The DNA of Genetic Privacy Legislation: Montana, Tennessee, Texas, and Virginia Enter 2024 with New Genetic Privacy Laws Incorporating FPF’s Best Practices
In 2023, four states enacted new genetic privacy laws regulating direct-to-consumer genetic testing companies. This blog post provides details on what these new laws cover and how they compare to FPF’s widely-adopted Best Practices for Consumer Genetic Testing Services.
Genetic privacy has been under increasing scrutiny at the state and federal levels, and regulators are prioritizing efforts to examine how businesses handle and disclose genetic data. For instance, the Federal Trade Commission (FTC) obtained orders against genetic testing providers Vitagene (2023) and CRI Genetics (2023) over alleged deceptive trade practices, including a claim that Vitagene had left sensitive data unsecured and retroactively changed its privacy policy without user consent. The White House has also taken a keen interest in genetic data privacy protections; genetic data privacy was flagged as an area of interest in the Biden Administration’s recent executive order that seeks to restrict “countries of concern” from accessing Americans’ sensitive personal data in bulk. The Department of Justice has also indicated that genetic data will be a focus of an upcoming Advance Notice of Proposed Rulemaking related to the executive order.
While federal agencies and lawmakers have been active in this area, state legislators have been the most active in mandating protections for this particularly sensitive category of personal information. In 2023, Montana, Tennessee, Texas, and Virginia joined six other states (Arizona, California, Kentucky, Maryland, Utah, and Wyoming) that have enacted privacy laws for direct-to-consumer genetic testing companies. These four newly enacted laws follow the trend of the six existing laws in adopting baseline requirements–including requirements to publish privacy notices and create consumer rights of access and deletion–in line with FPF’s Privacy Best Practices for Consumer Genetic Testing Services, first released in 2018.
However, the four state laws leave out key elements of the best practices around transparency about law enforcement access to data, children’s and teens’ online privacy, and consent for revised privacy policies that reflect the use of emerging technologies in genetic testing. As these privacy issues take center stage in 2024, states should consider expanding the scope of direct-to-consumer genetic testing privacy laws to address emerging technologies like artificial intelligence and persistent concerns about law enforcement access to data and minors’ rights to their genetic data.
New State Laws on Genetics Privacy Include Strong, Important Protections for Individuals
These four new state genetic privacy laws largely incorporate the foundational principles of the Future of Privacy Forum’s 2018 best practices. All four states’ genetic privacy laws create a consumer right to access and delete personal data, prohibit sharing genetic information with insurers and employers, and require companies to create a comprehensive security program to protect individuals’ data. All four laws also require companies to collect separate express consent to use data for marketing, research, and third-party sharing, with some laws extending this requirement to any secondary use or additional retention of individuals’ genetic data.
Laws in Tennessee, Texas, and Virginia exclude de-identified data from their definitions of “genetic data.” This is in line with FPF’s best practices on de-identified data, which note that de-identified data is not subject to the remaining best practices, as long as “de-identification measures taken establish strong assurance that the data is not identifiable.” In addition, Tennessee, Texas and Virginia follow the guidance from the FTC and the Department of Health and Human Services (HHS) for de-identified data; the three state laws require that companies (1) take measures to ensure that individuals’ data cannot be linked to them, (2) commit to maintain and use data only in its de-identified form, and (3) contractually obligate data recipients to do the same.
Montana and Texas, meanwhile, each go beyond any existing consumer genetic privacy laws and the scope of FPF’s best practices to create additional requirements for direct-to-consumer genetic testing companies. Montana imposed data localization requirements for its residents’ genetic data and Texas established a property right for its residents over their genetic samples and data.
New State Laws Differ on Key Privacy Issues, Including Law Enforcement Access to Data, Kids’ Privacy Needs, and Transparency
The four state genetic privacy laws passed in 2023 are the first such laws to be passed in the wake of the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization, which overruled the precedent set in Roe v. Wade and negated constitutional protections for reproductive health services. These four new laws have created essential genetic data privacy protections in line with the existing direct-to-consumer genetic privacy laws, but they differ on some key privacy issues that are the subjects of intense debate, including law enforcement access to data, children’s and teens’ online privacy, and transparency requirements around changing privacy policies to consider emerging technologies, including AI.
Law Enforcement Access to Data
FPF’s best practices call for genetic testing companies to notify individuals when their personal data is shared with law enforcement agencies and to publicly report on data requests from law enforcement on at least an annual basis. In the wake of Dobbs, the processes by which law enforcement agencies may gain access to health data have come under increased public and regulatory scrutiny. Data collected by direct-to-consumer genetic testing companies may reveal relationship and health data that could be used in abortion prosecutions; for example, fetal tissue samples could be compared to genetic data held by direct-to-consumer genetic testing companies to determine paternity or maternity, and retained biological samples could be repurposed by law enforcement for saliva-based pregnancy tests. As a result, even though none of the four laws specifically refer to reproductive health data or post-Dobbs privacy issues, some of them may impact how law enforcement can access genetic data to enforce restrictions on abortion and how direct-to-consumer genetic testing companies may respond to law enforcement requests for data.
Of the four laws, only Montana’s specifies that government agencies must provide a warrant to access genetic data after June 1, 2025, unless the disclosure is otherwise permitted by a specific state law. Two of the remaining new genetic privacy laws (Tennessee and Texas) explicitly permit law enforcement and government agencies to access individuals’ genetic data with valid legal process, which may include a warrant or subpoena, depending on the specific data being requested. While legal process may require notification to the impacted individual, in practice individuals can be prevented from receiving that notice under non-disclosure provisions. Only Virginia’s law does not specify detailed procedural requirements for genetic testing companies to share data with government agencies.
While the four state laws diverge in their requirements for valid legal process and consumer notification, none of the laws include a requirement for companies to publish reports on data requests from law enforcement agencies. Leading direct-to-consumer genetic testing companies voluntarily publish reports on government requests for consumers’ data–including 23andMe and Ancestry, both of which report on data multiple times a year. Those reports are not often broken out by topic or type of data. Notably, some of the disclosures in these reports may be limited by law, including the U.S. Foreign Intelligence Surveillance Act.
Children’s and Teens’ Online Privacy
In recognition of the need for heightened privacy protections for children, FPF’s best practices recommend that direct-to-consumer genetic testing companies not market or directly offer their services to minors (under age 18). When parents and guardians provide consent for minors to submit their DNA samples, FPF recommends that genetic testing companies provide minors with a right to access their data and become the primary account holder once they reach age 18.
2023 was also a banner year for debate around children’s online privacy and safety issues, including a unanimous vote by the Senate Commerce Committee to advance a bill to expand children’s privacy protections and cover teens aged 13 to 16. However, despite FPF’s recommendations and the recent attention given to children’s online privacy, none of the four state genetic privacy laws explicitly address children’s privacy interests when engaging with direct-to-consumer genetic testing companies, including scenarios where parents and guardians may submit genetic samples on behalf of their children.
Emerging Technologies and New Privacy Policies
Consent is an important part of all of the new genetic privacy laws, in line with the baseline standards for consent established in the six other existing state laws and in FPF’s best practices. Montana, Tennessee, and Virginia establish a specific requirement for direct-to-consumer genetic testing companies to collect initial express consent from users seeking genetic testing products and services–this initial consent must specify the inherent contextual uses of the data. Texas does not specifically require initial express consent but does require separate express consent for several different types of data processing.
FPF’s best practices state that companies should notify individuals and seek their consent before making any changes to privacy policies–over the past year, this has also become a major topic for regulatory enforcement. For instance, in 2023, the FTC issued its first genetic privacy enforcement action. In the Vitagene (2023) case, the FTC argued that the company engaged in deceptive behavior when it updated its privacy policy in 2020 and retroactively expanded third-party data sharing without notifying existing consumers or seeking their consent for the policy change. In the press release about the settlement order, Director of the FTC Bureau of Consumer Protection Samuel Levine noted, “[c]ompanies that try to change the rules of the game by re-writing their privacy policy are on notice” for any unilateral applications of new privacy policies to existing consumer data.
The practice of ensuring that consent is obtained with updates to privacy policies and practices is becoming more important with the incorporation of new technologies into genetic testing business models. As AI becomes increasingly integrated in direct-to-consumer genetic testing companies’ platforms and product offerings, the inherent contextual uses of individuals’ genetic data may evolve, requiring updates to privacy policies.
All four laws also require entities to collect separate express consent for any secondary uses of individuals’ genetic data that are beyond the scope of the initial genetic testing product or service. However, none of the four laws explicitly include any procedural requirements for how companies should collect consent before implementing policy changes. The absence of an explicit provision in the laws means that the need to notify individuals of policy changes and seek consumer consent to implement those changes will largely be a matter of judicial or regulatory interpretation, and may vary from state to state.
State Legislatures Should Consider Expanded Genetic Privacy Protections in 2024
In addition to the four states that enacted genetic privacy laws in 2023, eight other states considered bills to regulate direct-to-consumer genetic testing companies’ privacy practices, demonstrating state lawmakers’ growing appetite for state genetic privacy legislation in the absence of comprehensive federal legislation. The 2024 legislative session is another opportunity for additional states to establish new protections, and state legislatures in Alabama, Indiana, Nebraska, and West Virginia have already considered legislation largely based on FPF’s best practices.
2024 is also an opportunity for states with existing laws, including the four states that passed laws in 2023, to establish additional protections for individuals’ genetic data and adopt FPF’s best practices around law enforcement access to data, minors’ rights to their genetic data, and transparency for privacy policy changes. While these laws establish baseline genetic privacy protections that are in line with FPF’s best practices and consistent with existing state genetic privacy laws, they have left space for future legislators to further consider additional protections needed in the areas of law enforcement access to data post-Dobbs, children’s and teens’ online privacy, and direct-to-consumer genetic testing companies’ embrace of emerging technologies.
By fully incorporating FPF’s best practices, states can promote a more privacy-protective genetic testing ecosystem and strive to better address the privacy issues that emerged in 2023 and continue to be a priority in 2024. In doing so, states can also raise the standard for genetic data privacy and effectively complement the federal government’s approach to regulating direct-to-consumer genetic testing companies.
FPF Awarded DOE and NSF Grants to Advance Privacy Enhancing Technologies & AI
The Future of Privacy Forum (FPF) has been awarded grants by the Department of Energy (DOE) and the National Science Foundation (NSF) to support FPF’s establishment of a Research Coordination Network (RCN) for Privacy-Preserving Data and Analytics. FPF’s work will support the development and deployment of Privacy Enhancing Technologies (PETs) for beneficial data sharing and analytics. Most notably, the RCN will bring together a multi-stakeholder community of academic researchers, industry practitioners, policymakers, and other stakeholders to advance the adoption of PETs in the context of AI and other key technologies.
“Since its founding, FPF’s work has been driven by a belief in the fair and ethical use of technology to improve people’s lives,” said John Verdi, FPF’s Senior Vice President for Policy, who will serve as the RCN’s principal investigator. “We are convening a multidisciplinary, cross-sector, and international group of experts to better understand the risks of data sharing and analytics and how PETs can and cannot mitigate those risks.”
The DOE-NSF grants will enable FPF to establish a robust expert network with members from academia, industry, government, and civil society to discuss and develop best practices for advancing PETs. Its goals are to facilitate ethical data use, stimulate responsible scientific research and innovation, and enable individuals and society to benefit from data sharing and analytics.
The RCN will operate in two interrelated parts:
An interdisciplinary and cross-sector Expert Group on Privacy Enhancing Technologies for Research and Analysis focused on advancing PETs to support responsible scientific research and innovation in ways that protect privacy and
A Regulator Sub-Group, focused specifically on legal and regulatory mechanisms supporting the development and use of PETs.
“Privacy-enhancing technologies are increasingly important in today’s data-driven landscape. They allow us to safeguard sensitive datasets and information needed to advance a broad research, development, and demonstration portfolio,” said Asmeret Asefaw Berhe, Director of DOE’s Office of Science. “This Research Coordination Network will help us move toward the shared goal of establishing new standards for data safety and security that will allow us to continue to develop the innovations and scientific discoveries we need to achieve our clean energy and industrial goals.”
The awarded grants build on FPF’s years-long track record of convening private-sector stakeholders and regulators to discuss responsible data sharing and the deployment and regulation of PETs, including its Privacy Research and Data Responsibility RCN and Global PETs Network.
“This crucial investment represents our commitment to advancing the foundations of responsible AI and privacy-enhancing technologies,” said Dilma DaSilva, Acting Assistant Director for NSF’s Computer and Information Science and Engineering Directorate. “This effort supports research and development that enables individuals and society to benefit from the value derived from privacy preserving data sharing and analytics.”
The RCN will inform the public debate on PETs, provide useful information to policymakers, and contribute to the development of systems and products to support AI. For more information about the RCN and how to get involved, please contact [email protected]. To keep updated on similar issues and emerging topics, apply to join the Ethics and Data in Research Working Group.
The Research Coordination Network (RCN) for Privacy-Preserving Data Sharing and Analytics is supported by U.S. National Science Foundation (Award #2413978) and the Department of Energy (Award #DE-SC0024884).
RECs Report: Towards a Continental Approach to Data Protection in Africa
On July 28, 2022, the African Union (AU) released its long-awaited African Union Data Policy Framework (DPF), which strives to advance the use of data for development and innovation, while safeguarding the interests of African countries. The DPF’s vision is to unlock the potential of data for the benefit of Africans, to “improve people’s lives, safeguard collective interests, protect (digital) rights and drive equitable socio-economic development.” One of the key mechanisms that the DPF seeks to leverage to achieve this vision is the harmonization of member states’ digital data governance systems to create a single digital market for Africa. It identifies a range of focus areas that would greatly benefit from harmonization, including data governance, personal information protection, e-commerce, and cybersecurity.
In order to promote cohesion and harmonization of data-related regulations across Africa, the DPF recommends leveraging existing regional institutions and associations to create unified policy frameworks for their member states. In particular, the framework emphasizes the role of Africa’s eight Regional Economic Communities (RECs) to harmonize data policies and serve as a strong pillar for digital development by drafting model laws, supporting capacity building, and engaging in continental policy formulation. This report provides an overview of these regional and continental initiatives, seeking to better clarify the state of data protection harmonization in Africa and to educate practitioners about future harmonization efforts through the RECs. Section 1 begins by providing a brief history of policy harmonization in Africa before introducing the RECs and explaining their connection to digital regulation. Section 2 dives into the four regional data protection frameworks created by some of the RECs and identifies key similarities and differences between the instruments. Finally, Section 3 of the report analyzes regional developments in the context of the Malabo Convention through a comparative and critical analysis and provides a roadmap for understanding future harmonization trends. It concludes that while policy harmonization remains a key imperative in the continent, divergences and practical limitations exist in the current legal frameworks of member states.
The seventh edition of the Brussels Privacy Symposium, jointly co-organized by the Future of Privacy Forum and the Brussels Privacy Hub, took place at the U-Residence of the Vrije Universiteit Brussel campus on November 14, 2023. The Symposium presented a key opportunity for a global, interdisciplinary convening to discuss one of the most important topics facing Europe’s digital society today and in the years to come: “Understanding the EU Data Strategy Architecture: Common Threads – Points of Juncture – Incongruities.”
With the program of the Symposium, the organizers aimed to transversally explore three key topics that cut through the Data Strategy legislative package of the EU and the General Data Protection Regulation (GDPR), painting an intricate picture of interplay that leaves room for tension, convergence, and the balancing of different interests and policy goals pursued by each new law. Throughout the day, participants debated the possible paradigm shift introduced by the push for access to data in the Data Strategy Package, the network of impact assessments from the GDPR to the Digital Services Act (DSA) and EU AI Act, and the future of enforcement of a new set of data laws in Europe. Attendees were welcomed by Dr Gianclaudio Malgieri, Associate Professor of Law & Technology at Leiden University and co-Director of the Brussels Privacy Hub, and Jules Polonetsky, CEO at the Future of Privacy Forum. In addition to three expert panels, the Symposium opened with keynote addresses by Commissioner Didier Reynders, European Commissioner for Justice, and Wojciech Wiewiórowski, the European Data Protection Supervisor. Commissioner Reynders specifically highlighted that the GDPR remains the “cornerstone of the EU digital regulatory framework” when it comes to the processing of personal data, while Supervisor Wiewiórowski cautioned that “we need to ensure the data protection standards that we fought for, throughout many years, will not be adversely impacted by the new rules.” In the afternoon, attendees engaged in a brainstorming exercise in four different breakout sessions, and the Vice-Chair of the European Data Protection Board (EDPB), Irene Loizidou Nikolaidou, gave her closing remarks to end the conference.
The following Report outlines some of the most important outcomes from the day’s conversations, highlighting the ways and places in which the EU Data Strategy Package overlaps, interacts, supports, or creates tension with key provisions of the GDPR. The Report is divided into six sections: the above general introduction; the ensuing section which provides a summary of the Opening Remarks; the next three sections which provide insights into the panel discussions; and the sixth and final section which provides a brief summary of the EDPB Vice-Chair’s Closing Remarks.
Colorado’s Approval of Global Privacy Control: Implications for Advertisers and Publishers
The privacy laws of both Colorado and California require organizations to recognize Universal Opt-Out Mechanisms (UOOMs), a tool through which a person can invoke their opt out rights broadly across all the websites they visit. While California has required responding to certain UOOMs since July 2021, the Colorado Attorney General has only recently approved their first tool – the Global Privacy Control – as valid within the scope of the state law. This sets the stage for organizations within the law’s jurisdiction to take appropriate action necessary to ensure that they are recognizing and responding to any person’s use of the GPC. Below we provide information for what organizations need to know about UOOMs going forward, including particular implementation challenges that must be addressed to avoid enforcement actions for falling afoul of the law.
Background
Governor Polis signed the Colorado Privacy Act (CPA) in July 2021, making Colorado the third state to pass a comprehensive privacy law. Among other things, the act requires the Colorado Attorney General to conduct a special process for approving Universal Opt Out Mechanisms (UOOMs) for people to use as a means of invoking their opt out rights. Under Colorado law, covered entities will be required to honor these UOOMs beginning July 1, 2024.
The Colorado AG’s office closed applications for UOOM tools on November 6, 2023. After a public comment period, the Colorado AG announced that only one tool – the Global Privacy Control (GPC) – would be acknowledged on the exclusive public list of acceptable UOOMs in Colorado.
The recognition of the GPC as a valid UOOM in Colorado leaves adtech vendors, advertisers, and publishers in a broadly similar place in both California and Colorado once enforcement begins this summer: Publishers will have to respond to valid GPC requests in both states; advertisers and vendors will have to adjust business practices accordingly. Although implementations of GPC must still satisfy the requirements of the CPA, Colorado’s decision aligns their enforcement of opt-out rights with those in California, creating momentum toward a national standard.
What should Advertisers, Publishers, and Other Organizations Know About the GPC and UOOMs in U.S. law
1. Implementations of GPC must still satisfy the requirements of CPA
Under the CPA, UOOMs in Colorado must satisfy three categories of rules. By selecting a single UOOM tool, the Colorado AG’s office has indicated that this is the only tool “recognized in so far as the UOOM or any authorized implementations meet the requirements of [the Colorado Privacy Act].”
The first and second of these rules relate to Notice and Choice under Rule 5.03 and Default Settings under Rule 5.04. The notice and choice requirements ask UOOM vendors to ensure that the signal represents an “affirmative, freely given, and unambiguous choice to opt out” of targeted advertising and data sales. The requirements for default settings seek to ensure the choice remains a genuine opt-OUT with respect to the device. The default browser installed on the device cannot simply negate the selection in a user interface to transform the user-facing mechanism into what would appear to be an opt-IN for the user. For browsers or browser extensions that do not come pre-installed on the device and that are marketed as tools for exercising a user’s opt out rights, the consumer’s decision to install and use these tools is considered an affirmative, freely given, and unambiguous choice.
The final requirement for UOOMs in the CPA is to follow Technical Specifications under Rule 5.06. The technical specification requirements make the tool “universal” in the sense that it can automatically transmit the opt-out to multiple publishers while remaining in compliance with other requirements, like the notice and choice requirements and the default settings requirements, and without unfairly disadvantaging controllers.
It is noteworthy that the AG’s office distinguishes between “the UOOM” – the GPC in this case – and “any authorized implementations” of the UOOM. Several organizations, including FPF, expressed broad support of the GPC while correctly observing that the GPC is a protocol-level technical specification and is implementable in valid and invalid ways in user-facing tools. Actual implementations of the GPC vary significantly in their interface and functionality. However, it is not clear what is required for an implementation to be “authorized”. One may read the language to require some additional recognition by the Colorado AG’s office (which has not produced a list of authorized implementations) or instead to include those implementations recognized by the creators of the GPC, which lists several implementations that support the GPC on their website. It is even possible that “authorized implementations” may refer to other authorized, yet-to-be-approved UOOMs and have nothing to do with the GPC.
Based on this analysis, it is technically possible for publishers to receive an invalid GPC signal originating from a tool that fails to implement other requirements of the CPA. However, discerning the validity of GPC signals as they are received may require publishers to implement otherwise invasive means, like browser fingerprinting.
2. GPC will be a multi-state enforcement priority for 2024
Despite the limitations of approving a technical specification, the decision in Colorado to recognize only the Global Privacy Control marks an alignment with California that the GPC should be a clear priority for organizations looking to avoid an enforcement action in 2024. Controllers in Colorado and businesses in California should earnestly implement appropriate means to receive these signals and respond in their advertising technology stack. Industry preparation should include some mechanism for differentiating data that has been opted-out of sale or sharing from data that has not.
The Colorado AG also indicated that the current public list (which, again, consists solely of the GPC) will be “prioritized for enforcement,” meaning publishers will likely be required to respond to GPC opt-out requests as soon as the enforcement date of July 1, 2024 rolls around. Any relevant on-going or concluded investigations in California since the AG settlement with Sephora have not resulted in publicly announced enforcement actions. However, it has remained an area of active interest, including recent discussions by the California Privacy Protection Agency (CPPA) regarding the possibility of requiring browser vendors to implement a feature allowing users to express their opt-out preferences to publishers.
3. Novel mechanisms may still be reconsidered in upcoming years
In naming the GPC as the current exclusive UOOM recognized in Colorado, Colorado AG also indicated that this did “not exclude additional UOOMs from meeting the requirements” in the future. This could mean the other shortlisted opt out mechanisms (i.e., the OptOut Code or the Opt-Out Machine) or some tool that has not yet been developed may be able to be approved in the future. However, the process for submitting applications is uncertain. The website is no longer accepting submissions, and although it may be opened to new submissions in the future, no plans for doing so are currently public.
The Colorado AG also indicated that when it does accept new applications, it will seek public comments on them in a similar process. The three applications listed in the shortlist each took different approaches to standardizing expression of user opt out preferences. The OptOut Code proposal focused on prepending a code to human-readable device names, the Opt-Out Machine proposed an automated email-based opt out mechanism, and the Global Privacy Control (GPC) proposed using their HTTP-based protocol-level specification in Colorado, having already been recognized as a UOOM in California.
Challenges Ahead for Enforcement
Enforcement of the Colorado Privacy Act’s requirements for opt-outs will begin later this year. Although the Colorado AG selected the GPC, they did not reveal their rationale or respond substantively to the concerns raised during the comment process. As a result, specific enforcement techniques and investigative approaches are hard to predict. At least four enforcement challenges exist for Colorado: (1) responding to the GPC alone may not be enough to ensure compliance with the CPA, (2) confirmation of signals by controllers is not required, making verification of the receipt of valid signals difficult, (3) invalid GPC signals are difficult to detect definitively, and (4) the current move toward enforcement is happening at a time of transition in the industry at large.
First, responding to the GPC alone is not enough for compliance with the CPA. Although the GPC specification includes optional requirements allowing publishers to confirm to users that they have received the GPC signal, this confirmation is not technically tied to any advertising that appears on the publisher site. In other words, it is possible for a publisher site to continue serving targeted ads while confirming to users that their GPC opt-out signal has been received, either intentionally or accidentally. The Colorado AG will need some mechanism for discerning whether any advertising displayed was targeted or not. For people who have invoked the GPC, publishers are likely to replace targeted advertising with contextual advertising, and these ads may be served by similar ad servers, making discernment challenging. (The opt-out also applies to the sale of personal data, but that would not be immediately obvious to an enforcement agency in a single web browsing session regardless of the GPC configuration.)
Second, optional confirmation requirements in the GPC specification are not strictly required by the CPA. Although confirmation may be useful for users, advertisers, and publishers seeking to test their configuration of their GPC tool of choice, their utility as part of regulatory enforcement remains unclear, and without them it is unclear how Colorado enforcement agencies will determine whether a signal has been received and responded to. It is worth noting here that California’s recently proposed revisions to the California Consumer Privacy Act (CCPA) would require businesses to display the status of the consumer’s choice.2
Third, invalid implementations of the GPC can transform the opt-out into a user-facing opt-in. Developers of privacy-oriented browsers and browser extensions have evinced a desire to make the user’s experience of setting up both the browser and the GPC as fast and easy as possible, but the legal environment is inherently complex. The installation and configuration process for these tools will be critical to ensuring that GPC signals are valid in each jurisdiction where they are intended to apply. The GPC signal does not embed information on which browser, extension or tool sent the signal. This can make it difficult for organizations seeking to determine a mechanism’s validity and investigators seeking to respond to GPC signals sent using an invalid mechanism or configuration. Investigators will also have to determine if the person covered by the signal is a Colorado resident.
Finally, enforcement of the CPA comes at a time when the industry is transitioning away from the third-party cookie and toward new advertising APIs, presenting an additional challenge for discernment of targeting information. Publishers will need to be able to connect receipt of the GPC signal to their new infrastructure for advertising APIs during this transition. Similarly, Colorado’s enforcement will need to be able to verify compliance with the CPA, including responses to valid GPC signals, during this industry transition. Many other states are considering comprehensive privacy laws, some with subtly different opt out rights. Colorado has indicated that they prefer a harmonious, multi-state approach where possible, but this possibility remains an open question as states consider new approaches to privacy.
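How the signal and its optional confirmation look to a publisher, as an added example rather than code from FPF or the GPC project: the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` support resource come from the GPC specification, while the function names and the decision-log fields (`requestId`, `targeting`, `allowSale`) are hypothetical. It shows that the confirmation is independent of ad selection, so a publisher has to check its own ad decisions against the header.

```javascript
'use strict';

// The GPC request header is `Sec-GPC`; "1" is its only defined value.
// It carries no information about which browser, extension or tool sent it,
// and nothing about where the user resides.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Body of the optional support resource served at /.well-known/gpc.json.
// Serving it is a static statement; nothing ties it to ad selection.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Hypothetical publisher logic: an ad decision that is wired to the signal.
function decideAd(headers, hasProfile) {
  const optedOut = gpcFromHeaders(headers);
  return {
    targeting: optedOut || !hasProfile ? 'contextual' : 'behavioral',
    allowSale: !optedOut,
  };
}

// Self-audit over the publisher's own decision log: return the ids of
// requests that carried a valid signal but were still targeted or still
// marked as eligible for sale.
function auditDecisionLog(entries) {
  return entries
    .filter((e) => gpcFromHeaders(e.headers))
    .filter((e) => e.targeting !== 'contextual' || e.allowSale !== false)
    .map((e) => e.requestId);
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  { requestId: 'r1', headers: { 'Sec-GPC': '1' }, targeting: 'contextual', allowSale: false },
  { requestId: 'r2', headers: { 'sec-gpc': '1' }, targeting: 'behavioral', allowSale: false },
  { requestId: 'r3', headers: { 'User-Agent': 'ExampleBrowser/1.0' }, targeting: 'behavioral', allowSale: true },
  { requestId: 'r4', headers: { 'Sec-GPC': '0' }, targeting: 'behavioral', allowSale: true },
  { requestId: 'r5', headers: { 'SEC-GPC': ' 1 ' }, targeting: 'contextual', allowSale: true },
];

console.log(gpcSupportResource('2024-01-01T00:00:00Z'));
console.log(auditDecisionLog(SAMPLE_LOG));
```

In the sample, `r2` and `r5` are flagged even though the site would answer every one of these users with the same `gpc.json` confirmation.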
Conclusion
Colorado’s adoption of the GPC as the only valid universal opt out mechanism, for now at least, represents a critical step for vendors, advertisers, publishers, and users. Broad alignment with California marks this as important outside of Colorado as well, particularly with other states adopting or considering comprehensive privacy laws. Although some challenges and open questions remain, covered entities should earnestly work towards compliance to be able to honor these UOOMs beginning July 1, 2024.
1 Note that this requirement may complicate the default setting requirements discussed earlier given Colorado’s differentiation between a browser that comes pre-installed on a device and one that does not.
2 See page 40, in § 7025 on Opt-out Preference Signals.
FPF Health & Wellness: Mapping the 2024 Health Privacy Landscape, A 2023 Retrospective
In 2024, health and wellness-focused companies are increasingly integrating AI to streamline their services–with the expansion of AI-enabled digital health, the universe of potential health inferences will also expand, triggering new concerns about patient and consumer privacy. At this intersection of reproductive health privacy and AI concerns, state legislators and federal regulators appear poised to take more action on health data privacy, with specific attention to reproductive health privacy and genetic data privacy. As we look ahead to further developments, it is prudent to look back and understand exactly where the regulatory landscape stands and how we got here…
In 2023, health data privacy developments were nearly all related to the continuing development of privacy law responses to the Supreme Court’s Dobbs decision and subsequent moves by states to bar access to certain reproductive health care services and to criminally prosecute individuals seeking access to that care. As reproductive health care remains in jeopardy in several states, we expect that reproductive health data privacy will continue to drive broader action on health data privacy. In this 2023 retrospective, FPF has identified the top themes of health legislation and regulation while looking ahead to 2024.
FPF Joins the NIST Artificial Intelligence Safety Consortium
The Future of Privacy Forum (FPF) is collaborating with the National Institute of Standards and Technology (NIST) in the U.S. Artificial Intelligence Safety Institute Consortium to develop science-based and empirically backed guidelines and standards for AI measurement and policy, laying the foundation for AI safety across the world.
This initiative will help prepare the U.S. to address the capabilities of the next generation of AI models or systems, from frontier models to new applications and approaches, with appropriate risk management strategies.
“As an organization that has been at the forefront of responsible data practices for more than a decade, FPF is honored to be included in the list of influential and diverse stakeholders involved in the U.S. AI Safety Institute Consortium assembled by the National Institute of Standards and Technology. We look forward to contributing to the development of safe and trustworthy AI that is a force for societal good.”
Jules Polonetsky, CEO, FPF
The consortium includes more than 200 member companies and organizations that are on the frontlines of creating and using the most advanced AI systems and hardware, the nation’s largest companies and most innovative startups, civil society and academic teams that are building the foundational understanding of how AI can and will transform our society, and representatives of professions with deep engagement in AI’s use today.
The consortium will be housed under the U.S. AI Safety Institute (USAISI) and will contribute to priority actions outlined in President Biden’s landmark Executive Order, including developing guidelines for red-teaming, capability evaluations, risk management, safety and security, and watermarking synthetic content. Additional information on this Consortium can be found here.
The Garden State Joins the Comprehensive Privacy Grove
On January 16, 2024, Governor Murphy signed S332 into law, making New Jersey the thirteenth U.S. State to adopt a comprehensive privacy law to govern the collection, use, and transfer of personal data. S332 endured a long and circuitous route to enactment, having been introduced in January 2022 and amended six times before being passed by both chambers during the waning hours of New Jersey’s legislative session. The law will take effect on January 15, 2025. S332 bears a strong resemblance to other laws following the Washington Privacy Act (WPA) framework, particularly those passed in Delaware, Oregon, and Colorado. Nevertheless, S332 diverges from existing privacy frameworks in several significant ways. In this blog we highlight eight unique, ambiguous, or otherwise notable provisions that set S332 apart in the U.S. privacy landscape.
1. Private Right of Action Confusion
One ongoing controversy regarding S332 is whether the law could provide the basis for a private right of action. S332 specifies that the New Jersey Attorney General has “sole and exclusive authority” to enforce a violation of S332 and that nothing in the law shall be construed as providing the basis for a private right of action for violations of S332. A late amendment removed language stating that S332 should not be construed as providing the basis for a private right of action “under any other law.” Industry members raised concerns that the removal of this language opens up the possibility of private lawsuits by tying alleged violations of the law to causes of action under other laws. In his signing statement, Governor Murphy attempted to assuage industry fears by noting that “nothing in this bill expressly establishes such a private right of action” and “this bill does not create a private right of action under this law or under any other law.” Some industry members remain unconvinced, however, and continue to advocate for clarifying amendments.
2. Data Protection Assessments Prior to Processing
New Jersey joins the majority of state privacy laws in requiring that controllers conduct a data protection assessment (DPA) for any data processing activity that “presents a heightened risk of harm to a consumer.” New Jersey is notable, however, for explicitly requiring that the DPA occur before initiating any such high risk processing activities. Prior to New Jersey, only the Colorado Privacy Act’s implementing regulations required that DPAs occur prior to initiating processing. Following the NetChoice v. Bonta litigation, which saw California’s Age-Appropriate Design Code Act preliminarily enjoined, this requirement could raise First Amendment concerns if it is interpreted as a prior restraint on speech.
3. Thresholds for Applicability
S332 is notable for not including a revenue threshold in its applicability provisions. The law applies to controllers that control or process the personal data of either (a) at least 100,000 New Jersey residents annually, or (b) at least 25,000 New Jersey residents annually and the controller derives revenue from the sale of personal data. Prong (b) differs from the majority of existing privacy frameworks, which tend to require that the controller derive at least a certain percentage of revenue from personal data sales (e.g., 25%) to be covered. This is another similarity between S332 and the Colorado Privacy Act, which sets the same thresholds.
The carve outs in S332 are similar to those in the Delaware Personal Data Privacy Act. S332 includes data-level exemptions for protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) and “personal data collected, processed, sold, or disclosed by a consumer reporting agency” insofar as those processing activities are compliant with the Fair Credit Reporting Act (FCRA). With respect to the financial industry, S332 joins the majority of states by providing entity-level and data-level exemptions for financial institutions and their affiliates subject to Title V of the Gramm-Leach-Bliley Act (GLBA). Notably, however, S332 does not contain exemptions for nonprofits, higher education institutions, or personal data regulated by the Family Educational Rights and Privacy Act (FERPA).
4. Rulemaking
New Jersey becomes just the third state, after California and Colorado, to provide for rulemaking in its comprehensive privacy law. The Act charges the Director of the Division of Consumer Affairs in the Department of Law and Public Safety with promulgating rules and regulations necessary to effectuate the purposes of S332. This provision includes no details on the timeframe or substance of rulemaking, other than that the New Jersey Administrative Procedure Act applies. As the rulemaking process unfolds, this could be a valuable opportunity for stakeholders to seek clarity on some of S332’s ambiguous provisions.
5. Ambiguity on Authorized Agents and UOOMs
New Jersey joins Colorado, Connecticut, Delaware, Montana, Oregon, and Texas in allowing an individual to designate an authorized agent to exercise the individual’s right to opt out of processing for certain purposes. S332’s authorized agent provision has two ambiguities. First, subsection 8(a) specifies that an individual can designate an authorized agent to “act on the consumer’s behalf to opt out of the processing and sale of the consumer’s personal data.” (Emphasis added.) As written, this provision would create a broad opt-out right with respect to all processing, distinct from the explicitly established opt-out rights in the bill. It is more likely that this provision is intended to be limited to opting-out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. The second ambiguity is the qualifier that an individual can use an authorized agent designated using technology to opt-out of profiling only “when such technology exists.” It is not clear who or what determines the availability of such technology.
S332 also joins California, Colorado, Connecticut, Montana, Oregon, and Delaware in requiring that controllers allow individuals to opt out of the processing of personal data for targeted advertising or the sale of personal data on a default basis through a universal opt-out mechanism (UOOM). Designed to reduce the burden on individuals attempting to exercise opt-out rights, UOOMs encompass a range of tools providing individuals with the ability to configure their devices to automatically exercise opt-out rights through a preference signal when interacting with a controller through a desktop or mobile application. S332’s statutory requirements for a UOOM, however, are ambiguous and inconsistent with those in existing privacy frameworks. Specifically, one requirement is that a UOOM cannot “make use of a default setting that opts-in a consumer to the processing or sale of personal data.” (Emphasis added.) This is clearly inconsistent with the purpose of a universal opt-out mechanism, which is to opt individuals out of such processing.
6. Adolescent Privacy
S332 continues and builds upon a trend of increased privacy protections for adolescents (while legislating around the existing, largely preemptive COPPA regime for individuals 12 and under). For individuals who the controller actually knows are 13-16 years old, or whose age it willfully disregards, the controller must obtain consent from the teens before processing their personal data for the purposes of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects. Several states have iterated on adolescent privacy protection in recent years by requiring consent for these processing purposes. Delaware raised the bar when it required such consent for individuals aged 13 through 17, but it did not extend the opt-in consent requirement to profiling. Oregon was the first state to include profiling in the opt-in consent requirement, but its age range was slightly narrow at 13 through 15. New Jersey is unique and arguably goes the furthest by extending the opt-in consent requirement to cover individuals aged 13 through 16 and extending this requirement to profiling in furtherance of decisions that produce legal or similarly significant effects.
7. Expansive Definitions of Sensitive Data and Biometric Data
S332’s definitions of sensitive data and biometric data (which require opt-in consent to process) continue and build upon trends seen in stronger iterations of the WPA framework. S332’s definition of sensitive data includes additional categories seen in a minority of existing privacy frameworks, such as “status as transgender or non-binary” and “sex life.”
S332’s definition of sensitive data also goes beyond the other WPA-style laws in two ways. First, the coverage of health data is slightly expanded to include mental or physical health treatment (in addition to condition or diagnosis). Second, sensitive data also includes “financial information,” which it specifies “shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.” This category is new to the non-California laws.
The definition of biometric data is also broader than in most of the WPA-style laws, which consistently define biometric data as “data generated by automatic measurements of an individual’s biological characteristics.” S332, in contrast, defines biometric data as “data generated by automatic or technological processing, measurements, or analysis of an individual’s biological, physical, or behavioral characteristics,” and it explicitly includes facial mapping, facial geometry, and facial templates in its list of examples. This language is similar to the definitions of biometric data and biometric identifiers in the Colorado Privacy Act Rules.
8. Expanded Right to Delete
Finally, S332 provides an expanded right to delete with respect to third party data, first observed in Delaware. When a controller has lawfully obtained an individual’s personal data from a third party and the individual submits a deletion request, the controller must either (a) retain a record of the deletion request and the “minimum data necessary” to ensure that the individual’s personal data remains deleted and not use that retained information for any other purpose, or (b) delete such data. This is different from the majority of states, which instead allow a controller that obtains personal data from third party sources to respond to a deletion request by retaining such data but opting the individual out of processing activities that are not subject to a statutory exemption (such as fraud prevention or cybersecurity monitoring).
FPF Announces International Technology Policy Expert as New Head of Artificial Intelligence
FPF has appointed international technology policy expert Anne J. Flanagan as Vice President for Artificial Intelligence (AI). In this new role, Anne will lead the privacy organization’s portfolio of projects exploring the data flows driving algorithmic and AI products and services, their opportunities and risks, and the ethical and responsible development of this technology.
Anne joins FPF with almost 20 years of experience in international strategic technology governance and development. She has a proven track record of bringing together stakeholders worldwide, including businesses, governments, academics, and civil society organizations, to co-design policy frameworks that address our time’s most intractable technology policy issues.
“Anne is a true leader of efforts to establish policies and standards for emerging technologies,” said Jules Polonetsky, CEO of FPF. “The vast amounts of data that enable AI and the myriad uses are creating some of the most exciting opportunities for progress, but also some of the gravest risks the world has faced. We’re eager for Anne to build on FPF’s extensive current portfolio of AI projects and open up new initiatives.”
As Deputy Head of Division for Telecommunications Policy & Regulation at the Department of Communications, Climate Action, and Environment in Ireland, Anne was responsible for developing Ireland’s technical policy positions and diplomatic strategy regarding EU legislation on telecommunications, digital infrastructure, and data. She represented Ireland in the EU Digital Single Market Strategic Group at the European Commission and the Working Party on Telecommunications and Information Society at the Council of the European Union. Anne also played a crucial role in the EU’s early approach to AI governance, contributing to the foundational work on the EU’s Digital Single Market.
Since moving to the U.S. in 2019, Anne has held several senior positions in technology policy, including at the World Economic Forum’s Centre for the Fourth Industrial Revolution and, most recently, Reality Labs Policy at Meta Platforms Inc. In all of these senior roles, her research and expertise have helped technology business leaders shape responsible and sustainable technology development.
“I have seen global leaders, from governments to CEOs, struggle with developing AI in an ethical and responsible manner,” said Flanagan. “This is complicated by the unprecedented speed in AI innovation and an intersection with other emerging technologies and policy issues. As we think about managing AI, human centricity needs to be at the forefront of any approach, and therefore, the importance of data stewardship becomes vital. I’m excited for this opportunity at such a distinguished organization as the Future of Privacy Forum, where these concerns are already front and center. I look forward to working towards building sustainable and trustworthy policy solutions with diverse stakeholders globally.”
Anne holds a Masters in Economics and Political Science from Trinity College Dublin, a Masters in International Relations from Dublin City University, and a Masters of Business Administration from Trinity College Dublin. A former appointee to the UK Government’s International Data Transfers Expert Council, Anne is also a Member of the Board of Advisors of the Innovation Value Institute (IVI) at Maynooth University and a recognized Woman Leader in Data and AI at WLDA.tech.
7 Essential Tips to Protect Your Privacy in 2024
Today, almost everything we do online involves companies collecting personal information about us. Personal data is collected and used for various reasons – like when you use social media, shop online, redeem digital coupons at the store, or browse the internet.
Sometimes, information is collected about you by one company and then shared or sold to another. While data collection can benefit both you and businesses – like connecting with friends, getting directions, or sales promotions – it can also be used in invasive ways unless you take control.
You can protect your personal data and information in many ways and control how it is shared and used. On this Data Privacy Day or Data Protection Day in Europe, recognized annually on January 28 to mark the anniversary of Convention 108, the first binding international treaty to protect personal data, the Future of Privacy Forum (FPF) and other organizations are raising awareness and promoting best practices for data privacy.
FPF is partnering with Snap Inc. to provide a privacy-themed Snapchat filter to spread awareness of the importance of data privacy to your networks. Share the pictures you took using our interactive lens on social media using the hashtag #FPFDataPrivacyDay2024.
Here are 7 quick, easy steps you can take to better protect your privacy online and when using your mobile device.
1. Check Your Privacy Settings on Social Media
Many social media sites include options on how to tailor your privacy settings to limit how data is collected or used. Snap provides privacy options that control who can contact you and many other options. Start with the Snap Privacy Center to review your settings. You can find those choices here.
Snap also provides options for you to view any data they have collected about you, including account information and your search history. Downloading your data allows you to view what information has been collected and modify your settings accordingly.
Instagram allows you to manage various privacy settings, including who has access to your posts, who can comment on or like your posts, and what happens to posts after you delete them. You can view and change your settings here.
TikTok allows you to decide between public and private accounts, allows you to change your personalized ad settings, and more. You can check your settings here.
Twitter/X allows you to manage what information you allow other people on the platform to see and lets you choose your ad preferences. Check your settings here.
Facebook provides a range of privacy settings that can be found here.
In addition, you can check the privacy and security settings for other popular applications such as BeReal and Pinterest here. Be sure to also check your privacy settings if you have a profile on a popular dating app such as Bumble, Hinge, or Tinder.
What other social media apps do you use often? Check to see which settings they provide!
2. Limit Sharing of Location Data
Most social media apps and websites will ask for access to your location data. Do they need it for some obvious reason, like helping you with directions, showing your nearby friends, or perhaps a store location you’re looking for? If not, feel free to opt-out of location data. Be aware that location data is often used to personalize ads and recommendations based on locations you have recently visited. Allowing access to location services may also permit sharing of location information with third parties.
To check the location permissions allowed for apps on an iPhone or Android, follow the below steps.
Navigate to “Settings,” then “Location,” and then “App Location Permissions.”
Select the app you would like to prevent from accessing your location.
Make sure “Not Allowed” or “Allowed only while in use” is selected.
3. Keep Your Devices & Apps Up to Date
Keeping software current and up to date is the only way to ensure your device is protected against the latest software vulnerabilities. Installing the latest security software, web browsers, and operating systems is the best way to protect against various online threats. By enabling automatic updates on your devices, you can be sure that your apps and operating systems are always up to date.
Users can check the status of their operating systems in the settings app.
For iPhone users, navigate to “Software Update,” and for Android devices, look for the “Security” page in settings.
4. Use a Password Manager
Utilizing a strong and secure password for each web-based account helps ensure your personal data and information are protected from unauthorized use. Remembering passwords for every account can be difficult, and using a password manager can help. Password managers save passwords as you create and log in to your accounts, often alerting you of duplicates and suggesting the creation of a stronger password.
For example, if you use an Apple product when signing up for new accounts and services, you can allow your iPhone, Mac, or iPad to generate strong passwords and safely store them in iCloud Keychain for later access. Some of the best third-party password managers can be found here.
5. Enable Two-Factor Authentication
Two-factor authentication adds an additional layer of protection to your accounts. The first authentication is the standard username and password combination used for years. The second factor is a text message or email with a code sent to a personal device. This added step makes it harder for malicious actors to access your accounts. Two-factor authentication only adds a few seconds to your day but can save you from the headache and harm that comes from compromised accounts. To be even safer, use an authenticator app as your second factor.
Remember to adjust your settings regularly, staying on top of any privacy changes and updates made on the web applications you use daily. Protect your data by being intentional about what you post online and encouraging others to look at the information they may share. By adjusting your settings and making changes to your web accounts and devices, you can better maintain the security and privacy of your personal data.
6. Use End-to-End Encryption for Secure Messaging
Using applications with secure end-to-end encryption, such as Signal and ProtonMail, ensures that only you and the intended recipient can read your messages. Other applications such as WhatsApp and Telegram are also end-to-end encrypted, though be sure to update your settings in Telegram as messages are not encrypted by default.
As many of us share sensitive information with our families and friends, it’s critical to be mindful of how our personal information is shared and who has access to it.
What better time to reassess our data practices and think about this important topic than during Data Privacy Day?
7. Turning off Personalized Ads
Take control of how companies use your personal information to advertise to you by going into the settings of your applications. See below for how-to guides with quick, step-by-step instructions to turn off ad personalization for popular apps you may be using: