New Report Explores Privacy Implications of Driver Safety Systems

Report Offers Recommendations for Organizations Developing, Implementing, and Regulating Technologies

Today, the Future of Privacy Forum (FPF) is releasing a new report explaining how safeguarding driver privacy and data protection will be critical to ensuring widespread acceptance of new safety technology in vehicles. This report comes as the National Highway Traffic Safety Administration (NHTSA) is in the process of establishing new requirements for safety technology that vehicle manufacturers will soon integrate into vehicles of the future. 

FPF’s report explores the privacy implications of vehicle safety systems – including Advanced Driver Assistance Systems (ADAS) and Driver Monitoring Systems (DMS) – and impairment detection technologies, which use automated technology to enhance vehicle safety. In addition to core recommendations for public and private entities developing and enforcing these technologies, the report includes insights from a survey completed with the Automotive Coalition for Traffic Safety, which gauges individuals’ attitudes toward the use of Vehicle Safety Systems and explores how to prioritize privacy.

“Vehicle safety systems can save lives and reduce injuries–but only if people use them. Policy makers and auto manufacturers must consider the privacy and data protection implications for all drivers when incorporating new technology into vehicles to bolster driver trust and adoption.”

Adonne Washington, Policy Counsel of Data, Mobility, and Location

The 2021 Infrastructure Investment and Jobs Act requires NHTSA to establish a new Federal Motor Vehicle Safety Standard surrounding impaired driving technology. In response, the report identifies five core recommendations for organizations developing, implementing, and regulating these technologies:

The survey results informed the recommendations. The key findings from the survey revealed that many individuals value advanced vehicle safety technologies but worry about the privacy risks, accuracy of the technology, cost, and data transfers to third parties. Additionally, individuals indicated that they generally trust carmakers’ data practices more than online companies and the government but worry about vehicle systems that collect information about occupant behaviors. Individuals want to incorporate these technologies for safety but need privacy and data protection practices like disclosure limits, encryption, on-car storage, and de-identification to trust these systems.

“Ensuring privacy protections in vehicles is necessary. Privacy protections can’t be considered at the end of the process when developing technology and shouldn’t be considered in a vacuum, but rather privacy should be continually considered in regard not only to every stage of the development pipeline but also to any unique risks for marginalized or multimarginalized individuals and communities.”

Adonne Washington, Policy Counsel of Data, Mobility, and Location

The report examines the strategies needed to protect consumer privacy when technologies, especially those to detect impairment, are included in vehicles. Washington underscored that policy leaders, regulators, and automakers should use the resources published to better understand drivers’ knowledge of data collection and safety systems in and around new and advanced vehicles.

FPF will also host a panel discussion and reception on the report. Learn more about the event here

DOWNLOAD THE REPORT

Privacy and the Rise of “Neurorights” in Latin America

Authors: Beth Do, Maria Badillo, Randy Cantz, Jameson Spivack

“Neurorights,” a set of proposed rights that specifically protect mental freedom and privacy, have captured the interest of many governments, scholars, and advocates. Nowhere is that more apparent than in Latin America, where several countries are actively seeking to enshrine these rights in law, and some even in their Constitutions.

The rapid global proliferation of neurotechnology—devices that can access mental states by decoding and modulating neural activity—has generated a large amount of consumer neurodata (also known as neural, brain, or cerebral data; brain information; mental activity; etc.). As most existing privacy laws do not separately or explicitly regulate neurodata—even though such data is normally covered by the broad definitions of “personal data” in such legislation—several governments and international bodies have begun to develop specific legal protections for this type of personal data.

This analysis focuses on current legislative efforts in Chile, Mexico, and Brazil, which are indicative of how far the conversation in Latin America has progressed. Other jurisdictions, such as the United States, Israel, South Korea, and Europe, are also in the nascent stages of discussing protections for mental privacy. As neurotechnologies continue to evolve, industry and regulatory bodies alike should look to Latin America for developing trends and best practices.

1. What is neurotechnology?

Neurotechnology is an umbrella term for technologies that allow access to neurodata. Raw neurodata is collected from an individual’s central nervous system (the brain and spinal cord) and/or peripheral nervous system (the nerves outside the brain and spinal cord), including electrical activity between these systems. Neurotechnology includes both traditional techniques such as electroencephalography (EEG) testing and magnetic resonance imaging (MRI) scans, as well as new methods that can monitor or modulate brain activity.

Neurodata is valuable and uniquely sensitive as it can access a person’s emotions, biases, and memories. For example, EEGs can measure inattention, as brainwaves can indicate whether someone’s mind is focused or wandering. With sufficient data over a period of time, brainwave patterns may also even be more uniquely identifying than fingerprints.

2. What are neurorights?

“Neurorights” have been formulated to encompass mental privacy, integrity, and liberty. They are not yet widely recognized at the national level or codified in an international human rights framework, and there is disagreement about their usefulness as a conceptual framework. Some prefer using other terms such as “mental privacy” or “cognitive liberty;” others question the necessity of introducing new rights, or if current legal frameworks are sufficient or could be strengthened to account for them. Neurorights can be simplified into five fundamental rights:

3. The emergence of neurorights

Advances in neurotechnology, partly funded by large research programs such as the US-based Brain Research Through Advancing Innovative Neurotechnologies (BRAIN) Initiative, have spurred global interest in establishing legal safeguards for the brain and neurodata. In 2019, the Organisation for Economic Co-operation and Development (OECD) developed the first international standards to respond to neurotechnology’s ethical, legal, and social challenges. The OECD’s Recommendation on Responsible Innovation in Neurotechnology provides guiding principles to prioritize safety, inclusivity, collaboration, and trust in neurotechnology. In 2022, the UNESCO International Bioethics Committee issued a report on the ethical issues of neurotechnology and advocated for a comprehensive governance framework.

On a regional level, the Inter-American Juridical Committee of the Organization of American States (OAS) issued a Declaration on neuroscience and neurotechnologies and human rights in 2021. Two years later, the OAS followed up with a set of Principles to align international standards to national frameworks. In the same year, the Ibero-American Network of Data Protection Authorities (RIPD), the main forum for Spanish- and Portuguese-speaking data protection regulators, declared support for the OAS Declaration and Principles and announced the establishment of a working group on neurodata.

Perhaps the most consequential call for action was the 2022 Neurorights Model Law, drafted by the Latin American and Caribbean Parliament (Parlatino), a regional organization that promotes regional integration through legislative harmonization. The model law provides both structure and foundational concepts to regulate neurotechnology, including establishing an independent oversight authority and providing redress mechanisms. 

Transnational stakeholders such as the OAS and Parlatino have played large roles in establishing Latin America as a leading player in the neurorights discussion. However, legislative initiatives at the domestic level may prove more influential, as their impact continues to reverberate in Latin America and beyond.

4. Chile: The first country to protect “mental integrity” in its Constitution

As a pioneer in the neuroprivacy movement, Chile was the first country to amend its Constitution to protect “mental integrity” and neurodata in 2021. Specifically, the provision states that “the law shall regulate the requirements, conditions, and restrictions for [neurodata], and shall especially protect brain activity, as well as the information derived from it.” Furthermore, scientific and technological developments are to be conducted with “respect for […] physical and mental integrity.”

Led by Senator Guido Girardi Lavín and several other legislators, the amendment centered on the individual identity as an intrinsic value of human evolution and referred to physical and psychic integrity as its main elements. The legislators asserted that any technological development affecting mental integrity, as a fundamental right, should be authorized by law. Simultaneously, the same legislators introduced Bill 13.828-19, which aimed to further regulate neurotechnology by requiring consent to use neurotechnology and establishing penalties for noncompliance.

