Serious Privacy

The Big U.S. State Law Overview (with Joanne Furtsch)

December 17, 2023 Paul Breitbarth and dr. K Royal Season 4 Episode 45
The Big U.S. State Law Overview (with Joanne Furtsch)
Serious Privacy
More Info
Serious Privacy
The Big U.S. State Law Overview (with Joanne Furtsch)
Dec 17, 2023 Season 4 Episode 45
Paul Breitbarth and dr. K Royal

You have been promised this episode for months, but finally at the end of the year, on this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal give you an overview of the U.S. State Law developments in 2023. What are the most important parts to understand State consumer privacy laws and how do you comply with them? Luckily, Paul and K don’t have to do this all by themselves, but they can rely upon the expertise of Joanne Furtsch, VP Privacy Knowledge at TrustArc

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Show Notes Transcript

You have been promised this episode for months, but finally at the end of the year, on this week of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal give you an overview of the U.S. State Law developments in 2023. What are the most important parts to understand State consumer privacy laws and how do you comply with them? Luckily, Paul and K don’t have to do this all by themselves, but they can rely upon the expertise of Joanne Furtsch, VP Privacy Knowledge at TrustArc

If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

Please note that this is largely an automated transcript. For accuracy, listen to the audio.

[00:00:00] Paul Breitbarth: 

K has been promising you this episode since Easter or thereabouts, but right at the end of the year, there you have it. Today is all about the U. S. state legislative developments in privacy and data protection. We still have not seen major movement on the federal stage, but at the state level, a lot has happened in 23.

New drafts, new adopted laws, new regulatory guidelines, you name it. And we don't have to discuss this topic with just the two of us, because our sponsor TrustArc was so kind to lend us one of their own to join us. Joanne Furch has been with TrustArc, and previously with Trustee, since 2007, believe it or not, and currently serves as Vice President of Privacy Knowledge.

Chili's Trustarc combined privacy intelligence and research teams, which also includes the former NMDII team, based out of Toronto. My name is Paul Breitbart.

[00:01:01] K Royal: And I'm K Royal and welcome to Serious Privacy.

[00:01:05] Paul Breitbarth: K, were you counting on your hands there?

[00:01:08] K Royal: I was because she's been there over 20 years.

[00:01:12] Joanne Furtsch: Yes actually started in 1999.

[00:01:15] K Royal: That's what I thought.

[00:01:17] Joanne Furtsch: yeah, the LinkedIn profile cut it off in 2007. 

[00:01:21] Paul Breitbarth: Even longer. It's almost 25

[00:01:23] Joanne Furtsch: than necessary, but,

[00:01:25] K Royal: She's the longest running employee there. She's been there almost since it first started. I think it started in 98, right? And you joined in

[00:01:32] Joanne Furtsch: 90, I, it started in 97 and I joined in 99.

Yeah, we were

[00:01:38] Paul Breitbarth: in the Netherlands, in the Houses of Parliament, if you work there for 25 years, you get a special silver statuette when you reach the 25 year mark. So I'm very curious what Trust Ark has in store for you for the 25 years, Joanne.

[00:01:54] K Royal: We're going to get her a

[00:01:54] Joanne Furtsch: know.

[00:01:58] K Royal: We'll get her a Serious Privacy bobblehead. There we go. But no. OK. So unexpected question. Should be. Who's the longest running person at TrustArc, you know. No, let's go with, since we're on state laws, let's go with unexpected question. Which state passing, not passing, or considering state laws surprised you the most?

[00:02:21] Joanne Furtsch: Surpris me the most. I Think on the passing side it would be


[00:02:35] K Royal: OK. OK.

[00:02:36] Joanne Furtsch: and one that has not passed would be New York.

[00:02:40] K Royal: Yeah. Right.

OK. Paul, what about you? Any surprises?

[00:02:47] Paul Breitbarth: mean, this is, this is really your domain and not mine, but I think in, in, in not passing I would have to say Washington State because that has been so advanced for so many times and then still not making it to, to the final mark that really surprised me. Making it, I was probably surprised that Utah was so early on.

And I don't know why, that's probably because us Europeans have no appreciation or no understanding of Utah.

[00:03:15] K Royal: Hmm.

It's not big on the European radar, is that what you're saying?

