2022 – a busy year for privacy legislation has already started


In terms of privacy, 2022 is already shaping up to be a busy legislative year. During the first week of January, a number of state and federal privacy bills were announced or introduced for the current legislative session. While it is too early to say where these bills will end up, this level of activity certainly signals another busy year for privacy legislation. Below we highlight some of these bills.

Kentucky HB32

Kentucky introduced a new biometric privacy bill, which would require companies to obtain the prior written consent of individuals and provide them with notice regarding the purpose and duration of the collection, storage and use of their biometric information.

The bill would require companies to create and publicly disclose a written policy establishing retention schedules and guidelines for destroying biometric information if the purpose for which the information was collected has been met, or within three years, whichever comes first. The bill places restrictions on the sale, rental or exchange of biometric information, as well as the disclosure of biometric information. In addition, the bill requires companies to apply a standard of due diligence (within their industry) to biometric information.

The current version of this bill would also provide for a private right of action which, if passed, would make Kentucky the second state to adopt such a right; Illinois is the only current state to offer a private right of action for violations of its biometric privacy law, the Biometric Information Privacy Act (740 ILCS 14/1).

Kentucky HB75

DNA testing is also the subject of a bill in Kentucky, the Protecting DNA Privacy Act. This bill would limit DNA testing to situations where the subject has given express consent, subject to certain exceptions (such as criminal investigations and compliance with the law).

The bill states that the results of these tests are the property of the person tested and cannot be disclosed without their express consent. The bill would also restrict the collection of DNA samples without express consent if the purpose is testing, place limits on the sale or disclosure of DNA results, and restrict the submission of DNA to a company or other person for testing. The bill provides for criminal penalties.

Maryland SB11

This bill would enact Maryland’s Online Consumer Protection and Child Safety Act and allow the attorney general to pass regulations to enforce the law. The bill would impose a number of requirements on certain businesses, including, but not limited to, the following:

  • Notify consumers before or when collecting certain information, including: the categories of personal information collected; the business purposes for which the categories of personal information may be used; the categories of third parties to whom the company may disclose personal information; the business purposes for disclosures to third parties; and consumer rights. If the company has an online privacy policy or website, this information should be provided there.
  • Subject to certain exceptions, provide two or more methods for submitting consumer rights requests (e.g., deletion, right to know, and opt-out of third-party disclosure) and respond to verifiable consumer requests.
  • Provide a clear and visible link on its Internet home page that allows consumers or authorized persons to refuse third party disclosure of personal information.
  • Do not discriminate against consumers for exercising their rights under the law.

Please note that this law does not apply to certain employee information. A violation of the law is considered an unfair, abusive or deceptive business practice.

Maryland SB207

This bill would impose cybersecurity standards on carriers, including insurance companies, health maintenance organizations and third-party administrators, with the stated purpose of establishing data security standards and requirements for the investigation and notification of cybersecurity events.

The bill would require carriers to meet certain cybersecurity requirements, including:

  • Develop, implement and maintain a comprehensive information security program and security measures based on the carrier's risk assessment and meeting certain requirements.
  • Designate a resource person responsible for the information security program.
  • Identify certain internal and external threats, assess the likelihood and potential damage from such threats, and assess the adequacy of policies, procedures, information systems and other protective measures in place to manage these threats.
  • Stay up to date on emerging threats or vulnerabilities and use reasonable security measures when sharing information.
  • Provide cybersecurity awareness training to staff.
  • Require third-party service providers to implement appropriate administrative, technical and physical measures to protect and secure information systems and non-public information accessible or held by them.
  • Establish a written incident response plan that meets certain requirements.
  • Certify annually that an information security program has been adopted and that the carrier complies with the SB207 standard.
  • Investigate when a cybersecurity event has or may have occurred, and in certain circumstances, notify the Maryland Insurance Commissioner of the cybersecurity event.

Oklahoma HB2968 / HB2969

This bill would enact the Oklahoma Computer Data Protection Act of 2022, which would be enforced by the attorney general. The bill would impose a number of requirements on certain businesses, including, but not limited to, the following:

  • Provide certain information to consumers in its privacy policies, including how long the company retains personal information.
  • Collect and/or share consumer personal information with third parties only to the extent reasonably necessary to provide a good or service to consumers, or to the extent reasonably necessary for security or fraud detection purposes.
  • Limit the use and retention of consumers’ personal information to what is reasonably necessary to provide the requested service or for related operational purposes.
  • Educate consumers about their right to opt out of personalized ads.
  • Subject to certain exceptions, provide at least two methods for submitting consumer rights requests (e.g., delete, right to know, and correction) and respond to verifiable consumer requests.
  • Do not discriminate against consumers for exercising their rights under the law.
  • Not design, modify or manipulate a user interface to obscure, subvert or alter the autonomy, decision making or choice of the user.
  • Implement and maintain reasonable security procedures and practices.
  • Enforce compliance requirements with service providers (who must also implement and maintain reasonable security procedures and practices).

Please note that the Act would not apply to certain employee and contractor information, as the Act does not apply to “an employee or contractor of a business acting in his role of employee or contractor”.

The bill, if passed, would be enforced by the attorney general with penalties ranging from $2,500 to $7,500 per violation.

Vermont H515

This bill would enact the Vermont Insurance Data Security Act, which largely mirrors the Maryland SB207 (discussed above), and sets cybersecurity standards as well as reporting requirements for certain regulated entities. However, it should be noted that the bill contains an exception to compliance if the entity complies with the requirements of the New York Department of Financial Services and submits a certificate to that effect to the Commissioner.

The bill would require regulated entities to meet certain requirements, including:

  • Develop, implement and maintain a comprehensive written information security program and security measures based on the entity’s risk assessment and meeting certain requirements.
  • Designate a resource person responsible for the information security program.
  • Identify certain internal and external threats, assess the likelihood and potential damage from such threats, and assess the adequacy of policies, procedures, information systems and other protective measures in place to manage these threats.
  • Stay up to date on emerging threats or vulnerabilities and use reasonable security measures when sharing information.
  • Provide cybersecurity awareness training to staff.
  • Require third-party service providers to implement appropriate administrative, technical and physical measures to protect and secure information systems and non-public information accessible or held by them.
  • Establish a written incident response plan that meets certain requirements.
  • Certify annually that an information security program has been adopted and that the entity is in compliance with the Insurance Data Security Act.
  • Investigate when a cybersecurity event has or may have occurred and, in certain circumstances, notify the commissioner of the cybersecurity event.

Florida SB1864

This bill proposes the Florida Privacy Protection Act and, if enacted, would introduce a number of requirements for controllers similar to those applicable under the California Privacy Rights Act (which takes effect January 1, 2023). These obligations include notification at or before the collection of personal information, consent requirements related to the collection of sensitive data and requirements to respond to verifiable consumer requests, as well as minimum contractual requirements and other obligations related to sub-processors.

The bill would also introduce a number of rights for residents of Florida, including rights to opt out of sales and targeted advertising, and rights of access, correction and deletion. Similar to the Virginia Consumer Data Protection Act and Colorado Privacy Act (both of which came into force on January 1, 2023), it would generally not apply to personal information collected in the context of employment or related to business-to-business communications and transactions.

The law would be enforced by the Consumer Data Privacy Unit within the Florida Department of Legal Affairs, which could bring actions against controllers and contractors for alleged violations, but it does not provide for a private right of action.

Going forward

Many more bills will certainly follow, and we will post alerts on these new bills, as well as on the progress of the ones discussed above, in the future.
