Wednesday, July 10, 2024

FYI: Pennsylvania Amends Data Breach Notification Law

Pennsylvania Gov. Josh Shapiro recently approved Senate Bill 824, which amends Pennsylvania's data breach notification law, 73 Pa. Stat. Ann. § 2301, et seq.

 

The amendments will go into effect Sept. 26, 2024.

 

Among other things, the amendments:

  • Require concurrent notification to the Attorney General if notification must be given to more than 500 individuals
  • Require that the notice to the Attorney General include:
      • The organization name and location
      • The date of the breach
      • A summary of the incident
      • An estimated number of individuals affected
      • An estimated number of individuals in Pennsylvania affected
  • Reduce the threshold for reporting an incident to consumer reporting agencies from more than 1,000 affected individuals to more than 500
  • Require entities that are required to report the incident to consumer reporting agencies to assume the costs of providing the affected individuals with:
      • Access to one credit report if an individual is not eligible for a free report
      • Access to credit monitoring services for one year

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct: (312) 551-9320
Mobile: (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

Alabama | Florida | Illinois | Massachusetts | New Jersey | New York | Ohio | Pennsylvania | Tennessee | Texas | Washington, DC

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at: Financial Services Law Updates, The Consumer Financial Services Blog, and Webinars.


Tuesday, July 2, 2024

FYI: Rhode Island Enacts Haphazard Customer Data Privacy Law

The "Rhode Island Data Transparency and Privacy Protection Act" (Rhode Island Senate Bill 2500, the "Act") was enacted on June 28, 2024 without Governor Dan McKee's signature. The new Act will go into effect Jan. 1, 2026.

 

A copy of the legislation is available at:  Link to the Rhode Island Data Transparency and Privacy Protection Act

 

This makes Rhode Island the 19th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, and Minnesota.

 

INFORMATION SHARING PRACTICES

 

The Act begins with a section titled "Information Sharing Practices," which broadly applies to any commercial website (undefined) or internet service provider conducting business in Rhode Island or with customers in the state.

 

Despite the title, this section has little to do with "sharing."  If such an entity collects, stores and sells customers' "personally identifiable information" (undefined), its controller must, in its customer agreement or on its website, "identify all third parties to whom the controller has sold or may sell customers' personally identifiable information," among other things.

 

This poses several problems. First, it would be almost impossible for a controller to predict every specific third party to whom it may sell personally identifiable information at any time in the future.

Second, the term "personally identifiable information" is undefined yet referred to 10 times in the Act, plus one reference to the equally undefined "personally identifiable data." While "personal data" is defined, it is not clear that these terms are all one and the same.

 

Curiously, this section contains a lengthy list of entities and information that are exempt from the Act that differs from the shorter list provided in a separate section titled "Construction" summarized below, though there is some overlap.

 

APPLICABILITY

 

Apart from the "Information Sharing Practices" section, the Act applies to for-profit entities that conduct business in Rhode Island or that produce products or services that are targeted to residents of Rhode Island and that during the preceding calendar year did any of the following:

 

    > Controlled or processed the personal data of not less than 35,000 customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

    > Controlled or processed the personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

 

Oddly, these same thresholds are repeated in the sections titled "Customer Rights," "Exercising Customer Rights," and "Controller and Processor Responsibilities."

 

EXEMPTIONS

 

In addition to the list of exemptions contained in the "Information Sharing Practices" section, the "Construction" section provides the Act does not apply to:

 

    > A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act and its implementing regulations;

 

    > Information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);

 

    > Personally identifiable information or any other information collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f);

 

    > Any entity recognized as a tax exempt organization under the Internal Revenue Code;

 

    > A contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

 

Additionally, the definition of "customer" excludes "an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency."