[00:03:21] Paul Breitbarth: No, no, not really. I mean, Europe is focused on the East Coast, California, Texas, and Florida. Yeah, I mean, Florida is East Coast, so basically that.

[00:03:30] K Royal: Yeah, I'll say for not passing, Washington is one that keeps proposing it is not passed. The one that hasn't really entered the fray that I've been surprised at no motion is Massachusetts. Because they had, you know, what is it? 17, whatever it is that they had the security law that's been on the books for decades now.

So I would imagine that they would have had something a lot sooner than this and they keep pending. I will say Mississippi surprised me that it was a fast runner in the privacy law. Still didn't pass it. That part didn't surprise me. But the fact that it was a long standing contender surprised me. As for passing them No, I don't think any of, maybe when Montana passed, I was like, huh, interesting.

That was about it. So let's move with that. Let's move straight into it. So I've taken lots and lots of notes. Joanne has lots and lots of notes, as well as I saw TrustArc released a a resource on it as well. So we'll make sure to link to that, but let's go through some of the states. How would you like to do this, Joanne?

State by state, or maybe give some commonalities cause there's a lot of commonalities now across the, all the states. So there are eight states that pass laws. In 2023, they come into effect in various stages of 24, 25, and 26. So we'll point those out when they get here, but there are some very much some commonalities coming out.

[00:05:01] Joanne Furtsch: Yeah, on the comprehensive consumer side of the laws and looking at commonalities across the individual, right? And one of the things I first looked at when I, you know, start reviewing these, I go immediately. How are they defining the sale of data? OK.

[00:05:24] K Royal: Yes. Me too. Me too.

[00:05:26] Joanne Furtsch: because

[00:05:27] K Royal: them here.

[00:05:29] Joanne Furtsch: California, you know, it includes both, you know, monetary and other valuable consideration.

And then when the second law came out, which I believe was Virginia, it just focused on the monetary consideration. So it's like, oh, oK, we're going to have two different. definitions or schools of definitions on the sales data. And so looking at, you know, I think more states are going the California route and how they're defining it because they do realize that it's not just the monetary component.

You know, there's other considerations that organizations get, especially in the advertising side or tracking side of things and uh, realizing, you know, consumers really need choice and control over that, that piece as well.

[00:06:25] K Royal: they do. They do. And so I'll say of the new ones, Iowa, Tennessee, and Indiana have the traditional definition of sale for monetary consideration, Montana, Texas, Delaware, Florida, Oregon. have the monetary or other valuable consideration. A couple of them in there actually have definitions of share as well.

But I will say Florida in their digital bill of rights really surprised me. Hold on, let me pull this up. This is Florida. Let me pull up the actual word in their definition of sale. It's not just selling or other value, money or other valuable consideration. It means to sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally in writing or by electronic or other means.

This one is specifically to a child. A child's personal information or information that relates to a group or category of children by an online platform. So,

there's controlling the online social media for government moderation. But very much a very extensive definition,

[00:07:39] Joanne Furtsch: That is very extensive and probably, you know. Trying to address you know, some of the trends that we're seeing on the state privacy laws, um, you know, because not just, you know, what states are doing is not just limited to the comprehensive laws, but also if you're looking look at you know, Nevada and what Washington did with their My Health My Data Act, even Is addressing, you know, expanding what is meant by consumer health data.

Then you have the children's information, which arose out of, you know, COVID and concerns around the mental health. So, I think that's where Florida was going with their definition.

[00:08:30] K Royal: It is because their, their main law that they passed, not the digital rights. So I missed, misstated that one, but their main law that they passed, which is mainly the online portion of it. I don't know if they have a name for it, but it has a very, very high threshold. So you really can't consider it a comprehensive privacy Consumer Privacy Act because it is essentially the social media part is related to government directed content moderation of social media platforms.

And then the other part is related to companies that you have to hit the 1 billion mark in order to be triggered by it. Now that's for the, the, the social media and everything there and the protecting the children. But then when you come down to their digital rights act, it is a little bit more broad.

And it isn't just for those who hit the 1 billion mark. It's basically you do business in Florida and you collect data. Then it's triggered. However, the things that you have to do as it goes into more details makes it clear. It's not just all companies that have to do it. So Florida took quite an interesting tactic when it came to it, but very much looks like it's trying to protect people online or the government moderation of online social media.

[00:09:49] Paul Breitbarth: And yet, Florida is not marked as a comprehensive

[00:09:52] K Royal: No,

[00:09:53] Paul Breitbarth: on all the visuals that we see. Is that

[00:09:56] K Royal: not. They usually say there's seven or eight and Florida is that eight because their, their digital rights act bill of rights actually is pretty comprehensive when you look at consumer rights. But yeah, it's not quite this old.

[00:10:12] Joanne Furtsch: The scopes narrower, where I think the others.

Take broader view of,

[00:10:20] K Royal: it is very much so. I was looking to see if I misspoke and it is the digital rights act is the one billion. I'll look at that and I'll correct it if it's not. But I was surprised at a portion of it today when it said it applied and then the 1 billion mark is brought up somewhere else. It might be in the definition.

OK. Yes. The 1 billion is in the definition of controller. You have to make an excess of 1 billion. So the digital rights act still is. Less comprehensive because it only applies to some companies. I'll correct my statement on that one later. You can tell I read a lot of it in the past couple hours.

But that's why paul and I have previously said that yes, sometimes you can include florida And sometimes you can't is it a privacy act? Yes. Does it have rights? Yes But it only applies to those 1 billion or more. It makes it a little issue a little nuance there however in the definition of children So I was pleased that when it comes to the original five states.

that some of them go to the COPPA definition. They say child is defined as it's defined in COPPA, which means if COPPA's age goes up, that law automatically goes up. No, no. For most of the others, they went with under 13. However, if you comply with COPPA, then your authentication processes are deemed to comply with the privacy law.

However, the definition Did not go with the COPPA definition. It went with under 13. So if COPPA changes, these laws do not automatically change with them. But Florida, oh wait, no, Florida had to go with under 18.

[00:11:50] Joanne Furtsch: Oh,

[00:11:52] K Royal: Right? It's like, oK. And then there was one state that at least came up with, it also included the special acts for targeted 13 to 15 years old. Which is Montana, which I was pleased to see that I don't think the others did but the one part and Paul and I have Talked about this several times There are several states here that is not the no data from a known child It is the child's personal data.

So they don't say whether it's from a child or own a child They say it's the child's personal data. I love

[00:12:28] Joanne Furtsch: which could be.

Yeah, but

[00:12:31] K Royal: ahead.

[00:12:32] Joanne Furtsch: personal data could be entered by an adult.

[00:12:35] K Royal: Yes. And exactly. And that's been a sore point with me that they're only protecting data from a child, which it could be anybody else sharing that child's data online, which could be just as damaging. But the personal data of a known child is in both Delaware and Oregon. I was very pleased to see that.

I'm quite sure I single handedly influenced that piece of legislation all by myself. Right.

[00:13:00] Joanne Furtsch: well, which is going to be a really interesting and how that works with. Kappa, which focuses on the collection directly from a child and then.

[00:13:12] K Royal: Yeah.

[00:13:13] Joanne Furtsch: But the challenge with COPPA and focusing on collecting directly from a child raises a whole other set of challenges, as you know, with, well, how do you know you're collecting from a child?

And then, you know,

[00:13:27] K Royal: Yeah, how do you know that that person is actually a child? I mean, that's the biggest thing. They seem to focus on the fact that they want par parental permission to actually have that child on their platform, but then they don't actually have measures to make sure that that is a child on their platform.

I'll give a shout out here to out school that I worked with that they actually do that. They go through some processes where they need to make sure that the person who is using the services is actually a child,

which I think is pretty cool.

So let's see, what else do we have here? OK. Very standard.

I've noticed we've gone to 45 days. to respond with an additional 45 days for a lengthy need and requiring an appeal, an appeal process. That's in all eight of the new states. I'm going to roll Florida in there. That's in all eight of them that you have the 45 days to respond. One of the other things that I've noticed in these part of tract They all require data protection assessments or data protection impact assessments, however you want to call it.

They all of course have the contract between the controller and processor and they all use the language controller and processor. They all pretty much say it does not apply to data in a commercial context or in a uh, employment context. So no B2B and no. No employment related doesn't apply to. So those are becoming standards.

