Podcasts
Caveat
Ep 93
Caveat 9.9.21
Ep 93 | 9.9.21

Threading the needle on consumer privacy laws.

Show Notes
Transcript

Aaron Tantleff: Part of the desire in a place like Colorado is trying to thread the needle between how to protect consumers, but ensure that the legislation remains business-friendly.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben has an update on Apple's CSAM-scanning plans. I've got details on Apple's plans to integrate your official state ID into Apple Wallet. And later in the show, my conversation with Aaron Tantleff. He's from Foley & Lardner’s Privacy, Security & Information Management Practice. We're going to be discussing how Colorado's privacy law differs from CCPA and how companies need to prepare. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's kick things off here. You're going to start off - we got some big news from Apple, yeah? 

Ben Yelin: We sure did, Dave. We did it. It was me and you. 

Dave Bittner: (Laughter) I think you're right. Right. Official word from Tim Cook says that, as an avid listener of the "Caveat" podcast, my opinion was changed, right (laughter)? 

Ben Yelin: Yeah. Yeah. And thanks, Tim, for that shoutout. We also need to give David Derigiotis some credit, too. 

Dave Bittner: Yeah. 

Ben Yelin: Because he was on our episode we did where we reviewed this program from Apple that would have allowed them to scan iPhones for digital evidence of sexually exploitative material from minors. 

Dave Bittner: Right. 

Ben Yelin: And Apple has reversed that decision. It's not a full reversal. 

Dave Bittner: Yeah. 

Ben Yelin: They're doing the proverbial, we're taking a pause, taking time to review our policies. So they're not canceling the program per se, but they are acknowledging that there was a significant backlash. 

Dave Bittner: Yeah. 

Ben Yelin: A number of the provisions were not as controversial. The one that allowed parents to opt into a program where they would be alerted if their own child sent or received sexually exploitative material - I think, you know, that probably would have survived. But the provision where Apple was actually going into our devices and scanning our iCloud photos for images that matched known child pornography images on the internet was, even despite the noble intentions, something that really - you know, to use colorful language - pissed off the... 

(LAUGHTER) 

Ben Yelin: ...Privacy and security community. 

Dave Bittner: Yeah. 

Ben Yelin: So there are a lot of lessons here. One is that activism works. Apple is susceptible to public opinion, particularly among people who know what they're talking about. You know, I think these organizations, especially Apple, listen to groups like the Electronic Frontier Foundation, from EPIC, some of these other online privacy groups. 

Dave Bittner: Right. 

Ben Yelin: Because you know, as we said in that episode that we recorded, they want to be the industry-leader in privacy and security. 

Dave Bittner: Yeah. 

Ben Yelin: They pride themselves on that. So to get that kind of feedback - I think they take that very seriously. And unlike... 

Dave Bittner: I think it is a good faith, core value. I think it's more than just marketing and lip service. 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. 

Ben Yelin: And they practice what they preach in most circumstances. 

Dave Bittner: Right. 

Ben Yelin: We talked about the San Bernardino case being the most high-profile one. I also will say, the activist groups should be extremely proud of themselves. They sprung into action quickly. They went online and collected signatures. This article that we're using for our piece today, which we'll post in the show notes, comes from The New York Times. They note that the Electronic Frontier Foundation set up an online petition that got 25,000 signatures. You know, these are the types of things that can have an impact - I dare say, have more of an impact in the private sector than it does in the public sector. Because quite honestly, Apple is more directly responsible to its customers, sometimes, than policymakers are to their constituents. It's easier for me to choose a different device or an encrypted application... 

Dave Bittner: Right. 

Ben Yelin: ...Sometimes than it is for me to choose a new legislator. 

Dave Bittner: There's no alternative DMV you can go get your driver's license from (laughter). 

Ben Yelin: I sure wish there was. Yeah, I'm going to go to the super hipster alternative DMV. Yeah. 

Dave Bittner: (Laughter) Right. Right. Right. 

Ben Yelin: Nice lighting in there. Yeah. 

