Privacy Roundup – Heat Dome Edition

8:31 am - 90 degrees at SeaTac and it's 8 a.m. Here we go.
Welcome to Monday morning in Seattle. Source: The Seattle Times.

Seattle is in the middle of a record-breaking heatwave, with Monday predicted to be in the low 100s F, making this the third consecutive day of 100+ temperatures. This week’s newsletter comes to you in three short parts as we take advantage of the cooler temperatures to write.

What’s going on in Colorado?

When we last wrote, Colorado lawmakers passed the Colorado Privacy Act, making it the third state to enact data privacy regulations, behind California and Virginia. While the bill has yet to receive the governor’s signature, the privacy world is already planning for CPA. CPA stays relatively close to California and Virginia data privacy regulation, though CPA also takes some inspiration from GDPR. There is one key distinction that sets CPA apart from the other states’ laws – the inclusion (or, more accurately, the lack of exemption) of non-profit entities alongside their commercial counterparts in the scope of the Act. This inclusion could mean that many non-profit library vendors who fell outside the scope of CCPA, CPRA, and CDPA might need to assess if their data privacy practices need to change to comply with CPA.

What does compliance to CPA all entail? The charts from the National Law Review comparing CPA with GDPR and the California data privacy laws are a good place to start. The write-up on CPA from Thompson Hine LLP provides a more focused overview of Colorado’s (soon to be) new law. Finally, an IAPP article about the CPA talks about the strengths, missed opportunities, and less than stellar parts of the Act.

Privacy webinars and websites and resources, oh my!

Are you looking for library privacy webinars? How about recordings? Resources? No matter what you’re looking for, we got you covered!

  • This Tuesday, June 29th, at 4 pm Eastern Time, Safe Data | Safe Families will be hosting a free webinar sharing materials and resources to help public libraries and patrons face the challenges around data privacy and security at the library and beyond.  Even if you can’t make it to the webinar, check out the staff training resources on the website, particularly the personas you can use for your library privacy training.
  • If you missed the Health Literacy and Privacy in a Pandemic webinar series, don’t fret! You can access and download notes, graphs, and other documentation from the conference at https://healthandprivacy.com/notes/. Looking for the videos? You can watch them as well on the front page.
  • Last but not least, if you missed our founder’s keynote at the Evergreen International Conference, you can now watch the recording on YouTube. Download the slides to follow along as well as resource notes!

Reader survey

Thank you all again for those who filled out the reader survey. While we had a small number of respondents, the responses were all positive! Based on the survey, we will hold off on membership levels and monthly subscription memberships for now but will continue to provide the vast array of content to continue to be helpful in your work.

On the other hand, the Executive Assistant was slightly disappointed that more people did not demand more cat photos in the survey. We will attempt to cheer her up with a nice cool can of tuna, though that could mean changing our donation from a cup of tea to a can of tuna.

Write about library privacy (and more) at the ALA Intellectual Freedom Blog!

Is the library privacy muse inspiring you to write a blog post or two about library privacy topics? Sign up to be a blog writer for the ALA Intellectual Freedom blog! This is an excellent opportunity for those wanting to share your thoughts about library privacy to a large library audience or those looking for a service opportunity (I’m looking at you, academic library folks!). Go to the Blogger Application page to learn more about becoming a writer for the blog.

Welcome To The Club, Virginia: The Consumer Data Protection Act

A white roadside billboard with the text "Virginia Welcomes You". An illustration of a cardinal sitting on a tree branch with two white flowers at the branches' ends separates the words Virginia and the rest of the billboard message.
Image source: https://www.flickr.com/photos/cgpgrey/4891418085/ (CC-BY 2.0), http://www.cgpgrey.com/

Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences that will cause some possible confusion for library vendors who fall under the scope of the new law.

What Virginia Libraries Need to Know About CDPA Right Now

Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.

First thing’s first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as well as non-profit library vendors.

CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor in that the vendor collects and processes data on their behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.

Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?

Data rights – The new law grants the rights to access, correct, and delete their personal data with a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA seems to not include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that might include other patron data from their household.

Opt-out vs opt-in rights – Virginia consumers have the right to opt-out of the sale of their personal data, processing their personal data for targeted marketing, and using their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion with vendors trying to accommodate different types of opt-out between CA and VA consumers.

Here’s where more confusion might set in – CDPA requires consumers to opt-inbefore their sensitive data is processed. Sensitive data in CDPA include race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in of collecting personal data from 13- to 16-year-olds, so both laws are coming at collecting and processing minors’ data in very different ways.

Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.

A Heads Up to Libraries Outside of Virginia and California

While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.

Related CDPA Resources and Commentary