I enjoy that. Now here's an interesting part, and I'm pretty sure you picked up on this as well. The pseudonymous data rules.

So they, if they, a lot of them, and I could probably pick out which ones here for you say that pseudonymous data is personal data, but de identified and publicly available data are not personal data.

And so a lot of them are rolling pseudonymous into personal data because the company usually retains the ability to re identify them

[00:15:25] Joanne Furtsch: which would make sense, you know, if it can be tied back to the individual, then it becomes personal data.

And really that,

[00:15:36] K Royal: Go ahead.

[00:15:37] Joanne Furtsch: yeah, so that is also the key concept that they're trying to address. It's not only, you know, is the data by itself personally identifiable, but are you able to tie

[00:15:50] K Royal: Yep.

[00:15:51] Joanne Furtsch: back to an individual?


[00:15:53] K Royal: Yep.

[00:15:53] Joanne Furtsch: what makes it identifiable.

[00:15:56] K Royal: And some of them do talk about aggregate data but it's not as big of a piece of conversation as the de identified and the pseudonymous. I will say that under the de identified there are usually rules. You have to keep policies or procedures where you're not re identifying the data, you don't have a key, this, that, the other.

So do make sure that if you think you're using Deidentified data that you're following the rules that you need to follow to make sure you can consider it. Deidentified data.

[00:16:26] Joanne Furtsch: Yeah, and if you're sharing that de identified data with a vendor, or you're a vendor that's receiving it there needs to be the mechanisms in place to ensure that you're not able to go back and re identify that

[00:16:41] K Royal: Exactly.

[00:16:43] Joanne Furtsch: including contractual

[00:16:45] K Royal: Yep.

Contractual that they will not try to re identify the data. And what I've seen in contracts being on the company side now is language that says that you cannot combine the data with any other data you get from another source, which is usually around the, the blending of data, the mixing of data, as opposed to the trying to re identify, but that not combining it with data you get from another source actually does help keep the re identification under control as well.

So I think that's really cool. And Paul, you were about to ask a question.

[00:17:18] Paul Breitbarth: yeah, I mean, I heard you,

[00:17:20] Joanne Furtsch: chime in.

[00:17:21] Paul Breitbarth: I heard you say something about publicly available data being excluded from definitions. Can you define public available data?

[00:17:31] K Royal: they do. Most of the time they do go in here and define, let me,

[00:17:35] Paul Breitbarth: Would that include social network sites?

[00:17:38] K Royal: one of them actually does include social network sites. It's interesting. I'll see if I took notes on which one that is. I'll look at it, but let me see publicly available information. I am looking at Florida right now. which is a pretty common definition.

Information lawfully made available through government records or information that a business has a reasonable basis for believing is lawfully made available to the general public through widely distributed media by a consumer or by a person to whom a consumer has disclosed the information unless that consumer has restricted the information to a specific audience.

[00:18:17] Paul Breitbarth: OK, so that is the call for everybody to put their social network sites to a non public profile because otherwise it can be

[00:18:26] K Royal: Yeah. Like

[00:18:26] Paul Breitbarth: be used

[00:18:27] K Royal: the former Twitter X never had a way to restrict it. Exactly. I'm looking to see, I'm looking at another one now.

[00:18:35] Paul Breitbarth: Well, I mainly I'm mainly thinking about the the LinkedIn data scraping discussions that we've been having for a long time And this seems to open up That that data could legally be used

Because it would be considered as publicly available.

[00:18:52] Joanne Furtsch: Yeah. And that has popped up again recently is

[00:18:58] K Royal: OK, here is another. This is under, do do do do, who is it under? I don't even know who I'm looking at.

It doesn't even have, it's engrossed hold on, it's like the last one I did, so it's either Oregon, oh, no, it's Delaware. OK, so in Delaware, they have publicly available information, is information that's lawfully made available through federal, state, or local government records. or information that a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.

That is the more common definition.

And so LinkedIn wouldn't be publicly available because you have to be linked to a person in order for them to see certain things about you

[00:19:49] Paul Breitbarth: I think that depends on the settings of your, to the

[00:19:52] K Royal: Yeah,

[00:19:53] Paul Breitbarth: your profile.

[00:19:54] K Royal: yeah it is.

So let's see, I think this one is Texas. And I wanted to go to Texas because I know they usually do things a little different.

