As of now, 12 states (CA, CO, CT, DE, IA, IN, MT, OR, TN, TX, UT, and VA) have passed comprehensive privacy laws that are in effect (CA, CT, CO, and VA), or are about to go into effect sometime soon (DE, IA, IN, MT, OR, TN, TX, and UT). If any of these laws
Probably not.
Under the European GDPR, if the personal information that an organization is going to use as part of training an AI has been collected directly from individuals, then those individuals should be provided with a copy of the organization’s privacy notice “at the time when personal data are obtained.”[1] If the personal
Greenberg Traurig Data Privacy & Cybersecurity attorneys David A. Zetoony, Co-Chair of the U.S. Data Privacy and Cybersecurity Practice, and Andrea C. Maciejewski will participate in the Rocky Mountain Information Security Conference June 7-9 in Colorado. On June 7 at 8:00 a.m. MDT, David and Andrea will present the International Privacy Law Update during
It is important to always confirm and understand all the various requirements of laws applicable to the sensitive personal information being processed.
Continue Reading Processing Sensitive Personal Information under U.S. State Privacy Laws
All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners. Most modern privacy statutes recognize, however, that privacy risks are reduced when the third party is related to the organization from which the data originates. As the following chart
Three modern privacy statutes incorporate the concept that individuals should be able to broadcast a signal from their browser or device that directs an organization to cease providing their personal information to third parties for the purposes of targeted advertising.
The regulations implementing the CCPA, as amended by the CPRA, require organizations to process “opt-out
Modern data privacy statutes require that organizations inform individuals about the organization’s privacy practices by creating a privacy notice (sometimes referred to as a privacy policy or a notice at collection). Some data privacy statutes provide specific directions regarding how the privacy notice must be distributed. For example, the California Consumer Privacy Act and the
The California Consumer Privacy Act and the California Privacy Rights Act specifically state that they do not restrict a business’s ability to collect, use, retain, sell, share, or disclose “aggregated consumer information.”[1] Aggregate consumer information is defined as “information that relates to a group or category of consumers, from which individual consumer identities have
Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities. These assessments are sometimes referred to as “data protection assessments” or “data protection impact assessments” (generically a DPIA). For example, several state data privacy statutes mandate that a DPIA be conducted if an organization intends to
Several modern state data privacy statutes refer to precise geolocation information as a “sensitive” category of personal information. What constitutes precise geolocation information differs slightly between and among states. The following table provides a side-by-side comparison of the how the states have defined the term.
| Click here for a side-by-side comparison of the how the |