Quels changements ont été apportés à la définition des données biométriques ?

La définition exclut désormais les photographies, enregistrements audio ou vidéo et leurs dérivés, sauf s'ils sont générés pour identifier une personne spécifique.

Qu'indique le projet de loi sur la collecte de données de mineurs ?

Il exige le consentement pour toute collecte ou traitement de données provenant de mineurs identifiés.

Comment le projet de loi traite-t-il la vente de données sensibles ?

La vente de données sensibles est interdite, même avec consentement.

Y a-t-il des exceptions à la déclaration publique de certaines informations ?

Les données biométriques collectées par une entreprise à l'insu du consommateur ne sont pas considérées comme des informations publiquement disponibles.

Comment le projet de loi définit-il le ciblage publicitaire ?

Le ciblage publicitaire basé sur les interactions avec des sites distincts d'une entreprise nécessite un consentement, sauf pour la publicité du premier parti.

Quelles modifications ont été apportées au seuil d'applicabilité de la loi ?

Les seuils ont été augmentés initialement et seront réduits progressivement sur plusieurs années.

Quel est le statut de la vente de données des mineurs ?

La vente des données des mineurs est interdite lorsque l'entreprise sait ou évite délibérément de savoir que l'utilisateur est mineur.

Quelles sont les nouvelles obligations pour les courtiers en données ?

Ils doivent s'assurer que les informations personnelles sont utilisées à des fins légitimes et ne pas les fournir s'ils ont des raisons de croire qu'elles seront utilisées illégalement.

Comment le projet de loi aborde-t-il le droit privé d'action ?

Il introduit des dommages-intérêts statutaires disponibles après notification et échec à corriger une violation.

Quand les exemptions et nouvelles règles prendront-elles effet ?

Les changements s'appliqueront progressivement à partir de juillet 2025, avec des étapes d'ajustement jusqu'en 2029.

House Commerce - 2024-05-06 - 8:30AM

01:15:55

https://www.youtube.com/watch?v=y4D_ZAUKKC0

概要

TLDRLe document détaille les délibérations de la commission sur le projet de loi h121 relatif à la confidentialité des données. Parmi les principaux points abordés, on note des modifications sur la définition des données biométriques, qui n'incluent plus les photographies et enregistrements sauf s'ils servent à identifier une personne. Le projet renforce la protection des données des mineurs, exigeant un consentement explicite pour leur collecte et traitement. Un point majeur est l'interdiction de la vente des données sensibles, même avec consentement. Le ciblage publicitaire est également abordé, limitant les publicités ciblées aux interactions avec le site même d'une entreprise, sauf consentement. Les seuils d'applicabilité de la loi sont augmentés initialement puis réduits progressivement. Une attention particulière est portée sur les courtiers en données, insistant sur l'utilisation légitime des informations. Enfin, le projet de loi introduit un droit d'action privée permettant des dommages-intérêts statutaires sous certaines conditions, avec une application progressive des modifications jusqu'en 2029.

収穫

🔍 La définition des données biométriques exclut les simples photographies à moins qu'elles ne soient utilisées pour identifier.
🛑 La vente de données sensibles est totalement interdite.
👶 Le consentement est requis pour le traitement des données de mineurs.
📊 Les seuils pour appliquer la loi augmentent puis sont réduits progressivement.
🛡️ La loi impose des obligations de vérification de l'utilisation légitime aux courtiers en données.
📈 Le ciblage publicitaire doit être basé sur la première partie, sauf consentement.
⚖️ Le droit d'action privée inclut des dommages-intérêts statutaires après des violations non corrigées.
📑 Les nouvelles règles seront implémentées progressivement de 2025 à 2029.
🔄 Les modifications apportées par le Sénat sont partiellement acceptées dans le projet final.
🕒 Un échéancier progressif est établi pour les nouvelles obligations de conformité.

タイムライン

00:00:00 - 00:05:00
Introduction des discussions du comité sur la confidentialité des données avec l'Attorney John Gray. Il présente une version modifiée du projet de loi h121, mettant en lumière les changements récents liés à la confidentialité des données par rapport à la version du Sénat, notamment des modifications non substantielles concernant les définitions.
00:05:00 - 00:10:00
Spécifications sur les données biométriques : les photographies et enregistrements ne sont plus inclus à moins qu'ils ne soient utilisés pour identifier un individu, clarifiant ainsi les données sensibles. Accent sur une meilleure protection consistant à harmoniser les législations nationales tout en permettant des transferts d'images sans entrave. Changements relatifs au traitement des données des mineurs pour minimiser les risques.
00:10:00 - 00:15:00
Clarification sur l'information de géolocalisation, reformulée pour se conformer aux pratiques des autres États tout en étant plus protectrice. Vérification des exclusions concernant les informations disponibles publiquement et confirmation que la génération de données biométriques sans consentement ne sera pas considérée comme publique.
00:15:00 - 00:20:00
Discussion sur la nécessité d'inclure des tatouages et autres caractéristiques physiques dans les données biométriques. L'accent est mis sur la distinction entre identification passive par photo et collecte active d'informations sensibles. Préoccupation sur la suppression des blessures mentales dans la protection des données des mineurs.
00:20:00 - 00:25:00
Suppression des blessures mentales de la section concernant le préjudice aux mineurs. Discussion sur l'implication de l'exclusion des résidents temporaires des protections. Continuité sur les exigences de protection pour les mineurs connus. Ajustements mineurs sur les catégories de données sensibles et les pratiques de commerce.
00:25:00 - 00:30:00
On discute de la commercialisation des données personnelles, s'inspirant des propositions du Sénat mais gardant des protections importantes pour éviter les échanges non monétaires de données. Inclusion des déclarations fiscales dans les informations financières sensibles, et élargissement de la protection pour les mineurs.
00:30:00 - 00:35:00
Modification majeure pour inclure les données des mineurs de plus de 13 ans comme sensibles et requérant un consentement direct, sans nécessiter celui des parents, pour se conformer à d'autres législations récentes. Ajustement des publicités ciblées pour autoriser celles de première partie mais avec restrictions pour les mineurs avec consentement opt-in.
00:35:00 - 00:40:00
Limitations de l'applicabilité des lois avec des seuils augmentés progressivement pour permettre une mise en œuvre phasée de la réglementation sur la confidentialité des données. Ajustements des exemptions pour les organisations à but non lucratif suivant le modèle du Sénat, concentré sur l'utilisation institutionnelle des données.
00:40:00 - 00:45:00
Les droits des consommateurs sur les données sont clarifiés avec une note sur la non-obligation de suppression en cas d'exigence légale. Les obligations des contrôleurs sont précisées, notamment en matière de limitation de la collecte des données selon les nécessités raisonnables, éliminant les publicités ciblées de première partie nécessitant un opt-in.
00:45:00 - 00:50:00
Changement majeur impliquant l'interdiction de la vente de données sensibles, s'alignant sur les pratiques du Maryland et créant des implications significatives pour la conformité des entreprises. Discussions sur les implications d'interdiction ou de consentement en matière de publicité et de vente de données de mineurs.
00:50:00 - 00:55:00
Révision des obligations des contrôleurs concernant les données des mineurs, intégration de principes plus stricts liés à la durée et à la finalité de la conservation des données. Clarifications sur l'authentification et la localisation IP pour vérifier la résidence pour les droits de données régionales.
00:55:00 - 01:00:00
Ajustements linguistiques pour rendre la législation plus cohérente, notamment en ce qui concerne la connaissance délibérée des consommateurs mineurs, renforçant l'alignement avec d'autres lois existantes. Maintien des exclusions de géolocalisation et de la collecte de données non essentielles dans d'autres sections législatives pour d'autres lois comme le Kids Code.
01:00:00 - 01:05:00
Adaptation de la réglementation du courtage de données avec la suppression des options d'opt-out individuelles pour favoriser les études et recommandations futures sur la faisabilité d'un opt-out général facilité par l'État, impliquant différentes agences pour établir rapport et recommandations.
01:05:00 - 01:10:00
Démonstration des changements des pénalités pour le non-respect de l'enregistrement des courtiers en données avec des amendes accrues mais avec une période d'attente étendue à 30 jours pour des ajustements. Nouvelle obligation de vérification des licences d'utilisation pour les courtiers en données avant la diffusion des informations.
01:10:00 - 01:15:55
Implémentation phasée des seuils d'applicabilité et des droits d'action privés : initialement basés sur la protection des consommateurs déjà en place, évoluant vers des dommages-intérêts potentiels statutaires pour les violations de données sensibles et des mineurs. L'analyse de ces nouveaux cadres commence en 2027 avec un suivi complet requis.

よくある質問

Quels changements ont été apportés à la définition des données biométriques ?
La définition exclut désormais les photographies, enregistrements audio ou vidéo et leurs dérivés, sauf s'ils sont générés pour identifier une personne spécifique.
Qu'indique le projet de loi sur la collecte de données de mineurs ?
Il exige le consentement pour toute collecte ou traitement de données provenant de mineurs identifiés.
Comment le projet de loi traite-t-il la vente de données sensibles ?
La vente de données sensibles est interdite, même avec consentement.
Y a-t-il des exceptions à la déclaration publique de certaines informations ?
Les données biométriques collectées par une entreprise à l'insu du consommateur ne sont pas considérées comme des informations publiquement disponibles.
Comment le projet de loi définit-il le ciblage publicitaire ?
Le ciblage publicitaire basé sur les interactions avec des sites distincts d'une entreprise nécessite un consentement, sauf pour la publicité du premier parti.
Quelles modifications ont été apportées au seuil d'applicabilité de la loi ?
Les seuils ont été augmentés initialement et seront réduits progressivement sur plusieurs années.
Quel est le statut de la vente de données des mineurs ?
La vente des données des mineurs est interdite lorsque l'entreprise sait ou évite délibérément de savoir que l'utilisateur est mineur.
Quelles sont les nouvelles obligations pour les courtiers en données ?
Ils doivent s'assurer que les informations personnelles sont utilisées à des fins légitimes et ne pas les fournir s'ils ont des raisons de croire qu'elles seront utilisées illégalement.
Comment le projet de loi aborde-t-il le droit privé d'action ?
Il introduit des dommages-intérêts statutaires disponibles après notification et échec à corriger une violation.
Quand les exemptions et nouvelles règles prendront-elles effet ?
Les changements s'appliqueront progressivement à partir de juillet 2025, avec des étapes d'ajustement jusqu'en 2029.