Texas has,

[00:20:09] Paul Breitbarth: of Texas.

[00:20:10] K Royal: right?

I always go back to Miss Kijini Allis. Miss Texas!

OK. Publicly available information means information that is lawfully made available through government records or information. that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media by a consumer or by a person to whom a consumer has disclosed the information unless the consumer has restricted the information to a specific audience.

[00:20:40] Joanne Furtsch: So that gets to your social media profile

[00:20:43] K Royal: Exactly. So it goes through that. So it's, it's really interesting how they do it. So I picked out a couple of other things. Something I'm seeing not uncommon is that the companies trying to contract around specific requirements or actions is against public interest and is default not permitted.

[00:21:02] Joanne Furtsch: Yep.

The one thing.

[00:21:06] K Royal: periods we're seeing.

Iowa has a 90 day cure period. So

[00:21:11] Joanne Furtsch: Oh, and they're proposed. Yeah. The other thing that I like about the Iowa bill, and I think it builds upon what Tennessee was trying to do is, you know, the inference of that you need a privacy program in place,

and that, you know, it is a way to show accountability and easily demonstrate, you know, your compliance where,

[00:21:38] K Royal: Well, one of them. Actually, is this Tennessee? Is that the one you were just mentioning?

[00:21:42] Joanne Furtsch: yeah, Tennessee,

[00:21:45] K Royal: Volunteer Privacy Program, so they can voluntarily offer to comply with the law as long as their privacy program follows the NIST.

[00:21:55] Joanne Furtsch: or or APEC CDPR, and in Ohio, they do also call out The NIST privacy framework that, you know, you need to follow that if you are setting a privacy program and they get a little bit more into what that comprises of where Tennessee took a more broader approach of if you. You know, stand up that program, it should align with either the

[00:22:25] K Royal: yes.

[00:22:25] Joanne Furtsch: framework or the APEC CDPR,

[00:22:28] K Royal: I'm looking for the actual language now, because I know I wrote it down. It, it, let me see, it is 47 1832. 13 in the, in the bill portion. So once they passed, I don't know, but I think they leave the same numbers in place in Tennessee. Here we go. Affirmative defense, a voluntary privacy program. So It is

a controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that reasonably conforms to the National Institute of Standards Privacy Framework entitled A Tool for Improving Privacy Through Enterprise Risk Management Version 1.

0 1. 0 or other documented policy standards or procedures designed to safeguard consumer privacy and is updated to reasonably conform with the subsequent revision to the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or comparable privacy framework and provides a person with the substantive rights required by this.

[00:23:49] Paul Breitbarth: And then they say European legislation is unreadable.

This is an impossible sentence to understand.

[00:23:59] K Royal: They do. They go down and say the scale and the scale and scope is appropriate if based on the size and complexity, the nature and scope of their activities, the sensitivity of the data, the cost and availability of tools, compliance with comparable state laws. And then importantly, section C says, in addition to those, a controller may be certified pursuant to the Asia Pacific Economic Cooperation's cross border privacy rule system.

[00:24:24] Joanne Furtsch: yes,

[00:24:25] Paul Breitbarth: And does

[00:24:26] K Royal: And a processor may also be certified in the sub certifications may be considered in addition to the factors in B. And so very, very much specifically recognizes as Paul and I were discussing in one of our recent episodes, we're not hearing anything about CBPRs anymore. Nobody's talking about them.

Well, Tennessee is going to talk about them.

[00:24:44] Paul Breitbarth: Well, but does Tennessee also recognize the global CBPRs then? Or is it just the APEC CBPRs?

[00:24:50] K Royal: just says

[00:24:51] Joanne Furtsch: I, I, that's it.

Yeah, so when it shifts over to the global, they're going to need to make an update,

[00:25:01] K Royal: right? We're going to

[00:25:02] Joanne Furtsch: but

[00:25:03] Paul Breitbarth: not regulate those things in your legislation, but do it in implementing guidelines because then you're much more flexible.

