- Privacy Picks
- Posts
- Embracing the "dreaded patchwork" of state privacy laws
Embracing the "dreaded patchwork" of state privacy laws
Plus: A VPPA dismissal, California updates, Mozilla's privacy "creep-o-meter", and more
In this edition of Privacy Picks, we’ll look at privacy concerns arising from the recent 23andMe data breach and, in the absence of comprehensive federal privacy legislation, the need to hold companies accountable under state privacy law.
Also, clarifying “videotape service providers” under the VPPA, the results of a recent privacy survey conducted by Mozilla, amendments to the CPRA, and a New York ban on facial recognition technology in schools.
Let’s get started!
After 23andMe, it’s to embrace the “dreaded patchwork” of state privacy laws
In light of the recent 23andMe breach, which specifically targeted Ashkenazi Jews and exposed the personal details of over one million customers, concerns have surged among privacy experts and consumer advocates.
According to digital rights advocate Kate Krauss, it’s time to take action.
But without a robust, comprehensive federal privacy law, where do we start?
One suggestion is the establishment of nonpartisan, independent tech groups to counter the deficiency in state and federal privacy laws. These groups could form communities focused on educating and advocating for privacy rights, aiming to better comprehend and safeguard consumer data.
Additionally, private entities and nonprofits, such as Consumer Reports, have developed their own tools to help consumers control privacy settings and submit deletion and do not sell requests.
Lastly, the article advocates for “awkwardly embracing the dreaded patchwork” of state-level privacy laws. This approach is viewed as preferable to leaving gaps in national privacy standards and provides an opportunity to hold large tech companies accountable for mishandling personal data where consumers reside.
However, as noted last week, without a built-in private right of action, many state laws still lack the “teeth” to hold companies accountable for privacy violations.
Not all companies are videotape service providers under the VPPA
I recently mentioned the rise in class actions brought under the VPPA, along with a $16 million dollar settlement involving streaming service Crunchyroll.
However, simply streaming or hosting videos on your website does not necessarily make you subject to the VPPA. For example, the VPPA applies specifically to “videotape service” providers, defined as “any person[ ] engaged in the business … of rental, sale, or delivery of prerecorded video cassette tapes or similar audiovisual materials.”
Therefore, the focus for most companies will be on whether their use of online videos amounts to the “delivery” of “audiovisual materials”.
Importantly, in dismissing a VPPA case brought against The Hershey Company, a California court recently found that if the delivery of audiovisual materials is not a core focus of the company’s business model, but rather an ancillary part of its marketing efforts, the VPPA does not apply.
According to Mozilla, the state of privacy is “very creepy”
Mozilla's inaugural "Annual Consumer Creep-o-Meter" report for 2023 reveals a concerning digital privacy landscape.
Over the past five years, more than 500 products, including gadgets and apps, have been assessed for security and data collection practices.
While security measures have improved, not surprisingly, the gathering and sharing of personal data by companies have escalated significantly. Some companies, like BetterHelp and Nissan, collect extensive personal information without transparent disclosure.
Moreover, the trend of products requiring constant online connectivity makes it harder to safeguard one's privacy. Complex and sprawling privacy policies exacerbate the problem.
Mozilla advises consumers to opt out of data collection when possible, prioritize security features, and voice concerns to drive privacy improvements in the tech industry.
Privacy-conscious products like Signal, Sonos' SL Speakers, and the Pocketbook eReader earn high marks, but the majority of car companies fall well short of acceptable privacy and security standards.
California Updates: AB 947 and AB 1194
On October 8, the California governor signed two bills, AB 947 and AB 1194, amending California privacy laws.
AB 947 broadens the definition of "sensitive personal information" to include details related to a consumer's citizenship or immigration status.
AB 1194 mandates that businesses comply with the California Privacy Rights Act (CPRA) when handling personal information linked to services related to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” with exceptions for aggregated, deidentified data.
These changes become effective on January 1, 2024, and July 1, 2024, respectively.
NY bans facial recognition technology in schools (fingerprinting gets a pass)
In late September, the New York State Education Department issued a two-page order prohibiting the purchase and use of facial recognition technology in public schools.
This decision was based on a critical report by the New York Office of Information Technology Services which highlighted privacy concerns and equity issues associated with facial recognition.
The report expressed worries about the potential for incorrect identifications, particularly among people of color, non-binary individuals, women, the elderly, and children. It also raised concerns about data breaches and the permanent risks associated with biometric data disclosure.
However, the order still leaves the door open for the use of other biometric technologies, such as digital fingerprinting, and allows school districts to make that determination on a case-by-case analysis.
This analysis must consider “the privacy implications thereof; the impact on civil rights, if any; the effectiveness of the biometric tool; and parental input.”
Similar debates are happening in other states, such as Montana, where facial recognition technology is being employed in some school districts.