Thursday, June 6, 2024

FYI: Minnesota Becomes 18th State to Enact Comprehensive Consumer Data Privacy Law

Minnesota Governor Tim Walz recently signed into law HF 4757, the Minnesota Consumer Data Privacy Act, making Minnesota the 18th state to enact a comprehensive consumer data privacy law.

 

The Minnesota law will go into effect July 31, 2025.

 

There were a number of consumer data privacy bills in play during the state's legislative session that never made it to the finish line. Ultimately, the Minnesota Act hitched a ride in a bill related to appropriations, cannabis policy, and commerce policy.

 

Minnesota joins the following states to have enacted privacy laws: California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland.

 

APPLICABILITY

 

The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

 

  • During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

 

  • Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations if the collection, processing, sale, or disclosure is in compliance with that law;
  • Protected health information under the Health Insurance Portability and Accountability Act of 1996;
  • The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  • Data collected or maintained in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role.

 

CONSUMER RIGHTS

 

Consumers have the right to:

 

  • Confirm whether a controller is processing their personal data;
  • Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data;
  • Delete personal data concerning the consumer;
  • Obtain a portable copy of their personal data to the extent technically feasible, in a readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
  • Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer;
  • Question the results of profiling if the personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects;
  • Obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data or, if the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data.

 

SENSITIVE DATA

 

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent.

 

"Sensitive data" is:

 

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
  • The personal data of a known child; or
  • Specific geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:

 

  • Ensure that each person processing personal data is subject to a duty of confidentiality;
  • Engage a subcontractor only (a) after providing the controller with an opportunity to object, and (b) pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
  • Establish, implement, and maintain reasonable data security practices;
  • Upon request, delete or return all personal data to the controller as requested at the end of the provision of services;
  • Upon request, make available to the controller all information necessary to demonstrate compliance with the Act;
  • Allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor.

 

DATA PROTECTION ASSESSMENTS

 

A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:

 

  • The processing of personal data for purposes of targeted advertising;
  • The sale of personal data;
  • The processing of sensitive data;
  • Any processing activities involving personal data that present a heightened risk of harm to consumers; and
  • The processing of personal data for purposes of certain profiling.

 

ENFORCEMENT

 

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty of not more than $7,500 per violation. The Act provides a 30-day cure provision that expires Jan. 31, 2026.

 

IMPRESSION

 

While similar in many respects to some of the post-California comprehensive data privacy laws, the Minnesota Act ventures farther in some respects, including providing consumers the right to question the results of profiling and to obtain a list of the specific third parties with whom the controller disclosed their personal data. For those aligning compliance with this act with other state laws, careful attention is warranted given the originality of some of the provisions.

 

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

 

 

 

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, Suite 3300
Chicago, Illinois 60602
Direct:  (312) 551-9320

Mobile:  (312) 493-0874
Email: rwutscher@MauriceWutscher.com

 

Admitted to practice law in Illinois

 

 

 

Alabama   |   Florida   |   Illinois   |   Massachusetts   |   New Jersey   |   New York   |   Ohio   |   Pennsylvania   |   Tennessee   |   Texas   |   Washington, DC

 

 

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.


Our updates and webinar presentations are available on the internet, in searchable format, at:

 

Financial Services Law Updates

 

and

 

The Consumer Financial Services Blog

 

and

 

Webinars

  

 

 

 

 

Thursday, May 16, 2024

FYI: SCOTUS Rules CFPB Funding Mechanism is Constitutional

The Supreme Court of the United States ruled that the federal Consumer Financial Protection Bureau's funding mechanism complies with the United States Constitution's Appropriations Clause.

 

A copy of the opinion is available at:  Link to Opinion

 

This is the second time in four years the Supreme Court has rejected a constitutional attack on the CFPB's authority.

 

This most recent challenge attacked the Bureau's funding structure which the U.S. Court of Appeals for the Fifth Circuit ruled as unconstitutional.