[00:25:10] K Royal: Well,

[00:25:10] Joanne Furtsch: so, you know, I think it raises a really interesting point is, you know, the role of certification, how it can help companies

[00:25:18] K Royal: write

[00:25:19] Joanne Furtsch: comply with these different laws, you know, because

[00:25:24] Paul Breitbarth: Yeah, let's talk, let's talk a bit about compliance because I hear a lot of similarities between all these laws, but I also hear both of you say, Oh yeah, but here are this, the detail is slightly different. Here, the definition is slightly different. How in the world should a company that is active in 50 states comply with all of these different ifs and buts?

[00:25:46] Joanne Furtsch: Oh, we do have our lovely network of breach notifications set the way.

[00:25:54] Paul Breitbarth: Well, I mean, there I have a tool where I can look up whether I need to report in whatever state under which definition.

[00:26:00] Joanne Furtsch: Well, but that's the reason why privacy management software is going to be so critical.

[00:26:06] K Royal: is.

[00:26:07] Joanne Furtsch: It really is. I mean, you know, as you said, you know, the, the, the core basic requirements that you get down to the core principles of what they're addressing. They're the same across states. It's just that, you know, one state may have you know, a specific disclosure they may want in your privacy notice, but the overall requirement is you need to have a comprehensive privacy notice needs to be easily accessible and also clear and easily understandable by you.

Your consumers. Also, you have a blanket set of individual rights

[00:26:49] K Royal: Yeah, pretty much standard for rights. You got to protect sensitive data. Now each one of them includes a definition of sensitive data. The definition is pretty standard there. Although I will say some of these laws get really ridiculous in this doesn't apply to Or this doesn't this does not require a controller to do the following.

And some of them go down 20 something lists of things they're not required to do, or they, it's not required to make them do certain things. So the exceptions and the exemptions are something that would drive a European insane. 

 so I was really I don't know if I was taken aback, shocked, or pleased, but I do see some states are actually defining, quote, decisions that produce legal or similarly significant effects concerning the consumer. And you wouldn't think you would have to define that, but there are some states laws that are defining that.

I was thinking of Montana in particular, but some of the others have it as well. So, decisions that produce legal or similarly significant effects concerning the consumer means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education, enrollment, or opportunity.

criminal justice, employment opportunities, healthcare services or access to necessities such as food and water. Who would have thought you needed to define that?

[00:28:19] Joanne Furtsch: yeah, it's amazing what they have to define, but you know, it also aligns with the direction that California has taken with its automated decision making regulations, you know, that they're in the process of drafting and kind of take a more, especially addressing, you know, some of the risks related to, oh, wait, we can't have a privacy thing these days without mentioning AI.

[00:28:46] K Royal: Yeah. Right. So it's, it's really fascinating what we've what we've come to with these. And like I said, most of these go into effect across 24 and 25. There's some in 26, one piece of the Florida's already went into effect this year. But that's the government moderation of social media platforms, I believe.

So it was really interesting. Was there anything else that you noted that stood out to you of any, either these consumer privacy laws or any of the others that passed that stood out to you?

[00:29:17] Joanne Furtsch: Yeah you know, going back to you know, the trends looking at, uh, the different, though, none of these have really passed, but they are looking at other ways of how the current laws apply to AI and really looking at automated decisioning, profiling, looking at the definitions of profiling across the different states and how the individual rights and transparency requirements are applied in those particular cases.

And I think, you know, in addition to seeing specific bills coming out around that, I think we're going to see more and more interpretation of regulations coming out around how do these requirements apply to when you're using AI.

And so I, I think that is the other key trend. And I think, you know, we'll continue to see more evolve around children's privacy.


[00:30:22] K Royal: I think that one's going to be really big because not only has the U. S. not really had a definition of sensitive data until these omnibus privacy laws started, but now every single one of them is rolling in data. From a known child or these more recent ones data a child's personal data I think I wrote down exactly how they they're they're calling it is a child's personal data or is Personal data of a known child

[00:30:52] Joanne Furtsch: yeah, and I think that definition is gonna play a critical role as you think about using profiling data You know, children, you know, in that, and especially also in your AI sets as you're training the AI, how do you you know, use a data about a child or collected from a child in that, and so I think the, how that's defined to your earlier point K is really going to play a role in how the, we Think about not only children's privacy, but you know how AI impacts that as well.

[00:31:31] K Royal: It is and I think one of the things to Paul's question about how can a company hope to meet these? Requirements you try to get a program that in general meets all the requirements and if it's something really unusual maybe you do make an exception for it, but you try your best not to have an exception based framework that you're working from.

