data privacy issues in west virginia and beyond: a

Consumer Law Scholarship The Center for Consumer Law and Education

6-24-2021

Data Privacy Issues in West Virginia and Beyond: A Data Privacy Issues in West Virginia and Beyond: A

Comprehensive Overview Comprehensive Overview

Jena Martin West Virginia University College of Law, [email protected]

Follow this and additional works at: https://researchrepository.wvu.edu/consumerlaw_scholarship

Part of the Consumer Protection Law Commons, and the Privacy Law Commons

Recommended Citation Recommended Citation Martin, Jena, "Data Privacy Issues in West Virginia and Beyond: A Comprehensive Overview" (2021). Consumer Law Scholarship. 1. https://researchrepository.wvu.edu/consumerlaw_scholarship/1

This Article is brought to you for free and open access by the The Center for Consumer Law and Education at The Research Repository @ WVU. It has been accepted for inclusion in Consumer Law Scholarship by an authorized administrator of The Research Repository @ WVU. For more information, please contact [email protected].

https://researchrepository.wvu.edu/

https://researchrepository.wvu.edu/

https://researchrepository.wvu.edu/consumerlaw_scholarship

https://researchrepository.wvu.edu/consumerlaw

https://researchrepository.wvu.edu/consumerlaw_scholarship?utm_source=researchrepository.wvu.edu%2Fconsumerlaw_scholarship%2F1&utm_medium=PDF&utm_campaign=PDFCoverPages

http://network.bepress.com/hgg/discipline/838?utm_source=researchrepository.wvu.edu%2Fconsumerlaw_scholarship%2F1&utm_medium=PDF&utm_campaign=PDFCoverPages

http://network.bepress.com/hgg/discipline/1234?utm_source=researchrepository.wvu.edu%2Fconsumerlaw_scholarship%2F1&utm_medium=PDF&utm_campaign=PDFCoverPages

https://researchrepository.wvu.edu/consumerlaw_scholarship/1?utm_source=researchrepository.wvu.edu%2Fconsumerlaw_scholarship%2F1&utm_medium=PDF&utm_campaign=PDFCoverPages

mailto:[email protected]

Data Privacy Issues in West Virginia and Beyond: A Comprehensive Overview1

Jena Martin, Professor of Law*

West Virginia University2

- with Contributions from the following Research Assistants: Cheryl Brown,3 Allyson Burrowes,4 Trista Campbell, 5 Jeremy Cook, 6 Jayda Guidry,7 Shawn Hogbin,8 Ashton Meyers, 9 and Julia Parillo. 10 February 2021

1

TABLE OF CONTENTS

TABLE OF CONTENTS ........................................................................................................................................ 1

I. INTRODUCTION ....................................................................................................................................... 3

II. HISTORY OF DATA PRIVACY ISSUES .......................................................................................................... 6

A. THE ERA OF BIG DATA ........................................................................................................................................... 6 1. Industry Practice ......................................................................................................................................... 7 2. Recent Federal Initiatives ............................................................................................................................ 9

III. CURRENT STATE LANDSCAPE ................................................................................................................. 13

A. OVERVIEW OF THE STATES .................................................................................................................................... 13 B. CALIFORNIA CONSUMER PRIVACY ACT (CCPA) ........................................................................................................ 14 C. WEST VIRGINIA .................................................................................................................................................. 14 D. THE UNIFORM LAW COMMISSION’S WORK ............................................................................................................. 15 E. OTHER INITIATIVES – REGULATING DATA BROKERS ................................................................................................... 18

IV. OVERVIEW OF DATA PRIVACY AROUND THE WORLD .............................................................................. 18

A. OVERALL VIEW ................................................................................................................................................... 18 B. SPOTLIGHT ON THE GDPR .................................................................................................................................... 19

V. SPECIAL ISSUES FOR CONSIDERATION .................................................................................................... 21

A. ALGORITHMS AND DATA PRIVACY .......................................................................................................................... 21 B. FINANCE AND BANKING INSTITUTIONS .................................................................................................................... 25

1. Alternative Credit Scoring ......................................................................................................................... 25 2. What is Weblining? ................................................................................................................................... 26 3. The Rise of Alternative Financial Institutions ............................................................................................ 28

C. BIG TECH AND DATA PRIVACY ............................................................................................................................... 32 1. How Big Tech Companies Gather Consumer Information ........................................................................ 33 2. Spotlight on the Big Four and Concerns of Competition ........................................................................... 34 3. Stricter Federal Privacy Laws and the Impact they will have on Big Tech ................................................ 35

D. DATA BROKERS .................................................................................................................................................. 36 1. How Data Brokers Collect Consumer Data ............................................................................................... 36 2. Types of Data Collected by Data Brokers .................................................................................................. 37 3. Ways that Data Brokers Use Data ............................................................................................................ 38 4. Why Consumers are at Risk....................................................................................................................... 38

E. THE INTERNET OF THINGS: BIOMETRICS, WEARABLES, AND SMART CARS ...................................................................... 39 1. Constitutional Law and IoT Devices ............................................................................................................... 40 2. Biometric Data & Data Privacy ................................................................................................................. 42 3. Biometric Data & Data Privacy – Spotlight on West Virginia ................................................................... 44

F. DATA PRIVACY AND THE INSURANCE INDUSTRY......................................................................................................... 45 1. DATA PRIVACY AND HEALTH INSURANCE ................................................................................................................. 45

2. Spotlight on West Virginia – Laws related to Insurance Companies and Medical Records...................... 48 G. DATA PRIVACY AND THE PANDEMIC ....................................................................................................................... 57

1. COVID-19 Contact Tracing Apps ............................................................................................................... 58 2. How a Tracing App Works ......................................................................................................................... 58 3. International Utilization of Tracing Apps .................................................................................................. 59 4. Contact Tracing Apps in the United States ............................................................................................... 59 5. Potential Dangers of Contact-Tracing Apps and Possible Legal Solutions ............................................... 60 6. Competing Legislative Solutions ............................................................................................................... 61

VI. CONSIDERATIONS FOR WEST VIRGINIA .................................................................................................. 63

2

A. POLICY LANDSCAPE ............................................................................................................................................. 63 B. SUMMARY OF INITIAL SURVEY ............................................................................................................................... 63 C. SUMMARIES OF FOCUS GROUP SESSIONS ................................................................................................................ 65

1. General topics and discussions for focus group sessions based on survey participants ........................... 65

VII. RECOMMENDATIONS & PROPOSED BEST PRACTICES .......................................................................... 72

A. THE PROS AND CONS OF VARIOUS REGULATORY FRAMEWORKS .................................................................................. 73 B. GENERAL PRINCIPLES FOR DEVELOPING A REGULATORY FRAMEWORK .......................................................................... 75

VIII. CONCLUSION .................................................................................................................................... 77

APPENDIX A: GLOSSARY OF TERMS ................................................................................................................ 79

APPENDIX B: FURTHER RESOURCES................................................................................................................. 81

APPENDIX C: KEY FEDERAL LAWS THAT IMPLICATE PRIVACY ........................................................................... 86



APPENDIX D - KEY DEBATES IN THE UNIFORM LAW COMMISSION ................................................................... 89

APPENDIX E - LIST OF OTHER CASES AND AUTHORITIES .................................................................................. 94

APPENDIX F - 50 STATE SURVEY MAP ........................................................................................................... 142

APPENDIX G - A TALE OF TWO POLICIES: ...................................................................................................... 143

3

I. Introduction

“In our personal lives, we are increasingly connected to the internet and dependent on the conveniences that [it] can offer. We use mapping functions to find our way, we have phones that respond to voice commands, and we [have]

internet connected personal assistants in our homes that perform a variety of functions. All of these collect data about us which can be widely shared. In addition, the increase in the capacity of data management allows the aggregation of data which can paint a detailed picture of our habits, interests, our wants and our needs. Indeed, it is now possible for

companies to make personal identification from otherwise anonymous data points.”11

“We now live in an age of personal information. Such personal information drives the economy and can be used to influence policy, our elections, our identities,' and even our moods.”12

There is not one facet of our lives that does not, on some level implicate data. Corporations use

data which, in turn, implicates everything from how and when we shop, how and when we sleep, to our ability to access financial information and credit cards. In fact, data itself has become a form of currency, it is no wonder then that businesses are spending a significant amount to try and control as much this currency as possible. As technology advances there are higher risks associated with what type of information, we – either wittingly or unwittingly – allow businesses to use, often times to our detriment. As awareness of these risks increases among consumers, there is a commensurate rise in call for a legislative response to this issue.

This white paper was commissioned by the Center for Consumer Law and Education, a joint initiative launched by West Virginia University and Marshall University to “coordinate[] the development of consumer law, policy, and education research to support and serve consumers.”13 As such, this paper has a dual purpose: in addition to providing a comprehensive overview of the many different legal issues that affect data privacy concerns (both nationally and in WV) this paper will document and discuss the result of a survey and specific focus groups that were undertaken throughout the fall of 2019 into January 2020 where individuals within the state provided valuable feedback regarding what they felt were the most pressing data privacy issues and what they would like in a law. These responses (along with the extensive research that was undertaken regarding other statutes, cases and responses across the nation and the world) were used to formulate best practices for legislative recommendations. My recommendations are informed by both qualitative research (information and comments made by our survey respondents and focus groups participants) and desk-based research regarding what other jurisdictions and experts in the field have done.

While the focus of this white paper is on businesses, there is a significant overlap between the work that businesses undertake, which implicates data privacy and the work of governmental officials (particularly law enforcement).14 The harms to consumers can be both direct and indirect.15 At a foundational level there are issues with the basic privacy of consumer data. For instance, there are numerous studies which show that, in certain instances, data that was collected under the providence of being anonymized, can in fact be used to “re-identify” individuals who participated in the studies on conditions of anonymity.16

In addition, the use of algorithms, including some fueled by machine learning, have continued to

gain prominence in corporate business models. While, in the strictest sense, these practices do not specifically fall within the ambit of data privacy issues, a discussion of these issues is nonetheless important and relevant. Specifically, many of the issues involving data privacy arise from the data sets

4

that companies now have access to and that machine learning algorithms now are trained on a routine basis. Scholars have found that these issues, if left unchecked, can lead to incredibly harmful results for individuals.17 That being the case, limiting access to such data sets can benefit both data privacy challenges and discriminatory practices. As a result, many of the best practices18 that are examined here also implicate machine learning formulas.

A Note on the Organizational Structure:

While we have tried to create an organizational structure that relates to the relevant issues as flagged in our table of contents, we should note that much of this is interconnected: for instance, health insurance information relates to biometric data as well as credit scores; companies’ use of AI can implicate a number of things, including issues related to discrimination, privacy and data brokers. In those instances, we have attempted to guide the reader by indicating other places in the white paper that may be relevant.

5

What’s at Stake

6

II. History of Data Privacy Issues

It is easy to think of data privacy – particularly the means by which others use your personal information – as something that has developed only recently. In fact, however, the issues surrounding data privacy have been present almost since the founding of the nation itself.19 The idea of keeping personal information private has been at the heart of debates of representatives,20 judicial opinions21 and laws and regulations on both the federal22 and the state level.23 For instance, in West Virginia a wiretap law, making it illegal for someone to monitor telephone conversations except under very limited circumstances, has been on the books since 1987.24

So what’s different now? In short, the quantity of data that companies can collect about you, the amount of companies that are collecting the data, and what they do with it once they have it. This has occurred in a system where the amount of information collected about you has become known as the system of Big Data.

A. The Era of Big Data

“There is no question that organizations are swimming in an expanding sea of data that is either too voluminous or too unstructured to be managed and analyzed through traditional means.”25

One of the biggest changes that impacted privacy in the last few decades has been businesses’

ability to collect, keep and utilize data digitally. While collecting an individual’s data records has been requested and used by corporations for decades, what a company was able to keep indefinitely was limited by the sheer physical space needed to house all the information. The volume of documents that needed to be stored resulted in corporations destroying files and developing document retention practices to delete older information. In addition, prior to the use of computer programs, any information that a corporation wanted to collate and categorize had to be done by a human being – usually by hand. So, for instance, if an insurance company wanted to check what type of information a claimant had previously disclosed in another claim, it would require an individual to do research to see what, if any claims a claimant had previously filed, spend some time checking to make sure that the two claims were filed by the same individual (and not just two people with the same names) and then request the relevant box (or boxes) from whatever storage facility held that information. Then, depending on how many boxes of information were generated by the claim, the individual claims adjuster would have to go through all that information (almost certainly paper files) and see if there was any relevant information that would impact the current claim. With so much time and effort involved, many companies rightly concluded that whatever information an adjuster might glean was

The Difference between Data and Big Data

In the era before “big data” … a Starbucks co-founder “explained how they used to write down the order of every single person who came into the store and add it to a filing system. That way, when the customer came back, they were able to tell them what they ordered the previous time to better cater to their needs when they came back for a repeat purchase. Data collection like this was helpful to customers and positively received.” Now, however, the volume of data has removed the personal connection and replaced it with automation. From Forbes Magazine, The Rising Concern Around Data and Privacy.

https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=7c3699f3487e

7

not worth the time and expense to get. And so, the information would remain within the domain of that initial claim and that initial claim only.

Now however, documents that previously required thousands of square feet of space to store can be placed on a storage card that is the size of a thumb.26 Similarly, data that required thousands of hours to organize, collate, and sort can now all be done with the press of the button that activates a machine-learning algorithm. The effects of this switch are profound. Now, in theory, there are few limits to the amount of information that a business can acquire about you – leading some leading scholars to proclaim that many businesses know more about you then you know about yourself.27

As the business, SAS, noted:

The importance of big data doesn’t revolve around how much data you have, but what you do with it. You can take data from any source and analyze it to find answers that enable 1) cost reductions, 2) time reductions, 3) new product development and optimized offerings, and 4) smart decision making. When you combine big data with high-powered analytics, you can accomplish business-related tasks such as:

• Determining root causes of failures, issues and defects in near-real time.

• Generating coupons at the point of sale based on the customer’s buying habits.

• Recalculating entire risk portfolios in minutes.

• Detecting fraudulent behavior before it affects your organization.28 A succinct definition of big data is “data that is so large, fast or complex that it’s difficult or

impossible to process using traditional methods.”29 Under this definition, the key hallmarks for big data involved what has now become known as the “3 Vs.” As SAS states:

Volume: Organizations collect data from a variety of sources, including business transactions, smart (IoT) devices, industrial equipment, videos, social media and more. In the past, storing it would have been a problem – but cheaper storage on platforms like data lakes … have eased the burden. Velocity: With the growth in the Internet of Things,[30] data streams in to [sic] businesses at an unprecedented speed and must be handled in a timely manner. RFID tags, sensors and smart meters are driving the need to deal with these torrents of data in near-real time. Variety: Data comes in all types of formats – from structured, numeric data in traditional databases to unstructured text documents, emails, videos, audios, stock ticker data and financial transactions.31

As with many developments, the law has not kept pace with the change in technology.

1. Industry Practice

How Companies Use Your Data

8

Industry practice, in the form of self-regulation, is another means by which data privacy

initiatives have moved forward. For instance, the Fair Information Practice Principles are an evolving framework that has been adopted as guidelines to address consumer privacy.32 This trend has become accelerated in the wake of the European Union’s passage of the General Data Privacy Regulation (GDPR).33 Specifically, the GDPR requires corporations to develop codes of conduct relating to how they handle consumers’ data. While the GDPR allows corporations flexibility regarding what is in each specific code, it does require some minimal discussion regarding how the corporation handles data processing.34

However, for many corporations, there are limits to what a data privacy code of conduct can

do. For instance, many corporations’ entire business models are based upon the use of consumers’ data.35 As a result, any framework that would require a business to stop using data altogether would not be feasible because consumer data has rapidly become the primary way that these corporations generate a profit.

Origination: Creation & Capture

Raw data created, captured, sent to data

lakes from internet activity, point of sale,

apps, previously processed and stored data, etc. High risk of

card information exposure or theft.

Cleaning

Unnecessary or innacurate data

removed, remaining data classified and

organized. Vulnerable if not adequately secured, may still be encrypted.

Input

Transfer to CRM programs or data

warehouses, converted to machine-readable form.

Personal information may be vulnerable.

Processing

Algorithms applied, data processed depending on type and intended use. Becomes unencrypted. Personally identifiable

information is vulnerable.

Output & Interpretation

Translated into readable forms, charts, graphs,

tables. Interpreted. High risk of exposure of

personal data.

Storage, Retention, Deletion

Processed data is stored for later use or deleted.

High risk for personal information hacking,

breach, exposure, theft.

Collection

Raw data gathered from origination,

extracted from data lakes, warehouses. Risk of breach, information

may or may not be encrypted or otherwise

unidentifiable.

9

In addition, many consumers (including West Virginia residents) recognize the benefit that can come from businesses using your data. For example, during our focus groups, WV residents cited the ease, convenience, and access that comes from having corporations know and remember certain aspects of your data – such as marketing preferences and order history.

As such, most people seem to agree that the solution isn’t banning the collection and use of

consumer data altogether, rather it is finding solutions that allow for corporations to use consumer information responsibly.

2. Recent Federal Initiatives

There have been calls for the federal government to enact a national law on the issue of data

privacy.36 These calls have accelerated in recent years. For instance, in November 2019 competing bills related to data privacy were introduced in Congress: the Consumer Online Privacy Rights Act (COPRA) and the Consumer Data Privacy Act (CDPA). Each law was an attempt to expand data privacy protection. Specifically, the laws each attempted to regulate corporations’ use of consumer data, including by: (1) requiring companies to provide transparent privacy policies; (2) develop and maintain policies that are reasonably designed to prevent cybersecurity attacks; (3) conduct privacy risk assessments, and (4) “provide consumers a right to access, correct, and delete personal data.”37 However, neither of these initiatives resulted in federal legislation. It’s worth noting that, if a federal law were to be adopted, it would largely pre-empt the work that many states are undertaking in this area. To that end, some are urging federal lawmakers to allow states to tackle the issue first – instead of passing a federal law.

The Federal Trade Commission (FTC) has also been involved in the data privacy space.

Specifically, they are the primary38 federal agency examining data privacy issues, using their authority under Section 5 of the FTC Act to do so. The agency has used two legal theories to advance their arguments: (1) that the relevant company’s actions with regard to data privacy amounted to fraud and,

(2) that the relevant corporation’s conduct amounted to an unfair practice.39

In addition to lawmaking efforts, the President’s Council of Advisors on Science and Technology (PCAST) has been actively involved in the issue of data privacy. Examining their position on these issues offers a crucial perspective regarding where the federal government’s position might be.

Finally, the Department of health and Human Services has been actively involved in data privacy

issues, releasing a number of COVID-19 privacy related actions.40

Barriers to Federal Lawsuits for Data Privacy According to one researcher one of the biggest barriers to lawsuits moving forward, particularly in federal court, is the ability for plaintiffs to show that they had an actual injury. Why? Since most companies will refund the money for any economic harm that was suffered by the plaintiff. Unfortunately, any other harm would not be addressed in the courts. Fadja Tassey, Current Topics in Internet Law Data Breach Law School Student Scholarship at 14 (2018)

10

Current Notice and Consent Framework Cannot Effectively Protect Privacy41

• PCAST argues that the current privacy consent and notice framework is no longer feasible because of the constant and vast amounts of data that are gathered from every available source.42 It is unreasonable to believe that consumers are able or even willing to read every website or company’s terms of service, and to understand the legal ramifications of a user agreement or for consumers to do this every time they visit new websites.43 The Council “believes that the responsibility for using personal data in accordance with the user’s preferences should rest with the provider rather than with the user.”44 To achieve this, “third parties

chosen by the consumer (e.g., consumer‐protection organizations, or large app stores) could intermediate” where “a consumer might choose one of several ‘privacy protection profiles’ offered by the intermediary, which in turn would vet apps against these profiles.”45 Regulation and Privacy Protection Should Focus on Use Rather than Collection

• PCAST also states that “it is the use of a product of analysis, whether in commerce, by government, by the press, or by individuals, that can cause adverse consequences to individuals,” that this “is the most feasible place to protect privacy,” and

where regulation efforts should be focused.46 Further, “notice and consent fundamentally

places the burden of privacy protection on the individual” which “creates a non‐level playing field in the implicit privacy negotiation between provider and user.”47 Arguing that this non-level playing field is a sort of “market failure,” PCAST states that “in other contexts, market failures like this can be mitigated by the intervention of third parties who are able to represent significant numbers of users and negotiate on their behalf.”48 This third-party intervention could be implemented by allowing consumers “to associate themselves with one of a standard set of privacy preference profiles (that is, settings or choices) voluntarily offered by third parties.”49

• Additionally, “by vetting apps, the third‐party organizations would automatically create a marketplace for the negotiation of community standards for privacy” and “the Federal government (e.g., through the National Institute of Standards and Technology) could

encourage the development of standard, machine‐readable interfaces for the communication

In December 2020, then President

Trump signed into law the

Internet of Things

Cybersecurity Improvement

Act.

The Act, which relates to IoT

Technology requires that federal

agencies address cybersecurity

issues “throughout the

acquisition and operation of

Internet of Things devices by the

Federal Government.”1 The Act

requires that the Director of the

National Institute of Standards

and Technology develop rules

regarding the “appropriate use

and management by agencies of

Internet of Things devices” The

Act also requires that guidelines

be developed that relate to “the

reporting, coordinating,

publishing, and receiving of

information about— (A) a security

vulnerability relating to

information systems owned or

controlled by an agency

(including Internet of Things

devices owned or controlled by an

agency); and (B) the resolution

of such security vulnerability;

and (2) for a contractor

providing to an agency an

information system (including an

Internet of Things device).”

https://www.congress.gov/116/bills/hr1668/BILLS-116hr1668enr.pdf



11

of privacy implications and settings between providers and assessors.”50 However, PCAST also stated that

To implement in a meaningful way the application of privacy policies to the use of personal data for a particular purpose (i.e., in context), those policies need to be associated both with data and with the code that operates on the data. For example, it must be possible to ensure that only apps with particular properties can be applied to certain data. The policies might be expressed in what computer scientists call natural language (plain English or the equivalent) and the association done by the user, or the policies might be stated formally, and their association and enforcement done automatically. In either case, there must also be policies associated with the outputs of the computation, since they are data as well. The privacy policies of the output data must be computed from the policies associated with the inputs, the policies associated with the code, and the intended use of the outputs (i.e., the context). These privacy properties are a kind of metadata. To achieve

a reasonable level of reliability, their implementation must be tamper‐proof and “sticky” when data are copied.51

• Finally, PCAST points out that “privacy policies and the control of use in context are only effective to the extent that they are realized and enforced” and “technical measures that increase the probability that a violator is caught can be effective only when there are regulations and laws with civil or criminal penalties to deter the violators.”52 If that happens,

“then there is both deterrence of harmful actions and incentive to deploy privacy‐protecting technologies.”53

The Consumer Bill of Rights

• For the commercial or private sector, the Consumer Privacy Bill of Rights (CPBR) was introduced in 2012 to address “obligations for data holders, analyzers, and commercial users” and “consumer empowerments.”54 PCAST believes this is a valid start, but “discussions [were]

focused on the collection, storage, and retention of data, with an emphasis on the ‘small‐data’

contexts that motivated CPBR development,” and this will not be adequate to address a framework focused on regulation of usage rather than collection.55 Instead, “PCAST believes that such a focus will not provide a technologically robust foundation on which to base future policy that also applies to big data,” and “the increasing complexity of applications and uses of data undermines even a simple concept like ‘notice and consent.’”56

• These are framed in terms of consumer rights, including the “right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data:” the “right to reasonable limits on the personal data that companies collect and retain;” the “right to secure and responsible handling of personal data;” and the “right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.”57

12

Consumer Empowerments

• Under the CPBR, consumer empowerments are framed in terms of “a right to exercise control over what personal data companies collect from them and how they use it,” “a right to easily understandable and accessible information about privacy and security practices,” and “a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.”58 Because these “empowerments have become practically impossible for the consumer to exercise meaningfully, they need to be recast as obligations of the commercial entity that actually uses the data or products of data analysis.”59 To make notice and consent or other privacy empowerments workable, “the burden should no longer fall on the consumer to manage privacy for each company with which the consumer interacts by a framework like ‘notice and consent,’” but “rather, each company should take responsibility for conforming its uses of personal data to a personal privacy profile designated by the consumer and made available to that company (including from a third party designated by the consumer).”60 In

other words, “the burden of conforming to a consumer’s stated personal‐privacy profile should fall on the company, with notification to the consumers by a company if their profile precludes that company’s accepting their business.”61 The Council states that “since companies do not like to lose business, a positive market dynamic for competing privacy practices would thus be created.”62

Notice and Consent Going Forward

• Besides recommending that data privacy policy be focused on use rather than collection, PCAST also recommended “policies and regulation, at all levels of government, should not embed particular technological solutions, but rather should be stated in terms of intended outcomes.”63 In other words, “policy should address the purpose (the ‘what’) rather than the mechanism (the ‘how’)” because “regulating control” of “inappropriate disclosures…no matter how the data are acquired, is more robust” in protecting data than the traditional notice and consent framework.64

• PCAST also recommended that, “with coordination and encouragement from OSTP [Office of Science and Technology Policy], the NITRD [Networking and Information Technology

Research and Development] agencies should strengthen U.S. research in privacy‐related technologies and in the relevant areas of social science that inform the successful application of those technologies.”65 It points out that much of this technology is currently present, however, further research is necessary “in the technologies that help to protect privacy, in the

social mechanisms that influence privacy‐preserving behavior, and in the legal options that are robust to changes in technology and create appropriate balance among economic opportunity, other national priorities, and privacy protection.”66 Additionally, “investment is needed not only in privacy topics ancillary to security, but also in automating privacy protection for the broadest aspects of use of data from all sources” because “the creation of tools that analyze the panoply of National, state, regional, and international rules and regulations for inconsistencies and differences will be helpful for the definition of new rules and regulations, as well as for those software developers that need to customize their services for different markets.”67

• Another recommendation stated, “the United States should take the lead both in the

international arena and at home by adopting policies that stimulate the use of practical privacy‐

13

protecting technologies that exist today,” that “this country can exhibit leadership both by its convening power (for instance, by promoting the creation and adoption of standards) and also

by its own procurement practices (such as its own use of privacy‐preserving cloud services).”68

This can have a positive impact on data use and privacy because “by requiring privacy‐ enhancing services from cloud‐service providers contracting with the U. S. government, the government should encourage those providers to make available sophisticated privacy enhancing technologies to small businesses and their customers, beyond what the small business might be able to do on its own.”69

Taken together, these policies and initiatives highlight much of the current thinking regarding how

data privacy should be managed nationally. However, while these initiatives have been developing nationally, momentum has also been gathering within states around the country to find ways to address data privacy concerns.

III. Current State Landscape

There has been a range of reactions amongst the states with regard to how each is addressing data privacy issues. Most of the momentum has been around a push for the state legislatures to pass laws to address the issues. 70 However, in some states, courts have been actively involved in shaping what each consumer may already avail themselves of in connection with their data.71 This is consistent with the general types of remedies that consumers currently have access to, namely: “common law of torts, statutory rights, and regulatory law.”72 There are challenges to each particular category of remedy. For instance, for those consumers wishing to access the courts, the current legal theories that have (or can be used) were originally developed before the rise of big data. As such, the current causes of

actions (either ones that sound in contract or sound in tort) can be stymied. One researcher noted, “with data being transferred through multiple relationships, it is difficult for courts to determine who is obligated to whom. Therefore, the lack of traceability in data breach cases can create an almost insurmountable burden of proof for plaintiffs due to the fact that privity can potentially exist between multiple relationships.”73

A. Overview of the States

To some extent, each state in the

U.S. has been working to address data privacy concerns. For instance, all 50 states have passed laws that require businesses to notify individuals if the corporation has been affected by a data breach.74 Many of these laws pre-dated

Another Limitation of Data Notification Laws While much of the earliest regulatory focus was on requiring companies to notify consumers whenever it was collecting consumer data, more recent initiatives have moved beyond this. Why? Because, as researchers have pointed out, a major flaw of the data notification system currently in place in most states is that “it reacts to data breaches rather than prevents them which, in effect, circumvents the legislative purpose of ‘allow[ing] consumers to protect themselves against identity theft’ and ‘mitigat[e] damages resulting’ from data breaches.”1 Fadja Tassey, Current Topics in Internet Law Data Breach Law School Student Scholarship (2018)

14

the era of big data. There is also a patchwork of state laws regulating the collection of information by individuals.75 In addition, judicial opinions in various states around the nation have contributed to the development of law regarding what corporations can and cannot do with consumer data. While a comprehensive discussion of case law in each of the 50 states is beyond our scope,76 the map (found in Appendix G) does provide an overview regarding our assessment of how each state is handling issues surrounding data privacy. As the map shows, in most jurisdictions there is some basic protection for various ways that consumers and businesses interact around the issue of data privacy. However, many argue that states need to go beyond that and, instead, enact laws that provide a more comprehensive framework for data privacy. In that regard, the state of California has taken the lead with regard to this issue, enacting the California Consumer Privacy Act in 2018.

B. California Consumer Privacy Act (CCPA)

The CCPA is the most comprehensive state law on the issue of data privacy. The law, which came into effect in January 2020, gives consumers rights as outlined below77:

(1) the right to be aware of the types of personal information being collected, (2) the right to be aware of whether personal information is being shared and/or sold and to

whom, (3) the right to opt out of having personal information sold, (4) the right to access the personal information that has been collected, (5) the right to service free of discrimination if one chooses to exercise the rights outlined

above78. Another key characteristic of the CCPA is its expansive definition of personal information.

Under the law, personal information includes any information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”79 As such, things such as “IP addresses, browsing history, internet search information, geolocation data, biometric data, work history” and “education information” are all included under personal information.

In order to comply with the law, businesses must give consumers methods to request

information about their personal information and request information about their personal information if it’s being sold to a third party. In an instance where an individual has made this request, businesses have 45 days to comply.

C. West Virginia

While West Virginia has not enacted a comprehensive data privacy law, some statutes within the state touch on current data privacy issues. As indicated above, West Virginia passed data breach notification legislation in 2008.80 The law provides that any entity that has been subject to an unauthorized acquisition of a consumer’s personal data must notify the affected consumer. Although the statute does not provide a specific timeline, it does say that notification must occur “without unreasonable delay.”81 In addition to West Virginia’s data breach law, the state has also passed a law that limits the ability of businesses to access voter registration (a significant data source for many corporations) for commercial use. However, the law, in the words of one commentator, provides only “minimal statutory protection for voter data.” 82 As he notes, while “the state does restrict access

15

to telephone numbers, email addresses, and identification numbers (including Social Security numbers). … names, addresses, political parties, and registration status are all publicly available.”83 D. The Uniform Law Commission’s Work

In addition to laws that have already been enacted in various states, there is an effort underway to create a uniform state law on the issue of data privacy. The benefit of having a uniform law across states is that it allows businesses, individuals and lawyers to operate under generally the same framework while at the same time providing some discretion for particular legislatures if they would like to address needs that are more specific to their state. In addition, the process of drafting a uniform law is comprehensive, allowing many different stakeholders to participate in the process and give voice to any concerns that may arise.

The Uniform Law Commission

(ULC) is the oldest and largest organization in the country to gather these different stakeholders for the purposes of drafting uniform laws. In

2018, the ULC turned its sights on the issue of data privacy. First, it convened a study committee to determine whether a uniform law should be drafted to address data privacy issues. More recently, after the ULC decided that a uniform law was appropriate, they organized a drafting committee to begin the process of developing such a law. Keep in mind, that even when a law is successfully drafted, it is still up to each individual state to enact the law in their jurisdiction. They can do so as-is or with modifications. Either way, examining the current drafting act is another way for legislators, policy makers, individuals and industry to understand the concerns of stakeholders regarding the use of data and how lawmakers are hoping to regulate these issues.

The ULC calls its current law-making effort on the subject the Collection and Use of

Personally Identifiable Data (“CUPID”) Act. The law is meant to regulate commercial enterprises that collect and use personal data from their consumers. While the drafting process has undergone several phases, the committee hopes that a vote on CUPID will occur in the summer of 2021.

