State Privacy Laws Flashcards

1
Q

Illinois Biometric Info Privacy Act (BIPA)

A

passed in 2008

most high profile biometric privacy law

applies to
1. biometric identifiers- retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry
2. biometric info- info based on individual's biometric identifier and used to identify individual

2
Q

BIPA requirements

A
  1. must give notice to individual prior to processing info (include length of time it will be collected/stored before processing biometric identifiers or biometric info)
  2. obtain written release from data subject before collection
  3. no sale of biometric data
  4. disclose only in limited situations
  5. meet requirements for storage + publicly available policy for retention
3
Q

BIPA enforcement

A

private cause of action

4
Q

Texas Capture or Use of Biometric Identifier Act (CUBI)

A
  1. need consent to
    - capture biometric identifier of individual for commercial purposes
    - sell, lease, or disclose that biometric identifier to 3rd party
  2. use reasonable care in storing data
  3. destroy data no later than 1 year after purpose for collecting identifier expires
5
Q

CUBI enforcement

A

TX attorney general

6
Q

Washington Biometric Privacy Law

A

passed in 2017

company may not enroll biometric identifier into database for commercial purposes unless
1. adequate notice provided +
2. consent received +
3. mechanism is put in place to prevent subsequent use of info for commercial purposes

7
Q

Virginia Consumer Data Protection Act (VCDPA)

A

2nd state to implement comprehensive privacy legislation (behind CA)

applies to
1a. any person conducting business in VA
1b. any person that produces products/services targeted at VA residents
+
2a. processes personal data of at least 100,000 consumers or
2b. controls/processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from sale of personal data

no revenue threshold (different from CCPA)

doesn’t apply to
- organizations subject to GLBA or HIPAA
- nonprofits
- higher education institutions

8
Q

VCDPA consumer rights

A
  1. access
  2. confirmation whether processing their data
  3. amend
  4. delete
  5. obtain copy
  6. opt out
9
Q

VCDPA enforcement

A

VA attorney general

10
Q

Colorado Privacy Act (CPA)

A

3rd state to enact comprehensive privacy legislation

applies to
1a. persons that conduct business in CO or
1b. persons that produce/deliver commercial products/services intentionally targeted at CO residents
+
2a. control/process data of 100,000 consumers or more during 1 year
2b. sell personal data and process/control data of 25,000 consumers

doesn’t apply to
- organizations subject to HIPAA, GLBA, COPPA, FERPA etc
- data maintained for employment records purposes
APPLIES TO NONPROFITS

11
Q

CPA controller responsibilities

A
  1. transparency (privacy notifications)
  2. purpose specification
  3. data minimization (only what is reasonably necessary)
  4. care
  5. avoid unlawful discrimination
  6. consent
  7. safeguards
  8. processor contracts (processor must adhere to controller instructions and can’t engage subcontractors unless controller is given opportunity to object)
12
Q

CPA data subject rights

A
  1. access
  2. amend
  3. delete
  4. opt out
  5. appeal action on requests to exercise rights
13
Q

CPA enforcement

A

CO attorney general and local district attorneys

14
Q

Nevada Privacy Act

A

applies to personally identifiable info obtained from internet or online service maintained by operator of website or data broker

doesn’t apply to
1. CRA
2. processing for fraud prevention
3. personal data publicly available
4. data regulated by DPPA or GLBA or FCRA

15
Q

Nevada Privacy Act requirements

A

must provide online privacy notice

operators and data brokers must establish designated request address

16
Q

Nevada Privacy Act enforcement

A

NV attorney general

17
Q

Connecticut Data Privacy Act

A

applies to
1a. any business operating in Connecticut or
1b. any business targeting goods/services to CT residents
+
2a. process personal data of at least 100,000 consumers or
2b. process personal data of 25,000 consumers and derive over 25% of its gross revenue from sale of personal data

doesn’t apply to
1. personal data deidentified or publicly available
2. processing done solely for payment transactions

18
Q

Connecticut Data Privacy Act data subject rights

A
  1. access
  2. correct
  3. delete
  4. data portability
  5. opt out
19
Q

Connecticut Data Privacy Act enforcement

A

CT attorney general

20
Q

Utah Consumer Privacy Act

A

controllers or processors that
1. conduct business in Utah or target consumer in UT
2. have annual revenue of 25 million (revenue threshold)
3. either
- process personal data of 100,000 or more consumers or
- process personal data of 25,000 and derive 50% of gross revenue from sale of personal data

doesn’t apply to aggregated data (relates to group or category of consumers which individual identification is removed)

21
Q

UDPA rights of data subject

A
  1. delete
  2. opt out

no right to correct inaccurate data

22
Q

UDPA enforcement

A

UT attorney general

division of consumer protection administers system to receive consumer complaints and refers matter to AG if it believes a violation exists

23
Q

Iowa Consumer Data Protection Act (ICDPA)

A

6th state to enact comprehensive privacy legislation

effective in 2025

applies to
1. entities that conduct business or target consumers in Iowa
2. process or control data
- data of 100,000 IA consumers or
- personal data of at least 25,000 IA consumers and derive more than 50% of their gross revenue from selling personal data

24
Q

ICDPA data subject rights

A
  1. notice
  2. opt out
  3. access
  4. obtain copy
  5. delete

no right to correct data or opt out of profiling or automated decision making

no assessments needed to be made by businesses

25
Q

ICDPA enforcement

A

IA attorney general

26
Q

Delaware Online Personal Privacy Protection Act (DOPPA)

A

broader than COPPA

applies to children under age of 18 (not under 13 as in COPPA)

prohibits advertising related to tobacco, firearms, tanning equipment, etc towards children

requires privacy policy notice posted on websites that collect personal information

27
Q

Illinois Student Online Personal Protection Act (SOPPA)

A

most comprehensive state level privacy legislation applicable to student records or education industry

applies to covered info - personally identifiable info that is not publicly available and is created by or provided to operator of education tech service by student, parent or school

28
Q

SOPPA- operator of education services requirements

A
  1. no
    - targeted ads
    - profiling of students
    - selling student data or
    - disclosing covered info
  2. implement reasonable security practices
  3. delete info within reasonable time or upon request
  4. privacy notice
  5. written contracts with schools before receiving covered info
  6. notify school of any breach of students' covered info
  7. provide schools list of 3rd party vendors covered info is shared with
29
Q

SOPPA- schools requirements

A
  1. no selling or disclosing covered info unless to parent or school board member
  2. make expansive disclosures about personal info collected, data breaches, that are posted on school website
  3. implement reasonable security procedures
  4. designate school privacy officer
30
Q

SOPPA- state board of education

A
  1. no selling or disclosing student data
  2. must publish data about vendors and covered info it maintained
  3. develop model student data privacy policy and procedure
31
Q

data breach notification laws

A

all 50 states have data breach notification laws (no federal law)