I will say it does offer complications when you're working with clients in different geographical regions. Because if you write a, I don't want to call it a generic DPA, but if you write a generic DPA where you list data protection laws under applicable laws or whatever, and you list out some regions as examples, they will sometimes come through and change your generic definitions that are designed to meet the requirements of all the laws you're subject to and change it to their specific country laws.

[00:32:27] Joanne Furtsch: Oh yeah,

[00:32:27] Paul Breitbarth: No, I mean that's that's fair and in general multinationals will be used to dealing with multiple laws at the same time and they maybe have been a little spoiled by having one law for for 29 30 31 countries in the european union now for a long time European economic area for a long time that are that are the same and where you don't need to pay too much attention to national implementations.

But it's not only that the material provisions in the U. S. vary so, so massively but also the scope of application is so different. All these thresholds that you need to monitor on a state by state level, do I already meet the threshold for compliance? Is of course. For a lot of companies going to be really difficult.

And then you can argue, oK, but then just build your program as if the law would apply to you. But for all the reporting obligations and for all the statements that you need to make it can be fairly difficult.

[00:33:28] K Royal: And most of them exempt all the federal laws in the U S this doesn't apply. If HIPAA applies to you or GLB applies to you or FERPA applies to you or whatever applies to you. I don't see any exemptions for GDPR.

[00:33:44] Paul Breitbarth: Obviously not, because that's not a U. S. law.

[00:33:47] K Royal: Well, but, but you have a voluntary privacy program if you adhere to the CBPRs, which I suppose the U. S. is a signatory to, so that might be

[00:33:55] Paul Breitbarth: Well, that's a big difference. I mean, recognizing the GDPR as part of your compliance program would mean that the U. S. would say, or U. S. state would say, Oh, we recognize another Supreme Overlord a couple of thousand miles away. And

[00:34:11] K Royal: Tell us how you feel about the U. S. arrogance there, Paul.

[00:34:14] Paul Breitbarth: I mean, although some some Americans may actually would like to join the European Union, depending on the outcomes of your next presidential

[00:34:23] Joanne Furtsch: I don't know, Paula, you may have an influx of us after 2020.

[00:34:27] Paul Breitbarth: exactly. So, but no, without kidding, obviously, it would be strange for the US to recognize the GDPR as, as a standard for compliance, because it's a foreign law.

[00:34:40] K Royal: but is it wrong?

[00:34:42] Paul Breitbarth: Yes, as a constitutionalist, I would say it's also wrong.

[00:34:46] Joanne Furtsch: you

know, look at California, you know, we're, you know, the state, you know, could potentially get its own adequacy determination of EU. So, it's, it's

[00:35:00] Paul Breitbarth: able to get their own adequacy determination in the EU. I, I, I still don't believe that that will happen.

[00:35:08] Joanne Furtsch: it's not for lack of trying.

[00:35:11] Paul Breitbarth: No, well, at least they have the Dubai Financial Center already

[00:35:14] K Royal: Right.

And at some point, they're going to have a massive earthquake that's going to separate California from the rest of the U. S., and I don't think it's going to put them in the ocean. Right. I think they're just going to split off and be their own island, like Great Britain. And, and see how that works.

But who knows? They may secede from the Union one day. Who knows? Most everybody outside the U. S., I think California, thinks California and Texas are their own countries anyway.

[00:35:45] Paul Breitbarth: So is it strange to say that this Despite the fact that there is a lot of alignment between these laws and that it should be possible to comply with them, that it would be desirable to have some overarching federal

[00:36:01] K Royal: it would be.

[00:36:02] Paul Breitbarth: harmonize all of this?

[00:36:04] K Royal: It would be. And it looks like some areas are going towards that direction

[00:36:09] Joanne Furtsch: Yeah, just speaking of our favorite state of California. Really. Has concerns around preemptions of the protections that they've put in place. So that,

[00:36:20] K Royal: states are worried about private right of action

[00:36:23] Joanne Furtsch: exactly. So it's, you know, a federal law is gonna have to find some sort of sweet spot, or I think, you know, we're gonna fall into having a directive model where the federal law sets a floor and then.