In 2023, only two years after the country’s Constitution was amended, Chile’s Supreme Court became the first court to rule on a neuroprivacy case. The plaintiff, Senator Girardi, alleged that his brain data was insufficiently protected by the US-based Emotiv’s “Insight” device, a headband that records detailed information about the brain’s electrical activity. The Court ultimately found that Emotiv violated Sen. Girardi’s constitutional rights to physical and psychological integrity as well as the right to privacy, setting aside Emotiv’s arguments that the harms were hypothetical. Citing both Chilean domestic law and international human rights law, the Court focused on the fact that Emotiv retained Sen. Girardi’s data for research purposes, even in anonymized form, without obtaining prior consent for this specific purpose. In addition to setting a precedent for neuroprivacy litigation, this case reflects the neurorights movement’s influence beyond the policy sphere.

5. Mexico: Proposed constitutional amendment for neuroprivacy rights

As of March 2024, there are two pending neuroprivacy bills that seek to amend Mexico’s Constitution. The first bill, proposed by Deputy María Eugenia Hernández Pérez, would include the right to individual identity, as well as physical and psychological integrity. The Chilean constitutional amendment’s influence is noticeable throughout the Mexican bill, including language requiring the State to respect mental privacy and integrity. Moreover, the proposal has the same wording as Chile’s constitutional amendment and similarly spotlights the value of individual identity. 

The proposal centers on human identity and its relation to technology, and not solely privacy and data protection, which are already recognized as two separate fundamental rights under Article 16 of Mexico’s Constitution. It includes broad legal safeguards to ensure the confidentiality of neurodata collection, informed consent before access, clear limits on neurotechnologies, and anti-discrimination measures. Moreover, the bill notes that while some local laws protect human rights and neurodata in the context of medical and scientific uses, there is a lack of regulation for non-medical uses.

The second Mexican bill, spearheaded by Senator Alejandra Lagunes Soto Ruiz, would amend Article 73 of the Constitution to provide congressional authorization to pass federal legislation related to artificial intelligence (AI), cybersecurity, and neurorights. Under this authority, Congress could safeguard mental privacy, cognitive autonomy, informed consent for the use of brain data, identity and self-expression, non-discrimination, and equal access to technology. 

Both bills acknowledge that neuroprivacy is an emerging concept and focus on how neurotechnology could jeopardize fundamental rights. Although these bills approach the issue from different viewpoints, they both seek to protect personal data and build citizen trust. Additionally, in November 2023 the Mexican Data Protection Authority published a Digital Human Rights Charter that recognizes the five fundamental neurorights.

6. Brazil: Proposed constitutional amendment and neuroprivacy rights in privacy law

Several neuroprivacy initiatives have gained traction in Brazil. Bill 29/2023, introduced by Senator Randolph Frederich Rodrigues Alves in June 2023, seeks to amend the Brazilian Constitution to include protections for mental integrity and algorithmic transparency. In particular, the proposal highlights that recognizing “mental integrity” is essential to expand the “legal and normative understanding of human dignity in this new digital context” that protects both personal data and the “psychic and physical integrity of human beings.” The proposal was presented to the Senate in June 2023 and is pending until a Rapporteur is appointed to review the bill. 1 Of note, the Brazilian Constitution was amended in February 2022 to include a right to the protection of personal data, distinct from the right to privacy.

Separately, Bill 522/2022, introduced by Deputy Carlos Henrique Gaguim in March 2022, would amend Brazil’s General Data Protection Law (LGPD) to regulate neurodata as a category of sensitive data. The bill would add a new section to regulate the processing of neurodata, emphasizing that the request for consent must “clearly and prominently indicate the possible physical, cognitive and emotional effects” of processing neurodata. Currently, Article 5 of the LGPD establishes racial and ethnic origin; religious, political, and philosophical affiliations; health, sexual and life data; and genetic and biometric data as categories of sensitive data. However, the proposal highlights the need to include neurodata as a distinct category of sensitive data, not to be confused or associated with biometric data. The bill was approved by the Health Commission Rapporteur in October 2023 and awaits further consideration. 

The neurorights discussion has also made its way into Brazil’s Federal Civil Code. In December 2023, the Sub-Committee on Digital Law of the Commission of Jurists, who are responsible for reviewing the Civil Code, submitted a report that seeks to recognize neuroprivacy under the LGPD. Independently, in December 2023, Río Grande do Sul, Brazil’s fifth-largest state by population, amended its Constitution to include neurorights, specifying mental integrity as a constitutional principle.

7. Other regional initiatives

Similar legislative efforts are underway in the region, with some variations:

As neurotechnology continues to advance, it raises key questions about how the data involved should be regulated. Latin America is at the forefront of that conversation and has paved the way in recognizing neuroprivacy, from Chile’s Constitution, to Mexico and Brazil’s pending legislation. Regional frameworks, such as the OAS Declaration and Principles, illustrate that neurorights are coalescing on the international level as well. The groundswell of legislative proposals and domestic laws demonstrates that the fight for neuroprivacy is here to stay—and for now, at least, Latin America is the place to watch.

1 According to the Brazilian Chamber of Deputies Internal Rules, Art. 56, committee bills and other proposals will be examined by a Rapporteur who must issue an opinion.

AI Audits, Equity Awareness in Data Privacy Methods, and Facial Recognition Technologies are Major Topics During This Year’s Privacy Papers for Policymakers Events

Author: Judy Wang, Communications Intern, FPF

The Future of Privacy Forum (FPF) hosted two engaging events honoring 2023’s must-read privacy scholarship at the 14th Annual Privacy Papers for Policymakers ceremonies.

On Tuesday, February 27, FPF hosted a Capitol Hill event featuring an opening keynote by U.S. Senator Peter Welch (D-VT) as well as facilitated discussions with the winning authors: Mislav Balunovic, Emily Black, Albert Fox Cahn, Brenda Leong, Hideyuki Matsumi, Claire McKay Bowen, Joshua Snoke, Daniel Solove, and Robin Staab. Experts from academia, industry, and government moderated these policy discussions, including Michael Akinwumi, Didier Barjon, Miranda Bogen, Edgar Rivas, and Alicia Solow-Niederman.

On Friday, March 1, FPF honored winners of internationally focused papers in a virtual conversation hosted by FPF Global Policy Manager Bianca-Ioana Marcu, with FPF CEO Jules Polonetsky providing opening remarks. Watch the virtual event here.

For the in-person event on Capitol Hill, Jordan Francis, FPF’s Elise Berkower Fellow, provided welcome remarks and emceed the night, thanking Alan Raul, FPF Board President, and Debra Berlyn, FPF Board Treasurer, for being present. Mr. Francis noted he was excited to present leading privacy research relevant to Congress, federal agencies, and international data protection authorities (DPAs).

fpf privacy papers jordan francis

FPF’s Jordan Francis

In his keynote, Senator Welch celebrated the importance of privacy and the pioneering work done by this year’s winners. He emphasized that privacy is a right that should be protected constitutionally and that researchers studying digital platforms are essential for understanding evolving technologies and their impacts on our privacy. He also told the authors that their scholarship is consistent with the pioneering work of Justice Louis Brandeis and Samuel Warren, stating that “the fundamental respect that they had then underlies the work that you do for American citizens today.” He concluded his remarks by highlighting the need for an agency devoted to protecting privacy and that the work done by the authors is providing that foundation.

fpf privacy papers senator welch

Senator Peter Welch (D-VT) 

Following Senator Welch’s keynote address, the event shifted to discussions between the winning authors and expert discussants. The 2023 PPPM Digest includes summaries of the papers and more information about the authors.

