Hintze Law continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from the last month. If you missed our last round of updates, you can find those here.
United States: State Law Updates
AI Legislation Proposed in Washington State
On December 15, broad AI legislation was pre-filed in Washington State for the upcoming legislative session. House Bill 1951 aims to address automated decision tools (ADTs) and algorithmic discrimination. The bill would require, among other things, (a) deployers and developers of ADTs to complete annual impact assessments, (b) developers of ADTs to provide a deployer with a statement regarding the intended uses of the tool and documentation regarding the tool's development and known limitations, and (c) developers of ADTs to make publicly available a clear policy that summarizes the types of ADTs currently made available by the developer and how the developer manages the reasonably foreseeable risks of algorithmic discrimination that may arise. HB 1951 would be enforced by the Washington Attorney General and does not contain a private right of action.
California Attorney General Bonta Files Brief in Defense of the California Age Appropriate Design Code
Earlier this year, a federal district court issued a preliminary injunction staying enforcement of California’s AADC, primarily citing First Amendment concerns. On December 13, AG Bonta filed a brief appealing the preliminary injunction.
California Privacy Protection Agency Proposes Requiring Browsers to Offer Opt-Out Mechanism
On December 11, 2023, the CPPA published an announcement that the Board voted 5-0 at its meeting on December 8, 2023, to put forth a legislative proposal that would require browsers to offer consumers an opt-out mechanism, which is not currently required and is something that most large browsers do not offer.
Montana Attorney General Knudsen Files Lawsuit Against Meta
Montana AG Austin Knudsen's office has filed suit against Meta in a federal district court, alleging that Instagram's age ratings are "illegally misleading in relation to the content actually available on its apps." Montana's suit is similar to previous lawsuits filed this year saying that Instagram's functions were designed to have an "addictive and consuming effect on children." The lawsuit also alleges COPPA violations.
California Extends its Confidentiality of Medical Information Act (CMIA) to Reproductive, Sexual Health, and Gender Affirming Information on Mobile Applications and Internet Websites
On September 27, 2023, Governor Newsom signed AB 254 and AB 352, both of which amend the CMIA.
· AB 254 amends the definitions of “medical information” and “health care providers” to expressly include reproductive health services. “Medical Information” now explicitly covers digital reproductive or sexual health services and the related health information. “Health care provider”, the definition of which has continued to expand, now includes “any business that offers a reproductive or sexual health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual”.
· AB 352 requires that a business that electronically processes medical information on behalf of a provider of health care, health care service plan, pharmaceutical company, contractor, or employer (e.g., an EHR system), develop capabilities, policies and procedures to limit access to, prevent disclosure of, and segregate medical information related to gender affirming care, abortion and related services, and contraception by July 2024.
Generative AI Chatbots Face Wiretap Litigation in California
California’s Invasion of Privacy Act, which makes it illegal for businesses to wiretap consumer communications, continues to be an area of risk for companies that use chatbots or session replay on their websites.
CPPA Proposes Revisions to CPPA Regulations
On December 1, 2023, the CPPA added proposed revisions to the CCPA regulations to the December 8th board meeting agenda. The CPPA provided a redline version and a seven page chart of the proposed changes. Some of the changes include an update to the definition of sensitive personal information to include the information of consumers under 16, the right to file a complaint, the requirement to show whether an opt-out preference signal has been honored (currently optional), a requirement to ensure deleted data remains deleted (including where it may be re-collected from sources like data brokers), and the introduction of a "Consumer Price Index Adjustment" that would require the CPPA to change the monetary threshold every odd numbered year.
Federal Judge Blocks Montana From Banning TikTok Use in State
A federal judge has blocked Montana’s SB419 from taking effect. In his ruling, he said that the state ban "violates the Constitution in more ways than one" and "oversteps state power." The bill states that TikTok cannot operate nor should app stores offer it for download within the Montana state borders. There are separate ongoing lawsuits against the State of Montana by TikTok and users of TikTok seeking to block the U.S. State ban.
Medical Personnel Exempt from BIPA
Illinois Supreme Court Finds Healthcare Workers Exempt from BIPA. On November 30, 2023, the Illinois Supreme Court unanimously overturned an appellate decision and found that when health care providers collect fingerprint scans from health care workers to permit access to medication and medical supplies for patient health care and treatment, the health care provider is exempt from the Illinois Biometric Information Privacy Act (BIPA) because the biometric information is collected, used, or stored for health care treatment, payment, or operations under HIPAA.