 

Justice Clarence Thomas, writing for the seven-justice majority, disagreed with the lower court. "Under the Appropriations Clause, an appropriation is simply a law that authorizes expenditures from a specified source of public money for designated purposes. The statute that provides the Bureau's funding meets these requirements. We therefore conclude that the Bureau's funding mechanism does not violate the Appropriations Clause."

 

Unlike most other federal agencies, the Bureau does not ask Congress for funding. Instead, it obtains its funds by making a request to the Federal Reserve, and that request may not exceed 12% of the Federal Reserve's "total operating expenses."

 

The Fifth Circuit held this scheme violated the Appropriations Clause which grants Congress exclusive control over "the federal purse." The Fifth Circuit reasoned Congress' funding control is a necessary apparatus to the checks and balances between the three branches of the federal government. The Appropriations Clause prevents "the executive [branch] . . . from unilaterally spending funds," by allowing Congress to retain control of the purse strings. The CFPB, in the end, holds the strings to the purse, not Congress, and so it is constitutionally defective, according to the Fifth Circuit's opinion.

 

Justice Thomas saw it differently. "Based on the Constitution's text, the history against which that text was enacted, and congressional practice immediately following ratification, we conclude that appropriations need only identify a source of public funds and authorize the expenditure of those funds for designated purposes to satisfy the Appropriations Clause."

 

Justice Samuel Alito delivered a dissent, joined by Justice Gorsuch. The dissent criticized the majority opinion as undermining the checks and balances protection afforded by the Appropriations Clause, causing it to be nothing more than "a minor vestige."

 

A concurring opinion was delivered by Justice Kagan, which was joined by Justices Sotomayor, Kavanaugh and Barrett. Justice Jackson filed a separate concurring opinion.

 

The CFPB issued a statement Thursday applauding the decision. "This ruling upholds the fact that the CFPB's funding structure is not novel or unusual, but in fact an essential part of the nation's financial regulatory system, providing stability and continuity for the agencies and the system as a whole. As we have done since our inception, the CFPB will continue carrying out the vital consumer protection work Congress charged us to perform for the American people."

 

The Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), on Thursday said, "Despite the setback from today's ruling, Republicans will continue the fight to rein in the rogue CFPB. To be clear, this Supreme Court opinion yet again emphasizes that Congress has exclusive authority and discretion over federal agencies' funding structures. The House must urgently take up Congressman Andy Barr's CFPB Transparency and Accountability Reform Act. This commonsense legislation will fix the mistakes of Dodd-Frank which set the dangerous precedent of tapping the central bank to fund partisan political objectives. It's past time the CFPB is held accountable to the American people through their elected representatives."

 

 

 


Wednesday, May 8, 2024

FYI: Massachusetts AG Provides Guidance on Intersection of Artificial Intelligence and Existing State Laws

The Massachusetts Office of Attorney General ("AGO") recently issued an Advisory on the development, supply, and use of artificial intelligence ("AI").  The Advisory provides guidance in the context of the Massachusetts Consumer Protection Act,[1] Anti-Discrimination Law,[2] Data Security Law,[3] and associated regulations.

 

The AGO defines AI as:  "A machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations or decisions influencing real or virtual environments. Artificial intelligence systems use machine- and human-based inputs to perceive real and virtual environments; abstract such perceptions into models through analysis in an automated manner; and use model inference to formulate options for information or action."

 

For this definition, the AGO cites Executive Order 14110, "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," though the definition originates from the National Artificial Intelligence Initiative, 15 U.S.C. § 9401(3).