Dave Bittner: Yeah. Nice cafe, good coffee, all that. Yeah, sure (laughter). Well, what about - I've seen folks sort of having the cynical response to this and saying Apple's pause just means that Apple's going to bide their time and then, you know, quietly, under cover of darkness, in the middle of the night on a weekend, holiday weekend, they'll just kick this into place. 

Ben Yelin: Going to be the Friday news dump... 

Dave Bittner: Yeah (laughter). 

Ben Yelin: ...Before, like, a... 

Dave Bittner: Right. 

Ben Yelin: ...Major - you know, Christmas Eve. 

Dave Bittner: Exactly. Yeah. Yeah. 

Ben Yelin: You know, I think, based on our experience over these past several weeks, they can't do that. Because the activist community is on edge, and they have their eyes on the issue now. I think what Apple will have to contend with is, there is a backlash on the other side here. There are advocacy groups - you know, the Center for Missing and Exploited Children, similar groups like that, are not happy that Apple has walked back this decision. So they do have to balance these interests. And you know, I think just because the privacy community has been up in arms, that doesn't mean that, you know, Apple necessarily is going to abandon this entirely. Because there is a large constituency, obviously, for curbing sexually exploitative material. 

Dave Bittner: Right. Right. 

Ben Yelin: So - but yeah. I don't think they would be able to do this in the cover of night, given how plugged in the activist community is, how all of these groups are keeping a watchful eye. I mean, we saw how quickly groups sprung into action, I think, in a way that was clearly unanticipated by the bigwigs at Apple. 

Dave Bittner: Yeah. 

Ben Yelin: And you know, us at "Caveat" - we do not do a single episode on one topic very often. 

Dave Bittner: (Laughter). 

Ben Yelin: But when we decided to do one on this, that should have been a signal that is serious. 

Dave Bittner: (Laughter). It was serious. Right. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah. Well, I mean, you know, it's - we have fun here, but it is a serious topic... 

Ben Yelin: Yes. 

Dave Bittner: ...For sure. I wonder, could Apple come at this the way that most of the other tech companies do? Could they simply scan people's iCloud photos on the server side, up in the cloud, the way that Google does, the way that Facebook does, the way that Dropbox does? This is a - I mean, it's a common practice from the other large providers of these sorts of services. If Apple simply fell back and said, you know, that'll work, do you think they could go at it from that direction? 

Ben Yelin: I think that would be a better alternative to them than what they tried to do, which was to go directly on people's devices. 

Dave Bittner: Right. 

Ben Yelin: I still think it's more of a challenge for Apple than it is for other companies because of the position they hold in the market as the holiest protector of your privacy rights. And given the backlash we saw here, you know, I think anything that Apple does is going to be met with a skeptical eye. 

Ben Yelin: You know, what's interesting about the backlash is, not only did Apple not anticipate it, but they kind of seemed to think that they were doing something that everybody was going to be proud of. They sent, you know, two media sources information on how the technology works. You know, they sent explainers to child safety groups and computer scientists. They really thought that this was going to be good PR for their company and that they were doing the right thing. 

Dave Bittner: Right. 

Ben Yelin: So you know, I could see something like that happening if they decided, like Google and some of these other companies, to just do the scans in the cloud... 

Dave Bittner: Yeah. 

Ben Yelin: ...Thinking, all right, everybody is going to like this. Other companies do it. We're not going to face a backlash. But again, you're talking about - you know, it's like when old Coke changed to new Coke. 

Dave Bittner: (Laughter) Now, Ben. 

Ben Yelin: I... 

Dave Bittner: I was alive when that happened. I don't think you - you certainly weren't conscious. You weren't keeping track of these things when that happened. I was in high school when that happened. 

Ben Yelin: I was not. I mean... 

Dave Bittner: (Laughter). 

Ben Yelin: You remember that, though. It's not like, you know... 

Dave Bittner: No. 

Ben Yelin: If Tab changed their flavor... 

Dave Bittner: Right. Right. 

Ben Yelin: ...No one would have batted an eye. 

Dave Bittner: Right. 

Ben Yelin: But because it was Coca-Cola... 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah. Absolutely. Well, and I think, as we spoke about in our original episode, I think part of this was a little bit of hubris on Apple's part. You know, they have been on the side of them knowing what's best for users time and time again. And it most of the time pays off for them. 