Why you should worry about your voter registration data being used by businesses

According to the FTC, “[data brokers] obtain the information from other data brokers that either hire people to visit local offices to compile the information or that have relationships with these offices that allow them to acquire this information automatically (e.g., through an online portal). The data brokers identified nearly twenty-five other data brokers from which they obtain state and local government information.” However, if you live in West Virginia … The state does restrict the use of this information to “noncommercial use.” Specifically, Under WV Code § 3-2-20 (c): “Lists of registered voters may be obtained for noncommercial purposes in data format on disk or as a printed list provided by the clerk of the county commission at a cost of one cent per name. No data file prepared under this subsection may include the registrant's telephone number, email address, Social Security number or driver's license number or nonoperator's identification number issued by the Division of Motor Vehicles.”

https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf

16

The drafting process has not been without controversy. Indeed, the committee members seem split regarding how expansive to make the protections of CUPID. The majority approach (which is the main draft that the drafting committee is working on) currently provides an expansive approach to data privacy. However, Commissioner Larry Metz created an “alternative draft” for the committee to consider. As Commissioner James Bopp, Jr. notes, this alternative draft provides for a much narrower view of regulation both in terms of which businesses were subject to regulation and what specific types of data was protected.84 In addition, this alternate draft allows a business to comply with CUPID by complying with other, similar privacy regimes.

Many of the issues highlighted in CUPID are ones that should be considered by lawmakers in any instance where data privacy is enacted. The issues flagged include the following: How Do you Define Data?

• The current draft’s definition of what is considered “personally identifiable information” has led both to arguments that the definition is too narrow and too expansive. These arguments don’t seem to align neatly between industry and privacy advocates. For instance, Microsoft has stated that the latest CUPID draft defined personal data much too narrowly to benefit consumer privacy; specifically, “it would cover only data associated with direct identifiers, and not the broader category of data that is ‘identifiable.’” Additionally, (according to the company) some of the definitions added to the draft “when combined with the narrow definition of ‘personal data,’ would mean that the bill fails to cover vast categories of modern data sets with serious privacy impacts.”85

How States Define your Data

17

What Data to Regulate?

• One of the areas of debate is whether publicly available data should fall under this law. In addition, if the data at issue also falls within the ambit of other regulated laws and statutes (such as HIPAA, FCRA and others), then many commentators have asked that this type of data be exempt from CUPID.

What Businesses to Regulate?

• Similarly, there has been a split regarding what industries need to comply with CUPID. In April, a banking coalition submitted a comment to the ULC arguing that the financial industry is already subject to extensive regulation,86 and “in recognition of the robust legal and regulatory privacy framework financial institutions are subject to, we strongly urge the Drafting Committee to adopt the proposed language revising the Draft Act’s Gramm Leach Bliley Act (GLBA) exception so that it is not limited to information subject to the GLBA, but instead exempts financial institutions subject to the GLBA.”87 However, not all industry groups favor this approach. Main Street Privacy Coalition, a business trade association that includes retailers, builders and hotels, submitted a comment arguing that the law should not include exemptions for those sectors seeking them because that would put the heaviest and most disproportionate burden on “consumer-facing businesses” like those represented by the Coalition.

Who has the Right to a Remedy?

• One of the longest running debates regarding any new major regulatory initiative is how to enforce it if businesses fail to comply. One way is to grant a state (or federal) agency the exclusive right to enforce the law. Another way is to give consumers an exclusive right to sue. A third option is to provide complementary powers – where both the agency and the consumer are able to pursue against a business that violates the law. Based on our survey results, for West Virginians, a combined approach is the one that is generally preferred by the state’s residents (see Section VI for a detailed analysis regarding state residents). In contrast, at least some industry commentators are not in favor of allowing consumers to have a private right of action in any form. For instance, the American Property Casual Insurance Company submitted a comment in April 2020 stating that it “strongly opposes” a private cause of action, arguing that it “serves only as a gotcha exercise and not as a tool to correct and punish egregious corporate behavior,”88 and “will only create a patchwork of legal opinions, which will erode the uniformity objectives of [the] Discussion Draft.”89 Further, it argued that a private cause of action may not “provide consumers any tangible benefits in the event of a concrete violation.”90 Another insurance company coalition submitted a comment with similar arguments.91

Who Should Police the Industry?

• Another question that has been raised regarding the current draft of the CUPID Act is how compliance should be policed. One possible framework would be to have businesses submit information regarding their policies and privacy assessments to the relevant regulatory agency for review and comment. Another structure would, instead, rely on the industry to police itself. For instance, a business could comply with the law by submitting a statement stating that it was in compliance with CUPID without providing any additional information. To the extent that the CUPID Act leans in that direction, privacy advocates and consumer groups have expressed concern that a self-policing framework would not provide adequate protection.

18

Other Issues at Stake in the CUPID Act

• In addition to the issues flagged above, the current draft of the CUPID Act has implications for the following issues that affect data privacy: (1) how much data a data processor is allowed to keep and collect; (2) whether businesses need consumer consent for the use of any personally identifiable data (as opposed to just specific categories of data), and; (3) the method by which consumers can opt-in or opt-out for having their data used. For a current copy of the ULC’s draft CUPID law see Appendix D.

One of the things that regulators often overlook is that, in many instances, businesses would welcome regulation if it would lead to a more streamlined process. Rather than having to tackle a myriad of various legislative frameworks, businesses would just have to tackle one.92 In that regard, some industry insiders have stated that they would ultimately prefer to have a uniform regulatory standard (allowing them to comply with one standard rather than countless frameworks).93

E. Other initiatives – Regulating Data Brokers

Legislatures have also taken other tacks to regulate data privacy. For instance, in January 2019, Vermont became the first state to regulate data brokers directly. The law requires all data brokers operating in the state to register with the state, shining a spotlight on an industry that many people depict as murky.94 In addition, the law “requires companies to spell out whether there’s any way for consumers to opt out of their data collections, to specify whether they restrict who can buy their data, and to indicate whether they’ve had any data breaches within the past year.”95 The hope is that, by requiring these businesses to register, states can help consumers become more informed regarding what happens to their data.96 California has since passed similar legislation, with other states (including Washington and Hawaii) also considering bills. However, none of the state laws require companies to disclose what consumer information they possess; instead they are only required to explain what policies they have in effect for consumers who wish to know.

Registering data brokers, in turn, seems to be part of a larger trend in 202097 for states to

consider many different aspects of data privacy regulation.

IV. Overview of Data Privacy Around the World

The issue of data privacy is a universal one. Because of its implication to the world-wide economy, countries around the world have taken steps to address the issue – using various regulatory frameworks at their disposal. In this section we provide a brief overview, highlighting laws that have gone into effect on this issue. For a complete examination of what each country has enacted, we would recommend this database by DLA Piper for further research.98

A. Overall View Generally speaking, countries have focused on several key categories in the development of a data

privacy law. They include: (1) the definition of personal information; (2) the level of comprehensiveness that each country has chosen to engage in – with some countries developing data

https://www.dlapiperdataprotection.com/

19

privacy laws that are broad in scope and others enacting laws that are narrower in nature; (3) whether to create a governmental agency to oversee these issues; (4) collection, disclosure, and use protocols for relevant companies. For instance, in 2019, Hong Kong began deliberations on potential amendments to its data privacy ordinance consistent with the themes listed above.99 Similarly, when the European Union developed the General Data Privacy Directive (the GDPR) it examined all of these parameters and their impact on consumers and companies.100 Many of the issues that countries confront stem from their pre-existing use of technology and the data generated by these uses. For example, Hong Kong is a hub of international business operations for many multi-national corporations doing business in Asia, and as a result, any data privacy law enacted would have a

significant impact on these corporations. In China, an estimated 20 million surveillance cameras operate in the country - some of these are capable of facial recognition technologies.101

B. Spotlight on the GDPR The General Data Protection Regulation (“GDPR”) came into effect May 2019 and applies to all members of the European Union. It is largely viewed as a world leader in effective data privacy legislation. The GDPR replaces the more than 20-year-old “data protection directive” that was the EU’s previous data protection framework. The EU considers protection of personal data a fundamental right. In addition to outlining the rights of individuals and the obligations on businesses and organizations covered by the regulation,

the GDPR also addresses “controllers” and “processors” specifically. Moreover, it differentiates personal data from sensitive personal data, both of which are covered under the regulation. As a general matter, the GDPR is effective at providing an over-arching regulatory framework on data privacy. However, there are some aspects related to data privacy that are outside the purview of the GDPR. For instance, Article 2 of the GDPR makes clear that the regulation only applies to activities that fall with the scope of EU law.102 In addition, States that are engaging in otherwise relevant activities are exempt from GDPR application if the aim of the State activity is related to national security. 103 The GDPR also addresses genetic and biometric data. Specifically, the law clearly defines and categorizes genetic and biometric data as “sensitive personal data,” allowing for stricter scrutiny of this type of data. 104 Genetic data is defined as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person, in particular, from an analysis of a biological sample from the natural person in question.” 105 Biometric data, in turn, is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural

The GDPR in a Nutshell

The General Data Privacy Regulation (GDPR) is a

law enacted in the EU that dictates how companies

can use your data.

According to Forbes Magazine:

“GDPR also forces companies to allow their

users the right to access their data, the right

for them to take that data and use it

elsewhere, as well as the right for consumers

to request that you erase their personal data

completely from your records. … The penalties

for breaking the GDPR’s guidelines are harsh,

with fines of up to 20 million euros, or up to 4%

of your annual revenue, whichever is greater”

https://www.forbes.com/sites/forbestechcouncil/2020/12/14/the-rising-concern-around-consumer-data-and-privacy/?sh=7c3699f3487e

20

person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.” 106 Any information that falls within these “special category of personal data,”107 cannot, with limited exceptions be processed.108 As such, the GDPR has narrowed the types of processing that can be done with sensitive data.

In addition, the GDPR established the European Data Protection Board (the Protection Board).109 The Protection Board is a separate agency with supervisory authority over issues related to the GDPR.110 Its specific duties extend to both supervising the implementation of the GDPR as well as enforcing the regulation for Member States.111 The Protection Board sets guidelines, recommendations and best practices to promote compliance with the Articles of the GDPR. The Board will also monitor the supervisory authorities of member countries to ensure the regulation is being correctly applied.112 Finally, the Board will create reports on the protection of personal data and advise the EU on proposed amendments. Under Article 51 of the GDPR, every Member State must create at least one independent public authority to oversee the application of this regulation. It is expected that these authorities, although independent, would cooperate with a lead supervisory authority.113 The GDPR lays out conditions, establishment rules, tasks, and powers for these supervisory authorities in Articles 53-58.114 Some of these tasks include overseeing and enforcing the application of this regulation, ensuring controllers and processors understand their obligations, providing data subjects with information of their rights under this regulation, and handling complaints from data subjects.115 Supervisory authorities also have the power to carry out investigations, order the controllers or processors to provide information, issue “reprimands, impose

temporary or definitive limitations” or bans, and “impose fines.”116

Comparing the US regulatory approach to

data privacy with the European Union

Jennifer Bauer, WVU Law Class of 2016, has

written extensively on issues related to data privacy.

For instance, in an article she wrote while at WVU

Law, Bauer identified six key differences between

data privacy frameworks in the U.S. and in Europe

at the time:

I. There is a fundamental presumption in the

EU that data cannot be processed in the EU

without a legal basis. In the US, Bauer

notes, “it is presumed permissible … unless

limited by law.”

II. There are significant more contractual limits

in the EU, a person cannot contract away

their right to privacy. In the US, they can.

III. The EU has a comprehensive data protection

coverage framework. The US has

approached it sector by sector.

IV. Bauer also states that “Privacy is a

fundamental right on par to freedom of

expression in the EU; whereas it is an

interest that is often secondary to more

explicit constitutional rights, like freedom of

speech in the United Sates.”

V. The EU has a much broader definitional

scope regarding what is personal data than

in the US.

VI. Finally, Bauer writes that, In the EU, “each

member-state has an independent authority

dedicated to data protection.” The US

doesn’t.

Jennifer Bauer, Playing Off-Key: Trans-Atlantic

Data Regulation in a Discordant World, 119 W.V.

L. Rev. 793, 798 -799 (2016)

21

*****

V. Special Issues for Consideration

The particular challenges and obstacles to a robust data privacy framework will depend

substantially on the specific industry where the issue arises. For instance, data privacy issues for the health care industry will be different than the issues faced by the financial industry. While there may some overlap in the challenges that each industry faces, examining the specific issues that are facing particular industries will help provide a comprehensive understanding regarding what’s at stake for businesses and communities.

A. Algorithms and Data Privacy

One of the biggest changes in the use of technology has been the advent of machine learning

(Artificial Intelligence, or AI) algorithms. This, combined with the unprecedented amount of data now available, has resulted in the automation of tasks and decisions that were previously relegated to individuals.117

In the words of Amy Cyphert, a data privacy expert at West Virginia University: Machine learning is an umbrella term to describe a special subset of algorithms wherein a computer is programmed to revise the code it is using as it works, based on the results it is generating. Frequently in machine learning, the algorithm works to identify patterns in the data it is examining, develop certain rules from those patterns (or “learns” from them), and then uses those rules to categorize the next set of data it looks at.118

The CCPA and the GDPR are considered among the two most expansive enactments on data privacy. As such, it’s worth comparing what each law regulates. Both the GDPR and CCPA want to give individuals data protection. Each are very similar on the rights they create for individuals. Articles 12-22 of the GDPR establish the rights of the data subject. Similarly to the CCPA, these rights include: 1) right to access, 2) right to be forgotten, 3) right to rectify inaccurate personal data, 4) right to object, and 5) the right to bring an action. Although the names of the rights may be different, they mainly share the same concept and give the same rights. However, the GDPR and the CCPA do differ. The GDPR is being performed on a much larger scale. Unlike the CCPA, which only applies to California citizens, the GDPR protects all individuals regardless of nationality or citizenship. Rules are also established for controllers and processors that operate in the EU to abide by the regulation even when processing data outside of the EU. The GDPR is also much larger in content and depth. The GDPR is almost 5 times larger than the CCPA. This allows the GDPR to be more specific and create a better framework for application.

22

AI algorithms can perform “data mining” by processing data from an almost unlimited number of sources, including user interaction with websites and email accounts, social media, location data on smartphones, online financial activity, data sensors, and data entry by humans into databases.119 Algorithms that utilize machine learning can “learn” by incorporating each piece of successive data, building on what it has already learned from previous data sets. Based on the data collected, algorithms can be programmed and trained to produce an output that a business then uses, for example, to assist with marketing or to target specific areas. In addition, the algorithm may be asked to provide a recommended ‘best’ course of action (or choice) for a new piece of data given all the previous data it has ‘seen.’ A business can choose to follow this choice and charge higher interest rates and insurance premiums, hire certain candidates for employment, terminate employment based on results from algorithmic formulas, or determine where resources should be utilized. Many businesses who choose to deploy these tactics do so in the name of efficiency and cost-reduction, but often without realizing the biases that may be programmed into the algorithm as well.

AI algorithms can and do produce results that disproportionately discriminate based on race,

sex, gender, or socioeconomic status, whether such discrimination originates at the program’s data processing levels or from human data entry and “teaching” contributions. This can result in lawsuits alleging discrimination.120 One challenge in litigating these claims arises because software and computer algorithms are made up of unique source codes, formulas, and processes, and are therefore subject to trade secret protection under federal and state trade secret protection laws.121

Computer programs, algorithms, and the data sets they use are protected as trade secrets, and under both state and federal law this protection is extremely broad.122 Under state law and the Uniform Trade Secret Act, a trade secret is defined as

information including a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.123

Under federal law and the Defend Trade Secrets Act, a trade secret is defined as

all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.124 Forty-seven states have adopted the Uniform Trade Secret Act.125 The Act requires a court to

“preserve the secrecy of an alleged trade secret by reasonable means.” Similarly, the Defend Trade Secret Act protects trade secrets and requires courts to issue orders to preserve confidentiality in

23

litigation.126 It also provides “immunity from liability for confidential disclosure of a trade secret to the government” or “if made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal.”127

Algorithmic calculations which result in disparate impact or discrimination can give rise to

causes of action under anti-discrimination laws. However, as a result (at least in part) of trade secret protection, litigating these claims presents a challenge. While courts have allowed discovery of trade secret information under certain conditions and subject to protective orders to preserve confidentiality of the information, a lack of an overall law on data privacy and its intersection with machine learning

can lead to incalculable harm for individuals. At least one scholar has proposed this “whistle-blower provision” as one method to hold companies accountable for the use of algorithms and discriminatory results arising from their use.128 Other scholars have argued that businesses should be transparent regarding the information being inputted into these algorithms to minimize bias or discriminatory outcomes129

Spotlight on a Proposed law: the Algorithmic Accountability Act

In the wake of increasing recognition of the role that AI and algorithms Congress has begun to consider their impact. Specifically, In 2019, The Algorithmic Accountability Act was proposed. The bill requires businesses generating more than $50 million in annual revenue to conduct an impact assessment of high-risk systems. These systems would include any system that: “ (1) raises security or privacy concerns, (2) involves the personal information of a significant number of people, or (3) systematically monitors a large, publicly accessible physical location.”