ビデオをもっと見る

AIを活用したYouTubeの無料動画要約に即アクセス！

字幕

オートスクロール:

00:00:00
of May
00:00:02
6 house Commerce and committee on the
00:00:06
committee on Commerce and economic
00:00:08
development um
00:00:11
8:30ish and we'll start with
00:00:15
um Attorney John gr do a walkthrough of
00:00:23
h121 uh John Gray office of legislative
00:00:26
Council I will screen share
00:00:30
yeah that's pretty
00:00:33
good okay
00:00:35
so you guys have seen this many times
00:00:38
but it's been a little while um we're
00:00:41
jumping back into Data privacy the
00:00:44
highlighting that you're going to see
00:00:45
here is the changes relative to the
00:00:46
version as passed out by you guys passed
00:00:49
out by the house um not against what the
00:00:53
Senate has done and obviously that's
00:00:54
still ongoing my understanding is that
00:00:57
this language is being considered and
00:00:58
this is what you see in the Stream range
00:01:00
head at the top um for inclusion in s289
00:01:05
so with that I will jump in and I will
00:01:06
call out where there are changes some of
00:01:08
it you won't see and I will try to call
00:01:10
that out others should be in
00:01:12
highlighting when I say that you won't
00:01:14
see it it's a deletion so the first
00:01:17
piece is just the first definition
00:01:18
previously was abortion this is a
00:01:20
cleanup change to remove that because
00:01:22
there were no other references that
00:01:23
pulled in that term so it wasn't
00:01:25
necessary to call it out it's not a
00:01:27
substantive change this doesn't affect
00:01:29
anything about reproductive health or
00:01:30
the like this is just cleanliness
00:01:33
basically tidiness for the document
00:01:36
um there is a change to biometric data
00:01:39
so this is a fairly substantive one this
00:01:42
is essentially accepting what Senate
00:01:45
Economic Development proposed um to the
00:01:48
definition of biometric data you may
00:01:49
recall that previously this list of and
00:01:52
just to reorient biometric data is a
00:01:54
kind of sensitive data so we're talking
00:01:55
about opin consent for this kind of
00:01:57
processing uh previously biometric data
00:02:00
included as
00:02:01
subdivisions seven or romanet 7 and 8 uh
00:02:05
photographs depictions images recordings
00:02:07
and then data derived from those pieces
00:02:10
what you see now is those have been
00:02:11
pulled out um and replaced with
00:02:13
biometric data does not include those
00:02:15
digital or physical physical photographs
00:02:17
audio or video recordings or any data
00:02:19
generated from those photographs or
00:02:21
recordings unless and this is key unless
00:02:24
such data is generated to identify a
00:02:25
specific individual so what this is
00:02:26
meant to say is just regular images and
00:02:30
the like are not meant to be picked up
00:02:31
by the definition of biometric data
00:02:33
that's not going to be sensitive data
00:02:34
that requires opt-in however if people
00:02:36
are generating the face templates that
00:02:39
you see above um or other things from
00:02:41
those photographs or recordings that
00:02:43
would be a kind of biometric data so
00:02:44
this is a nice separation um aligned
00:02:48
with other states allows you to get at
00:02:49
the kind of harm that you were trying to
00:02:51
get at I think with those previous
00:02:53
categories but avoids essentially
00:02:56
cutting off um a lot of transfers of
00:03:00
images depictions recording so I think
00:03:02
that this is a safer position a Le a
00:03:05
more defensible position to be in and
00:03:06
still lets you get at the same kinds of
00:03:08
harms that you were trying to get
00:03:11
at we'll jump down to uh heightened risk
00:03:15
of harm to miners there's one change
00:03:17
here which you won't
00:03:19
see yes heighten risk of harm to a minor
00:03:22
um in speaking with others this
00:03:25
subdivision B about processing personal
00:03:28
data of a minor in a manner presents a
00:03:30
reasonably foreseeable risk of financial
00:03:32
physical or reputational injury uh this
00:03:35
is previously contemplated emotional and
00:03:37
mental injury to the minor out of a
00:03:40
concern that uh these might be too
00:03:43
expansive uh to put you kind of in a
00:03:45
more defensible place those have been
00:03:47
removed and to align with the approach
00:03:48
in other stacees and I think that this
00:03:49
is also aligning with kids code although
00:03:52
admittedly I don't know as much about
00:03:54
hit code to say um but this is kind of a
00:03:57
a safety type change it still preserves
00:03:59
other kinds of injury here including
00:04:03
importantly reputational injury which is
00:04:06
sort of in the same vein but more
00:04:07
precise than just what is mental injury
00:04:10
to a minor
00:04:13
sure uh I can jump down
00:04:16
to precise geolocation data uh this
00:04:20
aligns essentially with the approach
00:04:22
taken in other states except that we use
00:04:24
a radius of 1,850 Ft which is broader uh
00:04:28
so it's more protective than than what
00:04:30
other states use it's from Toy 1750 I
00:04:33
think that California uses 1850 um
00:04:36
basically the previous definition you
00:04:37
had captured this same content except
00:04:40
that had it had a line that um in effect
00:04:44
and it's interesting that no one really
00:04:46
went into this uh there was a line in
00:04:48
the previous draft that essentially made
00:04:50
any data generated from a phone uh
00:04:53
precise gation data whether or not it
00:04:56
was used or could be used to identify
00:04:58
specific location of a consumer so that
00:05:00
has been pulled out I don't think that
00:05:02
was probably anyone's actual intent so
00:05:05
this aligns with other states this is um
00:05:08
still getting at the same kind of data
00:05:09
that you want to get
00:05:15
it publicly available information this
00:05:18
is
00:05:19
a
00:05:22
change um to add in a new piece to make
00:05:26
clear that biometric data that is
00:05:27
collected by a business about a consumer
00:05:30
without that consumer's knowledge would
00:05:32
not be publicly available information so
00:05:33
this is you know someone's just taking a
00:05:35
picture you're sitting in a cafeteria
00:05:37
whatever it is it's you can be seen
00:05:39
there but if people start generating
00:05:41
biometric data from that um that would
00:05:44
not be considered publicly available
00:05:45
information just because you happen to
00:05:46
be sitting um out in public they had to
00:05:49
take that step to create the biometric
00:05:51
data and this is a way of ensuring that
00:05:54
because as you'll recall publicly
00:05:55
available information is not part of the
00:05:57
category of personal data which means it
00:05:59
is not not regulated under the act so if
00:06:02
biometric
00:06:03
data otherwise met the common sense uh
00:06:07
understanding what publicly available
00:06:08
information was you can imagine that all
00:06:10
kinds of bace scraping and just people
00:06:12
sitting out on a sidewalk and and
00:06:14
capturing folks would be not picked up
00:06:17
at all by the act so this is a way um of
00:06:20
making sure that you do get at those
00:06:22
kinds of biometric data and this is
00:06:24
consistent with I know that Maryland
00:06:26
just did this it may be that other
00:06:28
states are taking this approach but this
00:06:31
is a newer piece I believe but one that
00:06:34
is consistent with the intent that you
00:06:36
guys have had and I think is more
00:06:37
protective of
00:06:40
consumers can I ask as we're going along
00:06:42
or do we need to wait until we get
00:06:45
through the
00:06:46
document I think it's fine to address it
00:06:48
go ahead y okay thanks so on the on the
00:06:52
publicly available information does not
00:06:54
include biometric data collected could
00:06:57
it do we need the word biometric there
00:06:59
does not include data collected by a
00:07:01
business about a consumer without the
00:07:03
consumer's knowledge or is that we do
00:07:05
need Biometrics because if you have just
00:07:08
generally data collected without the
00:07:10
consumer's knowledge that really is kind
00:07:12
of Common Sense understanding of what
00:07:14
publicly available is so we're not
00:07:16
trying to restrict um people can take
00:07:20
pictures
00:07:21
or capture folks out in public you don't
00:07:24
have an expectation of privacy in public
00:07:27
in that sense so we're not trying to
00:07:29
disrupt it so that anywhere you go
00:07:31
people
00:07:32
cannot do things you know about you they
00:07:35
can't uh capture your speech or the like
00:07:37
we just don't want them to use that
00:07:39
information in particular ways I'm
00:07:42
saying we it's you guys you guys don't
00:07:43
want them to use information in
00:07:45
particular ways that are threatening to
00:07:47
Consumers um but we don't want to run
00:07:50
into Free Speech concerns with just
00:07:52
folks um out and about regularly
00:07:55
understood publicly available
00:07:56
information they can no longer collect
00:07:58
it they can no longer trans we're not
00:08:00
trying to cause that huge alteration in
00:08:03
how um public interaction works that's
00:08:06
not what this is meant to do this is
00:08:07
just meant to get at a specific kind of
00:08:10
heightened uh harm and as we talked
00:08:13
about with the category of biometric
00:08:14
data we're also talking about something
00:08:16
that requires a little bit of a step
00:08:18
right um those facial templates and
00:08:20
fingerprinting and the like that's not
00:08:22
something that you just immediately have
00:08:25
by virtue of being out in public that's
00:08:27
a step taken to identif by someone on
00:08:30
the basis of information does that make
00:08:31
sense yeah that's much thank you I
00:08:34
appreciate that j a question um as long
00:08:38
as we're jumping in I was looking at the
00:08:40
biometric data and the things that
00:08:42
you're collecting and it struck me that
00:08:45
maybe included in that we should include
00:08:48
tattoos and other body
00:08:51
decorations H
00:08:54
um so that's interesting uh it's
00:08:58
definitely something that could be used
00:08:59
to identify a person
00:09:01
ums do it all the
00:09:04
time right
00:09:08
um data generated from the technological
00:09:10
processing of an individual's unique
00:09:12
biological physical
00:09:14
characteristics that's linked or Reason
00:09:20
linkable so I think it would depend uh I
00:09:23
get like as this is set up the tattoos
00:09:26
would not be picked up as just
00:09:29
physical photographs a physical
00:09:31
photograph but
00:09:34
um trying to think of What technological
00:09:36
processing of that would be that allows
00:09:40
for reasonable linking that's beyond
00:09:41
just a photograph because we are trying
00:09:44
to accept the syic compromise here of
00:09:47
excluding those photographs and I think
00:09:49
it's clear from a from a photograph that
00:09:51
you can just look um and make an
00:09:54
identification of tattoos if it was
00:09:56
something that went beyond that um
00:10:01
so I I guess maybe the third piece here
00:10:02
is to your point any data generated from
00:10:04
that photographs um to identify a
00:10:07
specific individual so if that was the
00:10:09
purpose of doing it then I think there
00:10:11
is an argument that it's not excluded
00:10:12
under this
00:10:14
B3 um but we're not trying to prohibit
00:10:17
the photograph itself it's just meant to
00:10:20
be
00:10:21
if people are essentially setting up a
00:10:23
database of identification on those
00:10:26
purposes I think that's what we're
00:10:27
excluding but we're not otherwise
00:10:29
excluding including the
00:10:30
photograph I don't know if that's a
00:10:33
satisfactory
00:10:34
answer wouldn't tattoo be the same thing
00:10:37
as like um normally identifiable things
00:10:40
like hair color eye color right it is a
00:10:43
kind of physical characteristic that is
00:10:45
reasonably linkable to an individual so
00:10:46
that's it's captured in the concept I'm
00:10:48
just trying to like this right here it's
