TerraTrueTerraTrue's privacy by design platform helps teams comply with global privacy regulations, identify risks, and trigger privacy and security reviews.

Get Started

July 7, 2023

Issue 22: States are starting to protect women

Oh Hey! Welcome to The Privacy Beat Newsletter!

Here’s the gist: Come here for insights on the hottest topics in privacy according to our peers’ tweets so you can walk into any happy hour or team meeting and sound like the absolute baller you are. No current topic gets by you!

Despite anyone's hope for a lighter load in these summer months, I've got a whole bunch of updates for you. The states continue to make moves on their own privacy laws while the feds struggle to get it done. Plus, New York is aiming to regulate algorithms, and that whole Privacy Shield 2.0 deal looks close to fully baked. Read on!

WA attorney general wants to help you out

Washington Attorney General Bob Ferguson issued an FAQ on some of the “My Health My Data” Act’s requirements. It only answered 7 questions, but the office said it’ll update the document periodically. I can’t stand formality, so here’s what the FAQ says in my own (still accurate) words. Because let’s talk like humans sometimes, non?

Remember, this comes into effect for most of us on March 31, 2024. Small businesses have until June 30, 2024.

The guidance was more baseline than nuanced, but here are the parts you’d care about:

All of us privacy pros were nervous about how to identify what counts as “consumer health data” under the law, because it described, vaguely, any data linked or linkable to a person and identifies their "past, present, or future physical or mental health status."To clarify this, in its FAQs, Ferguson’s office said definitionally, “consumer health data” doesn’t include something like buying toilet paper or tampons. But, yes, an app that tracks digestion or periods would count.

However, y’all: If a business was to draw inferences about a consumer’s health data based on those purchases, that would count as “consumer health data.”

And yes, the attorney general said, companies covered by MDMD must post a link to its “Consumer Health Data Privacy Policy” on its homepage.

Finally, yes, you do need affirmative consent – and receipts proving that consent – to sell consumer health data. The legalese here is important, so, FINE, lawyers (I love you, just kidding!): I’ll add that the attorney general says “both the seller and purchaser are required to retain a copy of the valid authorization for six years.” Ferguson’s office notes that consumers have the right to delete their data from a company’s system AND (my emphasis) its backup systems.

Oh dang, NYC!

As NBC News reports, a groundbreaking law mandates that NYC businesses using AI to make hiring decisions are now on the hook to prove the algorithm they used wasn’t sexist or racist. It’s an interesting requirement because we haven’t cracked the code on eliminating algorithmic bias. No one has presented the path forward to avoiding bias when the data sets we’re using to train AI are populated with human inputs.

Anyway, the new NYC law requires companies using AI for hiring decisions to pass a third-party audit to prove its altruism. For what it’s worth, New York’s Department of Consumer and Worker Protection will take and investigate complaints against any accused companies.

We’ll see how it goes? No one wants anyone looking under the hood.

Delaware thinks women are worth protecting

We all know the states are passing bills that protect sensitive data. But Delaware takes things a step further by 1) Including pregnancy as a type of sensitive data and 2) Including "status as transfer or nonbinary" as sensitive.

That makes Delaware one of few states to pass laws that seem to directly respond to the Dobbs ruling.

California: In effect, obvs.
Virginia: In effect (Jan. 1, 2023)
Colorado: Effective July 1, 2023
Connecticut: Effective July 1, 2023
Utah: Effective Dec. 31, 2023
Texas: Effective March 1, 2024
Florida: July 1, 2024
Oregon: July 1, 2024
Tennessee: Effective July 1, 2024
Montana: Effective Oct. 1, 2024
Delaware: January 1, 2025
Iowa: Effective Jan. 1, 2025
Indiana: Effective Jan. 1, 2026

Connecticut amends its law for a post-Dobbs world

Y’all. If I can be honest with you for a second, and I get how this maybe feels secondary to males, but the idea of being left behind by your fellow Americans because you happen to have the organs necessary to give life is a lonely feeling. Now that there are real-life bounty hunters going after women suspected of seeking or obtaining an abortion, it's dangerous to leave women's pregnancy data unprotected. Thankfully, Connecticut passed amendments deeming "consumer health data" to be sensitive data, and forbids a person from selling or offering to sell consumer health data without consumers' consent.

Like Delaware, the Connecticut amendments seem to reflect lawmakers' awareness of the perils women face in a post-Dobbs world. We tip our caps to you, Connecticut.

Breaking as of press-time

Hot take of the week

Thanks for reading, loves! If you have any thoughts, hit me up at ! I'd love to hear from you. And if you like this edition, please share!

xoxo,

Angelique

Loading GTM...