 

CUSTOMER RIGHTS

 

The Act provides a customer with the right to:

 

    > Confirm whether their personal data is being processed;

    > Correct inaccuracies;

    > Delete personal data provided by, or obtained about, the consumer;

    > Obtain a portable copy of the personal data processed;

    > Opt out of the processing of their personal data if for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

 

SENSITIVE DATA

 

A controller is prohibited from processing sensitive data without a customer's consent.

 

"Sensitive data" is defined as "personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise  geolocation data."

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

 

It must also require that the processor:

 

    > Ensure that each person processing personal data is subject to a duty of confidentiality;

    > At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

    > Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations of the Act;

    > After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;

    > Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations of the Act.

 

DATA PROTECTION ASSESSMENTS

 

A controller must conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a customer, including:

 

    > The processing of personal data for purposes of targeted advertising;

    > The sale of personal data;

    > The processing of personal data for purposes of profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers;

    > The processing of sensitive data.

 

ENFORCEMENT

 

A violation constitutes a deceptive trade practice, and an intentional disclosure of personal data in violation of the Act may result in a fine of not less than $100 and no more than $500 for each such disclosure. The Attorney General has sole authority to enforce the Act, which contains no cure provision.

 

IMPRESSION

 

While similar in many respects to some of the post-California comprehensive data privacy laws, this legislation appears to have been cobbled together in a hasty and haphazard fashion, which may create compliance issues for those trying to align its compliance requirements with those of other states. Like California, it is anticipated that this Rhode Island Act will undergo numerous corrective amendments in the next legislative session.


Monday, June 24, 2024

FYI: 11th Cir Holds Anti-Modification Provision in Bankruptcy Code Applies to Mixed-Use Real Properties

The U.S. Court of Appeals for the Eleventh Circuit recently held that the anti-modification provision in the federal Bankruptcy Code applies to loans secured by mixed-use real properties, such as the large parcel at issue here, which functioned both for commercial use and as the debtor's principal residence.

 

A copy of the opinion is available at:  Link to Opinion

 

The debtor defaulted on her mortgage loan for a 43-acre property in Georgia, which served as her principal residence and was also leased to a farming company. In an effort to restructure her debts, the debtor, Lee, filed a voluntary bankruptcy petition and proposed a reorganization plan that included payments to the mortgagee.

 

The mortgagee sought relief from the automatic stay, arguing that the anti-modification provision barred the court from approving a plan that altered the mortgagee's claim. The bankruptcy court agreed, holding that the anti-modification provision applied because the property was the debtor's principal residence, despite its additional use as farmland. Consequently, the bankruptcy court granted the mortgagee's motion for relief from the automatic stay, allowing the mortgagee to proceed with foreclosure.

 

The debtor appealed, but the district court affirmed the bankruptcy court's ruling. The debtor then appealed to the Eleventh Circuit.

 

The Eleventh Circuit first noted that the Bankruptcy Code generally allows debtors to modify or restructure their debts, subject to certain limits. For example, the Court continued, a Chapter 11 restructuring plan may "modify the rights of holders of secured claims," but, under the anti-modification provision, it cannot modify those rights if a creditor's claim is "secured only by a security interest in real property that is the debtor's principal residence." 11 U.S.C. § 1123(b)(5). The Court also noted that the Chapter 11 anti-modification provision in "section 1123(b)(5) is identical to section 1322(b)(2) — the anti-modification provision in chapter 13."

 

Agreeing with similar rulings of the Sixth and Ninth Circuits, the Eleventh Circuit held that the text of the anti-modification provision, when read together with the statutory definition of a "debtor's principal residence," has "three distinct requirements." In re Wages, 508 B.R. 161, 165 (B.A.P. 9th Cir. 2014). First, "the security interest must be in real property." Second, "the real property must be the only security for the debt." Lastly, "the real property must be the debtor's principal residence."

 

The debtor argued that the approach taken by the First and Third Circuits should be followed. The Eleventh Circuit noted that the First and Third Circuits "read the anti-modification provision to require that the debtor use her real property only or exclusively as her principal residence and for no other purpose." See In re Scarborough, 461 F.3d 406, 411 (3d Cir. 2006); Lomas Mortg., Inc. v. Louis, 82 F.3d 1, 4–7 (1st Cir. 1996).