00:10:51
it is a unique characteristic that can
00:10:54
be linked to them very obviously I'm
00:10:55
just trying to draw out how that would
00:10:57
be different than a fingerprint a
00:11:00
fingerprint you take an active Step
00:11:02
Beyond taking a picture of someone right
00:11:04
and we're saying the picture is excluded
00:11:06
the fingerprint it's obvious that we
00:11:08
take a step to do that I'm trying to
00:11:09
think about what the extra Step Beyond
00:11:11
photograph is for tattoos because it's
00:11:14
so obvious that from a t from a picture
00:11:16
we can just identify a particular person
00:11:19
um so I think it goes to something like
00:11:22
are we
00:11:23
generating similar to face mapping
00:11:25
geometry or templates uh are we
00:11:28
generating data for the specific
00:11:30
purposes of identification I think this
00:11:32
is what this concept does pick up if
00:11:35
you're generating for the specific
00:11:37
purposes of identification but doesn't
00:11:39
otherwise limit just the photograph
00:11:42
person who happens to have tattoos
00:11:44
that's a non-exhaustive list right this
00:11:46
is just it is it is non exhaustive but I
00:11:48
think it is important to say B does
00:11:50
definitively exclude from the concept
00:11:52
digital or physical photographs and
00:11:54
audio or video reporing so we're not
00:11:55
saying it might fit under the
00:11:58
non-exhaust of list it is excluded under
00:12:01
B definitively and we're just talking
00:12:03
about picking up that extra step taken
00:12:06
to identify a specific
00:12:09
individual um I don't know where this
00:12:11
was now I lost my place but we took out
00:12:14
mental and um psychological injuries
00:12:18
you're talking about heighten risk of
00:12:20
harm to a minor sorry you're
00:12:26
good yes from B and I'd just like to
00:12:31
flag for future reference that we're
00:12:34
doing a whole lot in um Health Care to
00:12:37
have parity between mental health and
00:12:40
physical health and from my
00:12:43
perspective that takes away some of the
00:12:47
mental
00:12:48
injury and the significance of that so
00:12:52
no I I totally took the point um and and
00:12:55
if we're working so hard in one area
00:12:59
it's unfortunate that we can't also have
00:13:03
parody in this and I'd like that to be
00:13:05
flagged them on the record and uh to to
00:13:09
your point um what we're talking about
00:13:11
when we talk about hiding risk of har to
00:13:12
a minor is that controllers offering
00:13:15
online product Services um to known
00:13:18
miners or reason that they should know
00:13:20
essentially um are minor so when they're
00:13:22
reaching out to those miners we're
00:13:24
talking about them needing to take steps
00:13:25
to taking reasonable care to avoid this
00:13:28
kind of harm
00:13:30
um and it's very clear that emotional
00:13:33
kinds of harm are major pieces of what
00:13:36
goes on with kids if not the major thing
00:13:39
that happens for kids so I think that's
00:13:42
completely fair I hope that the
00:13:43
reputational injury Point um can take up
00:13:47
some of those same pieces but within a
00:13:48
more cabined area but that's completely
00:13:52
Fair
00:13:54
mental that's one of the most dramatic
00:13:56
impacts that you can have from these
00:13:57
pieces I'm guessing kids probably are
00:14:00
more concerned about that than the
00:14:01
financial impacts of them so so I don't
00:14:04
I don't know what else to do besides
00:14:07
shout it out yep I I think this is for
00:14:10
alignment purposes um I understand I I
00:14:15
just want people to know how I feel
00:14:17
about that and one more thing at the
00:14:21
very very beginning and I'm just going
00:14:23
backwards because I thought we were
00:14:24
waiting to the end but I don't um we
00:14:27
initially had just
00:14:30
residents right that it covered residen
00:14:33
MH and um could we also include
00:14:37
temporary resident it was just another
00:14:40
thing I'd like to just bring up so we
00:14:42
had I think months ago we went through
00:14:44
the process of considering this and
00:14:46
there was concerned
00:14:47
about
00:14:50
essentially businesses then needing to
00:14:52
check as people the compliance piece of
00:14:55
it seemed unclear how people would be
00:14:57
aware when someone's going in in and out
00:14:59
and the regular kind of check-ins that
00:15:01
would be required and additionally some
00:15:03
concern about well I don't really think
00:15:05
you have extr territorial application
00:15:07
there which could raise constitutional
00:15:08
concerns because they're in the state
00:15:10
we're talking about conduct that affects
00:15:12
them here I think that the committee had
00:15:14
reasonably decided to back away from
00:15:16
that out of fears about practical
00:15:18
implementation and those kind of well if
00:15:21
you started accidentally having extra
00:15:22
territorial application raising those
00:15:25
constitutional implications so I think
00:15:27
it was a nice decision on the commit
00:15:29
like a conservative decision on the
00:15:31
committee's part not to embark on that
00:15:34
and no other state is doing it but it is
00:15:36
definitely a cool idea yeah just fly
00:15:39
again it okay thank
00:15:46
you um we can jump so we were talking
00:15:49
about publicly available information I
00:15:50
think that we got through this piece
00:15:51
about excluding biometric data um again
00:15:54
that's making sure that biometric data
00:15:56
uh that's collected without a consumer's
00:15:58
consent without their knowledge um sorry
00:16:00
not without consent without their
00:16:01
knowledge um is picked up by the
00:16:04
protections of the ACT that's the idea
00:16:06
behind
00:16:07
this the change that you see here to
00:16:09
sale of personal
00:16:11
data is one concession
00:16:13
to what Senate Economic Development
00:16:17
proposed uh you guys previously had
00:16:19
language here that's much more extensive
00:16:21
as to what exchange is and it
00:16:23
specifically called out oral
00:16:25
communication as one of the means by
00:16:27
which personal data could be trans
00:16:29
transferred so this is a concession to
00:16:31
Senate Economic Development I will say I
00:16:34
think that substantively this is the
00:16:37
same thing um but I know that this has
00:16:39
been a back and forth between I know
00:16:42
that when Senate Economic Development
00:16:43
looked at this piece they were concerned
00:16:45
about it and they did not like that oral
00:16:47
communication was called out and I said
00:16:50
exchange encompasses oral communication
00:16:53
so you may think that you are not
00:16:55
getting that picked up but you should
00:16:59
um at least I think it is a reasonable
00:17:01
read to say that that would be picked up
00:17:03
under exchange um so this is a
00:17:06
concession and I guess what you could
00:17:07
say you're losing in doing this is that
00:17:10
you don't definitively state that that
00:17:12
is the case um but it is conceptually
00:17:15
possible under this it will be up to
00:17:16
courts as to how they read this so maybe
00:17:19
I overstated that it definitively should
00:17:21
be I think it is a defensible reading of
00:17:24
what exchange is um but this is a
00:17:26
concession to Senate Economic
00:17:28
Development apprach to this um but we
00:17:30
otherwise do maintain a piece that
00:17:32
Senate Economic Development cut which is
00:17:35
this commercial purposes piece uh which
00:17:38
I think we've talked about this before
00:17:39
this was related to approaches taken in
00:17:42
California about concerns that folks
00:17:45
were exchanging consumers personal data
00:17:47
to third parties for nonmonetary
00:17:51
consideration
00:17:53
um things like what you see here such as
00:17:56
inducing another person to rent
00:17:57
subscribe to
00:17:59
certain things exchange products or
00:18:01
enabling certain commercial transactions
00:18:03
I still take the position that I took
00:18:06
last time I talked about this which is I
00:18:08
think that these pieces should be picked
00:18:10
up under other valuable
00:18:12
consideration um but given that other
00:18:15
states felt necessary to call this out I
00:18:18
take it that there is a real problem
00:18:19
with this piece and that's why we've
00:18:21
included that here that is not disrupted
00:18:23
this was dropped Inc economic
00:18:24
development but it is maintained here in
00:18:26
you guys' tra so I would say the
00:18:29
definition that you now have for sale of
00:18:30
personal data reflects one concession to
00:18:32
Senate economic development but not a
00:18:34
full concession on this piece it's very
00:18:37
anthropological reading
00:18:42
J me would be
00:18:45
proud I don't see why it would yeah but
00:18:49
I you know as I've said many times I
00:18:51
just live in a world of words and not
00:18:54
out there in reality I guess
00:18:58
fine
00:18:59
reality very much how I
00:19:01
feel particularly when this is how I'm
00:19:04
spending my
00:19:08
time reality
00:19:12
uh
00:19:15
uh yes sensitive data one tweak here um
00:19:19
this is the approach so we're talking
00:19:21
about opin consent for processing of
00:19:23
sensitive data this is the deemed list
00:19:25
of categories um Financial information
00:19:29
and we've added here this is what Senate
00:19:30
Economic Development did including a
00:19:32
consumer's tax return so this would be
00:19:34
deemed financial information
00:19:38
um so you can say concession but I'm
00:19:40
assuming this is consistent with you
00:19:42
with what you guys would want to do here
00:19:43
as
00:19:46
well uh another change here and this is
00:19:50
pretty substantive uh this previously
00:19:53
was personal data collected from a known
00:19:55
child so under 13 sensitive data this is
00:19:58
now personal data collected from a known
00:19:59
minor this is the approach that Maryland
00:20:02
just took in their most most recently
00:20:04
passed bill um to
00:20:07
protect all data of minor um so
00:20:09
requiring opt-in consent for processing
00:20:11
of these pieces I should say that of all
00:20:14
the states that we've seen pass uh
00:20:16
Maryland is the one I think has kind of
00:20:19
generated the most controversy so there
00:20:21
are many things we did not pick up from
00:20:23
Maryland's approaches and I can talk
00:20:25
about those when we get here but those
00:20:26
that we thought were nice additions from
00:20:29
a consumer protective angle we've tried
00:20:31
to add here um and I think that this is
00:20:33
a nice one the piece that we needed to
00:20:35
ensure we did not disrupt in doing this
00:20:37
is uh one of the big constitutional
00:20:40
concerns is ensuring that you don't
00:20:41
require parental consent for teenagers
00:20:44
to do particular pieces and so if what
00:20:46
you had was a mechanism that requires
00:20:49
consent um for minors by parents that
00:20:51
would be problematic but what we have is
00:20:53
parental consent required for children
00:20:56
but not for minors who are not children
00:20:59
so that's kids 13 to 17 through 17 so in
00:21:04
this case they can provide their own
00:21:05
consent they don't have to have parental
00:21:06
consent if they did require parental
00:21:09
consent that would really complicate
00:21:10
doing this piece but I think that we're
00:21:12
in a safe place to do
00:21:17
this John we we dropped Jay from
00:21:21
sensitive yes sorry thank you um we
00:21:24
previously had uh a call out here for
00:21:29
uh sensitive data that essentially
00:21:31
photographs depictions of people naked
00:21:35
or undergarment cloud is I think the
00:21:38
language that we had which was based on
00:21:39
federal language because we've added
00:21:41
some new data minimization language
00:21:43
which will I guess it's beyond data
00:21:45
minimization language because we've
00:21:46
added new principles at controller
00:21:48
obligations related to the sell of
00:21:50
sensitive data we have dropped this
00:21:52
piece otherwise you would be prohibiting
00:21:55
all kinds of potential you might Free
00:21:58
