Caveat 1.8.26
Ep 290 | 1.8.26

Your data, your rules.

Transcript

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K CyberWire's Privacy, Surveillance, Law, and Policy Podcast. I'm Dave Bittner, and joining me is my cohost, Ben Yellen from the University of Maryland Center for Cyber, Health and Hazard Strategies. Hey there, Ben.

Ben Yellen: Hello, Dave.

 

Dave Bittner: On today's show, Ben and I review some of the new privacy legislation taking effect across the US. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben. Happy New Year.

 

Ben Yellen: Happy New Year to you too. It is good to be back.

 

Dave Bittner: It is good to be back. I hope you had a lovely and rejuvenative break.

 

Ben Yellen: I did, and I hope our listeners enjoyed some encore broadcasts of our --

 

Dave Bittner: That's right.

 

Ben Yellen: -- wonderful podcasts.

 

Dave Bittner: Re-rolls.

 

Ben Yellen: So we're back to new content.

 

Dave Bittner: That's right.

 

Ben Yellen: We're for real in 2026.

 

Dave Bittner: That's right, that's right. Well, we've got a lot to talk about. Today we are going to go over a lot. There's a lot of legislation that's going into effect here as we roll over the new year. We're keying off of an article that was written for Bloomberg Law. This is actually written by Paula Heckrich, who is from FEMA, wrote this article.

 

Ben Yellen: Interesting.

 

Dave Bittner: Yeah. Kind of a rundown of some of the legislation. But let's start off with the big one here, I think, which is fair -- which I think it's fair to say is California.

 

Ben Yellen: You said it, not me. I know I have my California biases. But yes.

 

Dave Bittner: That's true.

 

Ben Yellen: This is -- this is a California story.

 

Dave Bittner: Go for it.

 

Ben Yellen: So going back a few years, California passes the CCPA. It's the first major state level data privacy act in the country. They have this opt out provision where people have the right -- California residents have the right to petition individual companies to prevent their data from being sold to data brokers. The problem with that is there are a lot of companies out there, and the process was very cumbersome. You have to fill out forms for every single entity for which you want data taken down. So, with that in mind, the California State Legislature passed a revision to this law, which opened up a one-stop shop for you to request from all websites that your personal data be taken down. This government website is now open. If you are a California resident, you can go to privacy.ca.gov/drop. It gives you more control over your data. You have the right to tell data brokers to delete and not sell your personal information. The one caveat, so to speak, is that companies don't have to comply with the request until September. So you have a few months until you'll be able to see whether -- definitively whether your information has been taken down. The other caveat, of course, is that this only applies to California residents. And they have an ID check system, just kind of like a digital certification that they are actually California residents. So, unfortunately, me and you can't participate in this effort. But my parents can. I've got a lot of relatives in California who can take advantage of this opportunity. And this is really a major blow to the data broker industry, potentially.

 

Dave Bittner: Yeah.

 

Ben Yellen: Now, again, it's just one state; and this is just the beginning of the process. We don't know how many people are going to go to this portal, fill out the form, show their ID, and get their personal information taken down.

 

Dave Bittner: Yeah.

 

Ben Yellen: But this is such a profitable industry. You have data brokers that sell people's addresses, social security numbers, relatives, medical ailments, all the things that the internet tracks because we're not reading the EULAs; and we give them consent to track us as we go from site to site.

 

Dave Bittner: Right.

 

Ben Yellen: You know when you go to a new site. And it's like, Would you like to log in using your Google account?

 

Dave Bittner: Yeah.

 

Ben Yellen: That is, yeah. That's code speak for we have 17 years of emails stored from you. And we know exactly the things you like, your political views, and the very secretive places that you like to go. And there just haven't been many restrictions on how that -- how and when that data can be sold. So that's why California in 2023 passed the amendment to this law. You have that single website. Any data broker that operates in the state, no matter their size, is required to delete personal information upon request. And, once we get to September, the state can start levying daily fines against the companies if they refuse a person's request to have their information taken down.

 

Dave Bittner: Yeah. That was going to be my question because I guess the cynical side of me, which seems to be growing larger every day, says --

 

Ben Yellen: Oh, for sure. Same here.

 

Dave Bittner: Yeah. Like, you know, we had the Do Not Call list, right?

 

Ben Yellen: Yeah. It hasn't done a great job.

 

Dave Bittner: I mean, I guess there was a blip when it first happened where we all thought, oh, this is great. We're getting fewer, you know, spam calls or whatever. But then the avalanche continued. And, if nothing, more grew -- I think things are better now than they were at its peak. But I guess my question is, do you feel as though California has put enough teeth into this law that it'll actually make a dent for their citizens?

