Whether through more and more state laws or the newly proposed federal APRA, the US is more serious than ever about data privacy.

Data Privacy Happenings 📰

Hello from MineOS's monthly newsletter, The Privacy Mindset! 👋

The US is getting more serious about privacy, with Kentucky, Nebraska, and Maryland bringing the total number of states with data privacy laws up to 18. Are the 18 state laws similar, with the same requirements and exemptions?

Absolutely not!

Confused yet? You will be once these laws start entering into effect over the next two years, rendering a state-by-state privacy program utterly unmanageable.

The solution? A federal privacy law, and thus we come to the newly proposed American Privacy Rights Act (APRA). The APRA is in its infancy and will likely change considerably as it goes through committees in both the Senate and the House, but a federal law would cut through the complications of a patchwork of state laws.

One of the main problems facing the APRA? Preemption.

The law would take priority over state laws, which is a problem on both the left and the right sides of the American political aisle.

On the left, California, which helped kill the previous attempt at federal legislation (the ADPPA), does not want a weaker law overruling the rights and progress it has made for Californians. On the right, many states are not comfortable throwing businesses into the fire with stricter data minimization requirements and a private right of action (which means individuals could sue companies over alleged data privacy violations).

These negotiations, and data privacy itself, are urgent matters, however, given that the APRA would take effect just 180 days after enactment. Yet even for an issue with bipartisan support (criticisms aside), the path ahead for the bill is uneven and unlikely to result in a law passing in 2024.

Beyond the preemption issue, the bill is trying to cover a lot of ground on a lot of different topics, including AI algorithms, data breach reporting requirements, and, of course, a host of privacy provisions such as an equivalent to California's proposed Delete Act, which would establish a universal method for issuing data subject requests through a national data broker registry.

Many of these goals are admirable but impractical, and squashing them together into a single bill is a surefire way to slow down the legislative process during an election year in which nearly all legislative business will cease come August.

America is trying and that's a positive, but brighter days are still a ways out for data privacy within the U.S.

Product Spotlight 🔦

MineOS has just launched one of our biggest product updates ever: the new AI Asset Discovery module! 🔥🔥🔥

Similar to our cutting-edge data mapping technology, the new AI Asset Discovery module lets organizations map all their AI systems and data, ensuring continuous and full visibility so that each tool's usage can be assessed against new and emerging regulatory frameworks.

The new module has both discovery and assessment features to ensure proper visibility and accounting of any AI assets in use.

This granular view provides a full snapshot of where systems are used, who uses them, and how risky each AI system is, with AI assessment templates in place to make compliance even easier.

Through a dedicated inventory of AI data assets, stakeholders, datasets and assessments, your organization can trust that its use of AI remains within the bounds of ethical and regulatory standards.

Regulation Focus 🔬

Maryland Online Data Privacy Act 14-4607 A.1-2

"A controller may not:

(1) Except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains and unless the controller obtains the consumer's consent, collect, process, or share sensitive data concerning a consumer;

(2) Sell sensitive data;"

The most recent comprehensive state-level privacy law to pass in the US, and the fifth this year, Maryland's law immediately stands out as one of the more unique in the sphere. While it still awaits the Governor's signature to become official, for practical purposes the law is done and will enter into effect on October 1, 2025.

The vast majority of US state privacy laws treat sensitive data as a separate but significant category alongside personal data, providing opt-outs for personal data but requiring opt-ins for sensitive data.

Maryland has taken this further than any previous law, practically (and rightfully) treating sensitive data as sacred. Under the MODPA, there is virtually no reason for any company to be processing or collecting sensitive data unless the consumer explicitly asks the company to do so in order to deliver a service. This goes well beyond a simple opt-in, which can be gamed with the same deceptive design that has worn the public down through things like cookie fatigue.

The outright restriction on selling sensitive data is a big win for American data privacy as well, finally ensuring individuals' rights correspond to the potential privacy harms of such data falling into the wrong hands.

Whether the next states to pass laws follow suit with such pro-individual aspects remains to be seen (particularly with the APRA pending), but Maryland has left its mark on the industry.


Founder's Corner 🎙️

CPO & co-founder Kobi Nissan

Q: What is your advice for building out a compliance program around AI during these early days of the technology and its regulation?

A: First, you should start now. The AI Act will enter into force piece by piece over the next 1-2 years, and if you don't have structures in place to manage AI governance, your organization will regret it.

Secondly? That the underlying need of any compliance framework is showing awareness and responsibility in how you handle data. Because of that, it's no longer acceptable to be running a privacy program without a continuous, comprehensive data map in place to give your org proper visibility into what's going on and clear next steps on mitigating risk.

I'm sure the US will pass something on AI soon, but just having proper data visibility in place will give you the ability to comply with any number of differing regulations worldwide. 

Webinars & Events 📅

MineOS has a few great events lined up in May, so make sure you come see us or stay tuned for more:

💼 Gal Ringel & Mike Trites from our leadership team will be hosting a Consero CPO roundtable on how to create future-proof privacy programs on May 16th.

๐Ÿ‘ We'll be at the inaugural GRC Connect event in Atlanta, ready to give out great swag and talk data privacy on May 22nd & 23rd

 

๐ŸŒ CEO Gal Ringel and CPO Kobi Nissan will participate in panels as part of PrivSec Global's virtual extravaganza on May 22nd & 23rd.

 

Come check out and learn from the best in the sessions "Navigating the EU AI Act: Safeguarding Privacy & Security" and "GDPR Influence Beyond Borders: Global Perspectives on Data Protection".

โœ๏ธRegister here: https://www.grcworldforums.com/privsec/privsec-global/register

 

Talk with us

How did you like this month's issue?


SayMine Technologies Ltd., 94 Igal Alon st., Alon 1, Tel Aviv, Israel, 6789155
