Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.


ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

©2022 Greenberg Traurig, LLP. All rights reserved.

Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts from its application non-profit entities.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s more narrow definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of his or her sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Virginia Accelerates Adult-Use Cannabis Legalization

We previously highlighted the Virginia Legislature’s move to legalize adult-use cannabis.  This week the Virginia Legislature passed a bill legalizing adult-use cannabis.  In doing so, Virginia greatly accelerated the timeline for legalization.

Prior drafts had set a 2024 date for legalizing the possession of recreational cannabis.  The bill passed this week when Lieutenant Governor, Justin Fairfax, broke a 20-20 tie in the Virginia Senate legalizes adult possession of an ounce or less of cannabis beginning on July 1, 2021.

While the new law legalizes recreational possession and allows Virginia residents to grow up to four cannabis plants beginning July 1st, Virginia still isn’t likely to begin licensing recreational cannabis retailers until 2024.  Likewise, the new bill doesn’t allow existing medical cannabis dispensaries to begin selling to adults for recreational use.

Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved.

 


For more articles on cannabis, visit the NLR Biotech, Food, Drug section.

Virginia is for… Cannabis Lovers… in 2024?

While adult-use cannabis legalization has been gaining popular support across the country, many state legislatures have been slow to translate that support into legislative action.  That is changing in Virginia.  In 2020, Virginia decriminalized the simple possession (up to an ounce) of cannabis while providing a civil penalty up to $25.  On February 5, 2021, the Virginia House and Senate took another significant step further when both passed bills approving adult-use cannabis legalization in Virginia.  Senate Bill 1406 passed on a 23-15 vote.  House Bill 2312 passed on a 55-42 vote.

There are differences in the bills that must be resolved in a conference committee.  However, an adult-use legalization bill is likely to pass through conference and be sent for Governor Ralph Northam’s signature.  Governor Northam has already stated his support for legalizing adult-use cannabis.  With passage, Virginia would become the 16th state to legalize recreational cannabis, but only the 3rd state to do so solely through the legislative process.

Key Rules and Penalties Found in Both Bills:

  • Adults who are 21 or older can possess up to one ounce of cannabis or an equivalent amount of cannabis product.
  • A household can cultivate up to two mature and two immature cannabis plants at their primary residence.
  • Possessing more than an ounce of cannabis remains punishable by a civil fine up to $25.
  • Possessing more than five pounds could result in up to 10 years in prison.
  • Possession on school grounds could result in up to 6 months in jail.
  • Bringing any cannabis into Virginia would be punishable by up to 1 year in jail.

Regulatory and Licensing Framework Found in Both Bills:

  • A Cannabis Control Authority, governed by a five-member board of directors, will be created to regulate the adult-use cannabis market.
  • Licensing priority will be given to social equity applicants.
  • A Cannabis Business Equity and Diversity Support Team will be created.
  • A Cannabis Public Health Advisory Council will be created to make public health recommendations.
  • Requirements for seed-to-sale tracking, packaging, and labeling, including state-created risk information and warning labels, are included.
  • A state tax of 21% would be levied at the point of sale.  Localities could impose their own tax up to 3%.
  • Portions of the tax revenue would be earmarked for pre-K education for at-risk children and substance abuse treatment and prevention, among other things.

Both bills also provide automatic expungement of misdemeanor marijuana–related offenses and allow for petitions for expungement of marijuana-related felonies under certain circumstances.

The House and Senate bills differ in the role and scope of local government involvement.  The Senate bill allows localities to ban cannabis stores by voter referenda.

Both bills set January 1, 2024 as the earliest date for beginning the retail sale of cannabis.  As Virginia moves forward toward 2024, the regulatory framework will continue to grow in size and complexity at both the state and local levels.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more, visit the NLR Biotech, Food, Drug section.

4th Cir. First to Apply "Disability" Definition Under ADAAA – ADA Amendments Act of 2008

Odin-Feldman-Pittleman-logo

On January 23rd, in a ground-breaking decision under the ADA Amendments Act of 2008 (“ADAAA”), the United States Court of Appeals for the Fourth Circuit held that an injury that left the plaintiff unable to walk for seven months and that, without surgery, pain medication, and physical therapy, likely would have rendered the plaintiff unable to walk for far longer can constitute a disability under the Americans with Disabilities Act.  The Fourth Circuit in Summers v. Altarum Institute, Corp. indicated that it is the first appellate court to apply the ADAAA’s expanded definition of “disability.”

The Court reversed a District Court’s dismissal of the plaintiff’s case pursuant to a Rule 12(b)(6) motion.  The U.S. District Court for the Eastern District of Virginia based its dismissal of the plaintiff’s disability-based discharge claim on its view that the plaintiff’s impairment was temporary and therefore not covered by the Americans With Disabilities Act. In its reversal, the Fourth Circuit held that the plaintiff “has unquestionably alleged a ‘disability’ under the ADAAA sufficiently plausible to survive a Rule 12(b)(6) motion.”

Article by:

Timothy M. McConville

Of:

Odin, Feldman & Pittleman, P.C.