National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS

Suggested Citation:"VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42

trine to conclude that the provisions in their state constitutions, though similar to the Fourth Amendment to the U.S. Constitution, offer more expansive protections.

Campbell, Jackson, Connolly, and Weaver demonstrate the real possibility that state courts can and will extend provisions creating privacy rights beyond those provided by the U.S. Constitution.356 These cases highlight the possibility that as technology develops, states may interpret their constitutions to provide enhanced privacy protection. Thus, understanding state law is essential to crafting sufficient privacy protections with respect to data collection. These enhanced standards will have to be accommodated in the collection and use of any unified data collection and analysis system. Analysis of state court decisions on state constitutional privacy protections is necessary to assess state requirements for data collection and technology implementation. This is especially true for governmental entities like airports whose collection of data is restricted by legal protections for individual privacy at both state and federal levels. For example, airports in Oregon will have to satisfy any federal privacy requirements, but also that state’s higher constitutional standards that govern the collection of surveillance data.357

VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS

At the state level, there has been significant activity in addressing issues of data privacy. State measures have served to address both government and private use of data. The types of data addressed by state regulations are also expanding to include private consumer data. These state law developments both impose mandatory compliance requirements on airports within certain states and serve as a potential guide for airports in states without regulation or that lack sufficient court guidance. While every state law cannot be examined, understanding the types of regulatory schema developed within various states will assist in determining trends and frameworks that may eventually govern airport activity.

A. Data Security Laws Regulating the Public Sector

While all states have measures in place governing personal data they collect and retain, in well over half of the states, those requirements are imposed by statute. In most states, these laws apply only to state government. In some states, however, the laws also apply to other public entities like public educational institutions and other local governmental entities. The National Conference of State Legislatures maintains a running reference guide to state data security laws.358

Many of these state data security laws are recent enactments that provide a comprehensive approach to security.359 Some provide specific measures to protect sensitive information from unauthorized access, use, modification, disclosure, or destruction.360 Many of these laws provide for the development of standards and guidelines, training for employees, and security audits.361

B. Data Security Laws Regulating the Private Sector

Roughly half of the states have passed legislation to ensure that private sector entities provide security for data they collect and retain. These enactments are in addition to measures required for government organizations that collect and retain data. The adoption of these measures has rapidly expanded in the past five years largely in response to concerns over identity theft and data breaches. The National Conference of State Legislatures maintains a running reference of states with data security laws applicable to private sector entities.362 The thrust of most of these laws is to require “‘reasonable procedures and practices’” regarding sensitive or personal information (PI) in the possession or control of private entities.363 The definition of what information is covered and the determination of what measures are required vary by statute.364

In 2010, the Commonwealth of Massachusetts became the first state to mandate specific security requirements for businesses that maintain electronic data on state residents with the Massachusetts Standards for the Protection of Residents of the Commonwealth.365 The Massachusetts law requires user identification, access control measures, encryption, system monitoring, firewalls, anti-malware, and employee training.366 However, the statute requires that these security measures be implemented only if “technically feasible.”367 This regulation has resulted in relatively weak enforcement of otherwise rigorous requirements.

In contrast, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act368 mandates detailed data security requirements. The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a New York resident.369 The SHIELD Act contains a comprehensive definition of PI.370 A business is in compliance with the SHIELD Act if it implements a data security plan that includes reasonable administrative, technical, and physical safeguards.371 Businesses that fail to comply with the SHIELD Act’s security requirements are liable for civil penalties of up to $5,000 per violation, and there are no penalty caps.372 There is a $250,000 penalty cap for failure to notify authorities when a breach occurs.373 Enforcement of the SHIELD Act is limited to the Office of the New York Attorney General; there is no limited private cause of action under the SHIELD Act.374