Professor Emily Black (Barnard College, Columbia University) kicked off the first discussion of the night with Michael Akinwumi (Chief Responsible AI Officer at the National Fair Housing Alliance) by talking about her paper, Less Discriminatory Algorithms, co-written with Logan Koepke (Upturn), Pauline Kim (Washington University School of Law), Solon Barocas (Microsoft Research), and Mingwei Hsu (Upturn). Their paper analyzes how entities that use algorithmic systems in traditional civil rights domains like housing, employment, and credit should have a duty to search for and implement less discriminatory algorithms (LDAs). During her conversation, Professor Black discussed model multiplicity and argued that businesses should have an onus to proactively search for less discriminatory alternatives. They also discussed the reframing of the industry approach, what regulatory guidance could look like, and how this aligns with President Biden’s “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” 

fpf privacy papers professor black and micahel akinwumi

Michael Akinwumi and Professor Emily Black

Next, Claire McKay Bowen (Urban Institute) and Joshua Snoke (RAND Corporation) discussed their paper, Do No Harm Guide: Applying Equity Awareness in Data Privacy Methods, with Miranda Bogen (Director, AI Governance Lab at the Center for Democracy & Technology). Their paper uses interviews with experts on privacy-preserving methods and data sharing to highlight equity-focused work in statistical data privacy. Their conversation explored questions such as “What are privacy utility trade-offs?”, “What do we mean by data representation?” and highlighted real-world examples of equity issues surrounding data access, such as informing prospective transgender students about campus demographics versus protecting current transgender students at law schools. They also touched on aspirational workflows, including tools and recommendations. Attendees asked questions regarding data cooperatives, census data, and more.

fpf privacy papers bowen snoke and bogen

Miranda Bogen, Claire McKay Bowen, and Joshua Snoke

Brenda Leong (Luminos.Law) and Albert Fox Cahn (Surveillance Technology Oversight Project) discussed their paper AI Audits: Who, When, How…Or Even If? with Edgar Rivas (Senior Policy Advisor for U.S. Senator John Hickenlooper (D-CO)). Co-written with Evan Selinger (Rochester Institute of Technology), their paper explains why AI audits are often regarded as essential tools within an overall responsible governance system while also discussing why some civil rights experts are skeptical that audits can fully address all AI system risks. During the conversation, Ms. Leong stated that AI audits need to be developed and analyzed because they will be included in governance and legislation. Mr. Cahn raised important questions, such as whether we have the accountability necessary for AI audits already being deployed and whether audit elements voluntarily provided in the private sector can translate to public compliance. The co-authors also discussed New York City’s 2023 audit law (used as a case study in their paper), commenting that the law’s standards and broad application potentially open the door for discussion of key issues, including those relating to discriminatory models.

fpf privacy papers leong and cahn

Brenda Leong and Albert Fox Cahn

During the next panel, Professor Daniel Solove (George Washington University Law School) discussed his paper Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data with Didier Barjon (Legislative Assistant for U.S. Senate Majority Leader Charles Schumer (D-NY)). His paper argues that heightened protection for sensitive data does not work because the sensitive data categories are vague and lack a coherent theory for identifying them. In their discussion, Professor Solove noted that we can still infer sensitive information through non-sensitive data, making it difficult to know which combinations can become sensitive data and which don’t. He then stated that to be effective, privacy law must focus on harm and risk rather than the nature of personal data: “Categories are not proxies—[we] need to do the hard work of figuring out the harm and risk around data.”

fpf privacy papers professor solove and didier barjon

Didier Barjon and Professor Daniel Solove

Professor Solove and Mr. Barjon were then joined on stage by Hideyuki Matsumi (Vrije Universiteit Brussel) to discuss Professor Solove’s and Mr. Matsumi’s co-authored paper, The Prediction Society: Algorithms and the Problems of Forecasting the Future. Their paper raises concerns about the rise of algorithmic predictions and how they not only forecast the future but also have the power to create and control it. Mr. Barjon asked the authors about the “self-fulfilling prophecy” problem discussed in the paper, and Mr. Matsumi explained that this refers to the idea that people perform better if there’s a higher expectation to do so and vice versa. Therefore, even if an algorithmic prediction is inaccurate, individuals susceptible to or prone to believe the prediction will be impacted, and the prediction will be made true, leading to what the authors called a “doom cycle.” The authors advocated for a risk-based approach to predictions and stated that we should analyze and think deeply about predictions rather than ban them altogether.

fpf privacy papers solove and matsumi

Hideyuki Matsumi and Professor Daniel Solove

In the evening’s final presentation, Robin Staab and Mislav Balunovic (ETH Zurich SRI Lab) discussed their paper, Beyond Memorization: Violating Privacy Via Inference with Large Language Models, with Professor Alicia Solow-Niederman (George Washington University Law School). Their paper, co-written with Mark Vero and Professor Martin Vechev (ETH Zurich SRI Lab), examined the capabilities of pre-trained large language models (LLMs) to infer personal attributes of a person from text on the internet and raised concerns about the ineffectiveness of protecting user privacy from LLM interferences. Professor Solow-Niederman asked the authors about the provider intervention suggested in the paper that could potentially align models to be privacy-protected. The authors noted that there are limitations to what providers can do and that there is a tradeoff between having better inferences across all areas or having limited inferences but better privacy. They also stated that we need to be aware that alignment is not the solution and that the way to move forward is for users to be aware that such inferences can happen and have the tools to write text from which inferences cannot be made.

fpf privacy papers staab balunovic and niederman

Professor Alicia Solow-Niederman, Robin Staab, and Mislav Balunovic

As panel discussions ended, FPF SVP for Policy John Verdi closed the event by thanking the audience, winning authors, judges, discussants, the FPF Events team, and FPF’s Jordan Francis for making the event happen.

fpf privacy papers john verdi

John Verdi

Thank you to Senator Peter Welch and Honorary Co-Hosts Congresswoman Diana DeGette (D-CO-1) and Senator Ed Markey (D-MA), Co-Chairs of the Congressional Privacy Caucus. We would also like to thank our winning authors, expert discussants, those who submitted papers, and event attendees for their thought-provoking work and support.

Later that week, FPF honored the winners of internationally focused papers in a virtual conversation hosted by FPF Global Policy Manager Bianca-Ioana Marcu, with FPF CEO Jules Polonetsky providing opening remarks.

The first discussion was moderated by FPF Policy Counsel Maria Badillo with authors Luca Belli (Fundação Getulio Vargas (FGV) Law School) and Pablo Palazzi (Allende & Brea) on their paper, Towards a Latin American Model of Adequacy for the International Transfer of Personal Data co-authored by Dr. Ana Brian Nougrères (University of Montevideo), Jonathan Mendoza Iserte (National Institute of Transparency, Access to Information and Personal Data Protection), and Nelson Remolina Angarita (Law School of the University of the Andes). The conversation focused on diverse mechanisms for data transfers, such as the adequacy system, and the relevance and necessity of having a regional model of adequacy, including the benefits of having a Latin American model. The authors also dive into the role of the Ibero-American Data Protection Network.

fpf pppm virtual event badillo belli and palazzi

Maria Badillo, Pablo A. Palazzi, and Professor Luca Belli

The second discussion of the event was led by FPF Senior Fellow and Considerati Managing Director Cornelia Kutterer with author Catherine Jasserand (University of Groningen) on her winning paper Experiments with Facial Recognition Technologies in Public Spaces: In Search of an EU Governance Framework. Their conversation highlighted the experiments and trials in the paper as well as the legality of facial recognition technologies under data protection law. The second portion of the discussion focused on the EU AI Act and how it relates to the relevancy and applicability of the laws highlighted in the paper.

fpf pppm virtual event kutterer and jasserand

Cornelia Kutterer and Professor Catherine Jasserand

We hope to see you next year at the 15th Annual Privacy Papers for Policymakers!

