Privacy in the Spotlight: A Concise Overview of US State General Privacy Laws + illegible paper agreement and enforceability + quick hits
Welcome to the next issue of Legal-tender: Your fin-tastic guide to the legal side of crypto and fintech.[1]
For this newsletter, I write about the following:
A concise and comprehensive overview of state data privacy laws
An interesting contract formation case involving the enforceability of an illegible paper agreement
Recent statements from Comptroller Hsu on open banking
Quick hits on some minor topics, including a DFPI money transmitter opinion, a DFPI cease and desist regarding fraudulent AI claims, and the Kansas Financial Institutions Information Security Act.
Privacy in the Spotlight: A Concise Overview of US State General Privacy Laws
Iowa recently became the sixth state to enact substantive consumer privacy legislation.[2] Numerous other states have bills moving through their legislatures, which may create a further patchwork of state privacy laws for entities to comply with.
While many readers may be familiar with the broad contours of these privacy laws—especially the California Consumer Privacy Act—I think it’s helpful to provide an overview of what these laws require, because the variations are sufficient that entities subject to these laws need to decide how they want to comply.
Much of this information may already be known to larger entities that have been subject to the CCPA since its outset. These entities likely have well-developed privacy policies, data mapping for determining which data is in scope, and processes for responding to consumer requests.
But for newly formed or growing entities who may be nearing the threshold for being within the scope of at least some of these state laws, understanding what these laws require, what rights they grant consumers, and what obligations the laws impose on businesses is imperative. Having a compliant privacy policy is only the starting point.
To help with this understanding, I’m going to break my summary and analysis into the following sections:
What consumer rights do the laws grant?
What disclosure obligations do the laws impose?
What other business obligations do the laws impose?
What is the scope of these laws? (The good news here is that the threshold requirements can be high—depending on the nature of your business—and California increased the requirements for one prong, including by removing “receives…personal information” as a triggering condition.)
While the laws have many overlapping concepts and obligations—with some states using basically the same language for certain portions—sufficient differences exist between them. A close reading of each state’s requirements is essential. Further, states that enacted regulations, like California and Colorado, require scrutiny of the obligations imposed by statute, the obligations imposed by regulations, and where the regulations may add additional requirements or clarify statutory requirements.
What consumer rights do the laws grant?
The rights that states collectively grant consumers can generally[3] be categorized into the following key rights:
Right to know: This right permits consumers to obtain information about the types of personal information that an entity collects about a person, plus how that entity processes the information.
Right to access: This right—which is related to or incorporated in the right to know by some states, but I break it out as a separate right—permits consumers to directly access the data the entity has collected on them.
Right to correct: This right permits consumers to correct inaccurate or outdated information.
Right to opt-out of sale of data: This right permits consumers to opt out of the entity selling their personal information to third parties.
Right to opt-out of targeted advertising: This right permits consumers to opt out of advertisements made to them based on data obtained or inferred over time from the consumer’s activities across nonaffiliated sites, apps, or online services to predict a consumer’s preferences or interests.
Right to limit use of sensitive personal information: This right permits consumers to limit an entity’s ability to process that consumer’s sensitive personal information; frequently this right requires the consumer to affirmatively opt in to such processing.
Right to opt-out of profiling/automated decision making: This right permits consumers to opt out of processing personal information used for decisioning that results in providing or denying financial products or services, housing, insurance, educational opportunities, employment opportunities, and other essential goods or services.
Right to data portability: This right permits consumers to receive requested personal information in a commonly used, machine-readable format.
Right to non-retaliation: This right prohibits companies from retaliating against consumers who exercise any other right provided under the privacy law.
Does every state provide all these rights? No. Iowa, for example, does not provide a right to opt out of profiling or a right to correct inaccurate information.
Are these rights clearly identified in one section of each state’s law? No. While state laws will contain a section enumerating specific rights, other rights states grant consumers may be found within separate sections. For example, California[4] addresses the right to data portability in the section addressing how entities must reply to a consumer’s request to exercise his or her right to access personal information.
Do states define terms the same? No. For example, “sale” is defined differently across states, with some defining it to include monetary or other consideration while some limit it to monetary consideration.[5]
Takeaway: If subject to or potentially subject to a state’s privacy law, businesses should decide early in the process how to provide consumers with the rights state law provides. This includes whether to broadly and proactively give the same rights to all consumers regardless of jurisdiction or limit the enumerated rights to the state at issue.
What disclosure obligations do the laws impose?
Privacy Policy
First, the easy one - a privacy policy. Every entity already has—or should have!—a privacy policy. It’s likely structured like the vast majority of privacy policies. But state privacy laws require that the privacy policy contain specific disclosures for entities subject to their jurisdiction.
As with consumer rights, state laws frequently have overlapping disclosure requirements. Sometimes the requirements are phrased slightly differently, but the effect is the same. Sometimes, however, certain states will require disclosures not expressly required by other states.