Ben Yelin: Right. 

Dave Bittner: Right? So you have that. I saw one Apple pundit who was saying that the fact that Apple didn't just go ahead and implement this, the fact that Apple announced it before implementation, was a sign that Apple was open to criticism. I don't know that I buy that argument (laughter). 

Ben Yelin: No, I don't buy that either, especially from what we just said about... 

Dave Bittner: Right. 

Ben Yelin: ...How they were sending out bragging press releases. I think... 

Dave Bittner: Right. 

Ben Yelin: ...You know, there's always some lead time before you actually engage in a new program. I think it's natural to have that lead time. 

Dave Bittner: Right. 

Ben Yelin: I... 

Dave Bittner: It was going to roll out with a new version of the operating system... 

Ben Yelin: Right. 

Dave Bittner: ...Which is on a set cadence, you know? 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: Yeah. 

Ben Yelin: Which always, they insist, is going to download between 1:00 and 5:00 a.m., but... 

Dave Bittner: (Laughter). 

Ben Yelin: ...I always wake up in the morning, and even when it's plugged in, it says, we weren't able to download the new iOS. So maybe they can fix that problem. 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. 

Dave Bittner: That horrible amount of time you have to sit there with no phone. It's like having your arm cut off. 

Ben Yelin: It's so boring. 

Dave Bittner: What are we going to do? All right. Well, you know, interesting development for sure. I'm trying to think, am I surprised that Apple has paused this? I suppose in some ways I am. Because again, Apple's corporate attitude is, we know what's best, and you'll come around, you know (laughter) eventually. 

Ben Yelin: Right. 

Dave Bittner: Like we say, you know, you don't need that headphone jack. You'll come around, right? 

Ben Yelin: Yeah. And they've withstood previous backlashes... 

Dave Bittner: Right. 

Ben Yelin: ...Which is what makes this interesting. 

Dave Bittner: Yeah. 

Ben Yelin: I think perhaps they are, you know, tuning in more to what these privacy and advocacy groups are saying... 

Dave Bittner: Yeah. 

Ben Yelin: ...Than they have in the past, realizing, you know, that that is such an important part of their market base. 

Dave Bittner: Right. Right. All right. Well, we will have a link to that New York Times article that really has a good overview of it. We'll have that in the show notes. 

Dave Bittner: My story this week also has to do with Apple, although a much lighter topic. I'm using the coverage from Daring Fireball, which is John Gruber's Mac news website. He provides a lot of news and commentary on all things Apple. And I think he has a good overview of this particular issue. His article is titled, "Initial Details on Using Driver's Licenses and State IDs in Apple Wallet." And Apple recently released a press release, saying that they were working with several states. Arizona, Georgia, Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah are among the first ones to work with Apple on making your state IDs accessible via your iPhone or Apple Watch with Apple's wallet technology. This, I think, is very interesting. We've talked before about the issue with our IDs having barcodes on them... 

Ben Yelin: Yep. 

Dave Bittner: ...And being able to walk up to a bar, for example, and the bouncer's scanning our driver's license and getting every bit of information on that driver's license... 

Ben Yelin: Right. 

Dave Bittner: ...And being able to share that information with the bar across town, right? So that if I'm a problem customer at this bar... 

Ben Yelin: Which we know you are. Yep. 

Dave Bittner: Yes, I am. I'm - yes, absolutely. If I go to the bar across town, they will have been warned about me and will know not to let me in, right? So that's a potential, and not just a theoretical. That was a use case bars were actually doing. 

Ben Yelin: Right. Right. I feel like we talked about this a long time ago. 

Dave Bittner: We did. 

Ben Yelin: Yeah. 

Dave Bittner: We did. The problem is - one of the problems is - that I hand that license over to the bouncer. And really the only piece of information that bouncer needs about me is, am I old enough to enter this place? 

Ben Yelin: Right. 

Dave Bittner: The bouncer does not need my home address. 

Ben Yelin: Or the fact that you're an organ donor. 

Dave Bittner: Right. 