C. Data Disposal/Destruction Laws

Consistent with concerns over data security, there are a growing number of state laws concerning data disposal and destruction or otherwise deleting personal information from records. These laws frequently apply to both government and private organizations. In 2019, the National Conference of State Legislatures reported the existence of data disposal laws applying to public and private entities in 35 states and in Puerto Rico.375 These laws are in addition to data disposal requirements set out by the FTC Disposal Rules376 that apply to persons and entities that use consumer reports. The FTC Disposal Rules apply to the reports themselves and the information derived from them.377

These state data disposal laws vary as to whom they apply as well as what documents are covered.378 For instance, the Delaware data disposal law applies to businesses, but does not apply to government entities except in their capacities as employers.379 The Wisconsin statute only applies to financial institutions, medical business, or tax preparation entities.380 The Arizona statute only applies to paper records.381

One common aspect of state data disposal laws is specificity as to methods of disposal/destruction.382 This is a point that airports and airport stakeholders should specifically note.

D. Data Breach Laws

Also consistent with the growing concern over data security is the increase in state law provisions governing actions in the event of data breach. All fifty states now have laws that guide public and private entities in the event of data breaches involving personally identifiable information. These laws generally outline the parties that must comply, provide definitions of critical terms like personally identifiable information and breach, and establish requirements for notice (who, when, and how). The National Conference of State Legislatures maintains a reference index of state security breach notification laws.383

For example, Vermont has a robust regulatory scheme governing data breaches.384 It requires entities subject to a breach to provide notice of the breach to either the state Attorney General or the Department of Financial Regulation depending on the type of data accessed.385 It has specific requirements as to the type of notice and the timing of notice required for consumers.386 It has provisions for substitute notice and also for various exemptions from the notice requirement.387 Lastly, it contains an enforcement provision.388

Vermont amended its data breach notification law to expand the definition of what constitutes PII.389 The changes are effective on July 1, 2020, and provide that, when combined with a consumer’s first name or first initial and last name, PII now includes the following:

• Individual taxpayer identification number;
• Passport number;
• Military identification card number;
• Any identification number that originates from a government identification document commonly used to verify identity for a commercial transaction;
• Biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to identify or authenticate the consumer;
• Genetic information; and
• Health records or a health insurance policy number.390

Vermont may be a good example for an airport or airport stakeholder to review in developing a data breach notification policy due to its complex and evolving data privacy regulatory regime.

356 It should be noted that the U.S. Supreme Court’s 2012 decision in Jones, supra, footnote 88, extended protections to require a warrant before placement of a GPS tracking device on a suspect’s vehicle.
357 See State v. Campbell, 759 P.2d 1040 (Or. 1988).
358 Data Security Laws: State Government, Nat’l Conf. of State Legis. (Feb. 14, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws-state-government.aspx.
359 See, e.g., Conn. Gen. Stat. § 4e-70 (requiring a comprehensive data security program applicable to any state agency with a department head and any state agency disclosing confidential information to a contractor pursuant to a written agreement with such contractor for the provision of goods or services for the state).
360 See, e.g., Ala. Code § 8-38-8.
361 See, e.g., Ariz. Rev. Stat. § 18-105; Cal. Govt. Code § 11549.3 et seq.; Cal. Govt. Code § 8592.30-8592.45; Cal. Govt. Code § 8586.5.
362 Data Security Laws: Private Sector, Nat’l Conf. of State Legis. (May 29, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx#DataSecLaws.
363 See id.
364 See id.
365 Mass. Gen. Laws Ch. 93H § 2.
366 201 Mass. Code of Regs. 17.00-17.04.
367 201 Mass. Code of Regs. 17.04.
368 N.Y. CLS Gen. Bus. §§ 899aa-899bb.
369 N.Y. CLS Gen. Bus. § 899bb(1)(b).
370 N.Y. CLS Gen. Bus. § 899bb(1).
371 N.Y. CLS Gen. Bus. § 899bb(2).
372 N.Y. CLS Gen. Bus. § 899bb(2)(d).
373 Id.
374 N.Y. CLS Gen. Bus. § 899bb(2)(e).
375 Data Disposal Laws, Nat’l Conf. of State Legis. (Jan. 4, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx.
376 Disposing of Consumer Report Information? Rule Tells How, FTC (June 2005), https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how.
377 Id.
378 Id.
379 Id.
380 Id.
381 Id.
382 Id.
383 Security Breach Notification Laws, Nat’l Conf. of State Legis. (July 17, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
384 9 V.S.A. § 2435.
385 Id. § 2435(b)(3).
386 Id. § 2435(b)(4).
387 Id. § 2435(b)(5).
388 Id. § 2435(g).
389 Id.
390 Id. § 2430.