 

Ben Yellen: Yes. Because these fines are real, but I'm -- will not count my chickens before they hatch --

 

Dave Bittner: Yeah.

 

Ben Yellen: -- because there's going to be issues with compliance. And, you know, what happens if there is some question as to whether a piece of data is actually public information, in which case the company would not have to take it down; and are we going to see lawsuits on things like that? So there are personal information -- there is personal information out there that is in the public domain and would not qualify as information that needs to be taken down under this statute. So somebody's voter registration information is public data. That's how they can have robust opinion, political opinion polling because they have information on where you're registered to vote; and that gives the basics on your age, your ZIP code, etc. So we can have issues where data brokers refuse to take down things that they believe are public information. And then, you know, there's an investigation. You have this California Privacy Protection Agency, which is the watchdog that's theoretically going to be enforcing this. But, beyond that, especially since these fines that are going to be levied are pretty significant, I'm pretty optimistic that they'll be able to enforce this until, you know, companies start to figure out workarounds. That's really what happened with the Do Not Call list is you're right. We had the two or three years when it was -- oh, it was blissful. If I got a phone call, I could be confident --

 

Dave Bittner: Right.

 

Ben Yellen: -- that it was somebody I actually wanted to talk to and not, Have you considered refinancing your house?

 

Dave Bittner: Right. Your warranty is about to expire.

 

Ben Yellen: Yes. Get a lot of those. So, yeah. I think at least in the near term I'm optimistic that it's going to be enforced until, like I said, the companies are creative about finding workarounds to not comply.

 

Dave Bittner: Let me tie this into something personal. Over the holidays, I was driving around running some errands and, you know, as you do. And I noticed I actually visited more than one Home Depot.

 

Ben Yellen: Oh, look at you.

 

Dave Bittner: Yeah. Being Mr. Handyman.

 

Ben Yellen: Blue-blooded American visiting more than one Home Depot.

 

Dave Bittner: That's right, that's right. And what I noticed was that the entrances and exits to both of the Home Depots that I visited had the Flock license plate reader cameras. This caught my eye. And so I did a little digging, and I found out that many, many, many, many Home Depots have Flock license plate camera readers at their entrances and exits. So I suspect this means some kind of deal was struck between Flock and Home Depot. I don't know if there's any money exchanging hands or if it's just a courtesy. But what struck me about this was I would love to be able to opt out of this, right? And I currently cannot. So what this leads me to is my question for you. I know, you know, you -- you have an ear to legislation here in Maryland. Are there any conversations about these sorts of things? Are our legislators looking at what's going on in California? Are these types of things on their radar?

 

Ben Yellen: Absolutely. They look at California as the model. They have since the CCPA was enacted. Since then, Maryland, the state I'm most familiar with, passed its own data privacy protection law; and they're always looking to improve it. We have some very impressive national advocacy organizations in this space and state-based advocacy organizations who care deeply about data privacy and realize that the fight right now is taking place at the state level. And we've seen, as I think you'll get to when we get to this Bloomberg Law article, like, hundreds if not thousands of laws on various aspects of data privacy. I think it started with these sort of general data privacy laws that were modeled after California, and that happened in a good bunch of states. And then, as new problems arose, I think states are taking more sector-specific approaches and trying to identify problems for consumers before they become bigger problems and give people the ability to protect themselves. So I do think this is something that state legislatures are focused on. I think you're hitting at something very important, that opting out, while it might be very satisfying, might deprive you of certain services and certain benefits that you might end up regretting. I mean, the fact that we are being tracked does add a level of convenience in the sense that I'm getting advertisements that are tailored to me and my interests, and occasionally those end up being products that I didn't know I wanted and got a really nice milk frother for a Secret Santa at Christmas this year that I saw on a Facebook ad. And that's a life changer, and I never would have thought I needed it.

 

Dave Bittner: Okay. Fair enough.

 

Ben Yellen: So, yeah. Are you, for example, in that Home Depot scenario really going to -- you're right there. You know, you're about to shop and get your custom nails or whatever. Are you really going to leave because they're tracking your license plate, and you're going to go to Ace Hardware or Lowe's? That's kind of where I see, like, everybody's going to try and opt out; and then maybe they notice that some incidental benefits that they took for granted are not there anymore. And I think that's where this could end up being less dramatic than it now seems in terms of impact.

 

Dave Bittner: What do you think is the most effective way as a consumer, as a resident of any state to engage with my lawmakers in a way that is beneficial to both them and me?