 

However, the majority of the Eleventh Circuit disagreed.  Examining the plain language of the anti-modification provision, and standard dictionary definitions, the Eleventh Circuit majority held that the anti-modification provision's requirements were clear: the debt must be secured by real property, which must be the debtor's principal residence and the sole security for the debt.

 

The debtor also urged the adoption of a "second, case-by-case, totality-of-the-circumstances approach that focuses heavily on the parties' subjective intentions" that "was first set out in In re Brunson, 201 B.R. 351 (Bankr. W.D.N.Y. 1996)," such as "whether the property is used 'for significant commercial purposes' rather than as the debtor's principal residence."  However, the Eleventh Circuit held that this approach was not grounded in the text of the anti-modification provision.

 

The Eleventh Circuit thus rejected the debtor's argument that the property's additional use as farmland should exempt it from the anti-modification provision, and affirmed the rulings of the lower courts.


Thursday, June 6, 2024

FYI: Minnesota Becomes 18th State to Enact Comprehensive Consumer Data Privacy Law

Minnesota Governor Tim Walz recently signed into law HF 4757, the Minnesota Consumer Data Privacy Act, making Minnesota the 18th state to enact a comprehensive consumer data privacy law.

 

The Minnesota law will go into effect July 31, 2025.

 

There were a number of consumer data privacy bills in play during the state's legislative session that never made it to the finish line. Ultimately, the Minnesota Act hitched a ride in a bill related to appropriations, cannabis policy, and commerce policy.

 

Minnesota joins the following states to have enacted privacy laws: California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland.

 

APPLICABILITY

 

The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

 

  • During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

 

  • Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations if the collection, processing, sale, or disclosure is in compliance with that law;
  • Protected health information under the Health Insurance Portability and Accountability Act of 1996;
  • The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  • Data collected or maintained in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role.

 

CONSUMER RIGHTS

 

Consumers have the right to:

 

  • Confirm whether a controller is processing their personal data;
  • Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data;
  • Delete personal data concerning the consumer;
  • Obtain a portable copy of their personal data to the extent technically feasible, in a readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
  • Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer;
  • Question the results of profiling if the personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects;
  • Obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data or, if the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data.

 

SENSITIVE DATA

 

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent.

 

"Sensitive data" is:

 

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
  • The personal data of a known child; or
  • Specific geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:

 

  • Ensure that each person processing personal data is subject to a duty of confidentiality;
  • Engage a subcontractor only (a) after providing the controller with an opportunity to object, and (b) pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
  • Establish, implement, and maintain reasonable data security practices;
  • Upon request, delete or return all personal data to the controller as requested at the end of the provision of services;
  • Upon request, make available to the controller all information necessary to demonstrate compliance with the Act;
  • Allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor.

 

DATA PROTECTION ASSESSMENTS

 

A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:

 

  • The processing of personal data for purposes of targeted advertising;
  • The sale of personal data;
  • The processing of sensitive data;
  • Any processing activities involving personal data that present a heightened risk of harm to consumers; and
  • The processing of personal data for purposes of certain profiling.

 

ENFORCEMENT

 

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty of not more than $7,500 per violation. The Act provides a 30-day cure provision that expires Jan. 31, 2026.

 

IMPRESSION

 

While similar in many respects to some of the post-California comprehensive data privacy laws, the Minnesota Act ventures farther in some respects, including providing consumers the right to question the results of profiling and to obtain a list of the specific third parties with whom the controller disclosed their personal data. For those aligning compliance with this act with other state laws, careful attention is warranted given the originality of some of the provisions.

 

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.


Thursday, May 16, 2024

FYI: SCOTUS Rules CFPB Funding Mechanism is Constitutional

The Supreme Court of the United States ruled that the federal Consumer Financial Protection Bureau's funding mechanism complies with the United States Constitution's Appropriations Clause.

