized as a “common law”. https://lnkd.in/e4XbDRAC If even needed, it’s yet another reason the US should advance federal privacy legislation. Rulemaking of such detail and magnitude belongs with the legislative branch. *** ✅ Interestingly for privacy pros, the decision quickly follows last week’s U.S. District Court decision in Texas in American Hospital Association v. Becerra, vacating parts of the HHS OCR guidance under HIPAA about use of online tracking tools by covered entities and business associates. https://lnkd.in/eHUT5Vx4 In that decision, the Court held that even with Chevron Deference, HHS OCR exceeded its authority by essentially outlawing a practice based on “an unknowable subjective-intent element.” (Specifically, why is a user visiting, for example, a hospital site – for cancer treatment or to apply for a job….?) *** ✅ Regardless of your position on the allocation of responsibilities between the legislature, courts and administrative agencies, these decisions show a stark difference between U.S. and EU law. In the U.S., law is ultimately made by courts through case-by-case judicial interpretation. In Europe, administrative agencies make law. In the privacy context, this has led to incredibly strict DPA interpretations of GDPR, which have rendered major portions of that law unworkable and detached from market/technological realities.

✳ Is data minimization compatible with AI? More APRA analysis. ✳ A couple of weeks ago, I was asked to debate this question at the grand launch of the FPF Center for Artificial Intelligence https://lnkd.in/eRbkYKj9. (Full program here: https://lnkd.in/e3c8Z6V6). I was charged with arguing the proposition that “data minimization is *not* compatible with AI.” Samir Jain from CDT argued that it was. Samir beat me handily (the audience voted at the beginning and end of the debate). But I share my arguments here given their relevancy to the APRA. *** APRA has a strong data minimization mandate, which I think is wrongly structured and far too strict to allow economic progress and innovation. In short, I think a privacy law should allow legitimate business activity and provide guardrails around the edges; whereas APRA prohibits all business activity except for a list of permitted exceptions. *** In the debate, I made 3 arguments: factual, policy and legal. *** ✅ Factual argument: Not only is data minimization incompatible with the development of AI, it’s anathema to the development of *intelligence*. The very essence of AI, indeed of intelligence, is the ability to discover new patterns, correlations and trends in data. Limiting data (think, the Catholic church’s geocentric model) = limiting intelligence (Gallileo looking out to the stars). *** ✅ Policy argument: A strong data minimization mandate assumes privacy is more important than any other societal value, including innovation, safety, national security, medical research, efficiency, anything really! Maybe it is and maybe it isn’t. But I don’t think we’ve publicly debated and come around to the conclusion that privacy is more important than everything else. *** ✅ Legal argument: APRA states companies may not collect/process PII beyond what is necessary, proportionate and limited to provide a specific product or service requested by an individual. That’s incredibly harsh. Even GDPR, which is considered strict, has the important safety valves of “consent” and “legitimate interests”. APRA doesn’t. Instead, it provides a list of exemptions, enumerated permitted uses. But what about the *un*enumerated uses? That’s where progress and innovation takes place. Years before they “arrived”, would we have enumerated mobile phones, social media, gig economy, crypto, AI itself? Indeed, APRA’s data minimization language flips the law on its head: instead of providing that everything is allowed except what’s forbidden, it says everything is forbidden unless allowed. That’s not the structure of U.S. law.  

Quick thoughts on APRA v3, the draft federal privacy law percolating in House E&C. *** The new draft omits a major part of APRA v1 & 2, namely the provisions on civil rights, algorithm assessments and consequential decision making. I wonder if Sen. Cantwell will support these changes. *** At the same time, the draft maintains the very strong data minimization mandate. And on the most widely debated issue, targeted advertising, it remains circular and IMHO incoherent. It introduces a new term, “online activity profile”, which essentially means browsing data, and categorizes it as “sensitive”. It then proceeds to permit first party and targeted advertising (including measurement and attribution) *except* with respect to sensitive data. But since sensitive data includes the online activity profile, the exclusion gives with one hand what it taketh away with the other.    *** Will businesses support APRA? On the one hand, state privacy laws are proliferating, exerting increasing pressure on businesses to strike a deal on preemption. It’s no longer just “California and several small states”. Companies will need to comply with Texas’ law, which goes into effect in a couple of weeks. And New York just passed two strict children’s privacy laws today. It's becoming complicated and messy. *** On the other hand, APRA is still incomparably tougher than any state privacy law. It’s not just the strict data minimization; it’s also novel concepts such as executive responsibility (a SarbOx-type executive certification of privacy governance). And more than anything – it features a relatively broad private right of action, which so far none of the state privacy laws have (except Washington’s sectoral MHMDA). So businesses may prefer complying with even the strictest state laws than with APRA.   *** The final balance shows both sides losing issues that are near and dear, which is the hallmark of a good bargain. Despite that, in today’s climate, don’t hold your breath.

APRA 3.0: The two corner bill becomes three corners as Pallone and CMR reach agreement on text. It's now likely the bill will get a floor vote. And pass resoundingly. Federal privacy law takes another big stride.