CPPA Considers Automated Decisionmaking Regulations
The CPPA released draft regulations regarding automated decisionmaking on November 26, 2023. The draft regulations are broad enough to sweep most technologies within scope, as they are not limited to technologies that make decisions but also extend to technologies that aid or facilitate human decision-making and to technologies that profile consumers. Under the draft regulations, consumers would have new access and opt-out rights for in-scope technologies, and businesses would have new risk assessment obligations.
At their December 8th meeting, the CPPA Board referred the draft regulations back to CPPA staff for revisions according to individual Board member feedback, citing concerns over the scope of the draft regulations. The Hintze team is actively tracking these developments and published a summary of the regulations and a summary of the December 8th board meeting earlier this month.
Colorado AG Publishes Universal Opt-Out Shortlist
The Colorado Attorney General has published a shortlist of universal opt out mechanisms (UOOM) and is now requesting public comment. The shortlist can be found here: https://coag.gov/uoom/.
On November 21, 2023, the Colorado Attorney General published a shortlist of universal opt-out mechanisms, which includes three applications. The applications are from the "Global Privacy Control," "OptOutCode," and "Opt-Out Machine." The Attorney General is seeking comments on the shortlist, which it will consider in determining the final list, along with the information in each application. The comment period closed December 13, 2023.
New York to Propose Cybersecurity Rules for Hospitals
New York State will soon seek public comment on new cybersecurity regulations for hospitals. The proposed regulations include: a two-hour window for reporting major breaches; incident response plans and risk assessments; controls, such as the use of multifactor authentication and encryption; and security risk management for third-party-developed software. The proposed regulations are set to be published in the New York State Register on Dec. 6, followed by 60 days of public comment, ending Feb. 5, 2024.
United States: Federal Updates
DOJ Releases Guidance on SEC Breach Reporting Exemptions
To clarify new SEC breach reporting requirements that went into effect this month, the DOJ released guidance for companies on when they may seek a temporary exemption for national security or public safety purposes.
US Government Accountability Office Issues AI report
In sum, the report functions as a quasi AI inventory/audit of most government agencies (minus DOD) and provides a comprehensive list of recommendations for agencies to achieve compliance with the White House EO. It's great to see the EO's government-wide requirements/expectations listed plainly and with ongoing tracking.
NIST Publishes Guidelines for Evaluating Differential Privacy Guarantees
The National Institute of Standards and Technology (NIST) released an initial public draft on December 11th of SP 800-226, Guidelines for Evaluating Differential Privacy Guarantees. The draft is in response to President Biden's Executive Order on AI. It covers what differential privacy is (a privacy enhancing technology that quantifies privacy risk to individuals), techniques for achieving differential privacy, and related concerns for deployments of differential privacy. A supplemental interactive software archive of Python Jupyter notebooks is included to illustrate concepts in the draft. Comments are open until January 25, 2024.
In addition, NIST released several new publications at the end of November:
Technical Note 2276 - NIST Phish Scale User Guide, published November 15th, for use in phishing awareness training programs.
Draft Internal Report 8496, Data Classification Concepts and Considerations for Improving Data Collection, published November 15th, for use in improving the quality and efficiency of characterizing data assets. The public comment period is open until January 9, 2024.
Special Publication 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio, published November 17th.
Special Publication 800-221A, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio, published November 17th.
Special Publication 800-140B, Revision 1, Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B, published November 17th.
Joint Commission Announces Certification for Responsible Use of Health Data
On December 5, 2023, the Joint Commission announced a voluntary Responsible Use of Health Data™ (RUHD™) Certification program for U.S. hospitals and critical access hospitals, effective Jan. 1, 2024. RUHD Certification is based on principles adopted from the Health Evolution Forum’s “The Trust Framework for Accelerating Responsible Use of De-identified Data in Algorithm and Product Development.” The certification’s standards include oversight structure, data de-identification, data controls, limitations on use, algorithm validation, and patient transparency. The Joint Commission accredits and certifies more than 22,000 health care organizations and programs in the United States.