Ben Yelin: Yeah. 

Dave Bittner: Or God forbid, my weight. 

Ben Yelin: Yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: Although that's, you know... 

Dave Bittner: (Laughter). 

Ben Yelin: Let's just say they always measure that in the past. 

Dave Bittner: (Laughter) That's right. 

Ben Yelin: So for most people, that's a lower number than the current weight. 

Dave Bittner: Yeah, exactly. I recently got my driver's license renewed. And there was a moment when - the lovely lady who was helping me, you know, fill out all the information, we kind of looked at each other for a moment when she asked, is this weight up to date? 

(LAUGHTER) 

Dave Bittner: I sort of said, I haven't been that weight since, you know, 1995 (laughter). 

Ben Yelin: Yeah. And not to take more time on this, but when - I first got my driver's license when I was in high school. And I badly estimated my weight then. 

Dave Bittner: Right. 

Ben Yelin: And then I had that same weight on my driver's license for about 10 years. It said I was 135 pounds, which... 

Dave Bittner: Yeah (laughter). 

Ben Yelin: ...If anybody's ever seen me... 

Dave Bittner: Yeah. 

Ben Yelin: ...That's absolutely comical. Yeah. 

Dave Bittner: Yeah. Yeah. So what's interesting about this is that this technology in Apple Wallet will allow you to use this virtual ID. And according to this - just a quote here from Apple's statement about this. It says, driver's licenses and state IDs in Wallet are only presented digitally through encrypted communication directly between the device and the identity reader, so users do not need to unlock, show or hand over their device. And to me, that is a key... 

Ben Yelin: Absolutely. 

Dave Bittner: ...Point here, because you never, ever, ever, ever, ever, ever, ever (laughter) want to hand over your device to law enforcement. 

Ben Yelin: Or to anyone for that matter, but especially law enforcement. 

Dave Bittner: Yeah. Right. 

Ben Yelin: Yeah. I mean, am I wrong to be a little bit excited that this is being rolled out in our home state of Maryland? 

Dave Bittner: I'm intrigued. I say, I'm intrigued. I think the obvious use case for this, and probably the leading-edge use case of this is going to be TSA at the airport. 

Ben Yelin: Right. 

Dave Bittner: The TSA is going to accept this. So rather than having to pull out your driver's license, you'll be able to - you know, the same way... 

Ben Yelin: Scan your boarding pass... 

Dave Bittner: Yeah. 

Ben Yelin: ...Scan your license. Yeah. 

Dave Bittner: And if you use - if you're familiar with using Apple Pay - or if you're on an Android device, Google Pay - it's the same sort of thing. You just tap your device, bloop. It hands over your identification, presumably, in this case... 

Ben Yelin: You are who you are, yep. 

Dave Bittner: ...Your photo, your - right. And off you go. This seems great to me. I don't think that this is really going to be a situation where you're going to be able to leave your driver's license at home because - just in case (laughter). 

Ben Yelin: Right. 

Dave Bittner: Right? But I think it could streamline things. It could make things faster. 

Ben Yelin: Yeah. I think that's true. And I think the security standards, from what we've seen so far, are robust enough that, you know, any added convenience might, you know, supersede whatever security concerns I might have. 

Dave Bittner: Right. 

Ben Yelin: You know, they've talked about using a particular standard that Apple has developed for the mobile's driver's - mobile driver's license to ensure that, you know, it meets industry standards... 

Dave Bittner: It's going to be an open standard. 

Ben Yelin: It's an open standard. 

Dave Bittner: Yep. Yeah. 

Ben Yelin: So, you know, if you're nerdy about that stuff, you can even go and look at it for yourself. So I - yeah, I think it's, you know, something for us to be somewhat excited about. Now, I think policymakers in each of these states are going to have to write into legislation or executive orders, you know, requiring that the digital license plates meet the most recent, rigorous industry standards. I think that's going to be a requirement because if they allow for mobile driver's license based on the current standards and some new, you know, potential security threats emerge, then you get into this period of stasis where nothing changes, you know, maybe information becomes more vulnerable. There's nothing in state legislation or coming out of the State Department of Information Technology requiring you to, you know, adjust your security practices. That's where we could get in some danger. But otherwise, you know, I feel like, bring it on. I already have my airline tickets and my, you know, loyalty cards and my Apple Wallet. And, you know, maybe I'll be adding my driver's license. 

