So, What’s Going On With Data Privacy Regulation Nowadays?

An adult white woman wearing a black dotted white shirt and jeans stands facing a white wall with black text. The text lists and describes the five data privacy principles by Mozilla: sensible settings, no surprises, defense in depth, user control, and limited data.
Image source: https://www.flickr.com/photos/vintagedept/15704560667/ (CC BY 2.0)

Welcome to the first post of the year! We hope you all had a restful holiday break. Now that most of us are back from our holiday break, it’s time to figure out what exactly is going on and what to expect in the new year.

2022 is shaping up to be another busy year for privacy professionals. A lot of that work will be around tracking data privacy regulations worldwide, from China’s new data protection regulation (PIPL) to India’s proposed changes to their Personal Data Protection bill. News from the EU is steady with GDPR violations and fines and will continue throughout the year. The EU is also poised to introduce more data regulations, including regulations around AI and cybersecurity.

While other countries are implementing and revising data privacy regulations, the US remains in a perpetual cycle of failed data privacy and security bills. A glance at the US State Privacy Legislation Tracker shows that despite 23 states introducing data privacy bills last year, Virginia and Colorado were the only states to sign a bill into law in 2021. Like LDH’s home state of Washington, some states failed to pass multiple data privacy bills, including bills that were re-introduced after earlier attempts to pass the same bill in previous years.

On a federal level, several data privacy and security bills – such as the Data Care Act of 2021, the Mind Your Own Business Act of 2021, and the Children and Teens’ Online Privacy Protection Act – remain active; however, there is no strong indication about the fate of these bills in the current session of Congress. Comprehensive data privacy and security legislation, such as the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act and the Consumer Data Privacy and Security Act of 2021, remain in committee. Again, there’s no firm indication if either of these comprehensive bills will become law in 2022.

Where does all of this leave US libraries and library vendors? Internationally, data privacy regulation updates will mean more changes for vendors who fall within the scope of said regulations. The upcoming data initiatives in the EU, for example, can impact the data privacy practices of library vendors and other organizations that fall under the scope of GDPR. In addition, as was the case with GDPR, international data privacy regulations can influence the overall shape of the data privacy legislation in the US. Nevertheless, the US continues to march to the beat of their own drum, still relying on a sectorial approach to data privacy regulation, with states trying to figure out comprehensive data privacy regulation on their terms.

Most of the existing comprehensive data privacy regulations, like CCPA and VCDPA, target for-profit and/or organizations that meet specific revenue or data sharing/selling thresholds, leaving most libraries outside of the scope of these laws. Just because libraries are not currently required to comply with these laws does not mean that they are not impacted by this patchwork approach to data privacy in the US. While GDPR impacted some libraries via their parent institutions (such as higher education institutions with campuses or partnerships in the EU), most libraries have probably noticed changes with library vendor services throughout the year as vendors work toward CCPA compliance. Some of these changes include allowing patrons to request a copy of the personal data the vendor has in their systems. If other states pass data privacy bills, libraries should expect additional change concerning how the vendor handles data privacy, regardless of where the library is located in the US.

In short, the data privacy regulation landscape for 2022 looks a bit like 2021 – a lot of legislative activity, but we’re not sure if that activity will lead to actual regulation. As always, LDH will keep you up to date on data privacy regulations that will impact libraries and library vendors. In the meantime, libraries should continue to work with vendors in not only ensuring compliance to specific data privacy regulations but going beyond a compliance-only approach to better protect patron privacy at the library.

Privacy Roundup – Heat Dome Edition

8:31 am - 90 degrees at SeaTac and it's 8 a.m. Here we go.
Welcome to Monday morning in Seattle. Source: The Seattle Times.

Seattle is in the middle of a record-breaking heatwave, with Monday predicted to be in the low 100s F, making this the third consecutive day of 100+ temperatures. This week’s newsletter comes to you in three short parts as we take advantage of the cooler temperatures to write.

What’s going on in Colorado?

When we last wrote, Colorado lawmakers passed the Colorado Privacy Act, making it the third state to enact data privacy regulations, behind California and Virginia. While the bill has yet to receive the governor’s signature, the privacy world is already planning for CPA. CPA stays relatively close to California and Virginia data privacy regulation, though CPA also takes some inspiration from GDPR. There is one key distinction that sets CPA apart from the other states’ laws – the inclusion (or, more accurately, the lack of exemption) of non-profit entities alongside their commercial counterparts in the scope of the Act. This inclusion could mean that many non-profit library vendors who fell outside the scope of CCPA, CPRA, and CDPA might need to assess if their data privacy practices need to change to comply with CPA.

What does compliance to CPA all entail? The charts from the National Law Review comparing CPA with GDPR and the California data privacy laws are a good place to start. The write-up on CPA from Thompson Hine LLP provides a more focused overview of Colorado’s (soon to be) new law. Finally, an IAPP article about the CPA talks about the strengths, missed opportunities, and less than stellar parts of the Act.

Privacy webinars and websites and resources, oh my!

Are you looking for library privacy webinars? How about recordings? Resources? No matter what you’re looking for, we got you covered!