Speech concerns in including this
00:22:00
particular piece so we've dropped that
00:22:02
and I think this is a more defensible
00:22:03
place to be um and it's tied to the
00:22:06
changes that you're going to see at the
00:22:07
controller
00:22:09
obligations before you go on can I go
00:22:11
back to that minor thing I couldn't find
00:22:13
my U mute button fast enough before you
00:22:16
jump to J sorry um in kids code I know
00:22:21
this is what you were just talking about
00:22:22
I think but I just want to
00:22:25
confirm who consents or to what in the
00:22:30
in the
00:22:32
um in the data collection piece is that
00:22:36
what we were talking about aligning with
00:22:37
the two
00:22:39
bills so I I don't honestly know the
00:22:42
latest on kids code but what's required
00:22:44
under this is that um opin consent is
00:22:48
required for known miners um so anyone
00:22:52
under 18 but it is important the known
00:22:54
qualifier this is not saying that people
00:22:56
need to start taking a ative steps to
00:22:59
determine whether or not someone is a
00:23:00
minor that's that would be impermissible
00:23:04
um what's what's happening is if the
00:23:07
business already knows um that the
00:23:09
person is a minor they will need to have
00:23:11
consent for that um
00:23:15
collection or any kind of processing of
00:23:17
this instu data which includes
00:23:19
collection yeah and and I I I guess I
00:23:23
took away you were saying like 13 14 15
00:23:27
year olds can opt in on their own that's
00:23:31
apparent is not required to do you know
00:23:34
16 17 18 like that makes perfect sense
00:23:36
to me it's that 13 14 15 that I okay
00:23:40
okay just wanted to be fully
00:23:42
understanding this one thank you yep yep
00:23:44
it's from 13 through yeah 13 and older
00:23:47
is someone who will provide their own
00:23:49
consent under the ACT
00:24:00
I think we did so we did make changes to
00:24:02
targeted advertising um we previously
00:24:04
had a more restrictive piece related to
00:24:09
um a concept of targeted advertising to
00:24:11
miners that
00:24:14
um basically prohibited or required
00:24:17
consent for even first party uh targeted
00:24:20
advertising we have dropped that this is
00:24:22
a concession we still do have a more
00:24:25
fome more robust concept of what
00:24:27
targeted advertising is here than what's
00:24:30
in say Connecticut um so what we have
00:24:33
here is um and I can talk about this
00:24:35
again targeting of an advertisement to a
00:24:37
consumer based on consumer's activity
00:24:39
with one of our businesses distinctly
00:24:40
branded websites Etc other than that
00:24:44
controller distinctly branded website um
00:24:46
with which the consumer is intentionally
00:24:48
interacting so what this permits is
00:24:49
essentially first-party
00:24:51
advertising um but it does not it also
00:24:55
prohib it I say prohibits it requires
00:24:57
opt down this is a kind of advertising
00:25:00
that requires sorry opt out for any
00:25:03
consumer under the ACT opt in for minor
00:25:06
so there's a difference between the two
00:25:07
sets of categories for this kind of
00:25:10
advertising what is stronger here than
00:25:13
in say Connecticut is we have this
00:25:15
reference to distinctly branded websites
00:25:18
and what this means is a company
00:25:21
theoretically under Connecticut's could
00:25:24
own a host of different websites right
00:25:27
but their brand bred differently I think
00:25:30
that theoretically under Connecticut's
00:25:32
um Advertising based on any of the
00:25:35
activity across their different
00:25:36
Affiliated websites regardless of The
00:25:38
Branding um would not constitute
00:25:40
targeted advertising because we have
00:25:42
this specific language about distinctly
00:25:44
branded website if a group owned a bunch
00:25:47
of websites but they were distinctly
00:25:49
branded uh if you started
00:25:52
using the activity of the consumer
00:25:54
across those different branded websites
00:25:56
they're still owned by the same group
00:25:57
but they're different ly branded um that
00:26:00
could not be used to generate targeted
00:26:01
advertising so basically this is meant
00:26:03
to get at businesses you can Target
00:26:06
Advertising based on what a consumer
00:26:08
would readily understand to be a
00:26:10
first-party interaction they go to a
00:26:12
website they see that your name is on it
00:26:14
they go to another website maybe it's
00:26:16
slightly different but they still see
00:26:17
that you know your logo is there so they
00:26:19
know who they're dealing with that's the
00:26:21
idea behind this concept is it preserves
00:26:24
um businesses ability to Target
00:26:26
advertising on the basis of consumer
00:26:28
visiting them but otherwise is not meant
00:26:30
to facilitate just broad uh reach
00:26:33
targeted
00:26:37
advertising and this is I I should say
00:26:39
so this is a just to reorient this is a
00:26:43
concession in part but maintaining some
00:26:46
of the stronger Provisions that you guys
00:26:48
had when you passed this out relative to
00:26:50
other states um and when we get to the
00:26:52
data minimization principle I will make
00:26:54
clear how the changes there mean that
00:26:58
there is no disruption to targeted
00:27:00
advertising uh RIT
00:27:04
large okay we are on the applicability
00:27:07
section page
00:27:09
15
00:27:11
uh what you guys had when you passed out
00:27:14
uh this bill you had control or process
00:27:18
the personal data of not fewer than
00:27:19
6,000
00:27:21
uh 500 yeah
00:27:24
6,000 and uh half of that for your
00:27:28
second uh piece related to gross revenue
00:27:31
what we've done is to start with
00:27:34
expanded uh or raise the numerical
00:27:37
threshold so fewer businesses are
00:27:38
subject to the ACT it's going to be a
00:27:40
step down over a number of years and
00:27:42
we'll come to those at the very end but
00:27:43
the idea is that when this first goes
00:27:45
into effect higher thresholds a year out
00:27:48
lower thresholds and then a year out
00:27:49
from that the lowest thresholds kind of
00:27:52
getting closer to where you guys first
00:27:54
had passed the bill um and a change from
00:27:57
20% to 20 5% of gross
00:27:59
revenue and I should call out when
00:28:01
Senate Economic Development made these
00:28:03
changes they did land on this 25,000
00:28:05
figure so this is again a concession to
00:28:08
them but they had a different structure
00:28:10
here to just say any business regardless
00:28:12
of excuse me numerical threshold um that
00:28:15
derives more than 50% of gross revenue
00:28:17
which may be a small bucket of
00:28:20
businesses that actually made that does
00:28:23
this impact data Brokers at
00:28:25
all so um
00:28:30
yes I mean it affects them in the same
00:28:32
way that it affects anyone um if you had
00:28:36
a I I think the key piece will
00:28:38
be the gross revenue threshold but it
00:28:41
just depends on how many consumers data
00:28:45
Brokers are processing the data of those
00:28:48
consumers without an empirical picture
00:28:50
of how big those are um it's the same
00:28:54
question that would apply to anyone else
00:28:56
right it's do they meet these thresholds
00:28:58
and so the the easiest answer is just to
00:29:00
say in year one fewer folks are going to
00:29:02
be subject to this whether that means
00:29:04
fewer data Brokers are subject to this
00:29:06
I'm not sure it could that was my
00:29:09
question I should have asked it
00:29:10
differently does it ease restrictions on
00:29:12
data Brokers e easier than what we have
00:29:15
right now on them that's my question but
00:29:17
we probably don't have that information
00:29:19
yeah so it doesn't ease the restrictions
00:29:21
it's just whether or not they're subject
00:29:24
and without knowing the picture
00:29:26
of how many they process now I'm
00:29:28
guessing someone who's a data broker
00:29:29
probably processes a lot of consumers so
00:29:32
they may in every instance be subject to
00:29:34
this um but it is theoretically the case
00:29:37
that fewer data Brokers will be subject
00:29:39
to this in year one and I think that
00:29:40
that is the compromise that you guys are
00:29:42
striking is a a phase in approach in
00:29:45
recognition of the claims folks have
00:29:48
raised and the approach that the Senate
00:29:50
has taken to how are we rolling this out
00:29:52
I think this is a concession in
00:29:56
part thank you
00:30:01
uh exemptions I think that we only have
00:30:03
one addition here and this is a
00:30:07
essentially a slight modification to an
00:30:09
exemption that was accepted in Senate
00:30:11
economic development in the Senate there
00:30:14
had been a entity level exemption for
00:30:16
what is the equivalent of this new
00:30:18
exemption this is an exemption for
00:30:20
information so it's data level that is
00:30:23
processed for purposes of compliance
00:30:25
enrollment or degree degree verification
00:30:27
or research Services by and this is
00:30:29
important it's a nonprofit organization
00:30:31
that is established to provide
00:30:33
enrollment data reporting services on
00:30:34
behalf of postsecondary schools um so
00:30:38
there are two pieces that make this
00:30:41
exemption restrictive one is the kind of
00:30:44
nonprofit to which this is available
00:30:46
it's only for those that are established
00:30:47
for this particular purpose so I don't
00:30:49
imagine this is picking up a lot of
00:30:50
nonprofits these are folks who are
00:30:52
established to provide enrollment data
00:30:53
reporting to postsecondary schools they
00:30:56
may do other things as well but Ong
00:30:58
their purposes they're established to
00:30:59
provide that enrollment data reporting
00:31:01
services and it's only data level it's
00:31:04
for information that is processed for
00:31:06
specific purposes as well so those are
00:31:07
the two restrictions kind of nonprofit
00:31:09
and what the information is processed
00:31:11
for admittedly Research Services is a
00:31:15
broad category so I I will flag that but
00:31:18
I think given that you have the two
00:31:20
pieces together for particular purposes
00:31:23
and only a narrow set of nonprofits the
00:31:27
hope is that this is restrictive enough
00:31:28
to permit those folks who are providing
00:31:31
degree verification to jobs and schools
00:31:34
to continue to operate without needing
00:31:36
to worry about um this piece um and this
00:31:39
was a concession
00:31:46
uh we jump down to Consumer personal
00:31:50
data rights um this is really cleanup
00:31:52
changes that you see here in two this is
00:31:54
the same content as what was here before
00:31:56
but I think it's worded a bit more clear
00:31:58
I'm happy to talk about this if you want
00:31:59
to but it's the same as what's before so
00:32:01
I don't know that we need to go into
00:32:02
this it's just easier to read
00:32:05
now uh there is a substantive change to
00:32:09
this subdivision 4 on line six but I
00:32:10
think this is consistent with everyone's
00:32:12
expectation this is making clear uh and
00:32:14
this should be comforting to Industry
00:32:16
that if they have a requirement under
00:32:18
law to retain personal data um they are
00:32:21
not required to delete the personal data
00:32:22
at consumer
00:32:24
request but I think that was probably
00:32:26
already in the ACT elsewhere this just
00:32:29
makes it clear in the consumer data
00:32:31
rights that that's the case uh
00:32:33
subdivision 5 again this is just
00:32:35
reordering this is not a substantive
00:32:37
change this is just making it a bit
00:32:38
easier to read this particular
00:32:42
section the real biggest substantive
00:32:44
changes come in the next section so this
00:32:47
is the heart of the updates that have
00:32:48
been made
00:32:50
here uh I this is not a substantive
00:32:54
change this is just making it easier to
00:32:55
read the
00:32:56
section d duties of controllers this is
00:32:58
where the real meat of the changes are
00:33:02
um the first
00:33:03
piece when you guys sent
00:33:06
out the section 2419 you had data