Dave Bittner: What about the traffic stop situation here, right? To me, this is a potentially problem area for this. 

Ben Yelin: Yes. 

Dave Bittner: People have pointed out you get pulled over for whatever, you know, you're speeding. You run a stop sign. Who knows? And the police officer says, you know, I need your ID. 

Ben Yelin: License and registration, please. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: Yeah. 

Dave Bittner: You - and you - now this presumes that the police officer is going to have something that can read this. 

Ben Yelin: Which, in the short term, is probably not a reasonable... 

Dave Bittner: Correct. 

Ben Yelin: Yeah - assumption. 

Dave Bittner: Correct. You certainly don't want to hand over your phone so that the police officer can take it back to their squad car to scan it. 

Ben Yelin: Please, don't do that. 

Dave Bittner: Even if it's locked... 

Ben Yelin: Right. 

Dave Bittner: ...Right? So does that really just make it not practical for that? 

Ben Yelin: You'd have to have - you know, this is another thing I think has to be written in legislation that adopts - or regulation that adopts mobile driver's license, where the customer still has possession of the device. They can scan it on a mobile scanner so that that device never gets into the hand of law enforcement. But law enforcement, once they've received the relevant information, can go back to the car, you know? That's - I feel like we're a very long time for - from that being operational. I mean, for one thing, that would have to be adopted not only by state law enforcement agencies but local law enforcement. 

Dave Bittner: Right. 

Ben Yelin: And so, you know, I wouldn't go driving around without your driver's license... 

Dave Bittner: Yeah. 

Ben Yelin: ...Physical driver's license anytime soon. 

Dave Bittner: I wonder to what degree is the user going to have control over what information is shared. For example, am I able to dial it in? If I go to the bar... 

Ben Yelin: Right. 

Dave Bittner: ...And I don't want everything shared, am I in control of that? Or are they going to have some sort of standard where if you're a bar, you only are entitled to this information? I would much rather have that be under my control than the bar's. 

Ben Yelin: Right. And it seems like, from what this article is saying - is that the bar or the TSA, they're going to be the ones determining what information they want. You know, maybe that's something else that we could put into legislation or regulation, where, you know, we require organizations who are scanning these mobile driver's license to only collect the information they need to collect for their practical business purposes. So for a bar, it's your age. You know, for the TSA, it's probably going to be most of what's on your driver's license... 

Dave Bittner: Yeah. 

Ben Yelin: ...So they can be sure that it's you... 

Dave Bittner: Right (laughter). 

Ben Yelin: ...Probably don't need your address. But, you know... 

Dave Bittner: Who knows? 

Ben Yelin: Yeah - a lot of what else is on there. 

Dave Bittner: Yeah. 

Ben Yelin: But, yeah, I mean, it would be good to give the user that option of what to share. It still gives the - you know, the TSA or law enforcement or the bar some power because they could say, all right, well, you're not getting into this bar unless, you know, I see more information than just your age. 

Dave Bittner: Right. 

Ben Yelin: I want to make sure your name is on there, too. I want, you know, you to use some biometric something or other to ensure that you're not your older brother. 

Dave Bittner: (Laughter) Right. Right. Right. Right. It's getting harder to - the days of the McLovin fake ID are... 

Ben Yelin: Yeah. 

Dave Bittner: ...(Laughter) Are getting harder and harder to pull off, right (laughter)? 

Ben Yelin: Yes. You're a 25-year-old from Hawaii? 

Dave Bittner: (Laughter). 

Ben Yelin: I am McLovin. 

Dave Bittner: Yes, I am. Yes. Yes, I am (laughter). All right. Well, that is my story this week. We will have a link to that - again, from John Gruber over at Daring Fireball. I think he has a good summary and analysis of it. So we will have a link to that. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Aaron Tantleff. He is from Foley & Lardner’s Privacy, Security & Information Management Practice. And our conversation centers on Colorado's privacy laws and the ways that it differs from CCPA and how companies need to prepare. Here's my conversation with Aaron Tantleff. 