ACRP LRD 42 45 a. The California Online Privacy Protection Act (CalOPPA) The CalOPPA applies to “[a]n operator of a commercial web site or online service that collects PII through the Internet about individual consumers residing in California who use or visit its commercial web site or online service . . . .”398 The CalOPPA defines PII as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.”399 The CalOPPA does not apply to Internet Service Pro- viders or to other services that process PII on behalf of a third party.400 The CalOPPA does apply to mobile app providers.401 What is critical to note is that the CalOPPA not only applies to California-based businesses, but to any business that affects California consumers.402 While government-operated airports are not themselves subject to the CalOPPA, airlines and other airport tenants that operate commercial websites or online ser- vices are. 
The CalOPPA requires that covered websites or online ser- vices display a privacy policy that discloses basic information about the website or online service’s privacy practices.403 The privacy policy must disclose (1) the categories of personal infor- mation collected; (2) the categories of third-parties that might receive the information; (3) whether the website or online ser- vice has a process that allows consumers to review and request changes to the information held on them, and if so, there must be a description of that process; (4) a description of the process used to inform consumers of any changes to the privacy policy; and (5) the date from which the privacy policy takes effect.404 The privacy policy must be “conspicuously posted.”405 The CalOPPA was amended in 2014 to require privacy poli- cies to include technical information as to whether the website honors “Do Not Track” (DNT) signals.406 The CalOPPA does not have a requirement on how to treat DNT signals, but only to disclose whether the website honors such signals.407 The CalOPPA does not contain a private cause of action as a remedy. The law is enforced solely by the California Attorney General. In May, 2014, the California Attorney General pub- 398 Cal. Bus. & Prof. Code § 22575(a). 399 Id. § 22577(a). 400 Id. § 22577(c). 401 Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications, Cal. Dep’t of Justice (Feb. 22, 2012). https://oag.ca.gov/news/press- releases/attorney-general-kamala-d-harris-secures-global-agreement- strengthen-privacy. 402 Cal. Bus. & Prof. Code § 22576. 403 Id. § 22575(a). 404 Id. § 22575(b). 405 Id. § 22575(a). 406 Id. § 22575(b)(5)-(6). DNT is a browser setting which requests that a website not apply tracking technology to the visitor. 407 Id. E. Consumer Protection A variety of state statutes are directed at consumer protec- tion. 
These range from general unfair and deceptive acts and practices (UDAP) laws to more targeted consumer data privacy laws. 1. Unfair and Deceptive Acts and Practices Laws All 50 states have UDAP statutes. The National Consumer Law Center (NCLC) conducted a 50-state evaluation of UDAP statutes.391 Among the key findings in the Executive Summary section of the NCLC report is a comment on the variance in laws from state to state.392 For example, the NCLC found that Hawaii’s UDAP statute contained “strong prohibitions and strong provisions for enforcement by both the state and by con- sumers and no carve-outs for major industries.”393 The NCLC was most critical of UDAP statutes in Michigan and Rhode Island as court decisions have interpreted the statutes as being applicable to almost no consumer transactions.394 Overall, the NCLC report is a useful resource as to the range of specific pro- tections and distinct limitations of UDAP statutes in all states. 2. Consumer Data Privacy The existence of comprehensive state laws addressing con- sumer data privacy is a relatively new phenomenon, with California at the forefront. Two statutes in particular are impor- tant to understand. In 2004, California enacted the California Online Privacy Protection Act of 2003 (CalOPPA).395 This statute addresses privacy in connection with internet use. The California Consumer Privacy Act of 2018 (CCPA)396 is perhaps the most comprehensive statute in the United States addressing consumer data protection. While the implications of this statute are still unfolding, it has already significantly affected the legal landscape. A number of states are looking to enact similar legis- lation to address consumer data privacy, but no other state has yet done so. Moreover, many large companies that operate in California in addition to other states are changing their operat- ing procedures nationwide to conform to the rules of the CCPA. 
Statutes in Maine and Nevada have also sought to deal with this subject, although in a less comprehensive manner.397 Exam- ining the CalOPPA, the CCPA, and some of the other devel- oping statutes on consumer privacy protection, will help define some of the measures that airports should consider as potential future regulatory regimes governing data programs. 391 Consumer Protection in the States: A 50 State Evaluation of Unfair and Deceptive Practices Laws, Nat’l Consumer Law Ctr. (Mar. 2018), https://www.nclc.org/images/pdf/udap/udap-report.pdf. 392 Id. at 1-4. 393 Id at 2. 394 Id. at 1. 395 Cal. Bus. & Prof. Code § 22575 et seq. 396 Cal. Civ. Code § 1798.100. 397 Me. Rev. Stat. Ch. 94; Nev. Rev. Stat. Ch. 603(a).