 

The AGO provides the following list of acts or practices that could be "unfair and deceptive" under the Massachusetts Consumer Protection Act:

 

  • Falsely advertising the quality, value, or usability of AI systems;
  • Supplying an AI system that is defective, unusable, or impractical for the purpose advertised;
  • Misrepresenting the reliability, manner of performance, safety, or condition of an AI system;
  • Offering for sale or use an AI system in breach of warranty, i.e., the system is not fit for the ordinary purposes for which such systems are used, or is unfit for the specific purpose for which it is sold where the supplier knows of such purpose;
  • Misrepresenting audio or video content of a person for the purpose of deceiving another to engage in a business transaction or supply personal information as if to a trusted business partner, as in the case of deepfakes, voice cloning, or chatbots used to engage in fraud; or
  • More broadly, failing to comply with "Massachusetts statutes, rules, regulations or laws, meant for the protection of the public's health, safety or welfare."

 

In the context of Massachusetts' Anti-Discrimination Law, the AGO warns against "deploying technology that discriminates against residents on the basis of a legally protected characteristic," including "algorithmic decision-making that relies on or uses discriminatory inputs and that produces discriminatory results, such as those that have the purpose or effect of disfavoring or disadvantaging a person or group of people based on a legally protected characteristic."

 

The AGO also advises that developers, suppliers, and users of AI remain subject to Massachusetts' data breach notification laws and the regulations setting forth the standards for the protection of personal information.

 

As Congress and state legislatures grapple with how to regulate AI without deterring innovation, the Advisory illustrates how state attorneys general can rely on existing laws to address many potential issues.

 

. . .

[1] Mass. Ann. Laws ch. 93A, § 2; 940 Code Mass. Regs. 3.00 et seq.; 940 Code Mass. Regs. 5.00 et seq.

 

[2] Mass. Ann. Laws ch. 151B, § 4.

 

[3] Mass. Ann. Laws ch. 93H; 201 Code Mass. Regs. 17.00, et seq.

 

 

 


Saturday, April 6, 2024

FYI: Kentucky Becomes 15th State to Enact a Comprehensive Consumer Data Privacy Law

Kentucky Gov. Andy Beshear recently signed into law House Bill 15, the Kentucky Consumer Data Protection Act, making Kentucky the 15th state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, and New Hampshire.

 

The new Kentucky law will go into effect Jan. 1, 2026.

 

APPLICABILITY

 

The Act applies to persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents and that during a calendar year control or process personal data of at least:

 

  • 100,000 consumers; or
  • 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

 

  • Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.;
  • Covered entities or business associates governed by the privacy, security, and breach notification rules established pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA");
  • Protected health information under HIPAA;
  • The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

 

CONSUMER RIGHTS

 

Consumers have the right to:

 

  • Confirm whether a controller is processing their personal data and to access such personal data;
  • Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing the data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a portable copy of the personal data that they previously provided to the controller;
  • Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

 

SENSITIVE DATA

 

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data [except] in accordance with the federal Children's Online Privacy Protection Act 15 U.S.C. § 6501, et seq.

 

"Sensitive data" means a category of personal data that includes:

 

  • Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person;
  • The personal data collected from a known child; or
  • Precise geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.  The contract must also require that the processor:

 

  • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the Act;
  • Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under the Act, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor must provide a report of the assessment to the controller upon request;
  • Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor.

 

DATA IMPACT ASSESSMENTS

 

A controller must conduct and document a data impact assessment of each of the following processing activities:

 

  • The processing of personal data for the purposes of targeted advertising;
  • The processing of personal data for the purposes of selling personal data;
  • The processing of personal data for the purposes of certain profiling;
  • The processing of sensitive data; and
  • Any processing that presents a heightened risk of harm to consumers.

 

ENFORCEMENT

 

The Attorney General has exclusive authority to enforce violations. For any violation that is not cured within 30 days of notice, the Attorney General may seek damages up to $7,500 for each violation.

 

IMPRESSION

 

The Kentucky Consumer Data Protection Act is sensible legislation that balances the rights of consumers with the impact on businesses. The Act follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those that must comply with one or more of the other laws.