Aaron Tantleff: I would say, the reason why I probably don't have the best answer in terms of what - you know, in terms of, you know, why it happened - there's a desire for a number of states, not just Colorado, but for a number of states to pass some type of comprehensive privacy legislation. Obviously, California was the first and then Virginia. Other states are looking at it. But there seems to be a divide or discussion amongst whether or not, for example, there will be a federal piece of legislation and whether that federal legislation will have state preemption or not, what that would mean for the states, but also, how doing business within the states was impacted by - you know, by this growing ability to use personal data. 

Aaron Tantleff: We're seeing - you know, there are states adopting it, various countries who have adopted it. And it impacts businesses. And there's also the desire to protect the residents of the state. There's certainly a growing voice amongst consumers, you know - and I guess you would call it constituents - who are clamoring for more comprehensive protection over their personal information, as well as the concern about how private businesses and even how governments are utilizing their personal information for their personal gain, at the detriment of the individuals or even at the ability to, let's say, make people uncomfortable. 

Aaron Tantleff: And so the desire to create legislation is one of those things. And I think part of the desire in a place like Colorado - and you can see it in how they designed the legislation - is trying to find or, as they would say, thread the needle between how to protect consumers but ensure that the legislation remains business friendly. We - you know, they want to make sure that in a place like Colorado, which is - you know, it's certainly attracting business. There's a lot of growth there. But at the same time, what we see is privacy legislation amongst other types of legislation, so not just privacy. But certainly, this is one of them that has the ability to, let's say, strike fear into the hearts and minds of companies who are trying to do business in the state or try to direct business towards or market to the residents of those states. 

Aaron Tantleff: And in a place like Colorado with a growing business community is to ensure that it remains protective of their constituents and their residents and protects business. In fact, when passing the legislation, the governor, in an issued statement that he had made to the general assembly - I think he said, in a haste to pass this legislation or to pass the bill, he was concerned that there were still a number of issues even outstanding as of then, but realized that they needed to get the legislation out there. But part of what, you know, they're trying to do - and he's urging the general assembly to take a look at to ensure that they continue to strike an appropriate balance between the consumer protection while not stifling the innovation and Colorado's position as a top state to do business in. 

Aaron Tantleff: But the point there was, as I took away from that - when I was thinking about why this legislation has certain exemptions in it or where it's different from California and Virginia and others that are pending is, I think, because of that focus to ensuring it remains a business-friendly state. So while I think a lot of other privacy legislation in itself truly focused on people, truly focused on protecting personal data, you didn't see any overt acts of deference towards business. But surprisingly enough, though, there are a few tweaks in here that seem to be at odds with that statement. And I wonder if they are the type of thing that would be primed for targeting. So for example, before I run away with this whole thing... 

(LAUGHTER) 

Aaron Tantleff: ...I'll let you ask some questions. But one of them was, which was fascinating - is underneath the CPA, there is no revenue threshold, right? So just like, you know, with California and just like with Virginia, when it seeks to target businesses, you know, Colorado makes it clear that it intentionally applies to businesses that intentionally target Colorado consumers and collect or store data on at least 100,000 consumers or on revenue from selling data of at least 25,000 consumers. So initially, that number's higher than the CCPA. But when you look at the new CPRA and Virginia's CDPA, then that number's consistent. So whatever it - for whatever reason, 100,000 is sort of the number that's consistent across the states. And that's fine. 

Aaron Tantleff: If you control a process - the personal data of at least 25,000 Colorado consumers per year and you derive revenue or receive a discount on pricing of goods or services, etc. on the sale of personal data, you can be subject to the CPA. However, unlike the CCPA or the Virginia CDPA, there is no percentage threshold, or any type of revenue or discount that's received from the sale of personal data may be sufficient, and even if you're talking a de minimis amount of money. So on one hand, this becomes an interesting anecdote about how the CPA ensuring that Colorado remains a top state to do business in because this likely could result in a significant amount of litigation because if you think about how difficult it would be to show that there isn't some type of consideration associated with that sale of personal data, the other aspect of that - the lack of the revenue threshold - the idea here, if you think about in the other states - California, etc. - so it's a company who's got - who may have a higher revenue stream - right? - but they're not in the business of processing personal data. So under CPA, they would still likely be considered - they would still likely fall under this legislation. 