46 ACRP LRD 42 Entities must be CCPA compliant if they (1) do business in California; (2) collect California residents’ PI; and (3) meet one of the following thresholds: have annual gross revenue of over $25 million; buy, receive, sell or share PI of 50,000 or more con- sumers, households, or devices for commercial purposes each year; or derive 50% or more of annual revenue from selling con- sumer PI.418 The CCPA has specific requirements for privacy policies and notices.419 Businesses that are covered by CCPA must update this information annually.420 The CCPA contains two exemptions. First, it exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.421 Second, the CCPA also exempts from specified provisions personal information reflect- ing a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communication or transaction with the business occurs solely within the context of the business conducting due diligence regarding, or provid- ing or receiving a product or service to or from that entity.422 On September 1, 2020, the CCPA was amended to extend these exemptions until January 1, 2022.423 Enforcement of the CCPA is also largely left to the Office of the California Attorney General, which can issue penalties of up to $2,500 per violation under Section 17206 of the Business and Professions Code.424 The CCPA also provides that busi nesses may also be fined up to $7,500 for each violation.425 Lastly, a consumer may bring private claims under the CCPA where a business allows “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s 
data due to a failure to maintain “reasonable security procedures.”426 Under such circumstances, each consumer can recover between $100 and $750 per incident or actual damages–whichever is greater.427 The final regulations under the CCPA provide guidance on a number of statutory requirements including definitions (Ar- ticle 1), notice requirements (Article 2), businesses’ obligations in handling consumer rights requests (Article 3), verification of 418 Cal. Civ. Code § 1798.140(c). 419 Cal. Civ. Code § 1798.100 (b)-(d). 420 Cal. Civ. Code § 1798.130(a)(5). 421 Cal. Civ. Code § 1798.145(h)(1). 422 Cal. Civ. Code § 1798.145(n)(1). 423 AB-1281, An Act to Amend Section 1798.145 of the Civil Code, relating to privacy. See Cal. Civ. Code § 1798.145(h)(4) and (n)(4). N.B.: Sec. 2 of AB-1281 provides “This act shall become operative only if the voters do not approve any ballot proposition that amends Section 1798.145 of the Civil Code at the November 3, 2020, statewide general election.” This ballot proposition is discussed infra under State Legisla- tive Initiatives and Trends. 424 Cal. Civ. Code § 1798.155(a). 425 Cal. Civ. Code § 1798.155(b). 426 Cal. Civ. Code § 1798.150(a)(1). 427 Id. lished recommendations on developing a privacy policy.408 The Executive Summary includes highlights of recommendations including readability, online tracking/do not track, data use and sharing, individual choice and access, and accountability. The penalty for noncompliance with CalOPPA is a maximum of $2,500 per violation.409 b. 