The Federal Trade Commission would be tasked with promulgating related rules.

and overseeing compliance. The Bill has not been passed into law and is still pending.

https://www.congress.gov/bill/116th-congress/house-bill/2231?overview=closed

24

*****

How Computers Learn

The idea of machine learning was largely regulated to science fictions even a generation ago. However, thanks to advances in technology and the advent of big data, Artificial Intelligence (AI) seems here to stay. But how does AI actually work?

Computer technology has developed to the point where formulas can now “learn” and “teach” themselves by incorporating each piece of successive data, building on what it has already learned through algorithmic processes from previous data. For example, one type of machine learning is “classification.”

According to one Pedro Domingos, A “classifier is a system that inputs (typically) a vector of

discrete and/or continuous feature values and outputs a single discrete value, the class.” As a result, the algorithm eventually becomes capable of taking in unlimited data, processing it, and returning specific results. Based on this mined data and its processing, machine learning algorithms then can calculate what a business, non-profit entity, or government agency should do, such as market and advertise to target areas, charge higher interest rates and insurance premiums, hire certain candidates for employment, terminate employment based on results from algorithmic. formulas, or determine where resources should be utilized.

Machine learning algorithms receive this mined data from an almost unlimited number of

sources, including user interaction with websites and email accounts, social media, GPS services on smartphones, online financial activity, and data entry by humans into databases serving numerous entities and industries. Essentially, each time an individual logs into an email account, performs internet searches, browses web pages, shops or pays bills online, or uses a phone app, data is generated and disseminated across online platforms and databases to be gathered and used by AI machine learning algorithms. In fact, simply carrying a cell phone allows a constant stream of location data to be accessed, essentially allowing a computer to track not only location, but length of travel.

https://cacm.acm.org/magazines/2012/10/155531-a-few-useful-things-to-know-about-machine-learning/fulltext

25

B. Finance and Banking Institutions

For many consumers, banking and financial institutions represent the lifeblood of their economic world. Credit cards are used to buy every day and essential items, banking institutions examine a consumer’s credit history to decide whether to extend a mortgage, and most consumers buy cars and other major purchases with credit. All of these interactions with the banking industry allow these institutions to collect an enormous amount of data from consumers. Many of the practices surrounding how they collect and use this data implicates data privacy.

Banks and credit card companies (collectively the “institutions”), using the consumer’s online

presence, create account profiles of individual customers outside of those created for the customer’s dashboard.130 These profiles are used internally by the banks and credit card companies to “rank” their clients. 131 This ranking is then used by its employees to not only decide how much time and effort to devote to that customer, but to also make instantaneous decisions regarding which credit score category to place the customer in for loan interest rates. 132

Because of the amount of data they collect over a wide swath of customer behavior, banking

and credit institutions have developed highly sophisticated tools for profiling. These institutions profile and evaluate their customers, and then label each individual on the basis of such information to allow them to make fast decisions. These decisions extend beyond what type of interest rate to charge or whether to accept or deny your loan application. It can also extend to the level of customer service you receive. Moreover, the speed with which bankers can access this information allows them to “retrieve detailed information on a customer as they wait on the phone” or wait for an online application to finish processing.133 Indeed, some banks have expanded their profile to such an extent that they can “determine whether, for example, you are left on hold with your bank for a lengthy five minutes or a mere five seconds.”134

This control by banks and other institutions over human finances has a number of implications for AI. As we mentioned before, in many ways, the internet – through AI formulas – is developing a “mind” of its own. Specifically, the information collected on the web allows “commercial decision-makers to manipulate technology in such a way as to identify persons according to a multitude of variables and categories.”135 The profiling of individuals happens without that individual’s knowledge. Online profiling results in the individual being marked with an “identity tag” through an array of methods “such as ‘cookies,’ web bugs, and personal data input such as zip codes.”136

For the banking industry and financial institutions this has resulted in online profiling to

determine what type of product to sell to these consumers. Online profiling happens on many different levels. On one level, banks engage in “information steering [which] includes activities that have traditionally been deemed problematic-because of their discriminatory potential-such as steering certain categories of persons to opportunities for financial discounts, lending opportunities, and preferential low-interest rates.”137

1. Alternative Credit Scoring Alternative credit scoring arose as a method of assessing consumers who lacked a traditional

credit score and uses behavioral or other non-financial data to examine creditworthiness. In theory, this gives consumers more opportunities to access credit. According to a report by the Obama administration in 2016, “many Americans lack access to affordable credit due to thin or non-existent

26

credit files.”138 Big data offered an opportunity to use alternative data in assigning scores to those with inadequate financial histories, giving them a better chance to access credit and loans. The initial goal was to generate credit scores for consumers having little to no credit history who were being left behind in gaining credit and other opportunities, paving the way to making credit widely available despite a lack of traditional credit scoring metrics for the “credit underserved” or “credit invisible.”139 However, now, this alternative credit scoring model has led to many unintended consequences.

Alternative credit scoring uses data that may be unrelated to individual creditworthiness to flag

credit applicants or existing customers as higher credit risks.140 Data is mined from every available source, machine learning algorithms generate data sets for credit scoring, and this data often has little to do with traditional financial credit-scoring variables and creditworthiness. For example, Facebook has become a “huge repository of data” which “has strong indicators of users’ socioeconomic status - where they attend school, where they work, who their friends are, and more.”141 Additionally, factors like where people shop, their internet browsing history, where they live, other social media activity,

and any data gathered electronically can be used to generate these scores,142 and that carries risks of disparate impact on certain consumers.143

While the initial intent was to expand credit opportunities for a larger number of consumers,

and to expand lenders’ business opportunities, scholars and experts have raised alarms about the danger inherent in using big data to generate credit scores based on behavioral and other alternative factors, particularly the risk of digital redlining or “weblining.”

2. What is Weblining?

Weblining takes its name from the term redlining, the illegal and discriminatory practice of

classifying applicants and consumers based on zip codes rather than individual creditworthiness.144 The vast amount of data generated by consumers using smartphones and other technology allows companies to amass and analyze all of this data to use in a consumer’s profile,145 with many data points having the potential to be used as proxies for race.146 At its most pernicious, weblining often results in customers in one category paying more for the same services “or [denying] some customers service based on [a] presumed behavior.”147 This is aggravated by the use of alternative credit scoring factors and opaque algorithms that make determinations without the consumer, or even the institution, knowing why.

A Hypothetical on Weblining Klara and Kara are twins who graduated with JD/MBA Degrees from West Virginia University. Upon graduation they moved to separate parts of the country. Klara accepted a job at a law firm in a wealthy suburb of New York while Kara landed an associate position with a firm in Southern West Virginia. Settled into their new positions, each found time to make their first big purchases since graduation, a new vehicle. Klara found a Land Rover Discovery, which was luxurious but still affordable and Kara found a Subaru Legacy that she thought would be perfect for her area. Both women, having almost identical credit history, applied for financing for their prospective new vehicles. When the offers came back, they called each other so to discuss their financing options. They were shocked to find out that the interest rates offered to them were drastically different. Klara was offered a 3% interest rate while Kara was offered a 6% rate. Why would these rates be so different if the twins had almost identical credit history, were the same age, had the same JD degree, and were both gainfully employed?

27

The operating business models of many companies is to mine, purchase, and otherwise acquire vast amounts of data from an almost unlimited number of sources to either sell as data sets or to develop scoring algorithms. For example, a European company offers a data algorithm which claims to

develop and deploy custom scoring models that combine a lender’s internal data with thousands of pieces of external data such as location-based information, web search results, behavioural tracking, device technical details, mobile app data and much more. This enables lenders to accurately predict borrower payment behavior, helping them make informed and more profitable credit decisions in real time. We work with lenders of all kinds – some of the largest banks in the world, payday lenders, P2P lending platforms, microfinance providers, leasing companies, insurance providers, e-commerce platforms and telecoms. In the field of consumer lending and where online channels play an important role in client acquisition, we can improve credit quality and loan acceptance rates.148 Cosmos, another website, also lists companies offering alternative data sets for credit scoring

and ad targeting, including one which states, “Cosmos includes an extensive collection of consumer audiences that include demographics, past purchases, life events, household income and more.” 149 A company named MGI Geodata offers a data set titled “Consumer Styles,” which purports that its “approach makes use of the principle that people with similar backgrounds and ages normally settle down in the same neighborhood.”150 The company also claims this data set is “available for 51 countries on five continents.”151 Gravy Analytics is a U.S. company offering a data set called “Personas Data” which purports to be “based on the verified, real-world visits of over 150 million mobile devices to millions of commercial places of interest, 2,000+ leading brand locations, and over 1 million events each month.”152 It further claims “companies use Gravy Personas in a wide range of applications including consumer psychographic analysis, competitive and cross-shopper insights, to enhance customer intelligence, personalize targeting, and more.”153 These are only a few examples of companies offering this type of service and data sets, indicating a high demand for these data and algorithms for alternative credit scoring.

For many years banks and credit card companies have used their customers’ zip codes as

part of their “customer profile.” Now that these institutions are gaining more of an online presence, this process has become opaque, and thus more difficult for a consumer to determine all the reasons why the bank took any negative action that it did. 154

There are, however, some remedies currently available to customers who believe that they have been discriminated against. For instance, “the Federal Trade Commission (“FTC”) asserted companies must correct for biases that could be incorporated into automated processes at both the collection and analytic stages, and ‘balance the predictive value of the model with fairness considerations.’ ”155 When institutions decide to censor “offensive content and prejudiced results” that occur through its data collection processes, it “must provide transparency into [its] decisions and actions.”156

There has also been additional scrutiny on this practice by Congress. In testimony before the

U.S. House of Representatives Task Force on Financial Technology, a number of issues were raised regarding the impact in the financial industry for data privacy concerns. Among the issues raised were:

28

the discriminatory aspects of targeted advertising; the use of social media in lending decisions; the use of consumer behavioral data.

For instance, during testimony, the sub-committee examined the use of behavioral or other

alternative data to assess which consumers should see certain ads or receive certain offers and interest rates for credit and borrowing. As one staff attorney stated, “educational data can be inherently discriminatory because there are “obvious racial disparities in educational and occupational attainment.”157

Social media data is also problematic because “the use of social media profiles, particularly

friend networks, raises serious concerns about racial disparities” 158 and “although not yet widely used in the United States, one company, Lenddo, which operates in twenty different countries, may deem a consumer to be less creditworthy if he or she is friends on Facebook with someone who was late paying a loan back to Lenddo.” 159 Further, “neighborhood is another way that creditors have based creditworthiness by association [and] given the degree of residential housing segregation that exists in the U.S., location can function as a proxy for race and income, and its use by creditors would reflect racial and socio-economic disparities.” 160 Additionally, “most people’s friends and family are likely to be of the same race, class, and cultural background.”161

Finally, according to the same testimony, behavioral data is problematic because it “includes

information about how consumers interact with a web interface or answer specific questions, or data about how they shop, browse, use devices, or move about their daily lives.”162 Moreover, “the use of behavioral data has also shown indications of racial bias, despite relying on seemingly racially neutral algorithms.” 163 For example, “in 2013, Latanya Sweeney, a professor of government at Harvard University, led a research project that concluded that Google searches of names more likely associated with black people often yielded advertisements for a criminal records in that person’s name.” 164

3. The Rise of Alternative Financial Institutions

Many issues regarding weblining and its resulting discriminatory practices has been

exacerbated by the rise of other financial institutions that may not be subject to the same level of scrutiny as traditional banks. For example, technological advances allowed “financial technology firms,” also referred to as “fintech companies” or “marketplace lenders,” to emerge, and “these new algorithmic lenders are usually non-bank financial companies that operate mostly online and use financial technology to market themselves to prospective borrowers, evaluate borrower creditworthiness, and match prospective borrowers to sources of credit.” 165 These companies have evolved into what one scholar calls “algorithmic lending 2.0” companies, which use every source and every piece of available data in scoring consumers for credit and lending.166 For example, Merrill Lynch owns a company named “ZestFinance,” and that company’s “CEO has proudly stated that ‘all data is credit data’ – that is, predictive analytics can take virtually any scrap of information about a person, analyse whether it corresponds to a characteristic of known-to-be-creditworthy people, and extrapolate accordingly.” 167 However, using non-financial behavioral or demographic data carries a risk of digital redlining because “even an algorithm that has been specifically constructed to avoid considering a prospective borrower’s race might nevertheless discriminate against a prospective borrower by using proxies for race.” 168 These proxies may include “zip code, surname, and college attendance data.” 169 In one well-known and often-cited case, a credit card customer in 2008 discovered that American Express had unexpectedly lowered his credit limit because, according to the company, “[o]ther customers who ha[d] used their card at establishments where [Kevin] recently

29

shopped have a poor repayment history with American Express.”170 This customer was not the only one to have American Express lower a credit limit based on an algorithm, and the company only stopped doing it out of public embarrassment.

In 2014, the FTC released a comment it received relating to issues of price discrimination.

According to the comment, certain companies had been targeting people for subprime mortgage advertising based on racial and economic profiling and exploiting “financially distressed households,” with targeted advertising for sub-prime payday loans and scam “mortgage modification” programs. The comment points out that

companies like Wells Fargo listing houses for sale have collected zip codes of online browsers and directed those buyers towards neighborhoods of similar racial makeup. This online discrimination parallels the broader reality of companies like Wells Fargo illegally steering an estimated 30,000 black and Hispanic lenders [the author likely meant borrowers] from 2004 to 2009 into more costly subprime mortgages or charging them higher fees than comparable white borrowers.171

Further, leading up to the subprime mortgage and financial crisis of 2008,

online companies would…sell information about users identified as likely prospects to mortgage companies, which in turn would contact them. Customers targeted through these online leads for subprime mortgages were disproportionately low income, black and Latino. Usually unaware that better deals existed, studies showed that people of color offered these subprime mortgages were 30% more likely to be charged higher interest rates compared to white borrowers with similar credit ratings. 172

Additionally, as these subprime mortgages’ low introductory interest rates expired, “many

families saw their mortgages balloon above the value of their homes” 173 and “illegal scam ‘mortgage modification’ firms emerged promising to help homeowners in advertisements appearing when people searched for keywords such as ‘stop foreclosure,’ then took money from those families without helping them at all.” 174 The Treasury Department stepped in, ordered Google to stop soliciting ads from abusive lenders, and “[used] its TARP authority to shut down ads from 85 of the companies.”175

Payday lenders were particularly predatory in using big data information to “offer extremely

high-interest loans in exchange for a commitment for repayment from a person’s next paycheck.” 176 These companies and loans were “banned or severely restricted as exploitative in multiple states and the Consumer Financial Protection Bureau (CFPB) has held hearings specifically on abuses in the industry, with CFPB head Richard Cordray saying ‘some payday lenders [are] engaged in practices that present an immediate risk to consumers and are clearly illegal.’ ”177

While regulators have stepped in to stop these types of egregious and obvious instances of

discrimination and consumer exploitation by companies targeting ads based on internet activity, the problem of digital redlining evidently persists. Some of the world’s largest companies have been involved in weblining, in the past few years. For example, findings from a 2016 Bloomberg report indicated that Amazon Prime’s algorithm often excluded from same day delivery many consumers who lived in communities of color. 178 Indeed, African Americans in some cities were much less likely to have access to same-day delivery services.179 Even when locations were within close proximity, the availability of Prime’s services seemed to be tied to race: for instance, “in NYC, same-day delivery

30

included many surrounding suburbs but entirely excluded the predominantly minority borough of the ‘Bronx and some majority-black neighborhoods in Queens.’ ” 180 Amazon denied any discriminatory intent and instead blamed the results on how data was being used by its formulas.181

Facebook has also been involved in digital redlining. For instance, in 2019, Facebook settled

a number of lawsuits brought by individuals alleging that it allowed various companies to place targeted advertisements on its platform.182 According to the allegations, these ads often disbarred those “with a certain ‘ethnic affinity’” from being presented housing ads and women from being presented job listings in male dominated industries.183 It was further alleged that in order to provide this service, Facebook placed individuals into over “50,000 categories such as ‘English as a second language,’ ‘disabled parking permit,’ or ‘Telemundo.’ ” 184 Following settlements, Facebook’s advertisers are no longer permitted to use characteristics such as race and gender for targeted advertisements. However, a study found that, even after the settlement, advertising discrimination on Facebook persists.185 In addition, Facebook’s practices were the subject of an investigation and action by the Housing and Urban Development agency (HUD). Specifically, the agency charged Facebook with housing discrimination based on their practices. 186 HUD officials had stated in 2018 that “ ‘[t]he Fair Housing Act prohibits housing discrimination including those who might limit or deny housing options with a click of a mouse,’ and ‘[w]hen Facebook uses the vast amount of personal data it collects to help advertisers to discriminate, it’s the same as slamming the door in someone’s face.’ ”187