00:33:09
minimization principles here that said
00:33:11
something like shall process only as
00:33:14
reasonbly necessary and proportionate to
00:33:15
provide products or
00:33:17
services or for another disclosed
00:33:19
purpose that is compatible with those
00:33:21
disclosed purposes or if they obtain
00:33:23
consent they could do it for another
00:33:25
purpose the point that folks raised
00:33:28
fairly uh when this reached the Senate
00:33:31
was that because the processing is tied
00:33:34
to that restriction on what is reasonbly
00:33:37
necessary and proportionate is tied to
00:33:40
the product or service offered because
00:33:42
someone's going to a website not to
00:33:43
receive targeted advertising that
00:33:46
technically uh businesses would could
00:33:49
require opin to to engage in targeted
00:33:52
advertising I don't think that that was
00:33:54
you guys' intention so this was
00:33:55
something that was uh resolved on the
00:33:58
Senate side in a different manner than
00:33:59
you see here I don't necessarily have to
00:34:01
go into it but they changed away from
00:34:03
products or services to go toward what
00:34:06
is reasonbly necessary reasonbly
00:34:07
necessary and proportionate to um
00:34:10
disclosed purposes now what I would say
00:34:12
about that is they did solve the concern
00:34:14
about requiring opin for targeted
00:34:16
advertising but what that regime
00:34:19
produces is basically as long as a
00:34:21
business discloses their set of purposes
00:34:23
to
00:34:24
you they can do what they want for those
00:34:27
purposes now it's meant to be what's
00:34:28
reasonbly necessary and proportionate to
00:34:30
those purposes
00:34:32
um but I don't know how strong of a
00:34:35
restriction that is um to me that
00:34:37
language about what is reasonbly
00:34:39
necessary and proportionate and I can
00:34:40
talk about this language now what is
00:34:42
reasonbly necessary and proportionate
00:34:43
makes more sense when we talk about
00:34:44
limiting
00:34:45
collection um it's easier to say what is
00:34:48
recently necessary to collect the data
00:34:50
to provide a particular service than to
00:34:51
say what is really been necessary to
00:34:53
process for a particular purpose so what
00:34:55
we have here is a slightly different
00:34:58
data minimization principle but I think
00:35:00
this is the most intuitive one that I
00:35:03
have seen uh yet and this is in part
00:35:06
pulled from Maryland but we do not
00:35:08
accept all of their changes um because
00:35:11
they do have some uh Stronger
00:35:14
prohibitions that we did not want to
00:35:15
adopt here so what does this say this
00:35:17
says a controller shall limit the
00:35:18
collection of personal data to what is
00:35:20
reasonably necessary and proportionate
00:35:21
to provide or maintain a specific
00:35:23
product or service requested by the
00:35:25
consumer to the data pertains so this is
00:35:28
saying uh a consumer goes to a business
00:35:30
they go to their website they purchase
00:35:32
something something they offer up their
00:35:34
data to that business now what the
00:35:37
business has to do is limit the
00:35:39
collection of that data only to what's
00:35:40
required what is reasonably necessary
00:35:42
and it allows them to make that
00:35:43
determination it's not a strictly
00:35:45
necessary bar it's what's reasonably
00:35:47
necessary to provide that product or
00:35:49
service so that's the consumer making an
00:35:52
exchange with the business saying I'm
00:35:53
handing over information and I receive
00:35:55
what I want in return and now the cap
00:35:58
the restriction on the business is not
00:36:00
what was in the previous draft that it
00:36:02
the Restriction is on the
00:36:04
processing what's reasonbly necessary
00:36:06
and proportionate to those purposes now
00:36:08
that they have that limited data they
00:36:10
can do not as they please but they can
00:36:12
process that data for the purposes that
00:36:14
they disclose and we'll come to the
00:36:16
restriction on that piece but I think
00:36:18
that this is a more intuitive concept of
00:36:20
data minimization consumer engages in
00:36:23
consensual exchange of information for a
00:36:25
particular product or service and the
00:36:26
business now that they receed that data
00:36:28
can use the data for the purposes that
00:36:30
they have
00:36:32
disclosed
00:36:34
um the I can pause so that's
00:36:38
like I can use this example in the past
00:36:40
like the Walgreens your you free to give
00:36:44
them your shop there they have your
00:36:47
information they know what you like so
00:36:49
you get cou funds an online coupon
00:36:52
that's might be yep
00:36:55
yep um
00:36:58
yeah and I will talk more about this
00:37:00
when we get to the Shell Nots which
00:37:01
we'll get to shortly because there's a
00:37:03
there's an interaction with that piece
00:37:05
but I think that this is fairly clear
00:37:08
language as to what businesses are
00:37:09
restricted and doing here um and is
00:37:13
avoids the targeted advertising problem
00:37:15
this does not produce you know they can
00:37:17
collect data and then they can engage in
00:37:19
targeted advertising on that basis they
00:37:21
may collect less data than they were
00:37:22
going to collect before because now they
00:37:24
have to limit that to what is necessary
00:37:26
to provide the product or service but
00:37:27
they can continue to engage in targeted
00:37:29
advertising and given that they're going
00:37:31
to engage in targeted advertising on the
00:37:33
basis of what you went there to purchase
00:37:35
or receive the information that they
00:37:37
receive from that exchange is going to
00:37:39
be what they need to engage in targeted
00:37:41
advertising so I think this is a fair
00:37:44
compromise from my
00:37:46
perspective um the changes you see here
00:37:49
at 3 and four this is again kind of a
00:37:50
tidiness change this used to be one big
00:37:54
subdivision broken it out to make it a
00:37:55
little bit clearer how the revocation of
00:37:58
consent is a separate
00:38:00
piece so what shall a controller not do
00:38:03
um this is the other data minimization
00:38:05
principle tied to this they shall not
00:38:06
process personal data for a purpose not
00:38:08
disclosed in the Privacy notice unless
00:38:11
the controller obtains the consumer's
00:38:12
consent or the purpose is reasonbly
00:38:14
necessary to and compatible with the
00:38:15
disclosed purpose so this means the
00:38:18
business can engage in the processing of
00:38:20
any disclosed purpose um that's in that
00:38:23
privacy notice if they want to go beyond
00:38:26
that they need to obtain consent unless
00:38:28
essentially the purpose they want to go
00:38:30
to that's not disclosed is sort of
00:38:32
already implied it's reasonably
00:38:34
necessary to and compatible with a
00:38:35
disclosed purpose so what businesses
00:38:38
will do they're going to provide the
00:38:39
Privacy notice they can process with the
00:38:42
limited data that they collect for the
00:38:44
purposes that are set out in that
00:38:45
privacy notice and then if they want to
00:38:47
go beyond that they'll obtain consent
00:38:49
for another piece and that is just a way
00:38:51
of maintaining the notice provisions of
00:38:53
the ACT a consumer just needs to be on
00:38:55
notice what their data is being protect
00:38:57
uh processed for but otherwise it's sort
00:38:59
of business as usual and the constraints
00:39:02
are on selection and then specific
00:39:05
restraints on what can be done with
00:39:06
sensitive data so I would say the broad
00:39:08
effect of this is that for personal data
00:39:11
writ large what the ACT does is create a
00:39:14
notice regime for consumers and then for
00:39:17
sensitive data special kinds of
00:39:19
restrictions apply that's kind of the
00:39:20
idea here is that businesses can operate
00:39:23
with set of personal data without
00:39:25
needing to make large modifications what
00:39:27
they do but they do have to take
00:39:29
different steps for sensitive
00:39:33
data okay so maintain from the previous
00:39:36
draft controllers shall not process sens
00:39:38
of data without first obtaining consent
00:39:40
um or if cons is a child uh processing
00:39:43
in accordance with
00:39:45
CA here is a this is probably the
00:39:48
biggest update of this change um and
00:39:52
this is you know beyond just cleanup
00:39:55
changes or compromise struct with the
00:39:57
Senate this is a real step out this is
00:40:00
something that Maryland does this is a
00:40:02
Prohibition on selling sensitive data
00:40:04
full stop this is uh for processing
00:40:06
sensitive data in so all kinds of
00:40:09
processing of sensitive data require
00:40:11
consent um but for sensitive data we're
00:40:13
selling saying if you sell it that's
00:40:16
just prohibited under this act so that's
00:40:18
part of why we dropped one of the
00:40:20
categories that we had under sensitive
00:40:21
data um and tightened up the other
00:40:24
pieces but this is a big step so I just
00:40:27
want to pause here and say that this is
00:40:28
the
00:40:29
biggest change I think in this draft um
00:40:33
and if you guys want to talk about it
00:40:35
you know go for it but just wanted to
00:40:37
recognize that and not speed through
00:40:40
this Stephanie is it okay I keep jumping
00:40:43
in sorry go ahead go ahead Ed I was just
00:40:46
gonna say I like this a lot and I
00:40:48
appreciate the
00:40:49
um the understanding of what we were
00:40:52
asking for and figuring out how to get
00:40:54
it onto language
00:40:58
Y and there's a way of seeing this as
00:41:00
you know selling is a kind of processing
00:41:03
so basically what you're saying is two
00:41:04
tells you that consent is required but
00:41:07
for this one Cate for this one kind of
00:41:10
processing uh we go a step further and
00:41:12
just say even in this case consent is
00:41:14
insufficient and I think it makes sense
00:41:16
intuitively if we think about it that we
00:41:18
don't want our biometric data our um tax
00:41:22
returns or our account numbers with
00:41:24
their passwords sold to people it's an
00:41:26
in concept that I think is not hard to
00:41:29
understand um but I do just want to flag
00:41:31
that this is a new kind of uh
00:41:34
prohibition that again Maryland is doing
00:41:36
this um but it is to be seen how this
00:41:39
will I don't think it's confusing how it
00:41:41
works but it will be seen how folks
00:41:42
react to
00:41:45
this um the piece that you see here in
00:41:48
four is
00:41:49
substantively the same as what's in the
00:41:52
draft that you guys passed out um
00:41:55
Marilyn goes further than this and had a
00:41:56
full prohibition on processing uh miners
00:42:00
data for these purposes I think you
00:42:02
could have real first amendment concerns
00:42:05
for the targeted advertising piece um
00:42:08
and the point about selling the
00:42:10
consumer's personal data this is in a
00:42:12
way
00:42:16
already actually this is a good point
00:42:21
um we could conceivably drop C here uh
00:42:25
because it should already be picked up
00:42:26
by three what four is saying is without
00:42:29
cons you have to get consent to process
00:42:31
personal data of a known minor for the
00:42:33
purposes of Target advertising profiling
00:42:35
or selling that consumer's personal data
00:42:37
but we already have a Prohibition on
00:42:39
selling sensitive data which includes
00:42:42
the data of minors so I think we
00:42:45
actually should do that drop 4 C does
00:42:47
that make sense to you guys just
00:42:49
to yeah
00:42:52
uh we aren't trying to permit selling of
00:42:55
minor data with consent and I think that
00:42:58
you could read this to say
00:43:03
that the the the one difference I would
00:43:06
say here is there is a slight difference
00:43:09
in sensitive data we
00:43:11
say selling
00:43:13
the uh we
00:43:15
say data of a known minor and in this
00:43:19
case we say the controller knows or
00:43:22
consciously avoids knowing is a minor so
00:43:24
there could technically be a broader