California Consumer Privacy Act (CCPA) The CCPA went into effect on January 1, 2020, and required the Office of the California State Attorney General to adopt regulations on or before July 1, 2020.410 On August 14, 2020, the final text of the CCPA regulations was approved by the Office of Administrative Law (AOL).411 \\Enforcement by the Office of the California State Attorney General began on July 1, 2020.412 The activity covered under the CCPA includes “[i]nternet or other electronic network activity information, including, but not limited to, browsing history search history, and information regarding a consumer’s interaction with an internet web site, ap- plications, or advertisement.”413 The CCPA has codified California consumers’ rights to: (1) opt-out of the sale of their PI to third parties; (2) request to know what PI businesses have collected about them and how businesses have sold or disclosed that PI to third parties; (3) request that businesses delete PI that has been collected about them; and (4) not be discriminated against on the basis that they have exercised their rights under the CCPA. The CCPA also requires an affirmative opt-in to any sale of children’s personal data.414 In contrast to the CalOPPA, the CCPA defines “personal information” much more expansively than PII as “information that identifies, relates to, describes, is capable of being associ- ated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”415 This definition is similar to the GDPR and may even be broader by including “household.”416 The CCPA specifically refers to IP Addresses and location data as PI.417 408 See Kamala D. Harris, Making Your Privacy Practices Public: Rec- ommendations on Developing a Meaningful Privacy Policy, Cal. Dep’t of Justice (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/ cybersecurity/making_your_privacy_practices_public.pdf. 409 Cal. Bus. & Prof. Code § 17206. 410 Cal. Civ. 
Code §§ 1798.100-199. 411 See Final Text of Proposed Regulations, Cal. Office of A.G., https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text- of-regs.pdf. 412 Attorney General Becerra Issues Statement on Day One of CCPA Enforcement: Know Your Responsibilities, Cal. Dep’t of Justice (July 1, 2020). 413 Cal. Civ. Code § 1798.140(o)(1)(F). 414 Cal. Civ. Code § 1798.120 (c)-(d). 415 Cal. Civ. Code § 1798.140(o) (emphasis added). 416 Article 4(1) of the GDRP defines personal data as any informa- tion related to an identified or identifiable natural person. Gen. Data Protection Reg., 2016/679, art 4(1) (EU). 417 Cal. Civ. Code § 1798.140(o).