 

Ben Yellen: Great question. First of all, align yourselves and become -- I wouldn't say activists, but definitely align yourselves with organizations that are doing work in the space like EPIC, The Electronic Frontier Foundation. They have a lot of resources. Oh. The International Association of Privacy Professionals. They have a lot of resources. So you can, A, become very knowledgeable on which states have passed which data privacy laws; and, B, they have advocacy tools so that you're more informed when you're talking to your state legislators. State legislators are far more accessible, and they actually listen to constituents more in my experience than members of Congress. Part of it is just that they represent a smaller population of people. But another part of it is at least, you know, in my experience in Maryland, anybody can testify if you sign up in advance on any piece of legislation. And so if this is something that you're passionate about and there is a data privacy bill coming up in your state, even if you can't go and testify in person, submit written testimony. If there's kind of a critical mass of people who are submitting this testimony, I think it does have a big impact on our legislators to see that there's some real movement behind this push for data privacy. So I do think people can have a big impact. In the meantime, I mean, those of us who live in the remaining 49 states --

 

Dave Bittner: Right.

 

Ben Yellen: -- are not going to have the same protection as Californians. We don't have access to this portal. So this Washington Post article gives some good suggestions about what you can do in the meantime, before your state passes a law. Using web browsers from Brave, Firefox, or DuckDuckGo, all of those are more privacy conscious. You have the option to tell websites you visit not to share, sell information. The old Privacy Badger, which you can download from EFF's Consumer Advocacy Group, it is compatible with almost all of your favorite web browsers. Permission Slip from Consumer Reports. So, if you give that application your basic information, it will assist you. It's kind of a personal bot assistance to tell companies not to sell your information or to delete it. And then you can ask People Search websites to delete your information as well. And their last recommendation is the one that you started with. Become somebody who's willing to talk to legislators and willing to get yourself in the arena and show policymakers that this is something that their constituents actually care about.

 

Dave Bittner: Yeah. So before we move on to our next state, there are a couple of things that caught my eye here in this article from Bloomberg. One was about opt out request noticing, which is kind of what I was talking about with Home Depot, right?

 

Ben Yellen: Right. Exactly. Yeah. A different version of that, but yep.

 

Dave Bittner: Yeah. And they actually have some teeth in here. The other was about health insurance portability and accountability. What's going on with that one?

 

Ben Yellen: Our favorite acronym -- acronym, HIPAA --

 

Dave Bittner: Yeah.

 

Ben Yellen: -- which everybody, of course, gets wrong. It's one P and two A's.

 

Dave Bittner: Right, right.

 

Ben Yellen: So we'll start with that as a backdrop. No. I mean, this is something that's been done under the Health Information Technology for Economic and Clinical Health Act, which goes all the way back to 2009. And this law in California allows state enforcers to mitigate HIPAA violations of California residents. So it gives California residents an avenue where you have state enforcers through the Attorney General's office trying to maximize privacy claims involving health data. I think this has become critically important as people feel that their personal health data is threatened at the federal level for things like reproductive health and gender identity stuff. And I think that's one of the motivating factors behind this law. So that certainly caught my eye, and it's something that I know has been a focus in California and some other states.

 

Dave Bittner: Yeah. All right. Well, I'll tell you what. Let's take a quick break here, and we will be right back after this message. And we are back. You know, one of the things that I think is interesting about this article here in Bloomberg is we start off with California. And I think, when it comes to privacy legislation and those sorts of things, most people would probably nod their head and go, oh, yeah. California. That makes sense.

 

Ben Yellen: Right.

 

Dave Bittner: Number two on the list, Texas.

 

Ben Yellen: Yee haw!

 

Dave Bittner: Couldn't be more polar opposites from California when you think of attitudes, approaches, you know, legislative priorities. And, yet, Texas is also very vigilant when it comes to privacy.

 

Ben Yellen: Data privacy knows no political boundaries, and this is something that's been encouraging for me to see. They might focus on different aspects of protecting data privacy.

 

Dave Bittner: Yeah.

 

Ben Yellen: You know, Texas had that age verification law for adult websites that went up to the Supreme Court because of First Amendment issues. And so that's an area where they'll maybe focus on, and California won't. But there's actually a lot of common ground. I think this is something that is relatively nonpartisan in that members of both parties have their own unique interests in trying to protect people's data privacy. So we see that in red states, and we see that in blue states.

 

Dave Bittner: What are some of the things that Texas is focusing on this year?

