
InfoBytes Blog

Financial Services Law Insights and Observations


  • Maryland enacts child consumer protection laws

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 571 (the “Act”) to provide online consumer protections for children. The Act will afford protections from online products aimed at children or likely to be accessed by children. Specifically, the Act will require companies that provide online products “reasonably likely to be access[ed] by children” to prepare a data protection impact assessment (DPIA) for the online product. The DPIA will identify the purpose of the online product, describe how the product uses children’s data, determine whether the product would be in children’s best interests, and include a description of the steps the company will have taken to comply with its duty to act in a manner consistent with the best interests of children, among other requirements. The Act outlines several violations, including processing data in a manner not in children’s best interests, profiling children, processing geolocation data, using dark patterns, or monitoring children’s activities without first notifying the parent or guardian. The Act will go into effect on October 1.

    Privacy, Cyber Risk & Data Security State Issues Maryland Consumer Protection State Legislation

  • Maryland enshrines its consumer online data privacy act

    Privacy, Cyber Risk & Data Security

    On May 9, the Governor of Maryland approved SB 541 (the “Act”), which enacted the Maryland Online Data Privacy Act of 2024, setting forth new provisions for businesses and data processors under the state’s UDAP commercial code. The Act will prevent persons or processors from providing access to consumer health data unless contractually required, or from using a geofence within a certain distance of health or mental health facilities. The Act will enable consumers to exercise certain rights with respect to their data, including confirming its use, accessing data, correcting inaccuracies, requiring deletion of data (unless protected by law), and opting out of targeted advertising or sales of one’s personal data. Consumers will also be able to designate an agent to opt out on their behalf.

    The Act will prohibit controllers from selling sensitive data and from collecting, processing, or sharing sensitive consumer data unless “the collection or processing is strictly necessary to… maintain a specific product,” among others. The Act will enable controllers to limit collection to what would be “reasonabl[y] necessary” and establish data security practices. Controllers will also be forced to provide consumers with a privacy notice that will outline their use of the data and a consumer’s rights, as well as establish a secure method for a consumer to exercise such rights. The Act will not apply to financial institutions or to consumer credit data that is protected under the FCRA. The Act will go into effect on October 1, 2025.

    Privacy, Cyber Risk & Data Security Maryland State Issues State Legislation

  • NIST issues updated security requirements and assessment procedures for protecting controlled unclassified information

    Privacy, Cyber Risk & Data Security

    On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” to Special Publication 800-171 (Protecting Controlled Unclassified Information on Nonfederal Systems and Organizations) and 800-171A (Assessing Security Requirements for Controlled Unclassified Information) for federal contractors and other entities that do business with the federal government and handle controlled unclassified information. The revisions were intended to create better alignment with the controls set forth in Special Publication 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), realign controls based on new tailoring criteria, and directly tie specific controls to the handling of controlled unclassified information. The revisions further implemented the framework set forth in Executive Order 13556 – Controlled Unclassified Information, and gave the private sector more clarity by tailoring the moderate baseline for controls in Special Publication 800-53 Rev. 5 to withdraw the requirements that are, among other things, primarily the responsibility of the federal government, not directly related to the protection of controlled unclassified information, or adequately addressed through other related controls. The updates will also allow for more specific tailoring of organizational controls to security standards, increasing flexibility. Finally, the assessment procedures in Special Publication 800-171A for determining whether a contractor or other entity is compliant with Special Publication 800-171 were updated to align with the new revisions in Special Publication 800-171. These updates come as the Department of Defense continues to implement the Cybersecurity Maturity Model Capability, covered by InfoBytes here.

    Privacy, Cyber Risk & Data Security NIST Federal Issues

  • State attorneys general push Congress on federal consumer privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 8, the Attorney General of California, Rob Bonta, and 15 other state attorneys general wrote a letter to Congressional leaders following the introduction of the American Privacy Rights Act (APRA) in Congress. The attorneys general encouraged Congress to set a “federal floor, not a ceiling” for consumer privacy rights, as APRA preempts state law under its current draft. The letter highlighted how states have “played a critical role” in setting new data privacy standards without curbing business practices or developments in technology. In addition, the attorneys general expressed concern that the APRA would limit the ability of some attorneys general to issue civil investigative demands (CIDs), because their CID authority requires a violation of state or federal law before issuance. The APRA, however, provides that “a violation of [the APRA] or a regulation promulgated under [the APRA] may not be pleaded as an element of any violation of [a state] law.” Despite these concerns, the attorneys general did express their support for other provisions of APRA, such as data minimization by default, stronger consent requirements, and protections for minors.

    Privacy, Cyber Risk & Data Security Congress California State Attorney General HIPAA

  • Fed, OCC, and FDIC release third-party risk management report for community banks

    Privacy, Cyber Risk & Data Security

    On May 3, the Fed, OCC, and FDIC (the regulators) released a report to help community banks assess their third-party relationship risk exposure. The report discusses key considerations in three areas: risk management, third-party relationship life cycle, and governance. In addition, the regulators’ report contained an appendix with additional resources, such as FFIEC interagency guidance and CISA cybersecurity protocols. With respect to risk management, the report suggested community banks apply more rigorous risk-management practices for third parties that support critical bank activities, such as those that could have a significant customer impact or have a significant impact on the bank’s financial condition. In describing the third-party relationship life cycle, the report identified five key stages of the life cycle – planning, due diligence, contract negotiation, ongoing monitoring, and termination. With respect to governance, the report described three key pillars: oversight and accountability, independent review, and documentation and reporting.

