InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Massachusetts’ attorney general issues AI guidance related to state UDAP law
On April 16, the Attorney General for Massachusetts (AG) released an advisory notice on how developers, suppliers and users of artificial intelligence (AI) should avoid “unfair and deceptive” practices to comply with consumer protection laws. The AG noted how AI systems could pose consumer harms, including through bias, lack of transparency, and data privacy issues – since consumers often lack the ability to avoid or test the “appropriateness” of AI systems forced upon them. Chapter 93A of Massachusetts law, the Massachusetts Consumer Protection Act, protected consumers against “unfair and deceptive” practices, the definition of which has changed over time. In addition to the consumer protection law, the AG highlighted several other state and federal consumer protections, including the ECOA, to bolster her advisory.
The AG’s advisory construed Chapter 93A to apply to AI, clarifying that the following practices may qualify as “unfair or deceptive”: (i) a company falsely advertising the quality of its AI systems; (ii) a company suppling a defective or impractical AI system; (iii) a company misrepresenting the reliability or safety of its AI system; (iv) a company putting an AI system up for sale in breach of warranty, meaning that the system was unfit for the purpose for which it was sold; (v) a company using multimedia content to impersonate or deceive (such as using a deep fake, voice cloning, or chatbots within fraud); (vi) or a company failing to comply with other Massachusetts’ statutes.
Kentucky enacts a comprehensive data privacy law for controllers
On April 4, Kentucky enacted HB 15 (the “Act”) which will apply to persons who conduct business that produces products or services that are targeted towards Kentucky residents. The Act will also apply to companies handling personal data of at least (i) 100,000 consumers, or (ii) 25,000 consumers and derive over 50 percent gross revenue from the sale of personal data. The Act does not apply to various entities, including: (i) city or state agencies, or political subdivisions of the state; (ii) financial institutions and their affiliates, as well as data subject to the Gramm-Leach-Bliley Act; (iii) covered entities or businesses governed by HIPAA regulations; and (iv) nonprofit organizations. Enforcement of the Act will be through Kentucky’s Attorney General.
The Act will impose several requirements on controllers, including: (i) limiting collection of personal data to what is relevant and necessary for the disclosed purposes; (ii) implementing reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of personal data; (iii) refraining from processing personal data for undisclosed purposes unless the consumer consents; and (iv) obtaining explicit consent before processing sensitive data, particularly from known children, in accordance with the Children’s Online Privacy Protection Act. Controllers will also need to conduct and document a data protection impact assessment for certain activities, such as targeted advertising, selling personal data, and profiling. Furthermore, controllers will be required to furnish consumers with a privacy notice containing information on the categories and purposes of data processing, consumer rights, appeals processes, and disclosures to third parties.
The Act will grant consumers the right to confirm whether their personal data is being processed by a controller and to access that data, except where doing so would expose trade secrets. Also, consumers will have the right to rectify any inaccuracies, as well as the right to have their personal data deleted or to receive a copy of their personal data processed by the controller in a portable and easily usable format. This will allow transmission to another controller without impediment where processing is typically automated. Further, consumers will have the right to opt out of processing for targeted advertising, sale of personal data, or profiling for solely automated decisions with significant legal effects. Controllers must respond to consumer rights requests within 45 days and may be given another possible 45-day via an extension if necessary. Controllers and processors will be given a 30-day cure period during which they must confirm in writing that alleged violations have been rectified and pledge to prevent future breaches. The Act will go into effect January 1, 2026.
California regulator advises businesses to only collect needed data under CCPA
On April 2, The California Privacy Protection Agency issued Enforcement Advisory No. 2024-01 reminding businesses that data minimization is a foundational principle the California Consumer Privacy Act. The Advisory noted that the Agency has observed certain businesses collecting unnecessary and disproportionate amounts of personal information and emphasized that minimization principles would apply to processing consumer requests. As such, the Advisory highlighted the requirements of minimization, including the concept that the collection, use, sharing, and retention of personal information must be reasonable and proportionate to the purposes identified, considering the minimum personal information required, the potential negative impacts on consumers, and the existence of additional safeguards that addressed the applicable negative impacts. As part of the discussion, the Advisory also discussed two scenarios: one described an opt-out procedure, and the other described verification in connection with a consumer request. For the opt-out procedure, the Advisory reminded businesses that businesses may not verify a consumer’s identity to process an opt-out (it may, however, ask the consumer for the information necessary to complete the request). For the verification procedures, the Advisory outlined a possible process for analyzing whether additional verification information would be required, such as whether the business stores driver license information.