 

Ben Yellen: So there's something called the Texas Responsible Artificial Intelligence Governance Act and the Texas Data Privacy and Security Act. This does a bunch of things as it relates to children's data. So the Texas Attorney General now has authority under this Office of Data Privacy, and they enforce a couple of new Texas statutes. One of them is the Texas Responsible Artificial Intelligence Governance Act, and the other is the Texas Data Privacy and Security Act. And they are doing a bunch of things in a different -- in a bunch of different areas. So they've taken action on children's data and applications. I mentioned that age verification effort that could be invalidated as unconstitutional. Securing Children Online Through Parental Empowerment Act was the name of that statute. There's another statute in place that regulates children's exposure to pornography, which has survived judicial scrutiny. And there's also, of course, COPPA at the federal level, Children's Online Privacy Protection Act, which involves some degree of state-level enforcement. They mentioned vendor agreements. So the state is reviewing agreements with vendors for provisions that imply permission for the vendor to co-opt data for its own purposes. One thing this article noted is vendor agreements with state government tend to not have in-depth review. It's just something that can kind of be overlooked. So the Texas Attorney General's office under this data privacy team is going to see if vendors are taking advantage of either state agencies or private sector companies, if there are impermissible expansions of data usage beyond an agreement's boilerplate terms. Genetic data, this is one that's always interested me. So this is under a law Texas passed called the Texas Direct to Consumer Genetic Testing Act. 
There's also the Texas Genomic Act of 2025 which gives people a private right of action to challenge the collection of their genetic data through things like biometrics and then the same thing for geolocation data. So this Texas Direct to Consumer -- or, sorry, this Texas Privacy Act requires explicit consent for processing location data; and this is something that the attorney general's office in Texas has prioritized for enforcement. And it's something that at least in this article Bloomberg Law claims could be a model across the country. So that's a lot of things that this privacy office is working on under the authority of these statutes and certainly very interesting to see it come out of the state of Texas.

 

Dave Bittner: Yeah. That is interesting. And, like you said, I don't know. It's just fascinating to me that the two states that seem to be leading the charge here are in so many ways different. But, when it comes to this, there's a lot of crossover.

 

Ben Yellen: Yeah. And, again, sometimes they're motivated by different things.

 

Dave Bittner: Right.

 

Ben Yellen: There are certain things that bother conservatives and certain things that bother liberals; and sometimes there can be common ground on how to ameliorate those things, if it makes sense. And that's where data privacy laws can be bipartisan. If you're concerned about too much information, if you're a libertarian concerned about government agencies or local police departments buying data from data brokers, or you're concerned about, you know, monopolized companies in the private sector taking advantage of your personal data, the common solution is a data privacy law, no matter what your ideological bent is.

 

Dave Bittner: Moving on here, last but not least, in this rundown, they talk about Virginia, our neighbor to the South. So they've got the Virginia Consumer Data Protection Act, and this says they're focusing on data and social media this year. What can we expect here, Ben?

 

Ben Yellen: Yeah. So they've done a couple of things under the authority of this act. The first has to do with children's data. So this law includes a provision prohibiting the processing of children's geolocation data and a requirement for data protection assessments for online services targeting children. And the idea is that, if they are rigorous with enforcement here, this can end up being model legislation, especially as there's more interest at the federal level in protecting children's data privacy. There's a provision of the law in Virginia that just went into effect that requires good faith age screening methods plus limitations on screen time of one hour a day unless a verifiable parent increases the allotment.

 

Dave Bittner: Wow.

 

Ben Yellen: Just admit those of us who are parents who try to enforce screen time limits.

 

Dave Bittner: Yeah.

 

Ben Yellen: And we get the little request that says, Your child is requesting another hour of screen time. And, you know, I've been working all day and just want to watch football. I can't -- I can't say I'm above just pressing the Approve button.

 

Dave Bittner: Right. Because the alternative is they come and pester you.

 

Ben Yellen: Exactly. We've all been there.

 

Dave Bittner: Parenting 101 by Ben Yellen.

 

Ben Yellen: Exactly.

 

Dave Bittner: Parenting through neglect.

 

Ben Yellen: So, you know, I think it's kind of questionable to me how this could be enforced.

 

Dave Bittner: Yeah.

 

Ben Yellen: Especially if there are workarounds where technologically savvy kids can figure out what the four-digit passcode is to disable screen time limitations. But I think it's a good faith effort to protect children and to get them off of social media. I mean, I think we've seen a pushback against the saturation of social media, the saturation of screens for children. All these states have passed laws restricting the use of devices during public school hours, which I think is gaining momentum across the country. So I think that's part of this effort.

 

Dave Bittner: Yeah.