So it's baseline, which really doesn't solve the problem of having to deal with, you know, all these different differences in the laws.

[00:36:53] Paul Breitbarth: So Joanne I understand TrustArk is, is putting out some resources. What do you have available right now for people who are struggling with this?

[00:37:03] Joanne Furtsch: Yeah in addition to the resources that we have available on our website we do have our NMDI research product, especially topics, which shows you kind of the, across the different states, you know, the different requirements around, You know, say individual rights, you know, especially you know, the timelines and the specifics that you need to do there as well as you know, what you need to do around cookies and behavioral advertising.

So, there's a variety of different topics that our research team covers, and the U. S. state laws are Definitely outlined individually, and you can do that kind of side by side comparison.

[00:37:54] K Royal: Very nice.

[00:37:55] Paul Breitbarth: Very good. And there's also quite a few webinars. Webinars and infographics on on the website. The U. S. Consumer Privacy Handbook obviously is there

[00:38:06] Joanne Furtsch: yep, and that's also available in the research as well. And Privacy Central, we are getting All the laws in there. So you'll be able to see you know, through our common controls library where there are common requirements across the different laws, but also being able to assess yourself against the nuanced differences.

[00:38:31] K Royal: I love it. I love it. We're, we're, we're excited to see some of these laws. We have one more law coming into effect here just in a couple of weeks. Utah will come into effect December 31st. And then I did not look at the dates of the others, but I do not believe we have one coming into effect in January 24.

I think the first ones are, Texas and Oregon in July. Texas and Oregon both take effect into July. Texas has a very small threshold for whether or not the law applies to you. You just have to process you have to engage in the sale of personal data and their sale of personal data is our other valuable consideration and is not a small business as defined by the U.

S. Small Business Administration. So pretty much a very low threshold there. Then you've also got Montana in October of 2024 and then you start with Iowa, January, Iowa and Delaware in January of 25. Tennessee in July of 25 and then Indiana is the one that is January of 2026. So I expect some states to still carry over.

I have not looked to see which states are still alive after. The 2023 legislative season. That's one piece of information I didn't pull up, but we might actually have that on the IAPP

[00:39:54] Joanne Furtsch: Yeah. 

Yeah, there's 10 active bills right now.

[00:39:58] K Royal: OK.

[00:39:59] Joanne Furtsch: One of which is Ohio is reintroduced a bill that they fine tuned since they initially introduced it which I. Back in 2021 and then they've refined some items and that's another thing that we're seeing is the states are going back and amending their bills.

I mean, California has amended CCPA multiple times Connecticut amended it's law to address

[00:40:28] K Royal: Nevada does. It adds bits and pieces here and there. So yeah, the ones that are still alive if I'm reading this right, are Maine, Massachusetts, which again, my surprise state. Michigan, Missouri, New Hampshire, New Jersey, North Carolina, Ohio, Pennsylvania, and Wisconsin apparently are still active. I would have to look up as to whether or not they have two years legislators or not to know if they die at the end of 2023 or not.

But the only ones that have really moved are New Hampshire and Wisconsin.

All the others are, they say, are inactive. Hawaii, Illinois, Indiana, Kentucky, Louisiana. Of course, there's bits and pieces of these because we have an Indiana privacy law, but it would be another piece of it. Maryland, Minnesota, Mississippi, New York, Oklahoma, Rhode Island, Vermont, Washington, and West Virginia.


[00:41:22] Joanne Furtsch: so lots happening in many different threads on the U S

[00:41:27] K Royal: it

[00:41:28] Paul Breitbarth: That, that seems a fair statement to wrap up with. And to be continued next year, because until the, until the map fully colors, it will not stop. And until there is federal privacy legislation, it will not stop. And until Europeans finally get some protection under U. S. state privacy legislation, I won't stop commenting on that specific part.

And on that note, we'll wrap up another episode of Serious Privacy. If you liked the episodes, please rate and review us in your favorite podcast app or on your favorite podcast platform. Join the conversation on LinkedIn. Whether you put your profile to private or not but you can join us, find us under Serious Privacy.

You will find K on social media as Heart of Privacy, and myself as EuropolB. And believe it or not, finally I got K to laugh during the exit.

Until next week, goodbye!

[00:42:23] K Royal: Bye y'all.