ACRP LRD 42 47 tions provide four examples to illustrate discrimination.436 The regulations also provide eight different methods of calculating the value of a consumer’s PI to the business.437 f. Minors The regulations require that a business’s privacy policy must contain an affirmative statement on whether the busi- ness has actual knowledge that it sells the PI of minors under 16.438 Parental verification requirements are triggered only by a business’s actual knowledge of selling minors’ PI, not by the collection or maintenance.439 The regulations provide parental consent verification standards for children under 13.440 For sales of PI from minors between the ages of 13 and 16, there is a re- quirement of an affirmative opt-in using a two-step process.441 F. State Legislative Initiatives and Trends 1. California Privacy Rights Act of 2020 (CPRA) Ballot Initiative On June 24, 2020, the California Secretary of State certi- fied the CPRA to appear on the November, 2020 ballot after it gained the requisite number of signatures.442 The ballot initia- tive was adopted in the November 3, 2020 general election. The new law, with the exception of the right of data access, will go into effect on January 1, 2023, and apply only to data collected after January 1, 2022.443 Enforcement would begin on July 1, 2023.444 While the regulations and implementing guidance for the CRPA are not yet established, the following observations are drawn from an evaluation of the ballot initiative. 
Like the CCPA, the proposed CPRA would not apply to government entities, but would cover airlines and other airport tenants who operate commercial websites or otherwise provide online services and who meet the statutory threshold tests.445 The proposed CPRA significantly expands the CCPA and close- ly parallels the EU’s GDPR.446 Also, because the CPRA would be enacted by voters, rather than the California legislature, the legislature would be constrained in passing amendments that lower the level of consumer privacy protection contained in the 436 Id. 437 Id. § 999.337. 438 Id. § 999.308. 439 Id. § 999.332. 440 Id. § 999.330. 441 Id. § 999.331. 442 New Measure Eligible for California’s November 2020 Ballot, Cal. Sec’y of State (June 24, 2020), http://www.sos.ca.gov/administration/ news-releases-and-advisories/2020-news-releases-and-advisories/ ap20058-new-measure-eligible-californias-november-2020-ballot/. 443 Cal. Privacy Rights Act of 2020, Version 3, No. 19-0021, Cal. Office of A.G. (received Nov. 13, 2019), § 31, https://oag.ca.gov/ system/ files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20 Version%203%29_1.pdf. 444 Id. 445 Id. § 14. 446 Gen. Data Protection Reg., 2016/679, art 4 (EU). consumers making requests (Article 4), rules regarding minors (Article 5), and use cases for the nondiscrimination mandate (Article 6).428 c. Notice Requirements The final regulations provide guidance on three areas of notices businesses must provide under the CCPA:429 1. for businesses that collect personal information directly from customers, a notice to consumers about the collec- tion of PI at or before the point of collection; 2. for businesses that sell PI, a notice of the right to opt out and a notice of sale details; and 3. for businesses that offer financial incentives430 or a price or service difference, a notice of financial incentive. 
As a separate matter from the notice requirements, the final regulations instruct that “[t]he purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collec- tion, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.”431 d. Consumer Rights Requests The identity verification requirements in the regulations focus on proving that requesters are who they claim to be rather than on proving that each requester is a California resident.432 It is not clear what a business can do to verify residency beyond an attestation. The regulations require that accessibility for persons with disabilities follow generally recommended industry standards, and for website accessibility, they specifically adopt the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, authored by the World Wide Web Consortium.433 The WCAG outlines how to make websites accessible for people with visual, auditory, physical, speech, cognitive, language, learning and neurological disabilities.434 e. Nondiscrimination and Loyalty Programs The regulations instruct that a financial incentive or a price or service difference is discriminatory only if the consumer is treated differently by the business because the consumer exer- cised a right under the CCPA or the regulations.435 The regula- 428 Cal. Code Regs. tit. 11, ch. 20 (California Consumer Privacy Act Regulations). 429 Id. § 999.304. 430 Id. § 999.301(j) (“Financial Incentive” means a program, benefit, or other offering, including payments to consumers, related to the col- lection, retention, or sale of personal information). 431 Id. § 999.308. 432 Id. § 999.323. 433 Id. § 999.308. 434 Web Content Accessibility Guidelines (WCAG), Web Accessibil- ity Initiative, https://www.w3.org/WAI/standards-guidelines/wcag/. 435 Cal. Code of Regs. tit. 11, § 999.336.