FPF Statement on the adoption of the EU AI Act and New Resource Webpage

“Today the European Union adopted the EU AI Act at the end of a long and intense legislative process. At the Future of Privacy Forum we believe that multistakeholder global approaches and advancing common understanding in the area of AI governance are key to ensuring a future with safe and trustworthy AI, one that protects fundamental rights while promoting innovation to benefit society. 

The EU AI Act is a comprehensive, binding law, with broad extraterritorial effect and is therefore poised to play a crucial role in the global debate on AI regulation. We welcome the openness and foresight of the European Union’s lawmakers to adopt a definition of AI systems that is interoperable with that proposed by the OECD. 

At the same time, we acknowledge the long and complicated road ahead to make the provisions of the EU AI Act effective in practice. With personal data playing a key role in the development and deployment of AI systems, we at the Future of Privacy Forum are paying particular attention to how privacy and data protection norms around the world interact with AI governance frameworks such as the EU AI Act. We will continue to explore this complicated question with research, convenings, and evidence-based tools related to AI governance.” 

Jules Polonetsky, CEO of the Future of Privacy Forum

For a list of existing FPF Resources on the EU AI Act, see our new dedicated webpage

FPF Files COPPA Comments with the Federal Trade Commission

Today, the Future of Privacy Forum (FPF) filed comments with the Federal Trade Commission (Commission) in response to its request for comment on the Children’s Online Privacy Protection Act (COPPA) proposed rule.

Read our comments in full.

As technology evolves, so must the regulations designed to protect children online, and FPF commends the Commission’s efforts to strengthen COPPA. In our comments, we outlined a number of recommendations and considerations that seek to further refine and update the proposed rule, from how it would interact with multiple provisions of a key student privacy law to the potential implications of a proposed secondary verifiable parental consent requirement. 

To amplify the questions about how COPPA would interact with the Family Educational Rights and Privacy Act (FERPA), FPF was also one of 12 signatories to a multistakeholder letter addressed to the Commission and Department of Education urging the development of joint guidance.

Read the letter here.

Considerations Applicable to All Operators

Children today are increasingly reliant on online services to connect with peers, seek out entertainment, or engage in educational activities, and while there is a great benefit to this, there are also risks to privacy and personal data protection, and we applaud the Commission for its ongoing efforts to find a balance between these tradeoffs. Our comments and recommendations focused on areas where we believe there is further opportunity to strike that balance, including:

Unique Considerations for Schools and Educational Technology

FPF commends the Commission’s effort to provide better clarity regarding how the rule should be applied in a school context; however, there are several areas where the proposed rule does not fully align with the Family Educational Rights and Privacy Act (FERPA), the primary federal law that governs use and disclosure of educational information. Both laws are complex, and the potential impact of confusion and misalignment is significant for the more than 13,000 school districts across the country and for the edtech vendor community.

With that in mind, our comments related to the proposed rule’s implications for student privacy focused in large part on identifying areas where more alignment and clarity around the interaction between COPPA and FERPA would be particularly instructive for both schools and edtech companies. Our recommendations include:

To read FPF’s COPPA comments in full, click here.

To download the joint letter to the FTC and U.S. Department of Education signed by FPF and 11 others, click here.

Little New About Hampshire

On March 6, 2024, Governor Sununu signed SB 255 into law, making New Hampshire the fourteenth U.S. State to adopt a comprehensive privacy law to govern the collection, use, and transfer of personal data. SB 255 is the second comprehensive privacy law enacted in 2024, the first having been New Jersey’s S332, which was also a holdover from the 2023 legislative session. Another example of states following the “Connecticut model,” S255 bears a strong resemblance to other laws following the Washington Privacy Act (WPA) framework. The law will take effect on January 1, 2025. This blog post addresses two unique facets of SB 255, including its narrow rulemaking authority and a unique provision addressing conflicts with other laws, while ultimately reflecting on how SB 255 is arguably the first “boring” state comprehensive privacy law.

1. Two Novel Provisions in New Hampshire

a. Narrow Rulemaking Authority

Prior to New Hampshire joining the fray, there were two approaches to rulemaking in the state comprehensive privacy landscape. In the first category are laws that provide no rulemaking authority, which includes a majority of enacted legislation. However, a handful of states—California, Colorado, and New Jersey— exist in another category where the legislation provides broad rulemaking authority, either to promulgate regulations for the purpose of carrying out the law or, in California’s case, to issue regulations on a variety of important topics. 

SB 255 breaks this trend by including two narrow rulemaking provisions. First, in section 507-H:6, which notes that the secretary of state will establish standards for privacy notices. The second rulemaking provision is section 507-H:4(II), which specifies that the secretary of state will establish a “secure and reliable means” for individuals to exercise their rights under the law. Most other states task controllers with establishing their own means for individuals to exercise their rights (e.g., Delaware). California was slightly more prescriptive in its requirements (e.g., requiring that businesses offer a toll-free telephone number to exercise rights) but ultimately leaves much to the discretion of businesses. New Hampshire’s requirement that the secretary of state establish a uniform means for exercising data rights could make it easier for individuals to submit requests given that the mechanism will not vary from controller-to-controller. Businesses interact with their customers in a variety of ways, however, and this standardization could pose challenges for businesses if it is overly rigid.

b. Compliance with Other Law

SB 255 contains a unique provision regarding compliance with “other law.” Section 507-H:12 provides that anyone covered by SB 255 and “other law regarding third party providers of information and services” must comply with both laws, and, where there is a “direct conflict” between the two laws, the individual or entity “shall comply with the statute that provides the greater measure of privacy protection to individuals.” For the purposes of that provision, opt-in consent for disclosing personal information is deemed more protective than the opt-out rights in SB 255. 

This language was added while SB 255 was in committee to prevent potential conflicts between SB 255 and HB 314, a distinct bill that was being considered in parallel to SB 255. Originally intended to curtail government acquisition of personal information, HB 314 was expanded significantly by the House Judiciary Committee to place strict limits on the disclosure of personal information by a “third-party provider of information,” defined broadly under that bill to encompass telephone companies, utilities, internet service providers, streaming services, social media services, email service providers, banks and financial institutions, insurance companies, and credit card companies. 

HB 314 passed the New Hampshire House of Representatives in early January 2024, but it has not progressed in the Senate at the time of writing. Retaining this conflict provision in SB 255 without also passing HB 314 raises questions about the provision’s function, given that “third-party provider of information or services” currently is not defined in law.