00:43:26
category captured here right
00:43:31
um so we could say in this this is
00:43:35
interesting
00:43:39
uh maybe that's a fair compromise to
00:43:43
take but does does that difference make
00:43:44
sense that if we dropped C it would mean
00:43:49
that uh folks could sell the data of
00:43:53
minors if they did not definitively know
00:43:56
that that consumer was a
00:43:58
minor under what we have here in four
00:44:01
we're saying they have to obtain consent
00:44:03
to sell minor if
00:44:05
they consciously avoid knowing which is
00:44:08
slightly different than if they do
00:44:10
definitively
00:44:12
know um but that you know given that
00:44:16
you're outright prohibiting the sell the
00:44:18
selling
00:44:20
of known minors maybe that's a fair
00:44:24
compromise to strike but I will let you
00:44:25
guys figure that out
00:44:29
does that concern make
00:44:31
sense the categories aren't exactly the
00:44:34
same technically you're you have a
00:44:36
smaller category of consumers who going
00:44:38
to fit into that known
00:44:41
minor prohibition selective
00:44:46
data so is it okay Stephanie go ahead
00:44:51
yeah so we've been talking about a full
00:44:54
prohibition on selling
00:44:58
data of a minor right throughout two
00:45:00
different bills I guess we've been
00:45:02
talking about that and I know you're not
00:45:04
an expert on your on both of
00:45:07
them but just for the committee and what
00:45:09
you're saying is if we drop
00:45:12
C A A Minor's data could be sold if the
00:45:17
minor agreed to
00:45:19
it no so if we drop C uh what it what it
00:45:24
means is a business could sell the data
00:45:27
of a minor that they did not
00:45:28
definitively know was a minor um that
00:45:32
that's what it means uh but they are
00:45:34
prohibited from selling the data of a
00:45:36
minor that they know to be a minor a
00:45:38
consumer that they know to be a minor
00:45:41
okay and then sorry go ahead yeah the
00:45:44
the the ostrich defense that we've been
00:45:46
talking about right should have known is
00:45:49
that anywhere else I know that it's here
00:45:52
consciously avoids knowing but because
00:45:55
that I think that's important I think
00:45:58
that's an important piece of this that
00:46:01
we use a lot in Vermont and that
00:46:05
um because we don't want to require data
00:46:08
collection to figure out if somebody for
00:46:11
sure is a minor we know that they
00:46:13
collect the data enough to know who
00:46:16
they're targeting and roughly what age
00:46:18
they are if not exactly what age they
00:46:20
are by their birthday and all of that we
00:46:22
know that that's already happening in a
00:46:23
lot of instances
00:46:25
so I want to make sure that that
00:46:27
consciously avoids knowing stays in
00:46:31
there so so that piece is staying the
00:46:33
question is whether or not to drop C and
00:46:36
I would say if you just include c as is
00:46:39
right now I think it would be a
00:46:41
defensible position for a business to
00:46:43
say I mean they might lose this but I
00:46:46
could see the argument that they say
00:46:48
look you prohibit selling sensitive dat
00:46:49
in three but then in four you say that
00:46:51
we
00:46:52
can obtain consent essentially to sell
00:46:55
some minor yeah yeah so they're at the
00:46:58
very least they intention I mean you
00:47:01
could
00:47:02
so I think it's easier to drop C and
00:47:06
maybe uh that will be a happier place
00:47:10
for businesses to be given the other
00:47:13
pieces here um because then they know
00:47:15
that they aren't going to be on a
00:47:17
violation for selling the data of a
00:47:19
minor that they don't know to be a minor
00:47:20
it's only in cases where they definiely
00:47:22
do know them to be um the other I'm
00:47:25
trying to think of a way if you wanted
00:47:26
to oberved exactly this you could say
00:47:29
something like selling the consumer
00:47:31
personal data
00:47:34
of of a
00:47:36
minor that is not dependably known to be
00:47:40
a minor but it just starts to read very
00:47:42
oddly and produce like
00:47:44
strange it's almost like you're
00:47:46
incentivizing them to take steps not to
00:47:48
know if someone is a minor um so that
00:47:51
they can then continue to sell the data
00:47:54
so I don't think we want to have that
00:47:56
intent
00:47:58
umone agree to take yeah yeah I think
00:48:01
it's g toct with 289 to so okay so let's
00:48:04
just cleaner to pull it it's definitely
00:48:06
easier to drop it we don't want to
00:48:09
conflict with
00:48:16
289 um do you have a comment what did
00:48:19
you have a comment kind but not
00:48:22
yet I'm thinking
00:48:25
okay uh the
00:48:27
what you see here in six we had this in
00:48:29
an earlier draft and then deleted this
00:48:32
on the basis that what we currently have
00:48:34
is seven probably captures a lot of this
00:48:37
um but this is an easy piece to include
00:48:40
I don't think it makes a huge Su to the
00:48:42
dis the difference that it does make is
00:48:44
it's saying if someone violates uh stor
00:48:47
federal laws that prohibit unlawful
00:48:48
discrimination uh that would be picked
00:48:50
up as a violation of this act if they're
00:48:52
processing personal data in violation of
00:48:53
those pieces I don't really see this is
00:48:56
a huge substance of addition uh this is
00:48:58
largely captured by whatson 7 but for
00:49:00
consistent consistency with other states
00:49:03
maybe it's worth maintaining this call
00:49:05
out um clean up flow through changes in
00:49:09
seven that's that's really your biggest
00:49:11
changes here we will get down to other
00:49:13
pieces
00:49:15
um we're talking here on page 33 about
00:49:20
what a controller needs to do to provide
00:49:22
mechanisms for consumers to exercise
00:49:25
their rights this this is
00:49:28
uh authentic authentication of a
00:49:31
consumer's request and what the new
00:49:33
language that you see here is is
00:49:35
clarifying is that use of an IP address
00:49:38
to estimate the consumer's location is
00:49:40
sufficient to determine their residency
00:49:42
and that's a piece that you would want
00:49:43
for those authentication requests if
00:49:46
they're in fact a Vermont resident and
00:49:48
can exercise this act so this is a just
00:49:50
to make clear um what businesses can do
00:49:53
to authenticate
00:49:58
on 34
00:50:00
um we've updated language throughout the
00:50:03
draft that used to say actually knows or
00:50:05
willfully disregards to instead say
00:50:07
knows or consciously avoids knowing
00:50:09
that's meant to be conceptually the
00:50:11
equivalent of that language this is
00:50:13
language you see here that's already in
00:50:15
Title 9 so that's one of the reasons for
00:50:16
the changes and also um the willfully
00:50:20
disregards uh just a plain English
00:50:23
reading of it not a legal reading to me
00:50:26
would seem to imply potentially a
00:50:28
knowledge standard and therefore not
00:50:31
be adding anything beyond actually NOS
00:50:34
um so I think this is also a bit clearer
00:50:36
than what actually knows or willfully
00:50:38
disregards means um but at the very
00:50:40
least it's conceptually the same as what
00:50:42
other states are doing it's just using
00:50:43
Vermont language to describe the same
00:50:47
piece so this is your duties of
00:50:49
controllers to miners the changes that
00:50:51
you see here or that you won't see here
00:50:54
because they're
00:50:55
deletion um relate to alignment with
00:50:58
kids
00:51:00
code uh so the first piece here this
00:51:03
used to say sh not process a minor
00:51:05
personal data for any purose other than
00:51:07
a processing purpose that is reasonably
00:51:08
necessary for this has been upgraded to
00:51:10
strictly necessary and the same piece
00:51:12
you see in three processing a minor
00:51:15
personal data for longer than is
00:51:16
strictly necessary to provide the online
00:51:17
service product for feature so in both
00:51:20
cases making it more restrictive as to
00:51:22
what is required in dealing with minor
00:51:23
personal data for these online platforms
00:51:26
um what is not visible here is previous
00:51:29
subdivisions four and five this is for
00:51:32
alignment with kids code I think that
00:51:33
you guys are dealing with this be so
00:51:35
they've been dropped here but previously
00:51:37
four
00:51:38
said um there's either geolocation or uh
00:51:44
processing gosh
00:51:47
um I can find it um
00:51:57
yes uh the previous rep yes using system
00:52:01
design features to extend use and
00:52:03
collecting a minor precise geolocation
00:52:05
data I understand that those are being
00:52:07
taken up in 289 and so they don't need
00:52:10
to be dealt with here so they've been
00:52:11
dropped here not to
00:52:14
duplicate otherwise this section is
00:52:16
largely the same as before do these are
00:52:19
processors this Remains the
00:52:23
Same uh you're almost there same updates
00:52:29
for actually knows or willly disregards
00:52:31
to knows or consciously avoids knowing
00:52:32
throughout the
00:52:35
draft this is a cleanup change you're
00:52:38
seeing uh on Section 2425 G identified
00:52:42
data uh the intent was to have this take
00:52:46
reasonable measures language in the
00:52:47
draft as passed out we' made this update
00:52:49
to the definition of deidentified data
00:52:51
and then I forgot to add this here so
00:52:53
this is just cleaning up uh to make
00:52:56
clear there is no difference between the
00:52:58
definition of deidentified data and
00:52:59
what's required under this particular
00:53:01
section this is consistent with the
00:53:03
intent that you guys had as passed
00:53:07
out
00:53:09
um okay construction of duties of
00:53:11
controllers and processors there is a
00:53:15
couple changes here we used to have a
00:53:16
subdivision four this is what we're
00:53:18
saying this chapter shall not be conr to
00:53:20
restrict entities abilities to engage in
00:53:23
particular ordinary course or internal
00:53:25
purposes
00:53:27
we previously had a subdivision 4 that
00:53:28
said shall not be construed to restrict
00:53:30
um the ability to essentially act in
00:53:32
accordance with a contract under
00:53:36
2421b with a state or local government
00:53:40
entity um the reason that this is been
00:53:42
deleted and I think this is included at
00:53:44
lobbyist request is that language
00:53:47
technically doesn't
00:53:49
accomplish anything for them even uh so
00:53:54
it's Superfluous uh technically just to
00:53:57
explain why it is Superfluous those
00:53:59
local government entities would be
00:54:01
exempt from the act under our exemptions
00:54:03
and therefore there would be no contract
00:54:05
under
00:54:07
2421b by which a entity would need to
00:54:11
comply um in addition because anyone
00:54:14
acting under a contract with the local
00:54:16
government or government entity would
00:54:21
um not be acting as a controller even if
00:54:24
you think of that government entity as
00:54:26
being exempt and and they're asking
00:54:27
themselves well the person I'm working
00:54:29
with is exempt but I may not be because
00:54:32
they're under a contract working with
00:54:33
that person they're not determining the
00:54:34
purposes of processing they're therefore
00:54:36
not a controller um and if they're not a
00:54:39
controller then they aren't going to be
00:54:41
subject to the obligations of this act
00:54:43
so I think that language is just a perlu
00:54:45
it's not needed here the change you see
00:54:48
at five is in relation to the changes we
00:54:51
just talked about with um data
00:54:54
minimization so this says sh be to
00:54:56
restrict ability to provide a product or
00:54:58
service specifically requested by the
00:54:59
consumer um that's fine but we want to
00:55:02
make clear that the data minimization
00:55:04
principle that limits collection of data
00:55:06
to what is reasonably necessary and
00:55:08
proportionate to providing that product
00:55:09
or service is maintained so this call
00:55:11
out to consistent with subdivision 24/19
00:55:14