  • This Tuesday, June 29th, at 4 pm Eastern Time, Safe Data | Safe Families will be hosting a free webinar sharing materials and resources to help public libraries and patrons face the challenges around data privacy and security at the library and beyond.  Even if you can’t make it to the webinar, check out the staff training resources on the website, particularly the personas you can use for your library privacy training.
  • If you missed the Health Literacy and Privacy in a Pandemic webinar series, don’t fret! You can access and download notes, graphs, and other documentation from the conference at https://healthandprivacy.com/notes/. Looking for the videos? You can watch them as well on the front page.
  • Last but not least, if you missed our founder’s keynote at the Evergreen International Conference, you can now watch the recording on YouTube. Download the slides to follow along as well as resource notes!

Reader survey

Thank you all again for those who filled out the reader survey. While we had a small number of respondents, the responses were all positive! Based on the survey, we will hold off on membership levels and monthly subscription memberships for now but will continue to provide the vast array of content to continue to be helpful in your work.

On the other hand, the Executive Assistant was slightly disappointed that more people did not demand more cat photos in the survey. We will attempt to cheer her up with a nice cool can of tuna, though that could mean changing our donation from a cup of tea to a can of tuna.

Write about library privacy (and more) at the ALA Intellectual Freedom Blog!

Is the library privacy muse inspiring you to write a blog post or two about library privacy topics? Sign up to be a blog writer for the ALA Intellectual Freedom blog! This is an excellent opportunity for those wanting to share your thoughts about library privacy to a large library audience or those looking for a service opportunity (I’m looking at you, academic library folks!). Go to the Blogger Application page to learn more about becoming a writer for the blog.

Welcome To The Club, Virginia: The Consumer Data Protection Act

A white roadside billboard with the text "Virginia Welcomes You". An illustration of a cardinal sitting on a tree branch with two white flowers at the branches' ends separates the words Virginia and the rest of the billboard message.
Image source: https://www.flickr.com/photos/cgpgrey/4891418085/ (CC-BY 2.0), http://www.cgpgrey.com/

Virginia joined California last week in the data privacy regulation club as the state governor signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2nd, 2021. This law shares some similarities with the CCPA and the upcoming CPRA, but there are just enough differences that will cause some possible confusion for library vendors who fall under the scope of the new law.

What Virginia Libraries Need to Know About CDPA Right Now

Virginia libraries paying attention to what happened in California might have a head start with what to expect in the coming years when the law comes into effect in 2023. If you were hoping that Virginia lawmakers would keep close to CCPA in an attempt to create consistent expectations and requirements for consumer data privacy, you might be out of luck. Nonetheless, there are some similarities: some good, others not so much.

First thing’s first – as was the case in California and CCPA, the vast majority of Virginia libraries do not fall under the scope of CDPA. The law pertains to entities conducting business in the state that meet a threshold of either controlling/processing personal data of at least 100,000 Virginia consumers in a calendar year OR controlling/processing personal data of at least 25,000 Virginia consumers and deriving at least 50% of their revenue from selling personal data. Combined with the exceptions made for government entities, non-profits, and higher education institutions, many libraries most likely are exempt from the CDPA, as well as non-profit library vendors.

CDPA stays close to the GDPR model of data controller (an entity determining the purpose of as well as the ways of processing personal data) and data processor (an entity that processes data on behalf of the controller). This eliminates the confusion that CCPA created by going with a different model (and CPRA added more to the confusion with the introduction of a new contractor role in that model!). Library vendors covered by CDPA could be both controller and processor in that the vendor collects and processes data on their behalf but also collects and processes data on behalf of the libraries and library patrons. Data controllers must include data collection and processing information in a publicly posted privacy notice, including what type of data is collected and shared with third parties.

Beyond scope and updates to vendor privacy notices, what do Virginia libraries need to know about CDPA?

Data rights – The new law grants the rights to access, correct, and delete their personal data with a data controller, as well as the right to request a copy of their personal data from the controller. Unlike CCPA, CDPA seems to not include household data in these rights; therefore, there might be a lesser chance of patrons requesting data that might include other patron data from their household.

Opt-out vs opt-in rights – Virginia consumers have the right to opt-out of the sale of their personal data, processing their personal data for targeted marketing, and using their personal data for profiling. This goes beyond the initial sale opt-out of CCPA. Even with the addition of “sharing” to the opt-out in CPRA, there might be confusion with vendors trying to accommodate different types of opt-out between CA and VA consumers.

Here’s where more confusion might set in – CDPA requires consumers to opt-inbefore their sensitive data is processed. Sensitive data in CDPA include race/ethnicity, sexual orientation, religious affiliation, mental and physical health, immigration status, biometric data, and precise geolocation data. On top of all this, sensitive data also includes any data collected from children under 13 years of age. CCPA requires affirmative opt-in of collecting personal data from 13- to 16-year-olds, so both laws are coming at collecting and processing minors’ data in very different ways.

Barring clarifications and amendments to either state’s regulations, expect some confusion from patrons when vendors attempt to comply with CDPA and the California data privacy laws.

A Heads Up to Libraries Outside of Virginia and California

While it took a while for another state outside of California to pass a data privacy law, the reality is that Virginia might be the first of a rapid succession of states to pass their own data privacy laws. At the time of this post, there are at least 13 states with active data privacy bills. Many of these bills share some similarities with CCPA/CPRA, but some have more in common with GDPR. The US currently has no federal data privacy law, and as time progresses, it might be that any successful federal data privacy regulation will not preempt stricter state laws. What we are looking at is a possible repeat of what we have with US data breach notification laws – 50+ different approaches, all just different enough to require their own processes. We’ll keep you updated on the latest regulations as they make their way through the legislative process, but it’s starting to look like 2021 might be a very busy year for data privacy regulation.

Related CDPA Resources and Commentary