2. The First “Boring” Privacy Law?

Perhaps what is most interesting about SB 255 is how uninteresting it is—at least in regard to comprehensive privacy law, there is very little new in New Hampshire:

That SB 255 adds little new to the state comprehensive privacy landscape is indicative of the maturity of state privacy law. Once upon a time, a state enacting comprehensive privacy legislation warranted an emergency blog post with detailed analysis and lofty questions about a looming “patchwork” of incompatible laws. In the almost six years since the California Consumer Privacy Act was enacted, fourteen states have now joined the fold. As noted in FPF’s forecast of the 2024 privacy landscape, while there was a general regulatory convergence on the WPA framework, there are still meaningful differences between most of the post-California comprehensive state privacy laws. Many have wondered whether any states would buck the consensus trend in 2024 and adopt a novel approach to data privacy. That may be the case, as several states are currently considering bills inspired by the American Data Privacy and Protection Act. But if New Hampshire is anything to go by, perhaps 2024 will instead be a year of greater convergence and uniformity amongst the states. Time will tell.

FPF Statement on President Biden’s 2024 State of the Union Address

“At this critical moment in time, the U.S. is positioned to demonstrate leadership to develop and regulate emerging technologies such as AI. These tools, while incredibly advantageous when deployed responsibly, also carry tremendous potential to cause harm. We commend the Biden administration for recognizing the multifaceted challenges and opportunities presented by AI technologies. 

We’re also encouraged to hear President Biden reaffirm his commitment to enacting stronger privacy protections for kids online. Technology creates both terrific opportunities and real risks for young people, and as kids spend more time online and as AI and other technologies continue to evolve, finding that balance has become more difficult ― and more important ― than ever before. We stand by the fact that a comprehensive federal privacy law would address some of the most pressing privacy concerns associated with AI, including algorithms’ use of mass amounts of sensitive data.”

 – Jules Polonetsky, CEO, Future of Privacy Forum 

Read the full State of the Union Address here.

Event Recap: FPF X nasscom Webinar Series – Breaking Down Consent Requirements under India’s DPDPA

Following the enactment of India’s Digital Personal Data Protection Act 2023 (DPDPA), the Future of Privacy Forum (FPF) and nasscom (National Association of Software and Service Companies), India’s largest industry association for the information technology sector, co-hosted a 2-part webinar series focused on the consent-centric regime under the DPDP Act. Spread across two days (November 9, 2023 and January 29, 2024), the webinar series comprised four panels that brought together experts from industry, governments, civil society, and the global data privacy community to share their perspectives on operationalizing consent under the DPDPA. This blog post provides an overview of these discussions. 

Panel 1 – Designing notices and requests for meaningful consent 

The first panel was co-moderated by Bianca Marcu (Policy Manager for Global Privacy, FPF) and Ashish Aggarwal (Vice President for Public Policy, nasscom) They were joined by the following panelists: 

  1. Paul Breitbarth, Data Protection Lead, Catawiki & Member of the Data Protection Authority, Jersey.
  2. Eduardo Ustaran, Partner, Global Co-Head of Privacy & Cybersecurity, Hogan Lovells.
  3. Eunjung Han, Consultant, Rouse, Vietnam.
  4. Swati Sinha, APAC, Japan and China Privacy Officer & Senior Counsel, Cisco.

The panel began with a short presentation by Priyanshi Dixit (Senior Policy Associate, nasscom) that introduced the concepts of notice and consent under the DPDPA. During the discussion, panelists emphasized the importance of clear, understandable written notices and discussed other design choices to ensure that consent is “free, specific, informed, unconditional, and unambiguous”. To this end, Swati Sinha highlighted consent notices for different categories of cookies under the EU General Data Protection Regulation (GDPR), and granular notices with separate tick boxes in South Korea and China as examples of how data fiduciaries under the DPDPA could design notices to enable individuals to make informed decisions. However, Swati also stressed that consent forms should not bundle different purposes or come with pre-ticked boxes. Eduardo Ustaran observed that the introduction of strict consent requirements in many new data protection laws internationally has transformed the act of giving consent from a passive action into a more active and affirmative one. Eduardo also stressed the importance of ensuring that consent was clearly and freely given and maintaining clear records. 

Adding to this, Paul Breitbarth suggested that visuals such as videos and images could help make the information in notices more accessible, particularly given that long text-based notices might not be convenient for individuals using mobile devices. Paul used the example of airline safety videos as an effective method for presenting notices, with voiceovers and subtitles to ensure accessibility for a broader audience. However, Paul cautioned that it is always advisable to include written notices alongside such visual representations. 

The panelists also highlighted challenges to relying on consent as a basis for processing personal data, such as varying levels of digital literacy, the risk of “consent fatigue,” and the use of deceptive design choices (such as pre-ticked consent boxes). The discussions therefore considered alternatives to consent under different data protection laws. The panelists highlighted that in Europe, consent is not always the most popular legal basis for processing personal data as under the GDPR consent is one of several equal bases for processing personal data. The panelists also considered that in jurisdictions whose data protection laws emphasize consent over other legal bases, organizations may face difficulties in ensuring that consent is meaningful. Eunjung Han cited Vietnam’s recent Personal Data Protection Decree as an example of a framework that emphasizes consent and could potentially limit businesses’ ability to process personal data for their operations. She also noted that industry stakeholders in Vietnam are engaging in conversations with the government to share global practices where business necessity serves as a legal basis for processing.

Regarding regulatory actions, the panelists noted that regulators initially offer guidance and support to industry but over time, may transition to initiating enforcement actions. As final takeaways, panelists stressed the importance of accountability and emphasized the need to clearly identify usage of personal data, only collect personal data that is necessary for a specific purpose, and adhere to data protection principles. 

Panel 2 – Examining consent and its alternatives

The second panel was co-moderated by Gabriela Zanfir-Fortuna (Vice President for Global Privacy, FPF) and Ashish Aggarwal (Vice President for Public Policy, nasscom). They were joined by the following panelists:

  1. Francis Zhang, Deputy Director, Data Policy, PDPC Singapore.
  2. Leandro Y. Aguirre, Deputy Privacy Commissioner, Philippines National Privacy Commission.
  3. Kazimierz Ujazdowski, Member of Cabinet, European Data Protection Supervisor.

Varun Sen Bahl (Manager, nasscom) set the context for the panel discussion through a brief presentation, outlining various alternatives to consent under the DPDP Act: legitimate uses (section 7) and exemptions (sections 17(1) and 17(2)).

Throughout the discussion, the panelists drew from their experiences with their respective data protection laws: Singapore’s Personal Data Protection Act (PDPA), the Philippines’ Data Privacy Act (DPA), and the EU’s GDPR. In particular, a common experience shared by the three panelists was that they had all faced questions on the interpretation of alternative bases to consent in their respective jurisdictions. They noted that this was an evolving trend and suggested that it would likely extend to India as well. 

Panelists noted that some data protection authorities were proactively promoting alternative legal bases to consent. This need arose because organizations in their jurisdictions were over-relying on consent as the de facto default legal basis for processing personal data, leading to “consent fatigue” for data subjects. For instance, Francis Zhang explained that Singapore amended its PDPA in 2020 to include new alternatives to consent that aim to strike a balance between individual and business interests. 

Gabriela highlighted the similarities between section 15(1) of Singapore’s PDPA and section 7(a) of the DPDP Act. Both provisions allow for consent to be deemed where an individual voluntarily shares their personal data within an organization. In this context, Francis Zhang shared Singapore’s experience with this provision and explained that it was intended to apply in scenarios where consent can be inferred from the individual’s conduct, such as sharing payment details in a transaction or health information during a health check-up.