For example, California—like the other states—requires a business’s privacy policy to identify the specific business or commercial purpose for collecting personal information.[6] But Colorado, for example, requires a “duty of purpose specification.”[7] The regulations interpret this requirement to require controllers to “specify the express purposes for which each category of Personal Data is collected and Processed in both external disclosures to Consumers, including privacy notices.”[8]
These two requirements are good examples for two reasons. First, they demonstrate how different states require different but related disclosures. Second, the Colorado regulations expressly require such disclosure in the privacy policy while the statute does not expressly do so.[9] Mapping statutory obligations to regulations is critical to ensure that both sets of obligations are being met.
Therefore, carefully reading what the law requires is essential. While the laws require that privacy policies be drafted using plain English, be clearly understandable, and meet other readability requirements, doing so while meeting individual disclosure obligations can be tricky.
Takeaway: Close reading of each state’s requirements is essential. While many disclosure obligations overlap, not all do. This overlap may allow for consolidating some, but not all, required disclosures.
Notice at Collection
Second, California (to date the outlier here) requires entities to provide a “Notice at Collection.” The Notice at Collection must be “readily available where consumers will encounter it at or before the point of collection of any personal information.”[10] While the required information can be contained within a privacy policy, merely directing the consumer to the beginning of the privacy policy is insufficient. Instead, to satisfy the delivery and timing requirements, the business can provide “a link that takes the consumer directly to the specific section” that contains the required information.[11]
Takeaway: States don’t just require disclosures in privacy policies. California’s Notice at Collection is the most prominent example: while it may be contained in a privacy policy, any link must take the consumer to the specific section and not to the privacy policy generally.
What other business obligations do the laws impose?
In addition to providing consumers with specified rights—including describing how and providing a means to exercise those rights—and requiring specified disclosures, state privacy laws impose data collection and operational obligations on businesses.
Data minimization: While state privacy laws predominantly emphasize consumer rights, placing a significant burden on consumers to take action, the data minimization requirement is a proactive measure. It compels businesses to confine personal data collection and processing to what is genuinely essential for the intended purposes, with the aim of reducing privacy risks and fostering responsible data handling practices.
Data security practices and safeguards: The privacy laws obligate businesses to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
Data protection assessments: As enacted so far, states frequently require that businesses perform data assessments for each of the business’s processing activities that presents a heightened risk of harm to a consumer. The statute, or regulation, then provides greater detail about performing the assessment.
Data processing agreements: The data privacy laws require businesses that sell, share, or disclose personal information to third parties, service providers, contractors, or the like to enter into agreements with such parties.
Note that this requirement may cause some businesses operational burdens if (1) the business was not subject to the privacy law when the agreement was signed, (2) the business becomes subject to the privacy law after, and (3) the business did not include the required obligations in its agreement.
This is not an exhaustive list of obligations; further, some obligations, such as data protection assessments, are themselves extensive.
Takeaway: The headlines for many privacy laws are the rights the laws provide consumers of a state. However, the laws frequently impose numerous obligations on the business that collects, processes, and shares/discloses consumer data. Careful attention to these requirements is imperative. Building towards compliance from the outset rather than retrofitting fixes after the fact is frequently a more efficient approach.
Scope
Do these laws apply to all businesses in each state? No. The privacy laws apply only once a business meets a threshold. This threshold may differ per state, but typically the components require that the business control or process personal data from a specified number of consumers in the state, or derive a specified percentage of its revenue from the sale of personal data.
Do the laws only apply to consumer data? Generally yes. Except for California. CCPA applies to certain job applicant and employee information and certain business-to-business information.
What about GLBA? Well, many states that have enacted privacy laws exempt both financial institutions under GLBA and GLBA data. California, however, only exempts GLBA data.
Takeaway: Many businesses will not meet the thresholds for all states. For example, in Connecticut, a business may need to control or process data for about 3% of the total population to be within scope. But small businesses do become large businesses. And retrofitting privacy obligations into existing infrastructure and policies can be difficult. This is not to say businesses should default to compliance with laws they are not subject to. Instead, businesses should assess where they are and where they want to be. If where they want to be may bring them within the scope of a state’s privacy law, planning for how to comply sooner rather than later is likely beneficial.
Miscellaneous
The above represents a comprehensive, but incomplete, overview of state privacy laws. I addressed and emphasized key components generally relevant to all state privacy laws. But some states have enacted detailed requirements concerning other topics, such as Colorado’s rules on loyalty programs and on the use of a universal opt-out mechanism.
As a threshold matter, all entities should assess whether they trigger a state’s privacy law. If the entity does, it should then assess what components of the law apply to it.
Small Print - How small is too small?
A recent California court of appeals case[12] addressed the issue of font size and whether “tiny and blurred print…[which] renders [the paper agreement] largely unreadable” was both procedurally and substantively unconscionable such that the agreement was unconscionable and thus unenforceable.
Below is a portion of the agreement. “The longest paragraph squeezed something like 900 words into about three vertical inches.” Before reading further, guess what the court’s holding was.