As mentioned above, government agencies will use their powers to stop and prohibit abusive

consumer targeting and lending when it is evident. As noted earlier, data privacy is not regulated on a federal level, except to the extent that it intersects other federal laws. For instance, the Equal Opportunity Credit Act, the Fair Credit Reporting Act, and the FTC Act’s unfair or deceptive acts prohibition, among others, offers some protection against alternative credit scoring data.188 However, at least one source has pointed out gaps in these laws which may allow credit companies and other lenders to target certain customers, or even engage in violations, if they are targeting demographics and neighborhoods rather than individuals. 189 For example, according to a recent study, “ ‘[i]t is highly unlikely, given the size of the data set and the sources of information, that the companies that provide big data analytics and the users of that data are meeting … FCRA obligations.”190 In addition, if companies that provide alternate credit scoring, rather than providing personalized assessments of an individual, aggregate data within an individual’s neighborhood or use other indicators such as an IP address used by multiple people, then they are likely outside of the ambit of the law.191 Finally, the law does not expressly prohibit companies from considering other data points that, while seemingly unrelated, can be used as proxies for a consumer’s race or other immutable characteristics.192

Another law that is used within the context of the banking industry is the Equal Credit Opportunity Act (ECOA). This law “prohibits credit discrimination on the basis of race, color, religion, national origin, sex, marital status, age, or because a person receives public assistance.”193 Plaintiffs can show violations of ECOA either by showing (1) disparate treatment – that they were intentionally discriminated against because of their race or other protected factor, or (2) disparate impact – that the alleged practice disproportionately affects a particular protected group.194

However, proving violations of ECOA is often challenging. The FTC has pointed out that “in most cases, a company’s advertisement to a particular community for a credit offer that is open to all to apply is unlikely, by itself, to violate ECOA, absent disparate treatment or an unjustified disparate impact in subsequent lending.”195 Further, it may be difficult to impossible for consumers to prove disparate impact or treatment, because

31

to the extent that a lender wishes to implement a lending policy that deliberately singles out members of a particular racial, ethnic, or other group, the lender likely can employ facially-neutral proxy variables in its scoring model as stand-ins for characteristics like race. Second, to the extent that lending decisions accord less favorable treatment to a protected class, the lender may be able to claim that its “objective,” data- driven, modeling processes are proof that the disparate impact is grounded in business necessity. 196

Finally, the FTC has some jurisdiction over the banking industry, to the extent that the

industry’s practices violate the Federal Trade Commission Act. The Act, “prohibits unfair or deceptive acts or practices,”197 even within the context of big data. For instance, the FTC requires that “at a minimum, companies must not sell their big data analytics products to customers if they know or have reason to know that those customers will use the products for fraudulent or discriminatory purposes.”198 However, as one scholar points out, while “some FTC investigations have resulted in consent orders in which companies agree to implement measures to prevent future violations … this is a reactive, rather than proactive stance, and it is further hobbled by limited firepower, with only forty full-time employees working on privacy issues.” 199 Further, the FTC’s enforcement power is limited: the agency can only issue fines if a company violates a consent order.200 Moreover, some believe that the amount of fines currently levied are “ ‘small in relation to the gravity of the violations.’ ” 201

Moreover, “to establish that an act or practice is unfair, a … Regulator must first prove that

the algorithmic lender’s act or practice causes a substantial injury.” Here, “substantial injury means any sort of non-speculative and non-trivial harm” 202 which is sometimes difficult to adequately prove because of the “opaque nature of algorithms.” 203 Unfortunately, there is currently no way for an individual to view the personal information being held by these institutions or to correct any inaccuracies in their data profile. As such, there is limited accountability into the process or data points that lead to either weblining or steering consumers to particular markets.204 This runs the risk that consumers are being denied credit or being charged higher interest rates based on outdated or false information.205 Moreover, even if the information used by banks was entirely accurate (regarding, for instance, what zip code a consumer lives in) the particular algorithm used by that bank may draw general conclusions (i.e., people in that zip code tend to default on their loans) that ends up discriminating against a particular consumer, because that conclusion does not apply to her specific situation (i.e., that consumer has outstanding credit).206

32

Ever wonder how banks can approve you for a loan within seconds without checking your credit?

By using neural networks, defined by Marcy Peck as “information processors that mimic human brain behavior to predict a consumer’s future online behavior based on past behavior,” banks can gather information (such as all available data that’s out there) that they use to make predictions regarding whether you’ll repay your loan. Specifically, in the words of researchers, Hernandez, Eddy, and Muchmore, companies “subscribe to ‘neural networks’ ” and use “them to instantly access profiles of existing and potential customers,” allowing them “to make a snap decision about who qualifies as a low-risk or high-risk potential customer.” Gary Hernandez, Katherine J. Eddy, Joel Muchmore, Insurance Weblining and Unfair Discrimination in Cyberspace, 54 SMU L. Rev. 1953 at 1968-71 (2001). Marcy Peek, Passing Beyond Identity on the Internet: Espionage & Counterespionage in the Internet Age, 28 Vt. L. Rev. 91 at 98 (2003).

Additionally, institutions routinely share their customer’s personal data with other

institutions.207 This can be problematic because those institutions not only share the data that has been collected but also any profiles that have already been created for the individual. 208 Moreover, given the level of sensitivity regarding the type209 of data that financial institutions, in particular, collect, any breach of a financial institution’s systems can result in untold harm to the consumer. 210

C. Big Tech and Data Privacy

“Big Tech” companies is one way of referencing those companies whose business model is primarily (or exclusively) derived from using technological innovations.211 There are only a handful of companies that fall within this category and their names are ubiquitous to most consumers: Alphabet (Google’s parent company), Amazon, Apple, Facebook, and Microsoft.212 And, due to their size and influence,213 the decisions they make regarding how to use a consumer’s digital data have significant reverberations around the world.

33

For much of their lifespan, companies that fell within the Big Tech category were often viewed favorably by consumers and the media. Many of these companies have popular origin stories – often started by college dropouts in their dorm rooms or garages – that pit their founders as outsiders and upstarts against the establishment.214 However, this popular narrative has frayed over time. For instance, since Facebook’s data sharing practices with Cambridge Analytica (a political data analytics firm that “used data improperly obtained from Facebook to build voter profiles” )215 emerged, legislators as well as consumers have questioned the ways in which Big Tech uses data. An investigation into the underlying strategies of Big Tech companies began in June 2019 which gave the public a first look at Big Tech’s real approach toward data privacy.216 In July 2020, CEOs from four of the Big Tech companies appeared before Congress to discuss their role in this anti-competition framework.217

1. How Big Tech Companies Gather Consumer Information

There are several ways in which Big Tech companies obtain users’ information: asking for it, tracking them indirectly, and obtaining it from third-parties.218 Companies ask consumers directly for their data, usually when signing up for an account or making a purchase. Big Tech companies pull consumer data from various sources on the internet using cookies. Cookies allow companies to track what their users are looking at on the internet and which sites they have visited. Companies also purchase data from third-parties that collect, analyze, and sell consumer and business data for targeted advertising campaigns.219 Some people consider the sale of data as the harvesting and commercializing by third parties (typically through data brokers). In 2012, Apple created its own tracking software known as “Identifier for Advertisers” (IDFA). Every consumer who uses an Apple device is assigned a unique IDFA in order to facilitate targeted advertising.220 The IDFA has been used by Facebook and other developers to learn a consumer’s particular patterns and habits, including what apps they use, what purchases they make within those apps and which websites they visit.221

Facebook is one of the largest tech companies that gathers and stores a vast amount of consumer data. Indeed, Facebook’s business model centers around the data it gathers from mobile apps that people “share” on Facebook’s site. In addition, “more than 85,000 iOS apps had installed Facebook code that relays data back to the company as of December 2020, according to analytics firm MightySignal.”222 The tech giant uses algorithms to determine what information each user sees when

How Companies Encrypt Your Data Although each of these Big Tech corporations are different, they each share a key characteristic that impacts data privacy, the use of encryption. As Sunny Keon Kang notes, there are three different types of encryption methods that are being used today: encryption at-rest, encryption in-transit, and encryption in-use. Encryption at-rest is the method used to protect the information that is stored in your phone, while encryption in-transit is the method used to protect emails and texts while they are being sent. Encryption in-use allows companies to perform analytics on users’ data while in an encrypted format. This gives them the insight they need without being able to view any private data. Sunny Seon Kang, Don’t Blame Privacy for Big Tech’s Monopoly on Information, Just Security (Sept. 18, 2020),

https://www.justsecurity.org/72439/dont-blame-privacy-for-big-techs-monopoly-on-information/)

34

they log into their account each time. Over the years, the algorithms have gotten more complex and narrowly targeted to each user based on the data that has been collected about the individual. Apple’s CEO, Tim Cook, claims “that the disinformation perpetuated by social [media] companies using algorithms is damaging society.”223 He has also stated in the past that “some companies had ‘weaponized’ users’ personal information in what he described as a ‘data-industrial complex.’”224 Because of this and the stricter laws coming into effect in the EU, Apple plans to update its data privacy policy in the spring of 2021.

The chart below provides an overview of the different ways that these corporations use your data. For a deeper dive into the data privacy of two specific companies, Alphabet (Google) and Apple, see Appendix F.

225

2. Spotlight on the Big Four and Concerns of Competition

“[Google search logs in 2001 were] like a continuous poll of public interests and preferences, a rolling picture of what people worried about, lusted after, and what kind of flu was spreading in their communities.”226

Big Tech companies, like Facebook, Google, Apple, and Microsoft currently dominate their

specific sectors of the tech industry. These companies are capitalizing on consumer data that is obtained at little to no cost and using it as a commodity for their business model. For many, this is problematic. As Makan Delrahim, current chief of the Department of Justice’s Antitrust Division notes, “without competition, a dominant firm can more easily reduce quality – such as by decreasing privacy protections – without losing a significant number of users.227 More and more, litigators are linking these issues (such anti-competition practices) to a data privacy framework. As Delrahim claims, “[a]lthough privacy fits primarily within the realm of consumer protection law, it would be a grave mistake to believe that privacy concerns can never play a role in antitrust analysis.”228 As such, the House Antitrust subcommittee’s questioning of each of the four tech companies can provide some insight regarding concerns Congress has with these monopolies and their impact on the larger issues of data privacy, as well as the specific legal challenges that each company might face.

35

Google

• The House Antitrust subcommittee questioned Google about its dominance in web searches and the digital advertising industry. The subcommittee also challenged Google on how it controls its search verticals so that it can traffic its ad business. Later, the Justice Department filed an “antitrust lawsuit against Google alleging that the tactics Google uses to preserve a monopoly for its search engine are anticompetitive”229 and that the company uses unlawful business agreements with its partners to limit its competitors market share.230

• Google currently handles approximately 90% of all web searches in the United States. It also brings in around $160 billion in annual sales just in its advertising businesses.231 As such, the subcommittee’s concerns regarding Google’s monopoly seems well-founded: this gives Google control over the data of many Americans (approximately 90% according to the percentage of web searches it currently processes each year).

• Google was also questioned as to why they were using their “dominance as the most popular mobile software”232 to force their partners to bundle Google apps.

Apple

• The House subcommittee questioned Apple on its in-app “sales tax.” Apple refers to this tax as a commission. Currently, Apple collects a 30% commission on all transactions made within its app store. Companies are losing revenue from this because there is no alternative platform for companies to get their apps to Apple users, other than the Apple Store.233

Facebook

• The key theme of the subcommittee’s questioning of Facebook revolved around competition and acquisitions. For instance, Mark Zuckerberg, Facebook CEO, could not answer the question “who is your biggest competitor?” when asked by the Senate Judiciary and Commerce Committees in 2018.234 Facebook has faced scrutiny from Congress for consistently buying out competitors in its market, most notably Instagram and WhatsApp. This has been viewed as anticompetitive and possibly illegal.235

• Facebook consistently continues to absorb its competitors and with that, consolidates more user data.236 For instance, the access to more user data gives Facebook greater possibilities to generate revenue. The acquisition of Instagram and WhatsApp “generated profitable insights on targeting ads to a greater population, and created valuable feedback data for Facebook’s services and technologies.”237 3. Stricter Federal Privacy Laws and the Impact they will have on Big Tech

Because of the lack of federal regulation, companies must abide by more than 100 different privacy laws to be compliant.238 As many have argued one advantage for corporations of a national data privacy law is the clarity and consistency it could create among the states. For instance, Google Chief Privacy Officer Keith Enright has stated that “tech companies have to work to ensure any legislation passed provides as much clarity for organizations and citizens as possible.”239 More recently, tech executives have expressed their interest in stricter data privacy regulations in the U.S., asking that it be similar to the new privacy law in the EU.240 However, there is speculation regarding how any

36

new law may impact the practices for Big Tech. One theory argues that Big Tech companies that are able to spend more money on becoming legally compliant will benefit from the stricter rules and firmer legal enforcement, since these companies have the ability to access vast amounts of consumer information that they will not lose once the new laws come into effect.241 Another theory holds that if new laws are strictly applied, like in the EU’s General Data Protection Regulation (GDPR), it will alter the ways in which Big Tech companies obtain, store, and use consumers’ personal data. This would then cause a chain reaction in the advertising business for these companies “weakening their advantage over existing or potential new competitors.”242

Regardless of the future regarding Big Tech and data privacy regulation – the system that these companies have created has unwittingly brought a new sector into the spotlight: data brokers. These data brokers are now commanding increased scrutiny from regulators, in part because their practices have been largely unregulated and under the radar.

D. Data Brokers243 Data brokers obtain consumer information directly and indirectly and then compile that data into data sets for each individual. Data brokers then sell the consumer information to companies, individuals, and other data brokers. Most people don’t know that data brokers exist or who they are because these brokers have an indirect relationship with the consumers from whom they obtain information.244 As William Chalk notes, they typically avoid “all things consumer-facing and opt instead to harvest information on people in secret, trading it amongst themselves like the valuable asset it has become.”245 For instance, most Americans don’t realize that when they use their digital devices, data brokers collect their personal information and store that data to “compile exhaustive dossiers about

them.”246 Each dossier contains a data set of information on each individual person that has been collected over time from various sources. As one source notes, “data brokers collect information from public records, online activity, … purchase history,”247 brand loyalty cards, and many other places. It is specifically the collection and use of this information that has led many laws to focus on the definition of

personally identifiable information (PII) within the framework of data privacy.248 As researchers Jamie Pinchot, Adman Chawdhry, and Karen Paullet note: “data privacy is the concept that personally identifiable information (PII) and other data about an individual should only be accessible to authorized parties.”249

1. How Data Brokers Collect Consumer Data There are many data broker companies currently operating in the United States, using various tactics for accumulating information. For instance, some information is knowingly released by consumers, through their participation in various initiatives and studies. 250 However, as noted by Pinchot, Chawdhry, and Paullet:

Big Tech under Regulator spotlight In addition to data privacy laws big tech has also faced scrutiny for the content that they allow on their platforms. For instance, according to CNBC, in December 2020, the British government announced a plan to allow regulators more power regarding the posting of “illegal or toxic content.”

https://www.cnbc.com/2020/12/15/uk-online-harms-bill-tech-giants-face-big-fines-and-blocked-sites.html

37

the majority of this data is being generated behind the scenes as metadata [not readily apparent to the user] that is captured when users interact with mobile apps and websites, and from sensors embedded in smartphones, smartwatches, fitness trackers, home assistant devices such as Amazon Echo or Google Home, and other electronic devices.251

Data brokers then “infuse that data into machine-learning algorithms and build segmented profiles of similar groups of people.”252 These profiles are then compiled into lists that are sorted by interest. For example, if you were to browse the internet looking at baby products, you most likely will be placed onto a list of people who are pregnant or recently had a baby. If you search fitness articles and workouts, you may be placed on a list for fitness enthusiasts. Currently, there aren’t any federal laws regulating data brokers or how they collect and use consumer information. As such, there is no federal remedy for individuals to opt-out of having their information collected and their location tracked.253 This creates a paradox: companies that are regulated under the Fair Credit Reporting Act (FCRA) must provide consumers with a report of their personal data and correct any information that is incorrect. However, because data brokers are not subject to federal regulation, they are not subject to the FCRA. As a result, much of the data that is now used to judge a consumer’s economic stature and credit worthiness falls outside of the ambit of the FCRA.254 Moreover, under the current regulatory structure, if consumers wish to know what’s in their “data set” file, these data brokers are under no obligation to show them.255 And, while (as discussed in Section II.E.) there are currently some state laws now requiring data brokers to register, the vast majority of states do not. And, because these companies tend to remain in the shadows, it makes it that much more difficult for consumers to understand the process they need to under-take to opt-out;256 there is not a “opt-out of all” button that allows consumers to remove themselves from being monitored by all data broker companies. Therefore, individuals would need to contact each brokerage company to find out what their opt-out options are.257

2. Types of Data Collected by Data Brokers Data brokers collect two types of data from consumers – raw data and derived data. Raw data is the data that is collected directly from a wide array of sources including social media, public records, and loyalty cards. Derived data is the information that these companies infer about customers by obtaining their browser history, location, demographic data, and more.