Reflecting on his experience in Europe, Kazimierz Ujazdowski observed that data protection authorities tend to be reactive as they are constrained by the resources at their disposal. He suggested that Indian regulators could be better prepared than the ones in Europe at the time of the enactment of the GDPR by proactively identifying practices that are likely to adversely affect users. He also highlighted the importance of taking a strategic approach to map areas of risk requiring regulatory attention. Deputy Commissioner Aguirre emphasized the need for India’s Data Protection Board to establish effective mechanisms to offer guidance regarding the interpretation of key legal provisions and how to comply with them. He highlighted that effective communication between regulators and industries was crucial for anticipating lapses and promoting compliance. He also explained that complaints and awareness efforts during the transition period before the Philippines’ DPA took effect helped to refine the Philippines’ data protection legal frameworks.

Panel 3 – Realizing the ‘consent manager’ model

The third panel was focused on the novel concept of consent managers introduced under the DPDPA and was moderated by Malavika Raghavan (Senior Fellow, FPF) and Varun Sen Bahl (nasscom). They were joined by the following panelists:

  1. Vikram Pagaria, Joint Director, National Health Authority of India. 
  2. Bertram D’Souza, CEO, Protean AA and Convener, AA Steering Committee, Sahamati Foundation. 
  3. Malte Beyer-Katzenberger, Policy Officer, European Commission. 
  4. Rahul Matthan, Partner – TMT, Trilegal.
  5. Ashish Aggarwal, Head of Public Policy, nasscom.

To kick off the discussions, Varun Sen Bahl provided a quick overview of the provisions on “consent managers” under the DPDPA.The law defines a “consent manager” as a legal entity or individual who acts as a single point of contact for data principals (i.e., data subjects) to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Consent managers must be registered with the Data Protection Board of India (once established) and will be subject to obligations under forthcoming subordinate legislation to the DPDPA.

As the concept of a consent manager is not found in other legislation in India or internationally, there has been a great deal of speculation as to what form consent managers will take, and what role they will play in India’s technology ecosystem, once the DPDPA and its subordinate legislation are fully implemented. 

The discussion among panelists touched upon the evolving role of consent managers and their potential impact under the DPDPA. 

Rahul Matthan highlighted two concepts from existing consent management frameworks in India: the “account aggregator” framework in the financial sector, and the National Health Authority’s Ayushman Bharat Digital Mission (ABDM) in the health sector that could serve as potential operational models for consent managers under the DPDPA. He also suggested that these initiatives could facilitate data portability, even though the DPDPA does not expressly recognize such a right. He also anticipated that forthcoming subordinate legislation would clarify how these existing initiatives will interface with consent managers under the DPDPA.

Bertram D’Souza and Vikram Pagaria provided background on how these two sectoral initiatives function in India.

Bertram noted that in India’s financial sector, account aggregators currently enable users to manage their consent with over 100 financial institutions, including banks, mutual funds, and pension funds and enable users to manage their consent. Several different account aggregators exist on the market today, but must register with the Reserve Bank of India to obtain an operational license. 

Vikram highlighted how ABDM enables users in the health sector to access their health records and consent to requests from various different entities (such as hospitals, laboratories, clinics, or pharmacies) to access that data. Users can also control the type of health record to be shared and the duration for which the data needs to be shared. Vikram also noted that approximately 500 million individuals have consented to create their Health IDs (Ayushman Bharat Health Account), with around 300 million health records linked to these IDs.

Malte Beyer-Katzenberger drew parallels between these existing sectoral initiatives in India and the EU’s Data Governance Act (DGA), a regulation that establishes a framework to facilitate data-sharing across sectors and between EU countries. He explained how the DGA evolved from business models trying to solve problems around personal data management and consent management. In this context, he noted that EU regulators are keen to collaborate with India on the shared objectives of empowering users with their data and enabling data portability.  

Ashish highlighted that the value of consent managers lies in providing users a technological means to seamlessly give and withdraw consent. He also saw scope for data fiduciaries to rely on consent managers as a tool to safeguard against liability and regulatory action. When asked about what business model consent managers would adopt, Bertram noted that it is an evolving space and the market in which consent managers will operate is extremely fragmented. While he anticipated that based on his experience with account aggregators, consent managers would initially be funded by India’s technology ecosystem system, they may eventually shift to a user-paid model. The panelists also highlighted the need to obtain “buy-in” from data fiduciaries and ensure that they are accountable towards users towards users). Malte also pondered how consent managers could achieve scale in the absence of a legislative mandate requiring their use.

Rahul Matthan highlighted the immense potential of the market for consent managers in India, noting that as of January 2024, account aggregators have processed 40 million consent requests, twice the number from August of the previous year. Though account aggregators are not mandatory for users, Rahul noted that the convenience and efficiency that they offer is likely to encourage people to opt into using these services, whether they are within the formal financial system or outside it. Agreeing with this, Bertram highlighted the need for consent managers to focus on enhancing user experience and foster cross-sectoral collaborations. 

In his concluding remarks, Ashish underscored the importance of striking a balance by allowing the industry to develop the existing account aggregators framework while ensuring that use of this framework is optional for consumers. He agreed that the account aggregator framework is likely to influence the development of consent managers under the DPDPA, and suggested that there may also be use cases for similar frameworks in other areas and sectors, such as in e-commerce, to address deceptive design patterns.

Panel 4 – Operationalizing ‘verifiable parental consent’ in India

The final panel in the webinar series was focused on examining the requirements for verifiable consent for processing the personal data of children under the DPDPA. The panel was co-moderated by Christina Michelakaki (Policy Counsel for Global Privacy, FPF) and Varun Sen Bahl and they were joined by the following panelists:

  1. Kieran Donovan, Founder, k-ID. 
  2. Rakesh Maheshwari, Former Head of the Cyber Laws and Data Governance Division, Ministry of Electronics and Information Technology.
  3. Iqsan Sirie, Partner, TMT, Assegaf Hamzah & Partners, Indonesia. 
  4. Vrinda Bhandari, Advocate – Supreme Court of India. 
  5. Bailey Sanchez, Senior Counsel, Youth & Education Privacy, Future of Privacy Forum. 

Varun Sen Bahl presented a brief overview of verifiable parental consent under the DPDPA. Specifically, the legislation requires data fiduciaries to seek verifiable consent from the parent or lawful guardian when processing the personal data of minors aged eighteen years or below or persons with disabilities. However, the Act empowers India’s Central Government to: 

The forthcoming subordinate legislation under the DPDPA is expected to provide further detail on how these provisions will be implemented.

Building on the presentation, the panelists shed light on the complexities surrounding parental consent requirements under different data protection laws. Iqsan Sirie drew parallels between India’s DPDPA and Indonesia’s recently enacted Personal Data Protection Law, which also introduced parental consent requirements for processing children’s data that will only be clarified through enactment of secondary regulation. Iqsan cited guidelines issued by Indonesia’s Child Protection Commission as “soft law” which businesses could refer to when developing online services. 

Rakesh Maheshwari explained that the Indian Government’s intent in introducing these measures in the DPDPA was to address concerns regarding children’s safety, albeit while providing the Central Government flexibility in implementing these measures. 

Vrinda Bhandari focused on the forthcoming subordinate legislation to the DPDPA and stressed that any method for verifying parental consent must be risk-based and proportionate. Specifically, she highlighted privacy risks and low digital literacy as challenges in introducing such tech-based solutions. First, she pointed out that biometric-based verification methods, such as India’s national resident ID number (Aadhaar) or any other government-issued ID that captures sensitive personal data, could pose security risks, depending on who can access this information. Second, she noted that the majority of Indians belong to a mobile-first generation, where parents may not be digitally literate. Although Vrinda cited tokenization as a good alternative, she questioned whether it would be feasible to implement it in India, given the costs and technical complexity of deploying this solution.