DHS CISA and UK NCSC Joint Guidelines for Secure AI System Development
The U.S. Dept. of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.'s National Cyber Security Center (NCSC) jointly released their Guidelines for Secure AI System Development. The guidelines are intended for providers (both developers and deployers) of AI systems.
FTC Authorizes Compulsory Process for AI-related Products and Services
The FTC has approved a 10-year "omnibus resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that use or claim to be produced using artificial intelligence (AI), as well as products and services that claim to detect AI use." The goal of the resolution is to streamline FTC staff's ability to issue civil investigative demands (CIDs) in investigations relating to AI.
FTC, CA Obtain Order Against DNA Testing Firm over Charges of Misrepresentations to Consumers
California-based CRI Genetics, LLC will pay a $700,000 civil penalty and will be barred from a wide range of deceptive practices to settle charges from the Federal Trade Commission and the California Attorney General that the company deceived users about the accuracy of its DNA reports.
CISA Cybersecurity Guidance for Healthcare
On November 17, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Mitigation Guide providing recommendations and best practices to combat pervasive cybersecurity threats affecting the healthcare and public health sector. The guide incorporates CISA's Known Exploited Vulnerabilities (KEV) catalog, information from other sources, and the MITRE ATT&CK framework to contextualize vulnerability trends.
Ransomware Group Files SEC Complaints Against Victims Who Don’t Report under New Breach Notification Rules
The Alphv/BlackCat ransomware group has filed an SEC complaint against a California-based company, MeridianLink, alleging the company failed to disclose the group’s breach of the company’s systems within the four-day notification period. The article suggests that MeridianLink chose not to negotiate with the ransomware group, which led to the complaint.
United States: Industry and Trade Group Updates
Google CMP Requirement Goes into Effect Jan. 16, 2024
Publishers and developers using Google AdSense, Ad Manager, or AdMob will be required to use a Google-certified Consent Management Platform that is integrated with the IAB's Transparency and Consent Framework beginning January 16, 2024.
Meta and IBM Launching an "AI Alliance" with 50+ AI Companies and Research Institutions
On December 05, Meta and IBM announced the newly formed "AI Alliance," an international coalition of 50+ organizations dedicated to advancing responsible AI.
Membership in the Alliance spans AI start-ups, big tech enterprises, science organizations, universities, and non-profits, covering both commercial and research organizations, and counts Intel, Oracle, NASA, CERN, and Harvard University among its members.
Notably, the AI Alliance is championing an open source model for AI and has stated their goal is to advance "open innovation and open science in AI." This approach runs counter to some of the closed AI systems currently dominating the market and draws a sort of ideological line in the sand for the direction and openness of AI innovation.
Europe and the United Kingdom
Irish Council for Civil Liberties Sends Report to EU Commission Regarding Algorithmic Recommendation Systems
The Irish Council for Civil Liberties sent a draft binding code titled the Online Safety Code to the European Commission on December 14, 2023. The code would require video-sharing platforms to implement the code's requirements including turning recommender algorithms off by default where they are used for profiling purposes or where they engage or infer special category data. Coimisiún na Meán, Ireland's new broadcasting and online regulator, published the Online Safety Code.
UK ICO Issues Draft Guidance on Recruitment Selection and Employment Record Retention
On December 12, 2023, the UK ICO issued draft guidance for consultation on recruitment and selection practices and employment record retention practices. Consultation is open through March 5, 2024, for both documents.
EU Reaches Agreement for EU AI Act
On December 8, 2023, the EU Commission, EU Council, and EU Parliament reached a political agreement on the EU AI Act, the EU’s comprehensive framework for the regulation of AI. The Act represents a major milestone in the regulation of AI, as it will serve as a global standard against which future AI legislation worldwide will be compared. The final text of the Act is expected in early 2024. For more information, see these FAQs issued by the EU Commission.
Denmark Publishes Guidance on Access Rights
On December 7, 2023, Denmark's DPA Datatilsynet released guidance on managing access rights. The guidance covers human and automated access to IT systems, physical premises, and data, and includes sample scenarios. The official version is currently only available in Danish.
EU Court of Justice Rules Credit Scoring an Automated Decision
Also on December 7th, the EU Court of Justice held that "scoring," defined as "a mathematical statistical method used to predict the probability of future behaviour, such as the repayment of a loan," must be regarded as an "automated individual decision" prohibited in principle by Article 22 of the GDPR to the extent it plays a determining role in the granting of credit.