CPRA.447 Among the differences between the CCPA and the proposed CPRA are the following:

• The CPRA would raise one of the threshold tests of applicability from processing personal information of 50,000 or more California consumers or households to processing personal information of 100,000 or more California consumers or households.448
• The CPRA would create a new right for data subjects to correct inaccurate personal data held by a business.449
• The CPRA would establish a new category of “sensitive personal information,” which would include government identification, such as social security numbers and driver’s license numbers; precise geolocation; and racial, ethnic, genetic, and biometric data. Significantly, the contents of a consumer’s mail, email, and text messages would also be in this category unless the business is the intended recipient. Consumers would be allowed to limit the use of sensitive personal information to what is necessary to provide the goods or services requested and other compatible purposes. A business would be required to display clearly and conspicuously a “Limit the Use of My Sensitive Information” link on its website unless it allows consumers to exercise this option using a preference signal from a browser.450
• The CPRA would expand CCPA’s right to know obligations to include “sharing” and disclosure of personal information by a covered business and also expands the opt-out for sale of such personal information. A business would be required to clearly and conspicuously display a “Do Not Sell or Share My Personal Information” link on its website unless it allows consumers to opt out from both selling and sharing by using a preference signal from a browser.451
• The CPRA would extend a consumer’s right to know beyond the twelve-month lookback provided under CCPA.452
• The CPRA would increase administrative fines to up to $7,500 for an intentional violation or one where the violator has actual knowledge that the personal information involved someone under the age of 16.453
• The CPRA would grant a private cause of action for data breaches caused by a company’s failure to use reasonable security measures for additional types of personal information, specifically an email address and either a password or a security question-and-answer that would permit access to the account.454
• The CPRA would create new requirements for data retention that must be disclosed in a company’s privacy notice.455
• The CPRA would expand a consumer’s right to know and access specific pieces of personal information and includes a portability-type requirement similar to the GDPR.456
• The CPRA would create a new category of “contractor” along with the CCPA’s “service provider” category. There would be mandatory written contract and auditing requirements for both contractors and service providers.457
• Perhaps most significantly, the CPRA provides for a new agency to be established, the California Privacy Protection Agency (CPPA), which will assume the authority currently held by the California Attorney General to issue regulations, bring enforcement actions, and determine administrative fees. The CPRA provides that the CPPA would issue regulations requiring companies determined to be involved with high-risk data processing to have annual audits and providing for consumer access and opt-out rights with respect to automated profiling and decision-making, similar to GDPR requirements.458

The focus of attention on the CPPA and the subsequent CPRA ballot initiative is reflective of the influence that California has had on the development of privacy law in the U.S. The documented “California Effect,”459 owing to the size of the state’s economy and the predominance of technology companies located in the state, has influenced both large corporate entities in shaping their data protections and privacy policies as well as the protections offered in other states. Thus, the influence of prior statutes like CalOPPA and now the CCPA and anticipated influence of CPRA, are factors airports and airport stakeholders should consider in trying to discern legal trends.

G. Other State Legislative Bills

Nine other states have introduced draft bills that would impose varying requirements on business in the consumer data privacy area.460 Hawaii, Maryland, Massachusetts, Mississippi,

447 Cal. Const. art. II, § 10(c).
448 Cal. Privacy Rights Act of 2020, Version 3, No. 19-0021, Cal. Office of A.G. (received Nov. 13, 2019), § 14, https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf.
449 Id. § 6.
450 Id. § 13.
451 Id.
452 Id.
453 Id. § 17.
454 Id. § 16.
455 Id. §§ 3-4.
456 Id. § 7.
457 Id. § 13.
458 Id. § 24.
459 See, e.g., Anupam Chander, Margot E. Kaminski, & William McGeveran, Catalyzing Privacy Law, Georgetown L. Fac. Publ’ns & Other Works 2190, at 27 (2019), available at https://scholarship.law.georgetown.edu/facpub/2190.
460 S.B. 418, 2019 Leg., 30th Sess. (Haw. 2019); S.B. 613, 2019 Reg. Sess. (Md. 2019); S.D. 341, 191st Leg., Reg. Sess. (Mass. 2019); H.B. 1253, 2019 Leg., Reg. Sess. (Miss. 2019); S.B. 176, 54th Leg., 1st Sess. (N.M. 2019); S. 224, 2019-2020 Gen. Assemb., Reg. Sess. (N.Y. 2019); H.B. 1485 2019 Leg., 66th Sess. (N.D. 2019) (enacted); S. 0234, 2019 Gen. Assemb., Reg. Sess. (R.I. 2019); S.B. 6281, 66th Leg., 2020 Reg. Sess. (Wash. 2020).

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