 

Ben Yellen: And then there is a bill amending the Virginia Consumer Protection Act to heighten protection of reproductive and sexual health information that took effect last April, and this is a priority for the incoming Virginia Attorney General and the new gubernatorial administration in Virginia.

 

Dave Bittner: Oh, right. Okay. Sure, sure.

 

Ben Yellen: So this is just another example. We've kind of gone blue state, red state. This is more of a -- it's still more of a blue state than a red state, but it's certainly not as progressive as California.

 

Dave Bittner: Yeah.

 

Ben Yellen: And they're all kind of using the same methods here to reach the ultimate result, which is increased enforcement, protecting privacy for everyone and particularly for children.

 

Dave Bittner: Yeah. I guess I -- it's funny. I really hadn't thought much about where Virginia sits on the, you know, blue, red, purple spectrum. But I guess like a lot of states they have a population -- their cities are highly populated, and that leans them towards blue. But then there's so much rural area that tends to go more red. And I think a lot of those states, particularly on the East Coast, are kind of like that. You know, think about New York and Pennsylvania. Even Maryland, you know, you get away from Baltimore towards either --

 

Ben Yellen: The Eastern Shore.

 

Dave Bittner: Eastern Shore or the Western panhandle and you're very, very red but not enough to make it so that it's not a very blue state, right?

 

Ben Yellen: Yeah. I think some people in those rural locations can feel underrepresented.

 

Dave Bittner: Yeah, yeah.

 

Ben Yellen: They -- their voice is swamped by people in Arlington and other areas of Northern Virginia. And so I think it's incumbent upon state legislators to try and represent the views of most of their constituents. And I think this is an issue where it's not just something of interest to people living in Northern Virginia. A lot of people in southwest Virginia who live in rural areas have kids and are concerned about their kids having unfettered access to things like pornography and social media. And so it's something where legislators and policymakers have found common ground, and I think that's very encouraging.

 

Dave Bittner: Looking at the big picture here, looking at these three states, what's your outlook for 2026? I mean, does it seem like this is a priority for the states around the nation to be tightening down on this privacy stuff?

 

Ben Yellen: I do. And states really feed off each other. There's the National Conference of State Legislatures. The group meets regularly. I think they have annual conferences. But there are also workgroups, and I've been a part of conversations in those. The workgroups are great because you get, you know, two legislators from Texas who help draft these statutes. And they explain to legislators from other states, like, here's what worked; here's what hasn't worked. And I think, when you have something like this where the goals are all very admirable but the methods, I think, are things that we're still playing around with, trying to work on, that's where advice from the experience of other states might be very useful. So there -- you know, there are different ways of trying to enforce these privacy laws and try to -- trying to improve data privacy within these states. So setting up internal consumer complaint databases within the various enforcement agencies, things like ways to drive media attention. So the most high profile cases, how do you use those as a way to justify further enforcement of policy? So sometimes it's those types of methods that states that haven't passed these laws can really learn from what other states have done, what's actually effective in effectuating change. Is a certain level of penalty enough to induce a big data broker company that you haven't heard of to stop selling our data when we request it through the portal? Like, that's a very useful piece of information to state legislators.

 

Dave Bittner: Yeah. I mean, it's that old thing about the states being the laboratories, right?

 

Ben Yellen: Laboratories of democracy. That's right.

 

Dave Bittner: There we go, there we go.

 

Ben Yellen: Yeah. And it's just this is what you have to do in the absence of comprehensive federal data privacy legislation. And, when you have the federal government talking in the context of artificial intelligence about things like preemption, where the federal government will preemptively -- this is kind of the double meaning of preemption, but they will preemptively sue states who they think are enacting artificial intelligence regulations in violation of the administration's priorities. And I think that's relevant here because you can see how active and how nimble states can be in responding to the concerns of their constituents. It's much easier to pass legislation. It's much easier to just try things and see if they work than it is at the federal level. And if you have some sort of federal policy, whether it's an act of Congress or an executive order that tries to stifle the ability of states to be nimble, whether it's for artificial intelligence or data privacy, I think that's going to have a huge impact. I mean, just looking at everything we've talked about here, none of that would have been possible if there had been some type of federal preemption. And so I think giving the states the ability to experiment with this and to become models for other states I think is extremely valuable.

 

Dave Bittner: Yeah. All right. Well, we will have a link to this article in our show notes. Again, it's written by Paula Heckrich, who is a lead attorney for Crisis Context Data at the US Department of Homeland Security. Works for FEMA. And that is our show. We want to thank all of you for listening. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yellen: And I'm Ben Yellen.

 

Dave Bittner: Thanks for listening.