Aaron Tantleff: So, you know, where you think about, like, California's CPA or CPRA, you know that it's specifically trying to target those types of businesses. Under Virginia, it targets pretty much every business or almost every business. Obviously, there are certain - still thresholds that you have to hit. But it becomes very difficult not to hit those thresholds based upon their definitions. 

Dave Bittner: Now, when you're advising your clients, the folks that you work with, are there any particular areas that you're warning them to look out for? Are there any, you know, pitfalls or prickly parts of this that need attention? 

Aaron Tantleff: Well, so actually the first one is sort of - let's take that actually back a step. So the legislation goes into effect July 1, 2023. And there's the discussion with the Colorado AG's office - may adopt rules between now and, you know, before January 1, 2025. The first question's that clients are saying, well, 2023 is a long time away. July 1, 2023 is a long time away. And there could be amendments out there. There is a lot of discussion as to whether or not something is going to be effective or not. 

Aaron Tantleff: So we first eliminate things that would be - that they would be subject to regardless of Colorado's - and any change because we know they would be subject to something very similar under GDPR, under CCPA, under CDPA and others that are out coming into effect - again, unique things under CPA. And the question becomes, do we start working on compliance now, or do we wait to see what amendments have been passed? And quite frankly, some companies, you know, have already decided, we scrambled when GDPR came around. We scrambled when CCPA came around. You know, we scrambled - you know, if we were subject to HIPAA - whatever it may have been. So everyone had different points in their career or in their times of when they scrambled. So scrambling is becoming, I hate to say it, somewhat of a method of doing business when it comes to privacy in some of these states, you know? 

Aaron Tantleff: So that's one aspect of themselves, is that, you know, we've already implemented for GDPR. We've already started our CCPA. And now we're looking at doing CPRA and CDPA. Do we need to specifically add in Colorado? And while there are some differences, you know, some companies are saying, we're almost there. We don't yet know what these amendments are going to be. We don't know how it's going to impact it. It's still some time away. We believe that what we have left to do may not be as difficult as it once seemed. Or maybe we're already given more rights. 

Aaron Tantleff: But the flip side is actually - is we're getting some clients who are saying, I was exempt under CCPA. I'm exempt under CDPA. But it appears as though I may not be exempt under CPA. So question one is, what do we think? Do we think that there's going to be an amendment that's going to move them outside of it again? Or will they have to start worrying about it? Under CPA, though, there are some things that I do believe businesses have - I don't want to say concerned about, but have - you know, what I do think will have additional obligations that they haven't had so far that will have an impact on how they utilize business or how they document and move forward. So I think there's been some different views on transparency as to what companies are required to provide to individuals with respect to their data. 

Aaron Tantleff: And companies have been asking, how are they supposed to document everything that's being required under CPA, and how do they share that with them? And there are certainly technological solutions that will enable that to be easily addressed in theory, assuming people get comfortable with, how do you disclose everything that's there? - 'cause part of it is - you know, there's a discussion as to whether or not some of these issues of transparency, as to how you use it, could even - either trade secret or some other type of proprietary information on the company as to who they share information with, how they share it - and the question is, is there a way to share this information without disclosing, you know, who some of our partners may be or how we process this data to derive certain information? Or who do we partner with? And so that's something that I know we've been in discussions with some companies as to their level of comfort as to how much information has to be disclosed. 

Aaron Tantleff: Another one where I do know that we're seeing a lot of interest in terms of companies trying to understand what does it mean, which we've already seen before - this idea of, you know, secondary use. Under the CCPA and CPRA as well as the CDPA, you know, hearkens to, you know, sort of, like, the GDPR, is the duty to avoid secondary use of data. So companies that have complied with or are working on their compliance with CCPA, CPRA, CDPA, have been asking about this issue because it's one of those where it's new to those businesses that are operating, at least, you know, certainly domestically. 