Data brokers collect a wide variety of information on individuals, including name, alias names, social security number, date of birth, and telephone numbers. This information is often referred to as personally identifiable information (PII). But digital dossiers of individuals do not stop with PII. Dossiers collected by data brokers also contain a wealth of information about an individual’s demographic data, employment history, court and public records history, social media data, financial data, travel data, purchase behavior and real estate and vehicle ownership (Mirani & Nisen, 2014). This includes current and past employers, vehicles, driver’s license information, professional licenses, concealed weapons permits, liens, legal judgments, arrest and court records, lawsuits, marriages, divorces, and worker’s compensation claims (Hoofnagle, 2003). This larger set of data contained in a digital dossier is often referred to as sensitive personal information (SPI) and can be used on its own or in combination with PII to identify, locate, or contact an individual.258

38

3. Ways that Data Brokers Use Data

There are generally three categories of data brokerage firms: (1) firms that generate marketing

and advertising campaigns; (2) risk mitigation firms; and (3) people-searching firms.259 Firms that focus on marketing develop dossiers on consumers that are then used for targeted advertising campaigns. Risk mitigation firms provide products that are designed to prevent fraud.260 Lastly, people-searching firms use data that has been collected to provide individuals with information on other individuals.

Marketing Products

• Data brokers collect consumers’ data in order to sell it to customers for advertising purposes. Ad spaces on websites and social media platforms are sold on a real-time auction where the advertiser with the highest bid wins and their ad is shown.261

• As the Wall Street Journal reports: The auction—called real-time bidding or RTB—is handled automatically by computers in mere milliseconds as a website loads or an app opens. Data gets passed between the ad exchange offering the ad space and the bidders trying to win the auction, which can contain sensitive information about consumers. To conduct the auction, the ad exchange shares whatever data it has on the consumer with the bidders. That data can sometimes include the exact location of the phone if the display ad is in a mobile application where the consumer has enabled location tracking. It can also include any demographic information that the ad exchange has on the consumer. … [M]ost ad exchanges allow even the losers of the auction to keep the data on the consumer which can then be sold to data brokers who collect and sell such information. Ad-tech firms, such as IQM Corp., “listen” to these auctions to gather data from the bidstream to resell it. IQM works with political campaigns.262

Risk Mitigation Products

• Risk mitigation brokerage firms sell data to insurance providers, businesses looking to complete employee background checks, and other instances where risk mitigation comes into play.263

People Searching Products

• People search brokerage firms provide information to websites that allow individuals to search for other individuals such as truthfinder.com, the white pages, and Spokeo.com. These practices, in particular, can raise privacy concerns. As Pinchot, Chawdry and Paullet note: “[P]eople-search websites can provide a wealth of information ready to be exploited by doxxers, stalkers and abusers.”264

4. Why Consumers are at Risk

Data brokers mostly operate in relative anonymity.265 Consumers are generally unaware that most of their digital information is being tracked, collected, and sold. As such, they are unaware of their increased risk of data breaches, discrimination and stereotyping, and inaccurate consumer digital dossiers being generated about them. If a major data broker were to suffer a data breach it could potentially expose the information of hundreds of millions of people.266 Moreover, even though data

39

brokers can claim that the data they collect is anonymous, “recent studies have proven just how quickly re-identification can occur with only a few data points.”267 Besides the inherent risk of the aggregation and storage of the data that is collected, consumer profiling through the creation of data sets can lead to racial, religious and income discrimination.268 This type of discrimination is referred to as technological redlining.269 If digital dossiers are misused in a negative way, it could drastically impact consumers’ lives.270 “Digital dossiers could have major impacts on job seekers, educational program applicants, politicians, and others.”271 Digital dossier inaccuracies are another risk that consumers face when it comes to how data brokers collect and store information. As Pinchot, Chawdry and Paullet note: “if there is inaccurate information in a person’s digital dossier, it could severely impact that person’s business, education, retail, health, and government-related transactions. Data brokers are using what is called ‘consumer scores.’ ” 272 Data brokers collect information directly and indirectly about consumers, compile that data into data sets for each individual, and then sell the information to companies, individuals, and other data brokers. Most consumers are unaware of what data brokers are and what they do. In addition, with the advent of “the Internet of Things” (discussed below) the availability of the type of information for data brokers to mine has increased exponentially.

E. The Internet of Things: Biometrics, Wearables, and Smart Cars

In addition to tests measuring indicators like blood pressure, wellness programs often involve taking detailed online health assessments that can include questions on alcohol consumption and pregnancy plans. Many programs employ wearable devices that track step counts, sleep and heart rates. Some privacy experts fear that by opting in, individuals may put their data at risk. Wellness programs

that are run as part of group health plans are covered by HIPAA, the nation’s main health-privacy law. However, many others aren’t, leaving protection for employee data more porous.273

As technology has moved forward even more, the ability of businesses to apply traditional software and data collection to everything from cars, watches, and appliances, this type of data collection has all become bundled into a term inelegantly discussed as the internet of things (IOT). In this section, we discuss some of the special issues that arise with this type of technology.

The Internet of Things (“IoT”) is a phrase that encompasses all smart objects that use sensors to relay information back to systems that collect data. Smart objects include wearables (FitBit, AppleWatch, etc.), smart phones, smart automobiles, smart home products (GoogleHome, Alexa, etc.), as well as other devices. The world of IoT is expanding everyday into an integrated global network leading some to believe that it will eventually connect everything with everyone. As one scholar notes:

People, machines, natural resources, production lines, logistics networks, consumption habits, recycling flows, and virtually every other aspect of economic and social life will be linked via sensors and software to the IoT platform, continually feeding Big Data to every node - businesses, homes, vehicles - moment to moment, in real time.274

IoT devices present a two-fold issue. On one hand, the development of IoT has helped law

enforcement solve cases more efficiently. However, with the expansion of IoT comes an increased concern about privacy and security, particularly as it will rely increasingly on the data gathered by

40

corporations. Because law enforcement efforts would have to rely on businesses that interact with these consumers directly, constitutional amendments may be present that would not otherwise arise.275

Given the rise of IoT devices and their ability to produce almost incalculable data on people, scholars, activists and policy makers have become increasingly vocal regarding the need for protections related to a consumer’s data privacy. In the wake of limited protections under statute for consumers concerned about these privacy implications, some have looked to constitutional law to see if there are any protections naturally embedded there. 1. Constitutional Law and IoT Devices

The Fourth Amendment protects the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”276 When this amendment was written, its drafters did not imagine a digital world like the one we live in today. Because there have been so many technological advancements since the drafting of the Fourth Amendment, lawmakers and courts must look at the issues that come with these advancements to determine if the privacy and security issues raised within these technologies are covered under the Fourth Amendment, or if new laws need to be developed to protect individuals.277 Fourth Amendment protections are particularly applicable to claims involving IoT devices because given the level of privacy accorded to things that surround your home or your person, Fourth Amendment issues are more likely to apply.

The courts have developed two approaches to determining a violation under the Fourth

Amendment – the reasonable expectation of privacy theory and the physical intrusion theory. The physical intrusion theory was the first theory to be developed in Kyllo v. United States in 2001. The reasonable expectation of privacy theory was developed in 2012 by Justice Harlan in the Jones v. United States case. After the Jones case, the courts must now analyze both theories to determine if a search under the Fourth Amendment has occurred. “Neither theory has been fully developed to reflect the digital world, and the Court's most recent Fourth Amendment and technology case, Riley v. California, only adds to the uncertainty.”278 Understanding how the constitutional law implications in this area intersects with a particular technological advancement can also help lawmakers craft policies that are tailored to a specific consumer use or need. As such, in the next section, we tackle some of the most widely-used technologies that are currently on the market and examine how these technologies may implicate the Fourth Amendment. Smart Homes

• One of the larger components of smart devices are those that encompass the realm of a “smart home.” These devices include smart lightbulbs, smart appliances, smart faucets, smart televisions, as well as the devices that allow them to work via voice command. All of these devices are capable of revealing “a data trail of your daily habits, patterns, and preferences.”279 Ultimately, this reveals the personal lifestyle details about the privacies inside of individuals’ homes; even revealing intimate details of their daily patterns.

• An individual’s most private space, their home, has been guarded with special protections via the Fourth Amendment. “In no quarter does the Fourth Amendment apply with greater force than in our homes.”280 How far does the Fourth Amendment extend into the digital world? If

41

data trails are streaming from our homes, is that data protected under the Fourth Amendment? Right now, the status of the amendment’s protection to data privacy issues within the house is unclear.281 Wearables

• Wearable technology, often referred to as wearables, is a component of smart devices that are worn by an individual. The most popular wearables are devices that track various information related to health and fitness. There are also other wearables that take photos and can even reorder your shopping list (i.e. Amazon Echo Frames). Wearable devices connect with the users’ smart phones to track information more seamlessly. As with other smart devices, these are also subject to snooping, hacking, and violating the users’ privacy.

• Do wearables fall within the category of “effects” under the protection of the Fourth Amendment? The courts have not fully addressed this issue to-date, thus, giving lawmakers a reason to develop privacy and security protections for users of these devices. Smart Automobiles (smart car)

• Smart car is an umbrella term for a vehicle with advanced electronics, such as GPS navigation, Web and email access, voice controls, keyless entry and activation, and systems that control the vehicles distance to other vehicles. Other key features of smart cars include WiFi capabilities and OnStar road assistance. There are also some smart cars that “record speed and distance, and will literally call the police on you when you leave the scene of a hit and run.”282 There have been instances where hackers have demonstrated an ability to take control of smart cars from across the world, establishing cause for security concerns.

Smartphones

• Smartphones are essentially tiny handheld computers with internet access and the capability of running applications. There are currently 3.8 billion people in the world who own a smartphone.283 These numbers are increasing every year. Not only do adults carry around smartphones but their children do as well. In addition, smartphones can easily be tracked via cell-site data information and the GPS information housed inside of the device. Since the Fourth Amendment provides protection over the security of a consumer’s papers, one issue that has arisen is whether the Fourth Amendment will protect the electronic equivalent of this within the context of data stored on an individual’s phone.

Who’s Watching Whom? Your Television and Data Privacy Like many other devices around your house, your television has become smart – most of these devices are now connected to the internet, allowing consumers to access programming through apps (like Hulu and Netflix) as well as through more traditional networks. But, with these new smart T.V.’s just as you are watching T.V. your T.V. is watching you: collecting data on your viewing preferences. This can result in customized T.V. advertisements that would have been unheard of a generation ago. As Marck Andrejevic notes: “Mass advertising (like mass politics) accords a degree of anonymity to the ‘general public” toward whom advertising appeals are directed. The promise of mass customization, by contrast, shatters this anonymity: messages can be addressed not just to particular groups or subcultures but to specific individuals.” For some, this may be a benefit (for instance, participants in the Morgantown focus group felt that customized ads were a plus). For others, this is a privacy concern. Either way, it is something that should be considered in any policy decision going forward. For further discussion of the customization of ads, see Marck Andrejevic, iSpy: Surveillance and Power in the Interactive Era (2007).

42

2. Biometric Data & Data Privacy Biometric data identifiers are comprised of various personal traits, such as fingerprints, voice, facial features, and walking gait. According to some scholars, the data privacy implications for biometric data are among the most crucial to protect. As one article notes, “because biometric identifiers cannot be changed if compromised, it is increasingly crucial that this data be protected by law.”284 There are currently no federal laws or regulations which protect biometric information of individuals. Some states have taken into their own hands to develop privacy laws regulating the use and storage of biometric data.285 Illinois, Texas, and Washington are the only states that have enacted biometric privacy statutes. 286 There have been seven other states that have attempted to pass legislation on the subject matter but have been unsuccessful. 287 According to at least one commentator, Illinois is considered to have the most protective biometric data privacy law in the nation.288 Its stringent because (1) it provides for a private right of action, even when no actual harm has occurred; and (2) it touches many business who work outside of Illinois, so long as “they conduct any operations that involve the collection or use of biometric data in Illinois.”289 As technology advances, more devices are using biometrics as a “security” feature. But as this advance gains in popularity, the risk of personal identifiers becoming exploited or stolen also increases. “Experts have warned that hackers can use this biometric data for leverage, leaving those affected by a breach dealing with the fallouts for years.”290 Because the widespread use of biometrics is still fairly new, there is a lack of knowledge among the public regarding the collection and use of biometric data. For instance, most people may not realize that biometric data is currently being obtained by the government, and private companies, including third parties. Companies, such as Facebook, have created a “climate favorable to their use of customers’ biometric data, largely without their knowledge or consent.”291 Both private companies and the government have been collecting biometric data for longer than many people realize. The FBI claims to hold the “world’s largest and most efficient repository of biometric and criminal history information”292 within its Next Generation Identification program (NGI). It began its national fingerprint collection in 1924 and founded the Biometric Center of Excellence in 2007. Other government agencies, such as the Departments of Justice, Homeland Security, Defense, State and other agencies work collectively to send biometric data to the Office of Biometric Identity Management (OBIM).

43

Moreover, just as is the case with data collection surrounding other technologies, what

information is being collected about an individual has become increasingly opaque. For instance, as of August 2017, the NGI’s program has been exempt from the Privacy Act of 1974, meaning that “the FBI will no longer have to disclose whether an individual’s biometrics are included in the NGI database, and no longer needs consent to amend an individual’s profile within the program.”293 The federal government has launched several pilot programs for the collection of biometric data within airports. These programs monitor travelers leaving the U.S. using facial recognition software to verify the identity of travelers through the comparison of live scans and the individuals passport photo. Because there are no federal regulations on biometric data, there is no guarantee that the data collected by the government will be destroyed in a timely manner, or at all. Private companies typically use a person’s smartphone to collect biometric data. “Whether a phone uses the increasingly ubiquitous fingerprint to unlock, iris scans, or an advanced technology like the new iPhone X and Samsung Pass 3D facial screening, each one records a user’s biometric data and stores that information on the phone.”294 Technology giants are not the only private companies monitoring and storying biometric data. Biometric data is also collected within newer video games to create personal profiles, amusement parks to prevent ticket fraud, and wearable fitness trackers to collect health data. Most users are unaware that they have no legal protection from their biometric data being collected and stored.