Dutch Data Protection Authority Issues Report on Privacy Policies
The Dutch DPA created two guidelines to help companies be more transparent about the way they deal with privacy issues. They suggest that companies call attention to their privacy policies in their annual reports and that they create a supervisory board, and the guidelines are intended to help with the implementation of both.
NYOB Files Complaint about Meta's No-Ad Subscription Plan
Austrian digital rights group, None of Your Business (NYOB), filed a complaint with the Austrian Data Protection Authority (DPA) in late November, alleging that Meta's no-ad subscription service requires a user to pay a fee to ensure individual privacy. The subscription cost is 250 Euros/year, which NYOB says is "unacceptable," particularly when one considers what it might cost an entire family to subscribe. This complaint may be transferred to the Irish DPA as Meta's European headquarters is in Ireland.
Spain’s AEPD Publishes Guidance for Processing Biometric Data
On November 23, 2023, Spain’s data protection authority La Agencia Española de Protección de Datos (AEPD) published a guide for using biometric data for authentication and identification purposes in compliance with the GDPR. The guide clarifies that consent cannot be used as a legal basis for processing biometric data for authentication purposes in either a work context (due to the imbalance between the employee and employer) or outside of the work context (due to not meeting the necessity requirement). It also includes a list of measures to be implemented to comply with the GDPR when processing biometric data, including conducting data protection impact assessments (DPIAs), collecting and retaining only what is necessary, and informing data subjects regarding the high risks of processing sensitive biometric data.
Italian Data Protection Authority Launches Investigation into Personal Data Collection for AI
On November 22, 2023, the Italian DPA provided notice of an investigation into the collection of personal data for the purpose of training algorithms. The investigation includes the use of surveys to determine "suitable measures to prevent the massive collection (webscraping) of personal data." The notice also invited trade and consumer associations, experts, and academics to submit comments on this issue within 60 days of the date of the notice.
North and South America
Canada Privacy Commissioner Releases Generative AI Principles
Canada's Privacy Commissioner released a document laying out key privacy principles for developing, providing, or using generative AI models, tools, products, or services.
Asia-Pacific, Middle East, and Africa
India's Central Consumer Protection Authority Releases Draft Guidelines for Prevention and Regulation of Dark Patterns.
On November 30th, India's Central Consumer Protection Authority (which is unfortunately abbreviated as "CCPA") released its Draft Guidelines for Prevention and Regulation of Dark Patterns.
The guidelines prohibit "dark patterns" defined as "any practices or deceptive design patterns using UI/UX (user interface/user experience) interactions on any platform; designed to mislead or trick users to do something they originally did not intend or want to do; by subverting or impairing the consumer autonomy, decision-making or choice; amounting to misleading advertisement or unfair trade practice or violation of consumer rights."
The guidelines also delineate and describe ten specific dark patterns of concern, which include:
false urgency
basket sneaking
confirm shaming
forced action
subscription trap
interface interference
bait and switch
drip pricing
disguised advertisement
nagging
Office of the Australian Information Commissioner (OAIC) Appoints New Commissioners
The Australian Information Commissioner announced on November 27th the appointment of two new commissioners, moving the OAIC to a three-commissioner model. The new Privacy Commissioner and the new Freedom of Information (FOI) Commissioner will step into their roles in February of 2024.
New Zealand Privacy Commissioner Drafting Biometrics Privacy Code in 2024
The Office of the New Zealand Privacy Commissioner announced on November 23rd that his office will be publicly consulting on a draft of a biometrics privacy code in early 2024. The draft code will propose new rules for all agencies regulated by the NZ Privacy Act (businesses, organizations, and government agencies) who want to collect or use biometric information using biometric technology. The three key proposals likely to form the backbone of the code include:
A proportionality assessment
Additional transparency and notification requirements
Purpose limitations
South Korea's PIPC Announces PIPA Amendments
On November 11, 2023, South Korea's Personal Information Protection Commission announced they will be amending the Personal Information Protection Act between November 11, 2023, and January 23, 2024. The amendments include establishing procedures for exercising the right of information subjects to refuse automated decisions, determining the role of a personal information protection officer, and establishing procedures to evaluate protections for personal information. Comments concerning the proposed amendments can be made through the Center of Public Participation Legislation or the Personal Information Commission's email by January 1, 2024.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.