Drawing from his expertise at K-ID, which aids developers in safely authenticating and safeguarding children’s online privacy, Kieran Donovan highlighted the array of methods for implementing age-gating, ranging from simple email verifications to advanced third-party services aimed at privacy preservation. He discussed the use of payment transactions, SMS 2-factor authentication, electronic signatures, and question-based approaches designed to gauge user maturity. He also pointed out that only 4 of the 103 countries requiring parental consent specify the exact method for verifying parental consent. He also spoke about the challenges faced by businesses in implementing age-gating measures, including the cost per transaction and resistance from users to sophisticated verification methods. 

Comparing India’s DPDPA with the Children’s Online Privacy Protection Act (COPPA) Bailey Sanchez noted that the age for consent in this context is 13 years in the US and is applicable only for services directed at children. Bailey also observed that it is not straightforward to demonstrate compliance under the COPPA. However, the Federal Trade Commission proactively updates the approved methods for parental verification and also works with industry to review new methods that reflect technological advancements. Christina spoke about the legal position on children’s consent in the EU under GDPR, and the challenges in relying on other legal bases for processing children’s data. 

As final takeaways, the discussion touched on the importance of regulatory guidance and risk-based intervention that incentivizes stakeholders to participate actively. Overall, panelists noted that a nuanced approach balancing privacy protection and practical considerations is essential for effective implementation of parental consent requirements globally.

To conclude the webinar series, Josh Lee Kok Thong (Managing Director for APAC, FPF) expressed his gratitude to all the panelists, viewers, and hosts (from FPF and nasscom) for their active participation, extending a special note of thanks for their contributions.

Conclusion

In the run up to the notification of the subordinate legislation which will enforce key provisions of the DPDPA, the FPF x nasscom webinar series aimed to foster an active discussion that captured the insights of regulators, industry, academia, and civil society from within India and beyond. Going forward, FPF will play an active role in building on these conversations.

The DNA of Genetic Privacy Legislation: Montana, Tennessee, Texas, and Virginia Enter 2024 with New Genetic Privacy Laws Incorporating FPF’s Best Practices

In 2023, four states enacted new genetic privacy laws regulating direct-to-consumer genetic testing companies. This blog post provides details on what these new laws cover and how they compare to FPF’s widely-adopted Best Practices for Consumer Genetic Testing Services. 

Genetic privacy has been under increasing scrutiny at the state and federal levels, and regulators are prioritizing efforts to examine how businesses handle and disclose genetic data. For instance, the Federal Trade Commission (FTC) obtained orders against genetic testing providers Vitagene (2023) and CRI Genetics (2023) over alleged deceptive trade practices, including a claim that Vitagene had left sensitive data unsecured and retroactively changed its privacy policy without user consent. The White House has also taken a keen interest in genetic data privacy protections; genetic data privacy was flagged as an area of interest in the Biden Administration’s recent executive order that seeks to restrict “countries of concern” from accessing Americans’ sensitive personal data in bulk. The Department of Justice has also indicated that genetic data will be a focus of an upcoming Advance Notice of Proposed Rulemaking related to the executive order.

While federal agencies and lawmakers have been active in this area, state legislators have been the most active in mandating protections for this particularly sensitive category of personal information. In 2023, Montana, Tennessee, Texas, and Virginia joined six other states (Arizona, California, Kentucky, Maryland, Utah, and Wyoming) that have enacted privacy laws for direct-to-consumer genetic testing companies. These four newly enacted laws follow the trend of the six existing laws in adopting baseline requirements–including requirements to publish privacy notices and create consumer rights of access and deletion–in line with FPF’s Privacy Best Practices for Consumer Genetic Testing Services, first released in 2018.

However, the four state laws leave out key elements of the best practices around transparency about law enforcement access to data, children’s and teens’ online privacy, and consent for revised privacy policies that reflect the use of emerging technologies in genetic testing. As these privacy issues take center stage in 2024, states should consider expanding the scope of direct-to-consumer genetic testing privacy laws to address emerging technologies like artificial intelligence and persistent concerns about law enforcement access to data and minors’ rights to their genetic data.

New State Laws on Genetics Privacy Include Strong, Important Protections for Individuals

These four new state genetic privacy laws largely incorporate the foundational principles of the Future of Privacy Forum’s 2018 best practices. All four states’ genetic privacy laws create a consumer right to access and delete personal data, prohibit sharing genetic information with insurers and employers, and require companies to create a comprehensive security program to protect individuals’ data. All four laws also require companies to collect separate express consent to use data for marketing, research, and third-party sharing, with some laws extending this requirement to any secondary use or additional retention of individuals’ genetic data.

Laws in Tennessee, Texas, and Virginia exclude de-identified data from their definitions of “genetic data.” This is in line with FPF’s best practices on de-identified data, which note that de-identified data is not subject to the remaining best practices, as long as “de-identification measures taken establish strong assurance that the data is not identifiable.”  In addition, Tennessee, Texas and Virginia follow the guidance from the FTC and the Department of Health and Human Services (HHS) for de-identified data; the three state laws require that companies (1) take measures to ensure that individuals’ data cannot be linked to them, (2) commit to maintain and use data only in its de-identified form, and (3) contractually obligate data recipients to do the same.

Montana and Texas, meanwhile, each go beyond any existing consumer genetic privacy laws and the scope of FPF’s best practices to create additional requirements for direct-to-consumer genetic testing companies. Montana imposed data localization requirements for its residents’ genetic data and Texas established a property right for its residents over their genetic samples and data.

New State Laws Differ on Key Privacy Issues, Including Law Enforcement Access to Data, Kids’ Privacy Needs, and Transparency

The four state genetic privacy laws passed in 2023 are the first such laws to be passed in the wake of the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization (2022), overruling the precedent set in Roe v. Wade and negating constitutional protections for reproductive health services. These four new laws have created essential genetic data privacy protections in line with the existing direct-to-consumer genetic privacy laws, but they differ on some key privacy issues that are the subjects of intense debate, including law enforcement access to data, children’s and teens’ online privacy, and transparency requirements around changing privacy policies to consider emerging technologies, including AI.

Law Enforcement Access to Data

FPF’s best practices call for genetic testing companies to notify individuals when their personal data is shared with law enforcement agencies and to publicly report on data requests from law enforcement on at least an annual basis. In the wake of Dobbs, the processes by which law enforcement agencies may gain access to health data have come under increased public and regulatory scrutiny. Data collected by direct-to-consumer genetic testing companies may reveal relationship and health data that could be used in abortion prosecutions; for example, fetal tissue samples could be compared to genetic data held by direct-to-consumer genetic testing companies to determine paternity or maternity, and retained biological samples could be repurposed by law enforcement for saliva-based pregnancy tests. As a result, even though none of the four laws specifically refer to reproductive health data or post-Dobbs privacy issues, some of them may impact how law enforcement can access genetic data to enforce restrictions on abortion and how direct-to-consumer genetic testing companies may respond to law enforcement requests for data.

Of the four laws, only Montana’s specifies that government agencies must provide a warrant to access genetic data after June 1, 2025, unless the disclosure is otherwise permitted by a specific state law. Two of the remaining new genetic privacy laws (Tennessee and Texas) explicitly permit law enforcement and government agencies to access individuals’ genetic data with valid legal process, which may include a warrant or subpoena, depending on the specific data being requested. While legal process may require notification to the impacted individual, in practice individuals can be prevented from receiving that notice under non-disclosure provisions. Only Virginia’s law does not specify detailed procedural requirements for genetic testing companies to share data with government agencies. 