A Hypothetical on Genetic Information and Law Enforcement Q: Jackie purchased an ancestry kit through Ancestry.com. She was so excited to finally learn her heritage and family background. She completed the kit as instructed and sent her DNA sample using the packaging that came with the kit. She waited a few weeks and then finally received her results. A month later, she received an email update from Ancestry that stated her DNA was being sent to the FBI to be used for research. Jackie never signed anything to consent to the use of her DNA being used for research. Does she have a claim against Ancestry.com? A: Currently, law enforcement is only allowed to access a consumer’s genetic information in the U.S. if it is requested pursuant to a valid warrant, or other legal order (such as a grand jury subpoena). However, given the nature of DNA, the effect of a valid warrant is vast: even if you had not used a genetic testing kit, you could still fall within law enforcement’s radar if any of your relatives had submitted this information to a genetic testing company. Moreover, given how much information is willingly being submitted by consumers, the amount of information that law enforcement can now access is vast. See Eric Rosenbaum, 5 Biggest Risks of Sharing Your DNA with Consumer Genetic Testing Companies, CNBC (June 16, 2018) See more here (Why Your Ancestors May Haunt You)

https://www.cnbc.com/2018/06/16/5-biggest-risks-of-sharing-dna-with-consumer-genetic-testing-companies.html

44

3. Biometric Data & Data Privacy – Spotlight on West Virginia

West Virginia University (WVU) has taken a leadership role in the state over its response to the coronavirus pandemic. For instance, when the COVID-19 pandemic hit, researchers at the Rockefeller Neuroscience Institute (RNI) switched gears and refocused their efforts on detecting COVID-19 symptoms. As a result, they produced a new digital platform that can detect COVID-19 symptoms up to three days before a patient experiences any symptoms. According to Dr. Ali Rezai, “the holistic and integrated neuroscience platform developed by the RNI continuously monitors the human operating system, which allows for the accurate prediction of the onset of viral infection symptoms associated with COVID-19.”295 In order to collect data on the disease, researchers are using the RNI app, wearable technology (mainly the Oura Ring – a ring that user’s wear that captures relevant information), and artificial intelligence (AI) guided models. With the use of these, researchers are able to predict the onset of symptoms with over 90 percent accuracy. “The neuroscience-based study monitors individuals holistically – integrating physiologic measures with psychological, cognitive, and behavioral biometrics.”296 Participates are tasked with monitoring various indicators like stress, anxiety, memory issues, and other “human resilience and recovery functions.” The Oura Ring monitors the patient’s physiological data, including “onset of increased body temperature, heart rate variability, resting heart rate, respiratory rate, sleep and activity patterns, and ‘readiness,’ [which is] a health metric combining long-term sleep and activity trends with short-term behaviors. The following includes a list of functions recorded within the RNI platform:

Why your ancestors may haunt you Recently, genetic testing has recently become very popular. They are used for a variety of different purposes. For instance, some over-the-counter test kits allow individuals to submit their DNA and in return receive their ancestral background (such as Ancestry). Other tests, such as 23andMe) use your DNA to report your risks for certain health predispositions. Both companies allow its users to participate in clinical research. Like biometric data, data based on your DNA is considered particularly important. As one scholar notes “genetic information may be particularly sensitive because it is immutable and uniquely identifiable. Genetic information, because it is hereditary, may also implicate genetically related family members, as well as a racial or ethnic group.” As such, concerns have been raised as to whether consumers of these products could be exploited not just by the commercial transactions between the consumer and company, but also by research conducted by the companies. As __ notes, when consumers sign up for an account with either company, they consent to the transaction but “the transaction can still be problematically exploitative.”

45

AUTONOMIC & SENSORY NERVOUS SYSTEM Heart Rate Variability Respiratory Temperature

SLEEP Quantity Quality Circadian Rhythms

FUNCTIONAL Movement Physical Activity

COGNITIVE Fatigue Attention Memory

BEHAVIORAL & PSYCHOSOCIAL Symptoms Exposure Questions Stress Questions

Recovery Questions Wellness Questions Nutrition Sense of Smell

The patients are undergoing continuous real-time “non-intrusive, secure, and safe” monitoring in order to allow the RNI researchers to predict the onset of COVID-19 as well as their recovery.

The use of this data by researchers highlights the challenges that legislatures may face in crafting a workable data privacy framework. For instance, although, as a research institution, WVU is required to undertake strict standards to protect participants’ data and privacy, voluntary opt-in programs created by corporations may not face the same level of scrutiny. In addition, there is always a risk of that data making it into the hands of a third-party or a chance of the data being hacked. Finally, if the health information is voluntarily shared by the consumer with her insurance company, then a whole host of other issues implicating data privacy may arise. F. Data Privacy and the Insurance Industry The insurance industry interacts with just about every aspect of a consumers’ life. We have health insurance for when we’re sick, car insurance for when we drive and home or renter’s insurance for our home and possessions. All of these transactions involve the collection of data which, by its nature, implicates data privacy. Examining how insurance companies use data in some key areas can help shed light on issues that may need to be addressed. 1. Data Privacy and Health Insurance

Unlike many other industries that intersect with data privacy, the health care industry is already a significantly regulated industry. Federal laws that touch on records kept by hospital and medical providers are heavily regulated and enforced. Nevertheless, data privacy issues in this industry are still ongoing – particularly in regard to: (1) whether the data that is generated falls within the definition of “personal health information” and (2) whether the data has been collected by players, other than covered medical providers who may not be subject to these legal structures and yet whose impact in this area might cause significant damage to individuals.

46

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs privacy of medical records and information, and state laws are required to adhere to its requirements unless those state laws and regulations are more stringent.297 HIPPA protects “personally identifiable health information” (also known as personal health information, or “PHI”) from disclosure under the HIPPA Privacy Rule, which governs medical record privacy.298 In an informational document published online, the HHS Office of Civil Rights explicitly stated that “you have privacy rights whether your information is stored as a paper record or stored in an electronic form [Electronic Health Records (EHRs)]. The same federal laws that already protect your health information also apply to information in EHRs.”299 It does allow states to implement and enforce mandatory reporting requirements.300

While HIPPA offers significant protections, due to gaps in the law, and the ability of entities

not covered by the law to share information with those that are, a cottage industry of third-party apps have recently begun collecting information about consumers indirectly related to their health and aggregating that information to offer new services or even discounts for good behavior. Unfortunately, some of that information has also been used to detrimentally affect everything from premium costs to employment opportunities, creating a vast data privacy concern that remains unresolved.

Regulations promulgated under HIPPA define “protected health information” as “individually

identifiable health information” transported or stored in “electronic media” or “any other form or medium.”301 Under these regulations, “individually identifiable health information” means “health information that (1) ‘identifies’ or can reasonably ‘be used to identify’ an individual; (2) is ‘created or received by a health care provider, health plan, employer or health care clearinghouse’; and (3) relates to an individual’s physical or mental health, healthcare provision, or payment for provision of health care.” 302 Data can be de-identified and not considered “individually identifiable health information” under circumstances where an expert concludes that there is minimal risk that such information could be used to re-identify an individual or the entity lacks “actual knowledge” that the information could be used to identify an individual.303

The HIPPA Privacy Rule only applies to “covered entities;” which are defined as “health

plans,”304 “health care providers,”305 and health care clearinghouses; “hybrid entities,” which operate using health and non-health related information; and “business associates” which are third party users of the data who are bound to adhere to the requirements of the Privacy Rule as if they were covered entities.306

But the “social determinants of health,” such as information an individual might post about

themselves on social media websites which is subsequently collected by other third parties would not

Playing in the Shadows of Health Care For decades, individuals who were concerned about how their health information was being used could find solace in HIPAA – the Health Insurance Portability Act. Under HIPAA, covered providers were prohibited from sharing your health information without your consent. But now, with the advent of big data, many other companies are using public and semi-public sources to create a medical profile for you that they can then sell to interested businesses. Because of the way that these companies collect their data, they do not fall within the ambit of the law.

Playing in the Shadows of Health Care For decades, individuals who were concerned about how their health information was being used could find solace in HIPAA – the Health Insurance Portability Act. Under HIPAA, covered providers were prohibited from sharing your health information without your consent. But now, with the advent of big data, many other companies are using public and semi-public sources to create a medical profile for you that they can then sell to interested businesses. Because of the way that these companies collect their data, they do not fall within the ambit of the law.

47

be covered under the Privacy rule. To illustrate this problem, a group of scientists in 2018 took large sets of health data, removed protected health information, and reverse-engineered the information to identify 95 percent of individuals.307 With many people willingly identifying minor details about themselves in this manner, companies (including insurance companies) can use that information in manner that would not fall under the protections provided by HIPPA or the Privacy Rule, since it is not considered personal health information.

In addition, other laws that would seem, at first glance, provide supplemental protection for

consumer’s health-related information also have gaps. For instance, the Fair Credit Reporting Act (FCRA) does not require entities to provide notice to consumers before sharing that data with third parties, as its primary purpose is to ensure accuracy of consumer information and how that information is to be used. 308 It permits this through the use of “consumer reports” which are communications by a credit reporting agency that is “ ‘used or expected to be used’ to evaluate a consumer for credit, insurance, employment or another permissible purpose under the Act.”309 When a consumer report is used to take an “adverse action” against a consumer based on information in the consumer report, users of that information must notify the consumer. Adverse actions include refusing to grant credit, reducing insurance coverage, and denying employment. 310

Under this framework, insurance companies can leverage data in full compliance with both

HIPPA and the FCRA to sell products that rely on de-identified personal information sold to or purchased from a third-party data broker. For example, Optum—a company under the ownership of UnitedHealth Group—has amassed the “medical diagnoses, tests, prescriptions, costs and socioeconomic data of 150 million Americans going all the way back to 1993.”311 The company has stated on its marketing materials that it uses information such as education, net worth, family structure, and race in tandem with this historical information for patient medical outcomes and costs, but does not use it for pricing health plans.312 IBM Watson Health also utilizes information about social and economic factors to assess potential markets by surveying 80,000 Americans a year, asking questions such as whether participants “trust their doctors, have financial problems, go online, or own a Fitbit.”313 This allows IBM Watson Health to determine whether a particular region might be a good investment for insurers in the future, but this aggregate data is also subject to errors and inaccuracies.314

On March 9, 2020, the Centers for Medicare & Medicaid Services (CMS) and the Office of

the National Coordinator for Health Information Technology issued a final rule dealing with patient access to data and information blocking, among other things.315 Information blocking, a new concept developed by provisions of the 21st Century Cures Act, prevents access to electronic health information about an individual’s medical treatment history.316 Notably, despite privacy concerns related to non-HIPPA protected information obtained from third parties, CMS stated that it lacks the authority to regulate this type of information and that the FTC must take up that mantle.317 Further, CMS emphasized that health plans must educate any new customers on the risks of sharing health information with third parties by posting resources on a public website.318

West Virginia has already experienced a similar ordeal with non-informed consumers suffering

real-world consequences as a result of sharing voluntary non-HIPPA protected data as part of health care services and insurance benefits. In 2018, the West Virginia Public Employee Insurance Agency (“PEIA”) launched a new initiative in partnership with Human called Go365.319 The program required workers to participate in routine medical screenings in exchange for “wellness points” that would lower rates.320 But in addition to awarding points for wearing a Fitbit and tracking steps, the program also included personal questions in its screening such as “How much sexual activity do you perform

48

in a week? Is it vigorous?”321 Individuals who did not want to participate in the program were charged an additional $25 per month for their insurance plan, and the program was discontinued on March 30, 2018, following demands by the teachers’ strike in Charleston, West Virginia.

In addition, the current legal framework for addressing the pandemic has highlighted

significant issues with regard to data privacy and health-related issues. For instance, as one article notes “(HIPAA) provides some protections for health-related information in the United States, but it applies only to health care providers [and other included by contract].”322 As such, to the extent that information related to Covid-19 is being collected and used by companies outside of HIPAA’s ambit, there is currently no specific protection with regard to how the information is protected from a privacy standpoint. This issue is exacerbated by the fact that most of the information currently being used by the state and federal government to address the pandemic is not being collected by providers covered under HIPAA but rather by technology companies such as Google.323

The use of algorithms has also resulted in discriminatory practices in the healthcare industry,

some of which could be avoided with more stringent data privacy laws. For instance, a healthcare algorithm owned by United Health returned results that disparately impacted black patients, flagging more white patients for extra treatment even though the black patients were equally ill and needed the same level of care.324 In addition, insurance industry algorithms are used often in pricing and administering insurance policies, and also often result in disparate or discriminatory treatment for non-white consumers.325 Typically, while it is obvious these outcomes do occur, it is often unclear how or why they occur. However, in the case of the United Health algorithm, the researchers were able to analyze the process and determined that “bias does not emerge from the particulars of the algorithm, but from [the] outcome the algorithm was asked to predict (also known as its ‘label’).”326 Further, this happens because something as commonplace as cost is used as the “label,” while factors such as white patients having better access to care and being more financially able to seek it than equally ill black patients are not used in the data sets as labels.327 The algorithm simply did not have data indicating who was financially able to seek treatment and who was not, or who needed treatment and did not seek it for whatever reason, and could therefore not calculate an accurate or fair result.328

The researchers also point out that they “heard from many organizations concerned that the

algorithms they rely on are similarly biased. Most aren’t sure how to identify bias, and even more uncertain of what to do about it.”329 This indicates that most, if not all, instances of disparate impact and discrimination from the use of AI algorithms likely occur inadvertently, simply the result of missing pieces of key data needed to calculate accurate and equal results.

2. Spotlight on West Virginia – Laws related to Insurance Companies and Medical Records

As mentioned before, right now for consumers and companies alike, our data is a form of

currency. It is no wonder then that corporations are spending significant efforts to hold onto that

currency as much as possible. Insurance companies’ fight over medical record data is one example of

the lengths to which these companies will go to hold onto this valuable information.

In many ways, West Virginia law is at the forefront of data privacy within medical record

retention practices. This is largely thanks to the work of the Romano Law Office,330 which has been

active in litigating issues concerning insurance companies’ use of data in their claim handling decisions.

49

While these cases developed before the era of Big Data, many of the resulting court opinions that

could be applied to our modern framework. Indeed, part of the particular challenges of data collection

and data privacy is that businesses now use the data that they have collected in ways that were not

initially considered when the data was first captured.331 As such, it is worth examining West Virginia’s

approach to these issues under state common law to determine if there are any best practices that can

be used for future data privacy laws.

The rise of big data heightens the risk of data security breaches and inadvertent dissemination

of private medical information. Generally speaking, HIPPA preempts state law except when the state

law offers greater protections for health information. To that end, the West Virginia Supreme Court

and Northern District of West Virginia have upheld privacy policies for medical records. Medical

records privacy is protected under federal law, West Virginia Insurance Commission (WVIC)

regulations, and West Virginia court opinions. West Virginia recognizes individuals’ privacy interests

in their own medical records and upholds this policy to the extent permitted by law. Medical protective

orders are generally issued to preserve this privacy interest, and so long as the orders allowed for good

cause, state and federal required retention periods, reporting requirements, and other statutory or

regulatory law, they have been upheld by the West Virginia Supreme Court and the U.S. District Court

for the Northern District of West Virginia. This suggests that big data practices could violate this

policy and law if private medical information is being stored indefinitely, on an unnecessarily large

scale, and at significant risk of accidental or uncontrolled dissemination caused by inadequate

safeguards. Therefore, studying the law in WV could provide some guidance regarding what legislators

should consider codifying into law.

While West Virginia has no code section explicitly outlining a blanket protection for medical

records, provisions in other code sections require it. For example, West Virginia law332 authorizes the

creation of the West Virginia Health Information Network “under the oversight of the Health Care

Authority to promote the design, implementation, operation and maintenance of a fully interoperable

statewide network to facilitate public and private use of health care information in the state.”333 Other

laws restrict disclosure except with the patient’s authorization or the “best interest to those having a

need to know, in compliance with state confidentiality laws and [HIPPA].”334 In addition, the law

provides that “health information, data and records of the network shall be exempt” from Freedom

of Information Act disclosures.335

HIPPA and corresponding state code sections address privacy of medical records related to

healthcare providers and health insurers, and WVIC provides regulations to protect the privacy of

medical records related to all insurance companies doing business in West Virginia. Under W. Va.

C.S.R. 114-57-15.1, “a licensee shall not disclose nonpublic personal health information about a

consumer or customer unless an authorization is obtained from the consumer or customer whose

nonpublic personal health information is sought to be disclosed.”336 This regulation is based on the

federal law, which obligates financial institutions,337 to enact safety measures to prevent disclosure of

non-public consumer information.338 However, West Virginia regulations do not require authorization

50

or prohibit disclosure for “insurance functions performed by or on behalf of the licensee,”339 including

but not limited to disclosures permitted under HIPPA, claims administration and management, or

fraud and other reporting requirements.340

Additionally, the WVIC requires insurers to implement “a comprehensive written information

security program that includes administrative, technical and physical safeguards for the protection of

consumer information. The …safeguards included in the …program shall be appropriate to the size

and complexity of the licensee and the nature and scope of its activities.”341 Insurers are also required

to retain all records related to liability claims for “(1) the current calendar year plus five (5) calendar

years” or “(2) from the closing date of the period of review for the most recent examination by the

commissioner; or (3) a period otherwise specified by statute as the examination cycle for the

insurer.”342

Guiding Hypothetical Mary and Jeri were involved in a car accident near Elkins, Randolph County WV. Jeri was at fault and Mary sustained life-threatening injuries which required a long hospitalization and rehabilitation period. Mary filed a lawsuit against Jeri and Jeri’s automobile liability insurer, Nationwide, to recover medical expenses and lost wages resulting from the accident and her injuries. Nationwide seeks discovery of Mary’s medical records to use in defending this litigation. Mary is concerned about how her private medical records and information will be used, stored, and disseminated to entities other than Nationwide and its counsel. She is also worried about what happens to her medical records and information after the end of the litigation. She does not want to simply release all of her medical records to Nationwide and allow the company to wrongly disclose them or keep them forever in its computer database. Mary wonders if she has any legal recourse to ensure her private medical information stays protected while in Nationwide’s possession during and after this lawsuit ends, or if her records are disclosed without her permission.

