Data protection concerns spike as states get ready to…

The use of personal data from brokers, apps, smartphones, and browsers to identify those seeking an abortion raises new data protection and privacy risks.

The U.S. Supreme Court will almost certainly stick to its leaked draft decision to overturn the landmark Roe v. Wade decision that legalized abortion 50 years ago. According to some tallies, abortion may be banned or tightly restricted in as many as 28 states in the weeks after the Court formally hands down its decision next month.

As the American Civil Liberties Union (ACLU) has noted, “The lack of strong digital privacy protections has profound implications in the face of expanded criminalization of reproductive health care.” Enforcement of the law will likely hinge on increased digital surveillance by authorities to more efficiently identify, arrest, and prosecute pregnant people who contemplate or seek abortions. “Expanded criminalization of abortion will become an increasingly attractive target for prosecutors and police,” the ACLU says.

Lawmakers press data brokers and apps for answers

Law enforcement and other state agencies can track suspected abortion seekers using commercial services even without direct surveillance by authorities. Location data firms sell information related to clinics such as Planned Parenthood that provide reproductive health services and can even show where people visiting abortion clinics live.

Data marketplaces sell information on users who have downloaded period-tracking apps. Privacy experts are already warning people not to use period-tracking apps because of the extensive personal data they retain.

Federal lawmakers are taking note. Senate Democrats are already demanding that location data firms SafeGraph and Placer.ai provide information about any collection or sales of cellphone data tied to visits to abortion clinics. “Especially in the wake of the Supreme Court’s leaked draft opinion overturning Roe v. Wade, your company’s sale of such data—to virtually anyone with a credit card—poses serious dangers for all women seeking access to abortion services,” the senators reportedly wrote to SafeGraph, with similar wording in a letter to Placer.

Representative Suzan DelBene (D-WA), who has introduced several pieces of privacy legislation, said, “It’s important that people are aware of the information that’s out there that isn’t protected today, and what the risks are to consumers and, in particular, the huge concerns and risks that would be in place for women if the Supreme Court moves forward and we don’t protect their personal information.”

This article appeared in CSO Online. To read the rest of the article please visit here.




Proposed bill would create a new federal agency to…

The Data Protection Act of 2021 has wide-ranging definitions of high-risk data practices and privacy harm.

In mid-June, Senator Kirsten Gillibrand (D-NY) reintroduced a new version of her bill, the Data Protection Act of 2021, that would create a new independent, executive-level government agency, the Data Protection Agency (DPA). The DPA would “protect Americans’ data, safeguard their privacy, and ensure data practices are fair and transparent.”

Under the bill, the DPA would have the authority and resources to enforce any data protection rules created by Congress or the agency itself, backed by a range of enforcement tools, including civil penalties, injunctive relief, and equitable remedies. In addition to creating privacy rules and enforcing federal-level rules, the DPA would reach out to organizations to promote data protection and encourage the adoption of model privacy and data protection standards, guidelines and policies.

The new bill, which features substantial changes to Gillibrand’s original 2020 legislation, spells out DPA’s three core missions:

  1. Authorize DPA to create and enforce data protection rules to give Americans more control and protection over their data by regulating high-risk data practices and personal data collection.
  2. Foster innovation by ensuring fair competition within the digital marketplace by having DPA’s research unit analyze and report on data protection and privacy innovation across sectors. The research unit would also develop the model privacy and data protection templates.
  3. Prepare the American government for the digital age by advising Congress on emerging privacy and tech issues while coordinating with Federal agencies and State regulators to promote consistent regulatory treatment of personal data.

This article appeared in CSO Online. To read the rest of the article please visit here.



Virginia data protection bill signed into law

The state is the second in the nation to enact a consumer data protection law along the lines of the EU’s GDPR. Here’s what businesses need to know about Virginia’s CDPA.

On March 2, Virginia’s Democratic Governor Ralph Northam signed into law the nation’s second major piece of state legislation that governs consumer data privacy and protection. Virginia’s Consumer Data Protection Act (CDPA) follows the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. In a referendum last fall, California citizens voted to amend the CCPA by approving the California Privacy Rights and Enforcement Act (CPRA), which will mostly go into effect on January 1, 2023.

All three laws follow the European Union’s landmark data protection law, the General Data Protection Regulation (GDPR), implemented on May 25, 2018. Although the CCPA, CPRA and CDPA borrow heavily from the GDPR, each data privacy vehicle contains provisions that vary from the other laws.

Virginia’s CDPA, also set to go into effect January 2023, spells out a complex framework for how businesses or “persons conducting business in the Commonwealth” control or process data. The bill’s provisions apply only to businesses that control or process personal information of at least 100,000 consumers, defined as Virginia residents, or companies that control or process the data of at least 25,000 Virginia residents that also derive 50% or more of their gross revenue from the sale of personal data.

The legislation spells out that some organizations and data are exempt from the bill’s requirements. Among the exemptions in the CDPA are state and local governments, non-profit organizations, and higher education institutions. Information subject to the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act (COPPA), and personal data processed in employment contexts are also exempt. The bill further exempts institutions subject to the Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA).

This article appeared in CSO Online. To read the rest of the article please visit here.