While the four state laws diverge in their requirements for valid legal process and consumer notification, none of the laws include a requirement for companies to publish reports on data requests from law enforcement agencies. Leading direct-to-consumer genetic testing companies voluntarily publish reports on government requests for consumers’ data–including 23andMe and Ancestry, both of which report on data multiple times a year. Those reports are not often broken out by topic or type of data. Notably, some of the disclosures in these reports may be limited by law, including the U.S. Foreign Intelligence Surveillance Act.

Children’s and Teens’ Online Privacy

In recognition of the need for heightened privacy protections for children, FPF’s best practices recommend that direct-to-consumer genetic testing companies not market or directly offer their services to minors (under age 18). When parents and guardians provide consent for minors to submit their DNA samples, FPF recommends that genetic testing companies provide minors with a right to access their data and become the primary account holder once they reach age 18. 

2023 was also a banner year for debate around children’s online privacy and safety issues, including a unanimous vote by the Senate Commerce Committee to advance a bill to expand children’s privacy protections and cover teens aged 13 to 16. However, despite FPF’s recommendations and the recent attention given to children’s online privacy, none of the four state genetic privacy laws explicitly address children’s privacy interests when engaging with direct-to-consumer genetic testing companies, including scenarios where parents and guardians may submit genetic samples on behalf of their children.

Emerging Technologies and New Privacy Policies

Consent is an important part of all of the new genetic privacy laws, in line with the baseline standards for consent established in the six other existing state laws and in FPF’s best practices. Montana, Tennessee, and Virginia establish a specific requirement for direct-to-consumer genetic testing companies to collect initial express consent from users seeking genetic testing products and services–this initial consent must specify the inherent contextual uses of the data. Texas does not specifically require initial express consent but does require separate express consent for several different types of data processing.

FPF’s best practices state that companies should notify individuals and seek their consent before making any changes to privacy policies–over the past year, this has also become a major topic for regulatory enforcement. For instance, in 2023, the FTC issued its first genetic privacy enforcement action. In the Vitagene (2023) case, the FTC argued that the company engaged in deceptive behavior when it updated its privacy policy in 2020 and retroactively expanded third-party data sharing without notifying existing consumers or seeking their consent for the policy change. In the press release about the settlement order, Director of the FTC Bureau of Consumer Protection Samuel Levine noted, “[c]ompanies that try to change the rules of the game by re-writing their policy policy are on notice” for any unilateral applications of new privacy policies to existing consumer data.

The practice of ensuring that consent is obtained with updates to privacy policies and practices is becoming more important with the incorporation of new technologies into genetic testing business models. As AI becomes increasingly integrated in direct-to-consumer genetic testing companies’ platforms and product offerings, the inherent contextual uses of individuals’ genetic data may evolve, requiring updates to privacy policies.

All four laws also require entities to collect separate express consent for any secondary uses of individuals’ genetic data that are beyond the scope of the initial genetic testing product or service. However, none of the four laws explicitly include any procedural requirements for how companies should collect consent before implementing policy changes. The absence of an explicit provision in the laws means that the need to notify individuals of policy changes and seek consumer consent to implement those changes will largely be a matter of judicial or regulatory interpretation, and may vary from state to state.

State Legislatures Should Consider Expanded Genetic Privacy Protections in 2024

In addition to the four states that enacted genetic privacy laws in 2023, eight other states considered bills to regulate direct-to-consumer genetic testing companies’ privacy practices, demonstrating state lawmakers’ growing appetite for state genetic privacy legislation in the absence of comprehensive federal legislation. The 2024 legislative session is another opportunity for additional states to establish new protections, and state legislatures in Alabama, Indiana, Nebraska, and West Virginia have already considered legislation largely based on FPF’s best practices. 

2024 is also an opportunity for states with existing laws, including the four states that passed laws in 2023, to establish additional protections for individuals’ genetic data and adopt FPF’s best practices around law enforcement access to data, minors’ rights to their genetic data, and transparency for privacy policy changes. While these laws establish baseline genetic privacy protections that are in line with FPF’s best practices and consistent with existing state genetic privacy laws, they have left space for future legislators to further consider additional protections needed in the areas of law enforcement access to data post-Dobbs, children’s and teens’ online privacy, and direct-to-consumer genetic testing companies’ embrace of emerging technologies. 

By fully incorporating FPF’s best practices, states can promote a more privacy-protective genetic testing ecosystem and strive to better address the privacy issues that emerged in 2023 and continue to be a priority in 2024. In doing so, states can also raise the standard for genetic data privacy and effectively complement the federal government’s approach to regulating direct-to-consumer genetic testing companies.

FPF Awarded DOE and NSF Grants to Advance Privacy Enhancing Technologies & AI

The Future of Privacy Forum (FPF) has been awarded grants by the Department of Energy (DOE) and the National Science Foundation (NSF) to support FPF’s establishment of a Research Coordination Network (RCN) for Privacy-Preserving Data and Analytics. FPF’s work will support the development and deployment of Privacy Enhancing Technologies (PETs) for beneficial data sharing and analytics. Most notably, the RCN will bring together a multi-stakeholder community of academic researchers, industry practitioners, policymakers, and other stakeholders to advance the adoption of PETs in the context of AI and other key technologies.

Since its founding, FPF’s work has been driven by a belief in the fair and ethical use of technology to improve people’s lives,” said John Verdi, FPF’s Senior Vice President for Policy, who will serve as the RCN’s principal investigator. “We are convening a multidisciplinary, cross-sector, and international group of experts to better understand the risks of data sharing and analytics and how PETs can and cannot mitigate those risks.”

The DOE-NSF grants will enable FPF to establish a robust expert network with members from academia, industry, government, and civil society to discuss and develop best practices for advancing PETs. Its goals are to facilitate ethical data use, stimulate responsible scientific research and innovation, and enable individuals and society to benefit from data sharing and analytics.

The RCN will operate in two interrelated parts:

“Privacy-enhancing technologies are increasingly important in today’s data-driven landscape. They allow us to safeguard sensitive datasets and information needed to advance a broad research, development, and demonstration portfolio,” said Asmeret Asefaw Berhe, Director of DOE’s Office of Science. “This Research Coordination Network will help us move toward the shared goal of establishing new standards for data safety and security that will allow us to continue to develop the innovations and scientific discoveries we need to achieve our clean energy and industrial goals.” 

The awarded grants build on FPF’s years-long track record of convening private-sector stakeholders and regulators to discuss responsible data sharing and the deployment and regulation of PETs, including its Privacy Research and Data Responsibility RCN and Global PETs Network.

“This crucial investment represents our commitment to advancing the foundations of responsible AI and privacy-enhancing technologies,” said Dilma DaSilva, Acting Assistant Director for NSF’s Computer and Information Science and Engineering Directorate. “This effort supports research and development that enables individuals and society to benefit from the value derived from privacy preserving data sharing and analytics.”

The RCN will inform the public debate on PETs, provide useful information to policymakers, and contribute to the development of systems and products to support AI. For more information about the RCN and how to get involved, please contact [email protected]. To keep updated on similar issues and emerging topics, apply to join the Ethics and Data in Research Working Group.

The Research Coordination Network (RCN) for Privacy-Preserving Data Sharing and Analytics is supported by U.S. National Science Foundation (Award #2413978) and the Department of Energy (Award #DE-SC0024884).