Automated Decisionmaking and Profiling (ADM) Requirements in U.S. State Privacy Laws, and Current State of Play in State AI Regulations
May 15, 2024
This paper examines the requirements regarding automated decisionmaking and profiling included in comprehensive state privacy laws as well as notable, state-level artificial intelligence regulations.
Comprehensive state consumer privacy laws play a crucial role in shaping the use of AI technologies by imposing specific regulations on automated processing and decisionmaking. Most such laws that have been adopted to date provide consumers the right to opt out of any processing of personal information for the purpose of “profiling” that produces legal or similarly significant effects. We also compare these requirements to similar requirements found in the EU General Data Protection Regulation (“GDPR”) to benchmark US state law requirements against the currently dominant global standard on this issue.
Comparison of U.S. State Privacy Laws: Data Protection Assessments
February 8, 2024
The ever-growing number of privacy laws enacted by state legislatures and the lack of a uniform federal standard have left organizations in the United States wrestling with inconsistent legal obligations regarding the collection and use of personal data.
This paper addresses data protection assessment requirements. It unpacks the difficulties organizations face in light of divergent rules and urges state lawmakers to promote interoperability and convergence moving forward.
Why We Need Interstate Privacy Rules for the US
September 25, 2020
In the absence of a comprehensive federal privacy law that pre-empts disparate and inconsistent state privacy laws, a multistate interoperability code of conduct or certification may be the only way for organizations, particularly SMEs, to comply with an ever-increasing number of state privacy requirements.
This Concept Proposal makes the case for interstate privacy rules for the U.S.
Data Protection in the New Decade: Lessons from COVID-19 for a US Privacy Framework
August 24, 2020
Data protection is constantly evolving, and the global experience with COVID-19 in 2020 has offered valuable lessons to help guide that evolution in the future. Digital data and technologies have assumed an even greater importance in economic activity, social connectivity, and public health.
This discussion paper highlights some of the key data protection lessons from COVID-19. It focuses on providing guidance to inform development of a comprehensive US federal privacy framework, while also drawing on the broader context of other nations and regions.
What Does the USMCA Mean for US Federal Privacy Law?
January 17, 2020
This paper argues that in light of the USMCA, any new comprehensive federal privacy law must take account of and enable the CBPR and similar formal accountability mechanisms, such as privacy codes of conduct and certifications, in order to fully account for U.S. obligations under the digital trade chapter in which this recognition is found. Moreover, such formal privacy programs and certifications should be included regardless of the USMCA because they are important tools for effective legal compliance, serve as cross-border transfer mechanisms for data flows to and from countries that require such transfer mechanisms, and deliver many other benefits to all stakeholders, as discussed below.
Organizational Accountability in Light of FTC Consent Orders
November 13, 2019
In the United States, organizational accountability is a requirement that has long been established in law and regulatory guidance across a wide variety of corporate compliance areas. In the US privacy realm, the Federal Trade Commission (FTC) has traditionally spelled out many of accountability’s key features through its consent decrees. Practically every consent decree resulting from an FTC privacy case has included a requirement to establish and implement a written privacy and security program, with many of these incorporating the essential elements of organizational accountability.
This paper will explore the recent $5 billion FTC settlement with Facebook (“Facebook Settlement”) which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order. It will also examine the recent FTC settlement with Equifax, related to its 2017 data breach (“Equifax Settlement”).
The Concept of Organizational Accountability - Existence in the US Regulatory Compliance and its Relevance for a Federal Data Privacy Law
July 3, 2019
As the US considers the adoption of a comprehensive federal privacy law, numerous stakeholders have raised the importance of incorporating the concept of “organizational accountability” into any new US privacy law. Accountability is now globally recognized as a key component of effective privacy and data protection regulation. This global acceptance, however, creates the misconception for some that this concept is somehow a foreign import and does not fit within US corporate and legal culture. Accountability is also sometimes misunderstood as a concept that is too vague or hard to define, or as something that is promoted by industry in lieu of strict and enforceable privacy rules. Nothing could be further from the truth.
This paper explores the concept of organizational accountability as it exists within the current US legal system across a variety of regulatory areas and what this can teach us for a federal privacy law.
Ten Principles for a Revised US Privacy Framework
March 21, 2019
Our economies and societies are in the midst of the 4th industrial revolution, with digitalization and datafication transforming the way we live, work and interact. This transformation has brought into sharp focus the question of how we should regulate data use, governance and privacy to enable us to reap the benefits of data-driven innovation while mitigating the risks associated with ubiquitous and massive data use. In response, many countries have updated or are in the process of updating their data privacy laws and frameworks.
This paper focuses on principles for a potential US federal privacy law. This federal law should have the dual objectives of providing appropriate privacy protections for consumers and enabling the digital economy and innovation to ensure US leadership and competitiveness. CIPL believes that the following principles will help ensure that these dual goals are met.
Learning from GDPR: What Elements Should the US Adopt?
January 25, 2019
This paper outlines top aspects of the GDPR which should be incorporated in a new federal US privacy law and top aspects that should not be included without further adaptation.
These aspects are stated at a very general level with a non-GDPR expert audience in mind.
Copyright © 2024 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.