New Hampshire enacts SB 255, a comprehensive consumer privacy bill
Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.
The Act will define new terms, such as "sensitive data” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.
The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability. Consumers will also be protected against discrimination for exercising any of the above rights.
The Act contained controller responsibilities, including:
- Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
- not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
- Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
- Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
- Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
- Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.
The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.
The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.
Utah enshrines two acts to create cybersecurity notification guidelines
On March 19, Utah enacted SB 98 which amended the state’s online data security and privacy requirements. SB 98 will include new protocols that individuals and governmental entities must follow under its data breach reporting requirements. SB 98 will require individuals and governmental entities to provide specific information about the breach, including, among other things: (i) when the data breach occurred; (ii) when the data breach was discovered; (iii) the total number of individuals affected by the breach, with a separate count for Utah residents; (iv) the type of personal data involved; (v) a brief description of the data breach; and only for government entities (vi) the path of means by which access was granted to the system if known; (vii) the individual or entity who perpetrated the breach if known; and (viii) the actions taken by the governmental entity to mitigate the effects of the breach. Additionally, the Cyber Center will be tasked with assisting the governmental entity in responding to breaches. This assistance may include: (a) conducting or participating in an internal investigation; (b) assisting law enforcement with their investigation if necessary; (c) determining the scope of the data breach; (d) helping the entity to restore the integrity of the compromised system; and (e) providing any other necessary support in response to the breach.
On that same day, the governor also signed into law HB 491 which enacted the Government Data Privacy Act. Similarly, the bill will describe the duties of state government agencies related to personal data privacy, including breach notification requirements, limits on data collection and use, and the ability to correct and access personal data. On structure, the bill created the Utah Privacy Governing Board to recommend changes in the state privacy policy, established the Office of Data Privacy to coordinate implementation of privacy protections, and named the Personal Privacy Oversight Commission to the Utah Privacy Commission and amended the commission’s duties. Both SB 98 and HB 491 will go into effect on May 1.
EU Parliament becomes first to enact binding law on artificial intelligence
On March 13, the European Parliament of the European Union voted into law the world’s first binding law on artificial intelligence (AI) titled “Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act)” to put forth a flexible coordinated approach regarding the “human and ethical” implications of AI. The stated objectives of this new regulation comprise ensuring that AI systems are safe and respecting the existing laws that protect the fundamental rights of citizens. Further, the act will aim to make sure AI investments are legally sound, enforce AI laws effectively, and develop a single market for AI applications. The European Parliament stated its legal basis for this law is through Article 114 of the Treaty on the Functioning of the European Union.
Following 89 preambles, the law’s Title I sets forth general subject matters: the law will set “harmonised rules” for the market as it will implement more AI systems; it prohibited certain AI systems; created specific requirements for “high-risk” AI systems; created transparency rules regarding emotion-recognition or biometric systems; and created rules on marketing surveillance. Title II prohibited AI practices and Title III covered “high-risk” AI systems. Prohibited AI systems include distorting someone’s behavior or vulnerabilities, evaluating trustworthiness with possibly a social score, or using “real-time” remote biometric identification systems for law enforcement (unless searching for either victims of a crime or missing children, among others). Title III on “high-risk” AI systems defined “high-risk” systems as those that pose fundamental risks to the rights of individuals, specifically to the health and safety of a citizen, among others.
New Hampshire enshrines a new consumer privacy law
On March 6, the Governor of New Hampshire, Chris Sununu, signed into law a sweeping consumer privacy bill. Under the act, consumers will have the right to confirm if a controller (an individual who controls personal data) is processing their personal data, a right to access that data, as well as correct inaccuracies, obtain a copy, delete, and opt-out of the processing of the data for targeted advertising purposes. The act also imposed limits on collectors, including that a controller shall (i) limit the collection of data to only what is adequate, relevant, and reasonably necessary for the intended purpose; (ii) establish and maintain administrative security practices to protect the confidentiality of consumer personal data; (iii) not process sensitive data without obtaining the consumer’s consent or, if the data concerns a known child, process the data in accordance with COPPA; (iv) provide an easy means for consumers to revoke consent; and (v) not process personal data for targeted advertising purposes without consumer consent. The bill further outlined a processor’s responsibilities and required controllers to conduct a data protection assessment for each action that may present a risk of harm to a consumer. The act will go into effect on January 1, 2025.