Aaron Tantleff: The other aspect about it is, it doesn't comport with, again, the governor's statement about, we want to make sure we're - ensure that we don't stifle innovation in business in Colorado. So in the legislation, there is a prohibition on companies who are - you know, to use data for any purpose that's not reasonably necessary or compatible with the specified purposes for which personal data are processed. You know, while the legislation, you know, certainly makes it easy that you could override this by seeking new consent, that doesn't necessarily alleviate the issue because, one, a business needs to now make sure it flags the data as to how it's - you know, what the consent was for, you know, how that data was originally processed. 

Aaron Tantleff: There used to be, if you remember years ago, privacy policies that said, we can use your data for A, B and C and for any other purpose we so choose, you know, now or in the future. We don't see that anymore in privacy policies. That's pretty much because the FTC has its own position on, you know, post-collection data practices - that your use of the data must be consistent with the nature in which you collected it. 

Aaron Tantleff: The CPA, I think, goes beyond that because the CPA takes the position that it can only be used for the specified purposes. And they talk about the express consent requirement for new uses. While the FTC, you know, does identify that - you know, your purpose of your post-data collection use, you know, consistent with pre-collection use, it's not as narrow as what the CPA has done. 

Aaron Tantleff: So for a lot of businesses - this restriction will be significant for a lot of businesses. Because there is the tendency, whether intentionally or otherwise, for businesses to, you know, utilize the data they've collected for a variety of purposes, generally aligning with what's stated. But it's not unrealistic to either think about or see companies moving that line out a little bit further or, you know, utilizing it for other purposes within the company that may not be - you know, they may be related, right? They may be, whether directly on point or tangentially related. 

Aaron Tantleff: But I believe in a lot of uses that I've seen companies do and things that we have written opinions about as to whether or not this would likely be permitted - you know, and we've - you know, we've discussed, you know, with clients both, you know, uses that a permissible and one we don't think they should consider without seeking express consent or disclosing that. I think this language under the CPA takes it much further. 

Aaron Tantleff: And as a result of that, I think it's going to require companies to put a lot more scrutiny into those specified purposes, you know, as per the CPA, as to what they're disclosing and getting consent for, as well as what they need to follow up and get consent for. Because it's not practical to think that a compliant policy going forward or for some time would allow you to have a vague or generic sort of forward-thinking statement encompassing new uses that are not yet employed by a company or contemplated. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: A couple of interesting elements, to me, of the conversation. One is that Colorado is trying to fashion itself as a good place to do business. As your interviewee said, it's a state that's had a lot of growth recently. So they're really trying to thread that needle, as you said, between trying to protect user privacy, while also, you know, not making Colorado a difficult state to do business with. 

Dave Bittner: Right. Right. 

Ben Yelin: And the other thing that stuck out to me is this question of the income thresholds. You know, I think that's a gap because you don't want these privacy laws to apply to mom and pop shops who aren't going to be able to pay the compliance costs. 

Dave Bittner: Right. 

Ben Yelin: So I think that's something that California has done well. You know, it's not an easy question to answer because sometimes, you know, net revenue or whatever is hard to measure. But I thought that was another really interesting element of the interview. 

Dave Bittner: Yeah, it reminds me - like, there are some things with federal laws with having to comply with disability... 

Ben Yelin: Right. 

Dave Bittner: ...You know, guidelines, where your company has to have a certain number of people... 

Ben Yelin: Yeah. 

Dave Bittner: ...Before there - you know, before you have to have everything be wheelchair-accessible, for example, you know, things like that, which... 

Ben Yelin: Yeah. And it has some downstream effects because, you know, then a company might - if a bunch of new regulations go into place when you hit your 50th person, the company might try and limit its employees to 49. I mean, it has effects on the margins, for sure. 

Dave Bittner: Right. Right. Well, our thanks to Aaron Tantleff for joining us again. He is from Foley & Lardner’s Privacy, Security & Information Management Practice. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
KnowBe4
KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. Their new school security awareness training platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Learn more at KnowBe4.com.