 

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

 

 

 


Sunday, March 24, 2024

FYI: 3rd Cir Rules Securitization Trusts May Be Subject to CFPB, Action Not Time-Barred

In a case involving the federal Consumer Financial Protection Bureau (CFPB) and a group of asset securitization trusts, the U.S. Court of Appeals for the Third Circuit recently held that the defendant trusts were "covered persons" under the federal Consumer Financial Protection Act (CFPA), and rejected the defendant trusts' arguments that the CFPB failed to ratify its action before the statute of limitations had run.

 

A copy of the opinion is available at:  Link to Opinion

 

The CFPB initiated enforcement proceedings against the trusts for alleged violations related to servicing and collecting on student loans, which the trusts had contracted out to third parties.  The Trusts had no employees, and the trustee was "empowered to 'act on behalf of the Trust[s]," including through "Administration Agreements" and "Servicing Agreements" with third parties.  The third parties would "perform the duties of the trusts as well as the duties and obligations" of the trustee, as well as "provide and perform certain services such as borrower communications, procedures for delinquency and default, and disbursement", "conduct collections", and "oversee collection lawsuits against borrowers in the name of the Trusts."

 

The CFPB issued a civil investigative demand (CID) on each defendant trust "for information on collections lawsuits brought against borrowers for defaulted on student loans".  The CFPB eventually initiated enforcement proceedings in 2017.  The parties settled the allegations, but the trial court declined to enter the related consent decree, and the CFPB filed this action.

 

As you may recall, the Supreme Court of the United States in 2020 held that the CFPB's "for cause" removal provision "unconstitutionally insulated the Director of the CFPB from the president's removal authority".  Seila Law LLC v. Consumer Financial Protection Bureau, 140 S. Ct. 2183 (2020).  The SCOTUS concluded that "[t]he provisions of the Dodd-Frank Act bearing on the CFPB's structure and duties remain fully operative without the offending tenure restriction," and that "if the CFPB Director did not effectively ratify the underlying suit, the petition had to be dismissed."

 

In addition, the Supreme Court of the United States in 2021 held that the similar "for cause" removal provision for the director of the Federal Housing Finance Authority (FHFA) was also unconstitutional.  Collins v. Yellen, 594 U.S. __ (2021).  However, the SCOTUS declined to declare all actions by the FHFA's director to be void ab initio, ruling instead that "[a]ll the officers who headed the FHFA during the time in question were properly appointed. Although the statute unconstitutionally limited the President's authority to remove the confirmed Directors, there was no constitutional defect in the statutorily prescribed method of appointment to that office. As a result, there is no reason to regard any of the actions taken by the FHFA as void."  Id.  The SCOTUS also rejected the argument that "agency actions are void unless ratified by an Acting Director who was removable at will by the President."  Id.

 

The defendant trusts argued that they were not "covered persons" under the CFPA, and that the CFPB's action was untimely because it was initiated when the CFPB director was unconstitutionally insulated from presidential removal and ratified after the statute of limitations had expired.

 

The trial court ultimately rejected the timeliness argument, holding that "[t]his suit would have been filed even if the director had been under presidential control. It has been litigated by five directors of the CFPB, four of whom were removable at will by the President. And the CFPB did not change its litigation strategy once the removal protection was eliminated. This is strong evidence that this suit would have been brought regardless. Thus, the CFPB's initial decision to bring this suit was not ultra vires."

 

The trial court also held that the defendant trusts were "covered persons" under the CFPA.  As you may recall, 12 U.S.C. § 5531 provides that the CFPB may bring enforcement actions to "prevent a covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice," and a "covered person" is defined as "any person that engages in offering or providing a consumer financial product or service."  The trial court found that this definition was "broad enough to encompass actions taken on a person's behalf by another, at least where that action is central to his enterprise."

 

On appeal, the Third Circuit agreed with the lower court that the trusts were "covered persons" under the CFPA because they were engaged in offering or providing a consumer financial product or service.

 

First, the Court noted that trusts are explicitly included as "persons" under the CFPA.  12 U.S.C. § 5481(19).  Similarly, under § 5481(15), a "financial product or service" includes "extending credit and servicing loans."