 

A copy of the opinion is available at:  Link to Opinion

 

This is the second time in four years the Supreme Court has rejected a constitutional attack on the CFPB's authority.

 

This most recent challenge attacked the Bureau's funding structure, which the U.S. Court of Appeals for the Fifth Circuit had ruled unconstitutional.

 

Justice Clarence Thomas, writing for the seven-justice majority, disagreed with the lower court. "Under the Appropriations Clause, an appropriation is simply a law that authorizes expenditures from a specified source of public money for designated purposes. The statute that provides the Bureau's funding meets these requirements. We therefore conclude that the Bureau's funding mechanism does not violate the Appropriations Clause."

 

Unlike most other federal agencies, the Bureau does not ask Congress for funding. Instead, it obtains its funds by making a request to the Federal Reserve, and that request may not exceed 12% of the Federal Reserve's "total operating expenses."

 

The Fifth Circuit held this scheme violated the Appropriations Clause which grants Congress exclusive control over "the federal purse." The Fifth Circuit reasoned Congress' funding control is a necessary apparatus to the checks and balances between the three branches of the federal government. The Appropriations Clause prevents "the executive [branch] . . . from unilaterally spending funds," by allowing Congress to retain control of the purse strings. The CFPB, in the end, holds the strings to the purse, not Congress, and so it is constitutionally defective, according to the Fifth Circuit's opinion.

 

Justice Thomas saw it differently. "Based on the Constitution's text, the history against which that text was enacted, and congressional practice immediately following ratification, we conclude that appropriations need only identify a source of public funds and authorize the expenditure of those funds for designated purposes to satisfy the Appropriations Clause."

 

Justice Samuel Alito delivered a dissent, joined by Justice Gorsuch. The dissent criticized the majority opinion as undermining the checks and balances protection afforded by the Appropriations Clause, causing it to be nothing more than "a minor vestige."

 

A concurring opinion was delivered by Justice Kagan, which was joined by Justices Sotomayor, Kavanaugh and Barrett. Justice Jackson filed a separate concurring opinion.

 

The CFPB issued a statement Thursday applauding the decision. "This ruling upholds the fact that the CFPB's funding structure is not novel or unusual, but in fact an essential part of the nation's financial regulatory system, providing stability and continuity for the agencies and the system as a whole. As we have done since our inception, the CFPB will continue carrying out the vital consumer protection work Congress charged us to perform for the American people."

 

The Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), on Thursday said, "Despite the setback from today's ruling, Republicans will continue the fight to rein in the rogue CFPB. To be clear, this Supreme Court opinion yet again emphasizes that Congress has exclusive authority and discretion over federal agencies' funding structures. The House must urgently take up Congressman Andy Barr's CFPB Transparency and Accountability Reform Act. This commonsense legislation will fix the mistakes of Dodd-Frank which set the dangerous precedent of tapping the central bank to fund partisan political objectives. It's past time the CFPB is held accountable to the American people through their elected representatives."


Wednesday, May 8, 2024

FYI: Massachusetts AG Provides Guidance on Intersection of Artificial Intelligence and Existing State Laws

The Massachusetts Office of Attorney General ("AGO") recently issued an Advisory on the development, supply, and use of artificial intelligence ("AI").  The Advisory provides guidance in the context of the Massachusetts Consumer Protection Act,[1] Anti-Discrimination Law,[2] Data Security Law,[3] and associated regulations.

 

The AGO defines AI as:  "A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action."

 

For this definition, the AGO cites Executive Order 14110, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," though the definition originates from the National Artificial Intelligence Initiative, 15 U.S.C. § 9401(3).