The court held that the agreement was not substantively unconscionable. California law requires both procedural and substantive unconscionability.
The court concluded that nullifying substantive unconscionability would transform the unconscionability doctrine into a one-element defense focusing solely on procedural unconscionability. The court believed this would potentially call into question many form contracts, especially online ones. Diluting substantive unconscionability would lead to similar issues. Contract law enforces contracts even if they are difficult or impossible to read due to factors like language barriers or disabilities. The court concluded that tiny and unreadable print is a procedural unconscionability issue, and cannot be counted as a substantive unconscionability problem.
I expect this case to be cited frequently by defendants in online contract formation cases.
Acting Comptroller Hsu’s statements on Open Banking
Acting Comptroller of the Currency Michael J. Hsu addressed the FDX Global Summit and discussed the OCC's approach to open banking. He noted the potential of open banking to provide consumers with increased control over their financial data, enhance portability, and improve competition in the financial services sector. Hsu acknowledged the impact of technological advancements on the banking industry and emphasized the need for regulators to adapt to these changes. The OCC established the Office of Financial Technology to better understand and manage the rapid pace of change in the financial services sector.
Hsu highlighted several areas where open banking may affect the OCC's supervision of banks, including liquidity risk, operational risk, third-party risk management, and compliance risk. He also discussed the importance of maintaining a balance between the traditional banking culture and the disruptive tech industry culture. In the context of open banking, Hsu stressed the importance of trust and urged the industry to prioritize trust above other objectives, including growth and profit. Furthermore, he recognized the blurring of lines between banking and commerce and the need for regulators to closely monitor the evolving relationship between banks, fintechs, and large technology firms. Hsu concluded by expressing the OCC's excitement for the future and their commitment to working collaboratively with stakeholders as open banking and the banking system evolve.
Note that the CFPB released the final report from the SBREFA panel on Rule 1033. See my tweet thread on the report here.
Quick hits
CFPB, DOJ Civil Rights Division, EEOC, and FTC jointly released a statement on discrimination and bias in automated systems - “Existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices.” I wrote a tweet thread assessing this statement in greater detail here.
“JPMorgan Chase (JPM), the largest U.S. bank in terms of assets, remains steadfast in its plan to "tokenize" traditional-financial assets, largely undeterred by the crypto bear market and regulatory uncertainty.”
DFPI issues desist and refrain orders to five entities to stop fraudulent investment schemes tied to AI. The DFPI alleged that the five entities violated California securities laws by offering unqualified securities and making misrepresentations to investors. These entities claimed to use AI for crypto trading, promising high returns, but the DFPI concluded they were ultimately fraudulent schemes that left investors without access to their funds.
The Kansas Financial Institutions Information Security Act establishes information security standards for covered entities in line with 16 C.F.R. § 314. Covered entities include credit service organizations, mortgage companies, supervised lenders, financial institutions engaging in money transmission, trust companies, and technology-enabled fiduciary financial institutions. The act requires covered entities to implement reasonable safeguards to protect customer information, maintain an information security program, and keep records in compliance with retention requirements. The State Bank Commissioner is responsible for implementing, administering, and enforcing the act, including conducting examinations, investigations, and taking necessary enforcement actions.
Per DFPI, escrow is not stored value and not subject to California’s MTA - “An escrow trust account is not the same as stored value. Because the transaction is not stored value, it is unnecessary to address your remaining arguments regarding the MTA.”
[1] I am providing this information generally; this information is not legal advice and not intended to apply to any specific legal or factual situation. By reading or subscribing to this newsletter, you are not forming an attorney-client relationship with me, or with Ketsal PLLC. These views are my own—especially the wrong ones—and do not represent Ketsal. If you need legal advice or have questions requiring an attorney, please reach out to an attorney you trust.
[2] Indiana, Tennessee, and Montana legislatures have also passed consumer privacy laws, but the bills are awaiting the respective state’s governor’s signature.
[3] States may have other rights, such as a right to appeal a decision or a right to private action.
[4] Cal. Civ. Code § 1798.130(a)(3)(B)(iii); 11 CA ADC § 7024(g).
[5] For monetary or other consideration, see Cal. Civ. Code § 1798.140(ad) and Colo. Rev. Stat. § 6-1-1303(23); for just monetary consideration, see Va. Code Ann. § 59.1-575.
[6] Cal. Civ. Code § 1798.110(c)(3); Cal. Civ. Code § 1798.130(a)(5)(B)(iii); 11 CA ADC § 7011(e)(1)(C).
[7] Colo. Rev. Stat. § 6-1-1308(2).
[8] 4 CCR 904-3, Rule 6.06.
[9] The statutory requirement
[10] 11 CA ADC § 7012(c).
[11] 11 CA ADC § 7012(f).
[12] Fuentes v. Empire Nissan, Inc., No. 20STCV35350 (Cal. Ct. App., 2nd Appellate District, Apr. 21, 2023).