 

Second, the Third Circuit examined whether the defendant trusts were "engaged" in offering or providing consumer financial products or services.  Parsing various case law and dictionary definitions of the word "engage", and applying these definitions to the stated purposes and activities of the defendant trusts in their trust agreements, the Appellate Court concluded that "[t]he Trust Agreement's purpose indicates that the Trusts engage in both student loan servicing and debt collection.  As such, the Trusts fall within the purview of the CFPA because they 'engage' in a known 'consumer financial product or service' and are necessarily subject to the CFPB's enforcement authority."

 

The Third Circuit also held that the CFPB was not required to ratify the action before the statute of limitations had run, following Collins v. Yellen as well as CFPB v. Law Offices of Crystal Moroney, P.C., 63 F.4th 174 (2d Cir. 2023), and Kaufmann v. Kijakazi, 32 F.4th 843 (9th Cir. 2022).  The Third Circuit concluded that there was no indication that the unconstitutional limitation on the President's authority to remove the CFPB Director harmed the Trusts, and thus no need for ratification.

 

In sum, the Third Circuit held that (1) the defendant trusts "are covered persons subject to the CFPA's enforcement authority because they 'engage' in the requisite activities"; and (2) "the CFPB did not need to ratify this action before the statute of limitations had run."

 

 

 


Friday, March 8, 2024

FYI: New Hampshire Enacts Comprehensive Consumer Data Privacy Law

New Hampshire Governor Chris Sununu recently signed into law Senate Bill 255, making New Hampshire the 14th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, and New Jersey.  The law will go into effect Jan. 1, 2025.

 

A copy of the legislation is available at:  Link to SB255

 

APPLICABILITY

 

The Act applies to persons that conduct business in New Hampshire, or that produce products or services targeted to residents of New Hampshire, and that during a one-year period:

 

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

 

EXEMPTIONS

 

Exemptions include, but are not limited to:

 

·        A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq.;

·        Protected health information under the Health Insurance Portability and Accountability Act of 1996;

·        The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.

 

CONSUMER RIGHTS

 

Consumers have the right to:

 

·        Confirm whether a controller is processing their personal data and access such personal data;

·        Correct inaccuracies in their personal data;

·        Delete personal data provided by, or obtained about, the consumer;

·        Obtain a copy of their data processed by the controller in a portable and, to the extent technically feasible, readily usable format;

·        Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data (subject to exceptions), or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

 

SENSITIVE DATA

 

A controller may not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children's Online Privacy Protection Act.

 

"Sensitive data" means personal data that includes data revealing:

 

·        Racial or ethnic origin;

·        Religious beliefs;

·        Mental or physical health condition or diagnosis;

·        Sex life or sexual orientation;

·        Citizenship or immigration status;

·        Genetic or biometric data processed for the purpose of uniquely identifying an individual;

·        Personal data collected from a known child;

·        Precise geolocation data.

 

CONTRACT REQUIREMENTS

 

A contract between a controller and a processor must set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor:

 

·        Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

·        At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

·        Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter;

·        After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and

·        Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor must provide a report of such assessment to the controller upon request.

 

DATA PROTECTION ASSESSMENTS

 

A controller must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer, including:

 

·        The processing of personal data for the purposes of targeted advertising;

·        The sale of personal data;

·        The processing of personal data for the purposes of certain profiling; and

·        The processing of sensitive data.

 

ENFORCEMENT

 

The Act does not create a private right of action. A violation that is not cured within 60 days of notice from the Attorney General is an unfair method of competition or an unfair or deceptive act or practice in the conduct of any trade or commerce under N.H. Rev. Stat. Ann. § 358-A:2, which provides for injunctive relief and civil penalties of up to $10,000 for each violation.

 

IMPRESSION

 

This law follows the pattern of many post-California comprehensive data privacy laws and should not present overly burdensome compliance challenges for those complying with those other laws.

 

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.