    Privacy, Cyber Risk & Data Security Third-Party Risk Management Communications Decency Act Bank Regulatory OCC Federal Reserve

  • Department of Commerce announces new actions related to Executive Order on AI

    Federal Issues

    On April 29, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce released several announcements regarding the progress on President Biden's Executive Order on AI (covered by InfoBytes here). NIST released four draft publications aimed at enhancing AI systems' safety, security, and trustworthiness.

    The four draft publications include: (i) NIST AI 600-1 that offers a Generative AI Profile to help organizations identify and manage risks associated with generative AI; (ii) NIST SP 800-218A to expand on the Secure Software Development Framework (SSDF) and address concerns about malicious training data affecting AI systems, as well as provide potential risks and strategies for handling training data, including recommendations for analyzing data for signs of poisoning, bias, homogeneity, and tampering; (iii) NIST AI 100-4 that proposes technical methods to improve the transparency of AI-created or “synthetic” content; and (iv) NIST AI 100-5 which will outline a plan to encourage the global development of AI-related technical standards and seek feedback on areas for AI standardization, including methods for tracking the origin of digital content and shared practices for AI system testing and evaluation. Additionally, NIST is launching challenges to create methods for distinguishing between human and AI-generated content. Public comments on these initial drafts will be due by June 2.

    Federal Issues Privacy, Cyber Risk & Data Security NIST Artificial Intelligence Biden Executive Order

  • Nebraska enacts a comprehensive data privacy law

    State Issues

    On April 17, Nebraska enacted LB 1074 (the “Act”), establishing a comprehensive consumer data privacy law. The Act applies to a person that is not a small business (as determined under the federal Small Business Act) who conducts business in Nebraska or produces a product or service used by Nebraska consumers and who processes or sells personal data. The Act includes exemptions for certain classes of data, including data subject to the Gramm-Leach-Bliley Act, as well as for certain entities, including state agencies, financial institutions and their affiliates, nonprofits, higher education institutions, and covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services.

    The Act grants consumers the right to (i) request information about whether their data is being processed; (ii) access their data; (iii) correct inaccuracies; (iv) delete their data; (v) obtain a portable copy of their data; and (vi) opt out of certain uses of their data, such as targeted advertising, sale, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.” Controllers, defined as persons that determine the purpose and means of processing personal data, must respond to authenticated consumer requests within 45 days and may extend the period once by another 45 days if necessary. If a request is denied, consumers must be informed of the reasons and instructed on how to appeal to the Attorney General. Controllers must offer a free response to two requests per year from each consumer but may charge a fee or refuse to act if requests are unfounded or excessive. Controllers also must establish an appeals process for consumers whose requests are denied, and inform the consumer of the outcome of their appeal within 60 days.

    Rights afforded to consumers under the Act cannot be waived or limited by contract or agreement. Further, under the Act, controllers must provide consumers with a clear privacy notice including information similar to that required under the Gramm-Leach-Bliley Act.

    The Act is effective on January 1, 2025 and enforceable by the Attorney General and does not provide a private right of action.

    State Issues Privacy, Cyber Risk & Data Security Nebraska State Legislation Gramm-Leach-Bliley

  • Massachusetts’ attorney general issues AI guidance related to state UDAP law

    Privacy, Cyber Risk & Data Security

    On April 16, the Attorney General for Massachusetts (AG) released an advisory notice on how developers, suppliers, and users of artificial intelligence (AI) should avoid “unfair and deceptive” practices to comply with consumer protection laws. The AG noted how AI systems could pose consumer harms, including through bias, lack of transparency, and data privacy issues, since consumers often lack the ability to avoid or test the “appropriateness” of AI systems forced upon them. Chapter 93A of Massachusetts law, the Massachusetts Consumer Protection Act, protects consumers against “unfair and deceptive” practices, the definition of which has changed over time. In addition to the consumer protection law, the AG highlighted several other state and federal consumer protections, including the ECOA, to bolster her advisory.

    The AG’s advisory construed Chapter 93A to apply to AI, clarifying that the following practices may qualify as “unfair or deceptive”: (i) a company falsely advertising the quality of its AI systems; (ii) a company supplying a defective or impractical AI system; (iii) a company misrepresenting the reliability or safety of its AI system; (iv) a company putting an AI system up for sale in breach of warranty, meaning that the system was unfit for the purpose for which it was sold; (v) a company using multimedia content to impersonate or deceive (such as using a deep fake, voice cloning, or chatbots in furtherance of fraud); or (vi) a company failing to comply with other Massachusetts statutes.

    Privacy, Cyber Risk & Data Security Massachusetts State Attorney General Artificial Intelligence UDAP CFPB

  • Kentucky enacts a comprehensive data privacy law for controllers

    Privacy, Cyber Risk & Data Security

    On April 4, Kentucky enacted HB 15 (the “Act”), which will apply to persons who conduct business that produces products or services targeted towards Kentucky residents. The Act will also apply to companies handling the personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers while deriving over 50 percent of gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.

    The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.

    The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Consumers will also have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of the personal data processed by the controller in a portable and easily usable format, allowing transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may extend that period by an additional 45 days if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues Kentucky Consumer Protection Gramm-Leach-Bliley

  • California regulator advises businesses to only collect needed data under CCPA

    Privacy, Cyber Risk & Data Security

    On April 2, the California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle of the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles also apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that address those negative impacts. As part of the discussion, the Advisory also walked through two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that they may not verify a consumer’s identity to process an opt-out (they may, however, ask the consumer for the information necessary to complete the request). For the verification procedure, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.

    Privacy, Cyber Risk & Data Security California CCPA CPPA Digital Identity Identity Theft