A1 is meant to do that it clarifies yes
00:55:18
of course you can provide the product or
00:55:19
service but that doesn't mean you can
00:55:20
just do whatever you want in terms of
00:55:21
data collection you've got to comply
00:55:23
with 2419 a I think even if if you
00:55:26
didn't include that that should be clear
00:55:30
intent um but this makes it even clearer
00:55:32
that that is the
00:55:35
case
00:55:36
uh guess I'm running out of time but we
00:55:39
are almost there we have you until
00:55:42
night okay great um that's great so we
00:55:47
have language here this is drawn from
00:55:49
Colorado um I don't think you have to
00:55:52
have this but this is nice to have this
00:55:54
so chapter shall not be construed to
00:55:55
require controller processor or consumer
00:55:57
health data controller to implement an
00:56:00
age verification or age gating system or
00:56:03
otherwise affirmatively collect the age
00:56:04
of consumers that first sentence this is
00:56:07
tied to that knows or consciously avoids
00:56:11
knowing we are not imposing a
00:56:13
requirement that businesses investigate
00:56:15
and determine folks's age um it's meant
00:56:18
to preserve basically do they have do
00:56:20
they already have knowledge or do they
00:56:22
have a reasonable basis already on which
00:56:24
they should know that someone's uh
00:56:27
a minor we're not asking them to take
00:56:28
additional steps for instance Maryland
00:56:31
is doing knows or should know is a minor
00:56:34
and that is potentially more dangerous
00:56:36
because that could be taken to mean that
00:56:39
businesses should engage in discovering
00:56:41
whether or not someone is a minor and so
00:56:43
you may have constitutional concerns
00:56:44
here this language is nice you are
00:56:46
limiting um you are protecting yourself
00:56:49
from liability including language like
00:56:50
this and then the second sentence goes
00:56:52
even further a controller processor
00:56:54
consumer health data controller that
00:56:55
chooses to conduct commercially
00:56:57
reasonable age estimation to determine
00:56:59
which consumers or miners is not liable
00:57:01
for an erroneous age estimation so if
00:57:03
they're doing commercially reasonable
00:57:05
efforts to determine age um they're not
00:57:07
going to be liable on that basis so this
00:57:09
is
00:57:11
again trying to protect businesses
00:57:14
ability to continue to operate as they
00:57:15
are and then just calling out that if
00:57:17
you do know or you have a strong basis
00:57:18
for knowing um in those cases apply the
00:57:21
extra
00:57:24
protections and again we be the first to
00:57:26
do this this is what Colorado is doing
00:57:28
as well
00:57:30
um although I should say I'm not sure
00:57:32
that the Colorado language is new I'm
00:57:35
not sure that it's actually uh passed or
00:57:38
been signed yet but this is consistent
00:57:40
with the approach that I think that they
00:57:41
are taking there so changes to the
00:57:44
enforcement section um what we have here
00:57:48
is an enforcement section that relies on
00:57:51
in subsection a the underlying Consumer
00:57:54
Fraud protection statute so this
00:57:55
provides for both AG enforcement and the
00:57:58
underlying private right of action
00:57:59
already existing in uh pedal 9 which is
00:58:03
under 2461 subsection
00:58:06
B uh and this language that you'll see
00:58:10
is consistent with what the kid kids
00:58:12
code language does so uh you have that
00:58:14
piece AG has the same authority to adopt
00:58:16
rules to implement this section as under
00:58:18
chapter 63 which is your consumer
00:58:20
protection um chapter we maintain the
00:58:24
Cure period 60-day cure period you guys
00:58:26
have seen this language before
00:58:29
um same pieces for consideration and a
00:58:32
requirement of reporting
00:58:34
on uh
00:58:39
notices I'll take a look at your email
00:58:41
and oh yeah you know how to do this for
00:58:45
um so this should be pretty familiar to
00:58:48
you guys but just to call out you had an
00:58:50
insection PR built out this you're going
00:58:54
to see multiple enforcement sections in
00:58:55
the Bill and we'll come to those but
00:58:57
this first one which is what's going to
00:58:58
be immediately in effect is just relying
00:59:00
on the underlying existing private right
00:59:03
of action in Title
00:59:05
9 last piece of the act confidentially
00:59:07
of consumer health data this is just a
00:59:10
cleanup change to subdivision 3 this
00:59:12
previously said any Healthcare facility
00:59:13
mental health facility or reproductive
00:59:15
or sexual health facility because those
00:59:18
facilities are kinds of healthcare
00:59:19
facility this is just adding them as
00:59:21
including any mental health facility so
00:59:23
it's a way of preserving the call out to
00:59:25
those particular pieces to say we are
00:59:27
definitively saying um establishing a
00:59:29
virtual boundary around mental health
00:59:31
facilities or reproductive or sexual
00:59:32
health facilities um is prohibited under
00:59:35
this section but just cleaning up to say
00:59:38
that is a kind of healthcare facility
00:59:39
that's what the including any language
00:59:41
is
00:59:42
for for publication and public education
00:59:45
and Outreach just one tweak to what you
00:59:47
guys passed out which is to say on page
00:59:50
58 that the Attorney General may have
00:59:52
the assistance sorry there's two changes
00:59:55
when you guys test this out you test the
00:59:58
attorney general and accd with engaging
01:00:00
in this effort the understanding is that
01:00:02
accd doesn't really want to be doing
01:00:04
this the references to accd um have been
01:00:07
pulled out and instead it's casting the
01:00:10
AG with that education Outreach however
01:00:13
under the subsection e that you see here
01:00:15
the AG may have the assistance of the
01:00:17
Vermont law and graduate school in
01:00:18
developing that education Outreach and
01:00:20
Assistance programs this was on the
01:00:22
basis that they I think want to do this
01:00:25
but I can't so much speak to that
01:00:27
piece and and again I think the
01:00:30
testimony throughout has been that the
01:00:32
AG has the capacity to engage in this
01:00:34
effort so I don't think that the removal
01:00:36
of ACD accd is a dramatic impact on
01:00:40
whether or not this is achievable I
01:00:41
think it's actually just aligning with
01:00:42
folks's actual intent like what they
01:00:44
want to
01:00:49
do good
01:00:52
um okay big changes in section three to
01:00:56
the data broker section this is
01:00:59
basically to accept essentially all of
01:01:01
the changes that Economic Development
01:01:03
made here um this is rolling
01:01:07
back I'll go through this to show what
01:01:10
happened
01:01:11
um
01:01:14
but the ultimate effect of the language
01:01:16
that you have here
01:01:18
is just to require additional civil
01:01:21
penalties and fees related to
01:01:24
registration and then to require one new
01:01:27
burden on data Brokers which is data
01:01:29
credentialing but does not include the
01:01:32
opt out language um that had been passed
01:01:34
out of here so and requires sorry also
01:01:38
notice a data broker security breach
01:01:39
which I think has been the kind of big
01:01:41
request all along from the AG's offices
01:01:43
to ensure that we capture notice of
01:01:45
these particular kinds of security
01:01:46
breaches so there are new substantive
01:01:48
Provisions if this act if this bill
01:01:51
passes there are new obligations imposed
01:01:53
on data Brokers by the section but we
01:01:55
are not rolling out um the individual
01:01:59
and general opt out pieces and the
01:02:01
reason for that
01:02:02
is one concession to Senate Economic
01:02:05
Development two folks's complaint um
01:02:08
that there's some tension between the
01:02:10
opt out in the data broker section and
01:02:12
the um language that's in the data
01:02:15
Privacy Act the ultimate place that that
01:02:18
landed was making the data broker
01:02:19
section look an awful lot like the pront
01:02:22
data privacy act at which point they
01:02:24
sort of become super
01:02:26
because if they're subject to the m data
01:02:27
Privacy Act they're already going to
01:02:29
have to comply with that so I have
01:02:31
another provision that does it um and
01:02:33
additionally from my perspective the
01:02:35
negotiation that was happening on the
01:02:37
optout piece was having substantive
01:02:40
effects on what was happening in the
01:02:41
Vermont data Privacy Act and I am
01:02:43
guessing that that was not the intent
01:02:45
was to allow the data broker negotiation
01:02:47
to drag down the data privacy act so
01:02:50
this is a a weighing of priorities as
01:02:53
well additionally given that you
01:02:56
prohibit the sell of sensitive selling
01:02:58
of sensitive data um that's a dramatic
01:03:01
impact on data Brokers and so I think
01:03:04
the changes that you made to the
01:03:05
controller obligations already has a
01:03:07
pretty dramatic impact
01:03:09
um for data Brokers you can see beyond
01:03:12
that data broker security breach uh
01:03:13
notice what's required
01:03:15
is these additional penalties for
01:03:18
failure to file information or emitting
01:03:20
required information or filing
01:03:22
materially false information this is uh
01:03:25
what you guys had accept one more
01:03:27
concession to Senate Economic
01:03:29
Development you guys had the penalties
01:03:32
um kick in after five business days and
01:03:35
what Senate Economic Development
01:03:36
proposed was after 30 business days so
01:03:38
significantly longer period given that
01:03:41
you are
01:03:42
including the substantive modifications
01:03:44
the prohibition on prohibiting selling
01:03:46
sensitive data in the data Privacy Act
01:03:48
and given that you have rolled
01:03:50
back uh
01:03:54
the there a choice for you guys but I
01:03:57
think if you're trying to make
01:03:58
concessions just in an economic
01:04:00
development to reflect a real compromise
01:04:01
here while you're still getting things
01:04:03
that you want I think that this is maybe
01:04:05
an easy one to do but it is worth saying
01:04:08
that those penalties wouldn't kick in
01:04:09
for failure for omission of required
01:04:11
information or for filing materially
01:04:13
incorrect information until a whole
01:04:15
month after that failure but I think
01:04:17
that I didn't understand anyone to be
01:04:19
taking objection to this particular
01:04:22
piece he that
01:04:29
I'll say I don't love it but I can be
01:04:30
okay with it is that
01:04:33
fair I mean the reality is once the
01:04:35
information is out there it's out there
01:04:37
and it's really hard to pull it back and
01:04:40
more damage can happen the longer it's
01:04:42
out there
01:04:43
but so to respond to that this is just
01:04:46
about registration pieces this is not
01:04:48
about um what data Brokers are actually
01:04:50
doing with your information this is if a
01:04:52
data broker emits required information
01:04:54
from their registration form or if they
01:04:56
file misleading information in the
01:04:58
registration form when do penalties for
01:05:00
those kinds of registration failures
01:05:02
kick in it's not about it's not related
01:05:04
to Consumers um except to the extent the
01:05:07
consumer is denied the information they
01:05:08
need by the registry essentially so this
01:05:12
this I don't think implicates those
01:05:14
concerns great thank you I appreciate
01:05:17
that
01:05:20
clarification so what what remains of
01:05:24
the
01:05:27
section we still have this credentialing
01:05:29
piece and what this is and I don't think
01:05:31
we ever really talked in substance about
01:05:33
this um so it was only recently that I
01:05:36
kind of realized the value ad of this
01:05:37
but maybe it's been apparent to you guys
01:05:39
all along um we focused so much on the
01:05:41
opt out we didn't talk much about this
01:05:43
particular
01:05:44
subsection this imposes on data Brokers
01:05:46
a requirement that they maintain