House Committee report finds broad financial surveillance by federal government using financial institutions data following January 6th events
On March 5, the Committee on the Judiciary and its Select Subcommittee on the Weaponization of the Federal Government released an interim staff report on how federal law enforcement agencies, in the wake of the events of January 6, 2021, at the U.S. Capitol, engaged in financial surveillance by encouraging financial institutions to provide data on private transactions of consumers without a nexus to criminal conduct. The report indicated the consumers particularly targeted were those who tend to hold “conservative viewpoints.” The report cited several whistleblower testimonies and provided email transcripts of the government agents’ requests. One institution allegedly acted “voluntarily and without legal process” and provided the FBI with a dataset of names of those who used that institution’s credit or debit card in the Washington, D.C. region between January 5 and January 7, 2021, but also included those who had ever used that institution’s debit or credit card to purchase a firearm. The report suggested that citizens who did nothing other than go “shopping or exerciz[e] their Second Amendment rights” were placed under a type of financial surveillance between their financial institution and the government, making specific mention of right-leaning individuals now at risk.
The report provided context with the Right to Financial Privacy Act of 1978, Section 314(a) of the USA Patriot Act, and the Bank Secrecy Act in mind. While these federal acts were created to protect citizens, the report alleged they “have failed to adequately protect American’s financial information.” The report was particularly critical of the federal government using “informal meetings and backchannel discussions” with financial institutions to devise the best methods for getting Americans’ private financial information, including using merchant category codes and politicized “search terms,” and the federal government disseminating “political materials” to such institutions that were allegedly “hostile” to conservative viewpoints and “treated lawful transactions as suspicious.”
NIST releases cybersecurity framework 2.0 with tailored guidance
On February 26, the National Institute of Standards and Technology (NIST) finalized its Cybersecurity Framework (CSF), a document on guidance for reducing cybersecurity risk. After releasing the draft proposal last August for Cybersecurity Framework Version 2.0 which was updated to help organizations understand and reduce cybersecurity risks (covered by InfoBytes here), and considering public comments, NIST “expanded the CSF’s core guidance and developed related resources to provide different audiences with tailored pathways into the CSF and make the framework easier to put into action.”
According to NIST’s press release, the revised framework acknowledges that organizations will approach the CSF with different requirements and levels of proficiency in cybersecurity tool implementation. Novice users would benefit from the experiences of others and choose relevant implementation examples and quick-start guides tailored for specific user categories, including small businesses, enterprise risk managers, and organizations focused on securing supply chains. “NIST plans to continue enhancing its resources and making the CSF an even more helpful resource to a broader set of users… and feedback from the community will be crucial.”
FCC partners with two U.K. regulators in combating privacy issues and protecting consumer data
Recently, the FCC announced (here and here) that it has partnered with two U.K. communications regulatory agencies to address issues regarding privacy and data protection in telecommunications. The FCC announced two separate statements because the two U.K. regulators perform different duties: the first announcement is with the U.K. Information Commissioner’s Office (ICO), which regulates data protection and information rights; the second is with the U.K.’s Office of Communications (OFCOM) which regulates telecommunications. Both announcements highlighted a strengthening of resources and networks to protect consumers on an international scale, given the large amounts of data shared via international telecom carriers.
The FCC’s announcement with ICO explained that the partnership would be focused on combatting robocall and robotext efforts, as well as finding means to better protect consumer privacy and data concerns. In the FCC’s announcement with the OFCOM, the U.S. regulator announced a new collaboration to combat illegal robocalls and robotexts given the two countries’ shared interest in investigating networking abuses. The FCC elaborated on its desire to bolster requirements for gateway providers: this is the “on-ramp” for international internet traffic into U.S. networks.