 

The AGO provides the following list of acts or practices that could be "unfair and deceptive" under the Massachusetts Consumer Protection Act:

 

  • Falsely advertising the quality, value, or usability of AI systems;
  • Supplying an AI system that is defective, unusable, or impractical for the purpose advertised;
  • Misrepresenting the reliability, manner of performance, safety, or condition of an AI system;
  • Offering for sale or use an AI system in breach of warranty, i.e., the system is not fit for the ordinary purposes for which such systems are used, or is unfit for the specific purpose for which it is sold where the supplier knows of such purpose;
  • Misrepresenting audio or video content of a person for the purpose of deceiving another to engage in a business transaction or supply personal information as if to a trusted business partner, as in the case of deepfakes, voice cloning, or chatbots used to engage in fraud; or
  • More broadly, failing to comply with "Massachusetts statutes, rules, regulations or laws, meant for the protection of the public's health, safety or welfare."

 

In the context of Massachusetts' Anti-Discrimination Law, the AGO warns against "deploying technology that discriminates against residents on the basis of a legally protected characteristic," including "algorithmic decision-making that relies on or uses discriminatory inputs and that produces discriminatory results, such as those that have the purpose or effect of disfavoring or disadvantaging a person or group of people based on a legally protected characteristic."

 

The AGO also advises that developers, suppliers, and users of AI remain subject to Massachusetts' data breach notification laws and the regulations setting forth the standards for the protection of personal information.

 

As Congress and state legislatures grapple with how to regulate AI without deterring innovation, the Advisory illustrates how state attorneys general can rely on existing laws to address many potential issues.

 

. . .

[1] Mass. Ann. Laws ch. 93A, § 2; 940 Code Mass. Regs. 3.00 et seq.; 940 Code Mass. Regs. 5.00 et seq.

 

[2] Mass. Ann. Laws ch. 151B, § 4.

 

[3] Mass. Ann. Laws ch. 93H; 201 Code Mass. Regs. 17.00, et seq.


Saturday, April 6, 2024

FYI: Kentucky Becomes 15th State to Enact a Comprehensive Consumer Data Privacy Law

Kentucky Gov. Andy Beshear recently signed into law House Bill 15, the Kentucky Consumer Data Protection Act, making Kentucky the 15th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, and New Hampshire.

 

The new Kentucky law will go into effect Jan. 1, 2026.

 

APPLICABILITY

 

The Act applies to persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents and that during a calendar year control or process personal data of at least:

  • 100,000 consumers; or
  • 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

  • Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.;
  • Covered entities or business associates governed by the privacy, security, and breach notification rules established pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA");
  • Protected health information under HIPAA; and
  • The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

 

CONSUMER RIGHTS

 

Consumers have the right to:

  • Confirm whether a controller is processing their personal data and to access such personal data;
  • Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing the data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a portable copy of the personal data that they previously provided to the controller; and
  • Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

 

SENSITIVE DATA

 

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data [except] in accordance with the federal Children's Online Privacy Protection Act 15 U.S.C. § 6501, et seq.

 

"Sensitive data" means a category of personal data that includes:

  • Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data processed for the purpose of uniquely identifying a specific natural person;
  • Personal data collected from a known child; or
  • Precise geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also require that the processor:

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the Act;
  • Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under the Act, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor must provide a report of the assessment to the controller upon request; and
  • Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor.

 

DATA IMPACT ASSESSMENTS

 

A controller must conduct and document a data impact assessment of each of the following processing activities:

  • The processing of personal data for the purposes of targeted advertising;
  • The processing of personal data for the purposes of selling personal data;
  • The processing of personal data for the purposes of certain profiling;
  • The processing of sensitive data; and
  • Any processing that presents a heightened risk of harm to consumers.

 

ENFORCEMENT

 

The Attorney General has exclusive authority to enforce violations. For any violation that is not cured within 30 days of notice, the Attorney General may seek damages up to $7,500 for each violation.

 

IMPRESSION

 

The Kentucky Consumer Data Protection Act is sensible legislation that balances the rights of consumers with the impact on businesses. The Act follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those that must comply with one or more of the other laws.

 

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.
