News Alerts and Breach Report for Week of April 10, 2023
Iowa Signs Data Privacy Bill Into Law
Last week, Iowa became the sixth U.S. state to pass a data privacy law when Governor Kim Reynold signed Senate File 262 into law. Like other state data privacy laws, SF 262, broadly, gives Iowa residents the right to access, correct, delete, and transfer their personal information held by businesses, and imposes penalties for data breaches. The bill is based on the Uniform Law Commission’s Uniform Personal Data Protection Act which was developed with input from the Technology Association of Iowa. According to the release, it applies to companies that “control or process data of at least 100,000 Iowa consumers or control or process data of at least 25,000 Iowa consumers and derive 50% of their revenue from the sale of personal data.”
Meanwhile Forbes notes that “for employers conducting background checks, Iowa joins California, Colorado, Connecticut, Utah, and Virginia by exempting data regulated by the Fair Credit Reporting Act (FCRA). Exceptions also exist for state and municipal entities, political subdivisions, banks, and financial companies subject to the Gramm-Leach-Bliley Act (GLBA), and healthcare organizations as specified in the statute subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), non-profits, higher education institutions including Family Educational Rights and Privacy Act (FERPA) data, data governed by the Children’s Online Privacy Protection Act of 1998 (COPPA) and certain information related to employment. The law provides businesses with a 90-day period to respond to data subject requests, and to cure violations. There’s no private right to action, but consumers are allowed to report violations to the attorney general, who will exclusively handle enforcement. The law will take effect in January 2025.
Health Privacy Bill Moves Through Washington Senate
If passed, the My Health, My Data Act could strengthen privacy protections for health care data. According to GeekWire, “Healthcare privacy has gained extra urgency as states such as Missouri pass prohibitions against abortion and seek to limit women from obtaining abortions in other states, said Washington state Rep. Vandana Slatter (D-Redmond), the sponsor of the House version of the bill (HB 1155). Period tracking apps, for instance, can disclose information about abortions or miscarriages, and the new law would shield such data.” The My Health, My Data Act, which was requested by Washington state attorney general Bob Ferguson, would be enforceable under the state’s Consumer Protection Act. The act applies to all Washington businesses, and GeekWire says that “The draft bill also regulates how consent is given, such as mandating that websites provide separate consent for collecting and sharing data, and prohibiting privacy statements as part of a document with unrelated information.”
Italy Bans ChatGPT
Citing privacy concerns, Italy’s government has banned OpenAI’s chat AI bot, ChatGPT. According to Cyber Security Hub, The Italian data protection agency, Garante per la Protezione dei Dati Personali (also known as Garante) said there was an “absence of any legal basis that justifies the massive collection and storage of personal data” to “train” ChatGPT, in addition to accusing OpenAI of failing to verify the age of users of ChatGPT. The move has prompted Ireland and France to explore similar action.
Utah Creates Cyber Center
On May 3, amendments to Utah’s data privacy regulations will take effect. The amendments include a breach notification rule, and creates a Utah Cyber Center to handle investigations.
- Yum! Brands (Pizza Hut, Taco Bell, KFC)
- University of Hawaii Maui
- Dish Network
* * * * * * *
To read our latest article on updates to Pennsylvania’s Data Privacy Law, click here.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Just Released Episode 90:
90 | AdTech Meets Privacy Laws
This week our guest is Susan Israel, principal of Susan Israel Law, and one of the most respected privacy professionals in the field. Susan has a pre-law background in broadcast news and publishing and has become one of the foremost experts on privacy compliance in the field of advertising technology. We discuss key aspects of AdTech compliance, such as cookies, location data, and IP addresses, the issues associated with them, and trends in legal frameworks and regulatory approaches. Susan also delves into industry groups playing a large role in AdTech and US and EU government perspectives.
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.