01:05:47
reasonable procedures to ensure that BPI
01:05:50
is used for legitimate purposes um
01:05:53
including requiring prospective users to
01:05:55
identify themselves certify the purposes
01:05:57
for which that information is sought and
01:05:59
certify that it won't be used for other
01:06:01
purposes that the data broker make
01:06:03
reasonable efforts to verify the
01:06:04
identity of new users and the uses
01:06:07
certified by those users prior to
01:06:09
Furnishing the information so this is
01:06:11
imposing obligations in advance of
01:06:12
turning over that information um and
01:06:14
requiring that data Brokers not furnish
01:06:16
the BPI if they have reasonable grounds
01:06:18
for believing that it will be not used
01:06:20
for a legitimate and legal purpose so
01:06:22
you can imagine if they have all kinds
01:06:24
of indications that
01:06:26
and it's like through the I don't know
01:06:28
exactly what the mechanism would be but
01:06:29
if they have strong indications that
01:06:31
someone is engaging in criminal Behavior
01:06:34
the like this would say you can't you're
01:06:35
prohibited from turning over that
01:06:37
information um so these are substance of
01:06:39
additions um but we don't have the opt
01:06:42
out pieces and previously there was an
01:06:45
exemption section in this section
01:06:47
2448 given that you have pulled back the
01:06:51
popped out we have eliminated the
01:06:54
exemptions I the exemptions to be a
01:06:56
request for exemption from the opt out
01:06:59
provisions and so in the absence of
01:07:00
those opt out Provisions I don't think
01:07:02
you need them anymore
01:07:06
um section four this is a data broker
01:07:09
study and this is tied to the removal of
01:07:11
that uh those opt out
01:07:14
pieces uh what this says is that the
01:07:16
Secretary of State on before January 1st
01:07:19
of next year shall in collaboration with
01:07:22
the with ads and the AG review and
01:07:24
report findings and recommendations to
01:07:26
Committees of jurisdiction um concerning
01:07:28
mechanisms for for my consumers to opt
01:07:30
out of the collection retention and sale
01:07:32
of broker personal information basically
01:07:34
this is a study to look at the previous
01:07:36
language that was in the section that
01:07:37
has now been pulled out um because some
01:07:39
of the testimony that's been purchased
01:07:40
at the secretary of state would not have
01:07:42
capacity to implement the general opt
01:07:43
out and if that's the case the opt out
01:07:47
section doesn't get you very far an
01:07:48
individual opt out is unlikely to be
01:07:50
particularly effective with data Brokers
01:07:52
because there is no direct relationship
01:07:54
between the consumer and the data broker
01:07:56
you really need the general opt out is
01:07:58
my understanding to achieve anything
01:08:00
with data Brokers and so this is a way
01:08:02
of gathering data and coming back with a
01:08:04
plan with the Secretary of State who
01:08:06
will be the one in position to say
01:08:09
whether or not essentially this is
01:08:10
achievable and what it would take to do
01:08:11
that so that's what the study is meant
01:08:12
to do they'll have to include um they'll
01:08:16
have to look to that individual opt out
01:08:18
um they have to consider rules
01:08:20
procedures and framework for
01:08:21
implementing the this is essentially the
01:08:23
general opt out the accessible deletion
01:08:25
mechanism that California is
01:08:27
offering um how to design and Implement
01:08:29
that state facilitated General optout
01:08:31
operational cost mitigation of security
01:08:33
risks which we understand is a large
01:08:35
portion of the cost that would be
01:08:37
incurred and other relevant
01:08:40
considerations uh section five so now
01:08:43
we're jumping into what you're going to
01:08:45
see is duplicative sections of pieces
01:08:46
before and these are sunsets of previous
01:08:49
Provisions so I'll walk through those
01:08:51
section five is a part of your tiered
01:08:53
roll out of the applicability threat
01:08:55
thresholds so um the first threshold is
01:08:59
going to come into effect when the ACT
01:09:00
comes into effect in 2025 so J uh July
01:09:03
1st 2025 this Section 5 would not go
01:09:06
into effect until a year later in 2026
01:09:08
and this is lowering the thresholds from
01:09:11
25k to
01:09:12
12.5k and then for the gross revenue
01:09:15
piece if a business has controlled to
01:09:17
process personal data of not fewer than
01:09:18
6250 consumers 6250 consumers and derive
01:09:22
more than 20% of first Revenue so that's
01:09:24
for your 2026 a middle step in your
01:09:27
applicability threshold so a step down
01:09:30
um where and where is the the the date
01:09:32
where are the dates they'll come at the
01:09:34
very end okay thanks good um the next
01:09:37
section you see section six this is
01:09:39
stepping down again and this is for
01:09:42
2027 um so you're going from those new
01:09:44
thresholds that we just walked through
01:09:46
to half of those um 6,250 consumers and
01:09:50
for your gross revenue piece
01:09:52
3,125 this is basically ending up in
01:09:55
2027 with the thresholds that you guys
01:09:58
had proposed starting with and just to
01:10:01
call out again the thresholds that you
01:10:03
proposed starting with in July 1 2025
01:10:05
that 25k threshold is what Senate
01:10:08
Economic Development has so you can see
01:10:10
this as in a way stepping starting with
01:10:13
what Senate Economic Development has
01:10:14
proposed for thresholds with some
01:10:16
modifications and then stepping down
01:10:18
over the course of two years to um the
01:10:21
thresholds that you guys had proposed on
01:10:22
this side
01:10:26
section seven this is another sunsetting
01:10:28
provision for the enforcement pieces so
01:10:31
the roll out first in July 1 2025 is for
01:10:35
Reliance on the Consumer Fraud statutes
01:10:37
meaning both AG enforcement and the
01:10:39
underlying private right of action and
01:10:41
then uh what this does is it removes the
01:10:44
Cure period um so when we start we're
01:10:48
going to have a cure period permissible
01:10:50
for AG
01:10:51
action that's what you see in subsection
01:10:53
C and we're going to have reporting from
01:10:55
the AG on that curing after 18 months so
01:10:59
this would come into effect January 1 of
01:11:03
uh
01:11:06
2027
01:11:10
um yes I need to check that I think I've
01:11:14
done this yep I'll need to check this
01:11:16
piece uh this will be after 18 months
01:11:20
this will be
01:11:22
removed and then in 20
01:11:26
20
01:11:29
see on July 1
01:11:32
2026 the private right of action in
01:11:35
statute uh so not Reliance on the
01:11:37
underlying statute but
01:11:40
and a specific developed private right
01:11:43
of action would be made available in
01:11:45
July 1 2026 let me walk through what
01:11:47
this does this is you already have the
01:11:50
underlying private R of action in the
01:11:52
Consumer Fraud statutes this is and and
01:11:54
what's important to call out about that
01:11:56
is the underlying right doesn't
01:11:58
contemplate statutory damages it
01:12:00
contemplates actual damages meaning the
01:12:02
folks need to prove their damages under
01:12:04
the underlying right if you have
01:12:06
statutory damages meaning that someone
01:12:07
can seek something like the greater of a
01:12:09
thousand or actual damages it means that
01:12:11
a consumer has more incentive to go to
01:12:12
court to enforce their rights so what
01:12:14
this private right of action coming into
01:12:16
effect in July 1 2026 would do is
01:12:20
to make statutory damages available so
01:12:23
folks could know that they're going to
01:12:24
get the Thousand if they win their case
01:12:27
um that or the or the actual damages but
01:12:30
to call out what you see here in C the P
01:12:33
would only be available for specific
01:12:34
kinds of violations and this is
01:12:37
reflecting the approach that Senate
01:12:38
Health and Welfare is taking which is a
01:12:40
consumer who is harmed by violations of
01:12:42
subdivisions 2419 B2 2419 B3 or section
01:12:46
2428 may bring in action for that
01:12:48
alleged violation so 2419 B2 is
01:12:51
processing sensitive data without
01:12:53
consent so if there's a violation of app
01:12:55
which is a big bucket that includes
01:12:56
things like Health Data biometric data
01:12:58
and the like or if there's a violation
01:13:00
of 2419 B3 which is uh selling sensitive
01:13:03
data or section 2428 which is your
01:13:07
consumer health data specific section
01:13:08
which is things like the prohibition on
01:13:10
geofencing violations for any of those
01:13:12
sections would trigger this private
01:13:14
right of would make this private right
01:13:15
of action available with statutory
01:13:17
damages um and that would be available
01:13:21
if the consumer notifies the consumer
01:13:23
the the business of that violation and
01:13:26
then within 60 days following receive of
01:13:27
the notice the business fails to cure
01:13:29
the violation or we're talking about a
01:13:31
situation where no cure is possible like
01:13:33
prohibitions on geofencing you may not
01:13:35
be able to cure that um and here's this
01:13:38
is the same language that you guys had
01:13:39
in the language that you passed out so
01:13:40
this is the statutory damages that I was
01:13:42
talking about the greater of a thousand
01:13:43
or actual damages and then a requirement
01:13:46
for a report on disclosure of those
01:13:50
pieces uh finally section nine is
01:13:53
rolling back this private right of
01:13:54
action after 3 years so this would
01:13:56
eliminate it after data collection could
01:13:58
happen and we could see what the effects
01:13:59
of it are so in
01:14:01
2029 that statutory damages private R
01:14:05
action would go away um I'm going to try
01:14:07
to just wrap up because I know Rick
01:14:08
needs to hop in the seat uh this is your
01:14:10
effective date section I will go through
01:14:12
this again when I go back to my office
01:14:14
because I think the Cure period phase
01:14:16
out may need one more year but I will
01:14:19
check that and uh if you have anything
01:14:21
please email me or I'm happy to answer
01:14:23
it now but do want to let Rick hop in
01:14:25
the chair if I can
01:14:27
okay thanks so much just fling uh
01:14:31
sometimes when we do these uh kind of um
01:14:34
you know like we're establishing the
01:14:35
private right of action and then we're
01:14:37
getting rid of it you know with
01:14:39
different effective bids we have like a
01:14:41
report back yes are we did I miss that
01:14:45
we're doing a report for the for the pr
01:14:47
here we're doing annually owner report
01:14:49
to submit a report disclosing number of
01:14:51
actions number of violations broken down
01:14:53
by statutory basis proportion proceeding
01:14:55
to trial most frequent violators um any
01:14:58
other matters STS relevant
01:15:00
yep what I'm sorry what's the date on
01:15:02
the report that would be an so once that
01:15:04
comes into effect which it comes into
01:15:06
effect July 1 2026 it's annually on oner
01:15:08
before February 1st so the first report
01:15:10
you would get is February 1st 2027 and
01:15:13
you would receive that until this is
01:15:14
phased out in
01:15:18
2029
01:15:20
perect thank you so much joh really
01:15:22
appreciate all your work on this
01:15:27
terrific I will uh drop the 4 C piece
01:15:30
that was intention and I will confirm
01:15:32
the Cure fiod phe out okay I can be back
01:15:35
with that later
01:15:36
today right thank you see you guys
01:15:40
appreciate okay so um
01:15:44
does I kind of feel like we should keep
01:15:46
plotting along if anyone needs to take a
01:15:47
break go ahead and um would I take a
01:15:50
five minute break yeah May let's take a
01:15:52
five minute break then

タグ

confidentialité des données
données biométriques
mineurs
vente de données
ciblage publicitaire
courtiers en données
droit privé d'action
législation
consentement
protection des consommateurs