CCPA enforcement action #3: And here comes the California AG together with the LA City Attorney with the third CCPA enforcement action (after Sephora and DoorDash), this time against Tilting Point Media, a game maker. The attorneys allege violations of COPPA and CCPA. *** Tl;dr The company developed a SpongeBob game and allegedly didn't obtain (a) parental consent for under 13 users or (b) users' affirmative opt in consent for sharing data of users 13-17. *** A couple of interesting points: ✅ Children's data: Every policymaker/ regulator is focused on children's data these days. And by children I mean under 18 = no longer just COPPA's U13. Frank Pallone held up the APRA because in his opinion it lacked sufficient punch on kids' data. Perhaps we'll see a breakthrough there at some point. https://lnkd.in/eNJeVsHW Maryland passed an age appropriate design code last month https://lnkd.in/edsqFNRW. And last week New York passed two children's data laws, which await the governor's signature. https://lnkd.in/e6QW4adS. ✅ OUT: AI governance; IN: SDK governance: The AG focuses on the allegation that the company "incorrectly configured software development kits (SDKs)" on its app. Indeed, the stipulated judgment it requires the company to "implement and maintain an SDK governance framework". This should serve as a wakeup call to apps (and websites) that are unaware of what SDKs (or cookies, pixels, scripts) are embedded in their product and what data they collect or share. ✅ Opt in for under 18: In California, if children under 18 use your site, you *must* get affirmative opt-in consent if you integrate trackers for advertising purposes. Per Sephora and DoorDash, the AG considers this a "sell or share"'; and for "selling or sharing" U18 data in California, the rule is *opt in* and not opt out. ✅ It's getting hot in here: As expected, CCPA enforcement is just gearing up, and 16 more state laws are coming into force in the near future. If you haven't already, get your data practices in order, or else......

AI governance and the Brussels Effect: It took *two years* after the 2016 passage of GDPR for a US state, California, to pass its own version of comprehensive privacy legislation (CCPA, 2018), rich with GDPR concepts such as controller/processor and a right to delete. It took barely *two months* for the EU AI Act to spill over to the US, with Colorado passing the Colorado AI Act (CAIA). See Tatiana Rice's Future of Privacy Forum definitive 2-page summary attached. Legislative text here: https://lnkd.in/eH9xGxsy *** Like the EU AI Act, CAIA distinguishes between providers and deployers. And focuses on high risk AI systems. Its definition of an AI system is quite similar to that of the EU. *** But being a US (state) law, CAIA is one-tenth the length of its EU relative, much less bureaucratic and more principle based. It focuses on eliminating “algorithmic discrimination” from “consequential decisions” defined as those that have “a material, legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: (A) Education; (B) Employment; (C) Financial or lending services; (D) Essential government services; (E) Healthcare service; (F) Housing, (G) Insurance, or (H) Legal services.” ***   CAIA imposes a *duty of care* on providers and deployers to prevent algorithmic discrimination. It requires them to disclose the types of data used to train their AI, including “the data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation”.    *** Unlike the EU AI Act, the CAIA provides individuals with a set of rights, including the rights to understand, correct and appeal AI-driven adverse consequential decisions.   *** CAIA goes into effect February 1, 2026.

The privacy law canon: What are the top 5 privacy law articles of the past generation? There’s been so much spectacular scholarship, and a sea change in law and policies, that it’s really difficult to select. And I apologize in advance for the many, many great contributions not listed here. All are worthy, but here are a few to start: *** Daniel Solove, A Taxonomy of Privacy (Penn. L. Rev. 2006). No scholar has been as prolific – and has left such a mark on privacy law and policy – as Dan. I chose his taxonomy, which categorizes privacy harms, since it set forth a common nomenclature for our field that everyone uses today. It begins with the immortal words, “Privacy is a concept in disarray. Nobody can articulate what it means.” Thanks to Dan, we understand it much better. https://lnkd.in/eQQwVX-X *** James Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty (Yale L. J. 2004). This iconic piece set the stage for the epic clashes between the EU and US privacy frameworks. In short, Whitman explains that while Americans view privacy as an aspect of liberty (typically vs. government overreach), Europeans consider it part of human dignity (often vs. commodification by corporations). https://lnkd.in/ea3fF2ip *** Danielle Citron, Technological Due Process (Wash. U. L. Rev. 2008). Fifteen years ago, this piece presaged the emergence of AI law. It predicts the risks of algorithmic decision making and the “automated state” on individuals’ due process rights and – to use Whitman’s categories – liberty *and* dignity. https://lnkd.in/ettkv_Aq *** Joel Reidenberg, Privacy Wrongs in Search of Remedies (Hastings L. J. 2002). Reidenberg – who started writing about privacy and data protection in the mid 1990s – was incredibly prolific. I really like this article, since it cuts to the central challenge in US privacy law: articulating privacy harms and calibrating legal remedies. https://lnkd.in/emsRchrJ *** Julie Cohen, Examined Lives: Informational Privacy and the Subject as Object (Stan. L. Rev. 2000). Julie Cohen is the preeminent legal philosopher of privacy. For me personally, her 2000 article in a Stanford Law Review symposium was one of the reasons I decided to enter privacy. In it, Cohen unpacks some of the colossal power structures that intersect in privacy law, including liberty, property, speech, economic efficiency and technology.  https://lnkd.in/eEwQvQfS *** Paul Schwartz, Privacy and Democracy in Cyberspace (Vand. L. Rev. 1999). I know I said five…. But the privacy canon wouldn’t be what it is without Paul. This article charted a path for the next 20 years of scholarship on online privacy. https://lnkd.in/ewkBZxME