As discussed in the following sections, West Virginia courts have recognized and enforced

HIPP’s mandate to keep individuals’ non-public medical information private to the extent permitted

by law. The primary method of upholding an individual’s privacy interest against unauthorized

dissemination and excessive retention periods is the issuance of appropriate Medical Protective Orders

(MPOs) at a trial court’s discretion. The West Virginia Supreme Court and the U.S. District Court for

the Northern District of WV have upheld MPOs as a matter of policy and law, so long as (1) good

cause was established and (2) the orders accommodated requisite retention and fraud reporting

requirements under state and federal law.343

MPOs are issued by courts to protect the confidentiality of medical information obtained in

discovery and to regulate how the information may be used.344 Appropriate MPOs generally require

(1) destruction and return of medical records, information, copies, or summaries, after required state

and federal retention periods; (2) certification of destruction from a defendant’s counsel or other

authorized person; (3) a prohibition on disclosing information, restricting it to those necessary for

51

claims handling and litigation; and (4) a signed acknowledgement of the order by anyone receiving

disclosure of information.345 West Virginia courts have broad discretion to manage discovery and

regulate how medical records and information may be used by issuing appropriate MPOs, and an

abuse of discretion standard is used in reviewing these orders.346 Protective orders must comply with

state and federal law regarding mandatory retention periods and reporting requirements.347 In our

hypothetical, Mary could request that the Circuit Court of Randolph County issue an MPO with these

terms and provisions to uphold her protected privacy interest in her medical records as a matter of

policy. Based on West Virginia common law, the Court would likely grant her request and issue an

appropriate MPO.

For example, in State ex rel. State Farm Mut. Auto. Ins. Co. v. Bedell (Bedell I), a plaintiff sued State

Farm for failing to pay an underinsured motorist claim and sought damages for injuries and emotional

distress caused by her husband’s death.348 State Farm requested authorization to obtain her and her

husband’s medical records.349 The Circuit Court of Harrison County issued a MPO prohibiting

electronic scanning of the records and required they be destroyed or returned at the end of litigation.350

The order did not address good cause or allow for retention periods required by WVIC regulations,

and the West Virginia Supreme Court refused to uphold it on those grounds.351

A second MPO was issued in the same case, this time addressing good cause and allowing for

WVIC regulations, and the insurance companies again opposed plaintiff’s request.352 In its ruling, the

judge sided with the plaintiff, reasoning that “’a person’s medical profile is an area of privacy infinitely

more intimate, more personal in quality and nature than many areas already judicially recognized and

protected.’”353 The Court observed that all parties “agreed and conceded that a protective order is an

appropriate means of protecting the privacy interests [plaintiffs] have in their confidential medical

records” and “fundamental to the privacy of medical information is the ability to control [its]

circulation.”354 The Court also cited federal law in its policy reasoning, stating “as the parties have

acknowledged before this Court, federal law requires the entry of protective orders to protect litigants

whose medical records will be disclosed during the course of legal proceedings.”355 Further, the Court

observed that Congress had enacted that legislation “to promote a strong federal policy in favor of

protecting the privacy of patient medical records.”356 Because good cause had been established and

the MPO allowed for statutory and regulatory retention periods, the Court upheld the second

protective order by denying the writ,357 indicating they were also upholding state common law and

federal privacy policies.

State ex rel. State Farm Mut. Auto. Ins. Co. v. Marks encompassed two consolidated personal

injury actions.358 Each plaintiff requested MPOs against State Farm and Nationwide Mutual, and the

insurers objected to the entry of the orders.359 The Circuit Court of Harrison County consolidated the

cases and affirmed both orders, holding that they were consistent with West Virginia law and public

policy, and entered a Combined Order Affirming Medical Protective Orders Entered in These Civil

Actions.360 The Circuit Court also explicitly included medical records and information obtained before

the MPO was entered.361 On appeal, the WV Supreme Court upheld the lower court’s orders.

52

In Small v. Ramsey, a federal court in WV was asked to determine whether a proposed MPO

was proper.362 The Court reasoned that the insurers admitted that the plaintiff had a right to privacy

of his medical records, and WVIC regulations “construed by the West Virginia Supreme Court”

prohibit insurers from “disclosing non-public personal health information without authorization by

the individual.”363 Although the Court found no language in HIPAA which would extend privacy

requirements to liability insurers, it concluded that “the patchwork of laws and regulations are not

adequate to protect the privacy interest of the individual in his medical records recognized by the West

Virginia Supreme Court of Appeals.”364 It then entered a MPO which required destruction, return,

certification, and restrictions on dissemination.365

The District Court in Marks also pointed out the West Virginia Supreme Court’s policy

reasoning in Child Protection Group v. Cline which stated “West Virginia recognizes the individual’s right

to privacy with respect to his or her medical records” and “’there is no question that disclosure would

cause an invasion of privacy’” because “an individual’s medical records are classically a private

interest.”366 The Court also quoted Crump v. Beckley Newspapers Inc., observing that this privacy interest

“appears to be a common law recognition” under West Virginia law, and invasion of privacy can

include “(1) an unreasonable intrusion upon the seclusion of another; (2) an appropriation of another’s

name or likeness; (3) unreasonable publicity given to another’s private life; and (4) publicity that

unreasonably places another in a false light before the public.”367 This suggests that under West

Virginia common law, a plaintiff may have a cause of action for invasion of privacy if medical

information is misused or disclosed without authorization. In our hypothetical, if Nationwide discloses

or disseminates Mary’s medical records without her permission, she may be able to bring suit for

invasion of privacy under Child Protection Group v. Cline and Crump v. Beckley Newspapers, Inc.

As outlined below, from 2010-2012 State Farm and Nationwide Insurance appealed MPOs

and sought writs of prohibition against their enforcement, raising numerous issues in both the WV

Supreme Court of Appeals and the US District Court for the Northern District of West Virginia. The

primary MPO term appealed was destruction and return of medical records, information, summaries,

and copies. Even after MPO orders accommodating retention periods were entered, these companies

presented the same arguments in an attempt to have that term eliminated or modified to allow

indefinite retention and dissemination at their discretion. The following sections list each of these

arguments and how the court decided. Given the rise of Big Data and the incentives that companies

have to use and monetize this information, the data privacy issues are significant.

Good Cause

• For any protective order to be issued, W. Va. R. Civ. P. 26(c) requires “particular and specific

demonstration of fact” and not “vague fears articulated by [a plaintiff],” and a plaintiff bears

the burden of showing this.368 A protective order will not be given “simply because a party

possesses a protected interest in the information sought to be discovered.”369

53

• The defendant insurers in Bedell I argued that good cause was not shown because medical

records are protected by state insurance regulations and internal insurance company practices,

and the plaintiff could not demonstrate particular and specific facts concerning electronic

storage.370 The WV Supreme Court agreed, holding that plaintiff had not shown particular and

specific facts for good cause because (1) the Circuit Court did not require or address it on the

record, and (2) plaintiff presented no evidence that her records would not be protected by

safeguards already in place by WVIC and insurance company electronic storage.371

• After the Circuit court found and addressed good cause in issuing the second MPO in that

case, State Farm and Nationwide objected and presented the same argument.372 This time, the

WV Supreme Court held that (1) the Circuit court on the record established good cause

“through particular and specific fact of plaintiff’s expectations of privacy” and (2) the WV

Supreme Court in Bedell I had only addressed the issue of electronic storage, which “did not

preclude a subsequent protective order complying with the requirements specified in Bedell

I.”373

• In State Farm v. Marks, defendants again presented this argument, alleging that existing WVIC

regulations were adequate protection for plaintiffs’ medical records.374 The Court rejected the

argument and held that insurers’ compliance with state privacy regulations did not exempt

them from complying with protective orders because this would violate the separation of

powers doctrine by (1) “enlarging” WVIC’s authority beyond its legislative delegation and (2)

“usurp[ing] the exclusive province of the court to regulate discovery in matters over which it

presides.”375 The Court declined to give “preferential treatment and special exemptions from

medical protective orders” and upheld the Circuit court’s combined order affirming the MPOs

in the consolidated cases.376

• The defendant insurers again argued lack of good cause in Small v. Ramsey.377 The U.S. District

Court held that plaintiff met good cause requirements because (1) there is a privacy interest

and right to protect medical records and control dissemination; (2) insurance companies

intended to disseminate records, removing control over them; (3) the Court was not banning

all use, only limiting to what was needed to comply with state and federal law; (4) a plaintiff

does not lose control over privacy of non-public medical records by virtue of being injured

and involved in litigation.378

• In our hypothetical, Mary can allege to the Circuit Court that she has an expectation of privacy

in her medical records. If the Court addresses this particular and specific fact and finds good

cause on the record in issuing the appropriate MPO, Mary’s MPO would likely be upheld by

the West Virginia Supreme Court and the U.S. District Court for the Northern District of

WV.

Definition of Medical Records

54

• State Farm and Nationwide also attempted to define “medical records” and “medical

information” differently regarding compliance with the destruction and return requirement in

MPOs, presumably to allow them to keep documents containing information taken from

medical records.379 The WV Supreme Court in Bedell II analyzed the Circuit court record and

plain meaning of the terms in the MPO, and found that the Circuit court intended to use the

terms interchangeably.380 In State ex. rel. State Farm v. Marks, the Court declined to define the

terms differently for Nationwide because that was the Circuit Court’s territory and was settled

in Bedell II.381 The US District Court in Small v. Ramsey simply stated that the terms are

synonymous.382 These holdings affirmed the MPO term requiring that all summaries and

copies containing medical records and information be destroyed and returned.

State and Federal Retention Requirements

• WVIC regulations require insurance companies to retain all records related to claims “for the

lesser of: (1) The current calendar year plus five (5) calendar years; (2) From the closing date

of the period of review for the most recent examination by the commissioner; or (3) A period

otherwise specified by statute as the examination cycle for the insurer.383

• In all of these cases, insurers argued that destruction of “medical records and any documents

containing medical information”384 would interfere with their statutory and regulatory

retention obligations under West Virginia law.385 In Bedell I, the WV Supreme Court held that

a protective order which interferes with retention requirements under the law will not be

upheld.386 The WV Supreme Court upheld the subsequent MPO and denied the insurance

companies’ request.387 The Court in State Farm v. Marks upheld the MPO in that case because

destruction and return of the records was not required until after six years, which was later

than the mandatory retention period.388 The U.S. District Court in Small v. Ramsey found that

the MPO was proper because its six-year retention limit also accommodated statutory and

regulatory requirements.389

• The insurers also argued that MPO terms limiting retention periods conflicted with statutory

and regulatory obligations under other states’ laws, specifically Illinois and New York.390 The

WV Supreme Court in Marks held that the MPO at issue allowed for Illinois law because

insurers could request permission to remove records from files, and there was no indication

this would be denied.391 Additionally, the MPO accommodated New York law because its

retention period is 6 years, the period of restriction specified in the order.392 The US District

Court in Small v. Ramsey held that the MPO allowed for compliance with Illinois and New

York law, and a copy of the medical records would be under court seal to request a copy for

compliance after Small received proper notice.393

• In West Virginia, insurers have also argued that an order to destroy records would interfere

with their compliance with the Medicare Secondary Payer Act, which requires insurance

companies to notify Medicare if claims are paid to a Medicare recipient.394 The WV Supreme

55

Court rejected this argument in State Farm v. Marks because the six-year restriction was

adequate to meet this obligation.395 Similarly, the U.S. District Court in Small v. Ramsey upheld

the MPO because determination of plaintiff’s Medicare status would occur at the time any

settlement or judgment was paid; identification and Medicare reimbursements would be paid

then and within the protective order’s six-year time restriction.396

Fraud Detection Obligations and Retention Requirements

• Another argument that insurers have made is that MPOs requiring destruction or return of

medical information would impede statutory and regulatory duties to report suspected fraud

under WVIC regulations.397 In State Farm v. Marks, the WV Supreme Court rejected this

argument and held that (1) the MPO adequately addressed concerns and (2) does not require

destruction or return until after retention requirement periods, and therefore could be met

within the order’s time restriction.398

• The US District Court in Small v. Ramsey also rejected this argument, holding that (1) an

insurance company must have a reasonable belief fraud has been, is or will be committed, (2)

Executive Order 13181399 restricts judicial authorities from obtaining medical and insurance

records unless there is good cause for investigation, and no good cause was apparent in this

case, and (3) supplying National Insurance Crime Bureau and Insurance Services Office with

medical records is not required by WV or federal law, and is inappropriate because they are

not involved in litigation and could not obtain medical records on their own.400

Burdensome Compliance with Medical Protective Orders

• The insurers also argued that destruction or return of medical records would create an

unreasonable burden on insurance companies because their computer systems could not be

modified to remove pieces of information from files.401 The WV Sup. Ct. in State Farm v. Marks

held this argument was without merit, because computer files can be modified and computer

systems can remove only medical information from files.402 Further, inconvenience or

difficulty does not equal impossibility in complying with this term, and the order was upheld.403

• In Bedell II, the WV Supreme Court upheld the MPO and also rejected this argument, reasoning

that destruction and return, and certification of destruction, is a well-recognized provision of

medical protective orders in many jurisdictions including West Virginia.404 Further, HIPAA

requires medical protective orders and provisions for the return of information when litigation

ends, and the MPO in this case required nothing more than the same after the statutory and

regulatory retention periods.405 The US District Court in Small v. Ramsey bluntly stated that

“what the insurer’s IT departments created they can modify.”406

Destruction of Business Records to Comply with MPOs

• The WV Supreme Court in Bedell II also addressed the argument that destruction of medical

records, and information contained in documents constitutes destruction of business records

56

or attorney-client files.407 The Court again rejected this argument, reasoning that medical info

can be removed and the remainder preserved for business record or attorney files.408 The Court

also reasoned that the second MPO at issue included only “medical records, medical

information, or any copies or summaries thereof;” claims files, business files, attorney-client

files, or other litigation documents would remain intact.409 Further, destruction and

certification is necessary to protect a plaintiff’s privacy interests in medical information.410

Constitutional Issues

• In Small v. Ramsey, State Farm and Nationwide relied on Sorrell v. IMS Health to argue that their

First Amendment rights would be violated if they were not permitted to disseminate the

medical information provided to it as needed.411 In Sorrell, the state of Vermont passed

legislation to prevent pharmacies from selling “prescriber (physicians) identifying information

to ‘data miners’ without the prescriber’s consent,” who then sold it to manufacturers who then

provided it to others to market certain medications to prescribers.412 The U.S. District Court

rejected this argument and distinguished Sorrell by observing that it applied to pharmaceutical

sale and marketing of prescriber (physician) information and not dissemination of individuals’

private medical records.413 Further, “obtaining [the plaintiff’s] medical records through

discovery within civil action does not constitute speech as contemplated in Sorrell.”414

However, the Court also hinted that restricting dissemination of information obtained outside

a court’s discovery process could be subject to stricter “prior restraint” scrutiny under the First

Amendment.415

• Additionally, the WV Supreme Court in State Farm v. Marks reasoned that insurers could

communicate information required by law, which would not violate a First Amendment

right.416 The Court then pointed out that the Supreme Court of the United States had denied

certiorari in Bedell II, indicating no Constitutional import with the MPO term restricting access

of the information to only those involved in claim management and litigation.417

• The insurers also argued that the MPOs’ destruction of records terms violated the

Constitution’s due process and full faith and credit clauses because of their retention and

reporting obligations in West Virginia and other states.418 The U.S. District Court rejected this

argument in Small v. Ramsey, holding that no due process violation existed because the MPO’s

time restriction allowed for compliance with statutory and regulatory obligations.419 Similarly,

the West Virginia Supreme Court in Marks found violation of the full faith and credit clause

did not exist because the MPO’s time restriction permitted compliance with other states’ and

courts’ requirements.420

Many of the issues that arise within the context of medical records may have particular resonance

with individuals and society in general in light of the pandemic.

57

G. Data Privacy and the

Pandemic

In many ways, the COVID-19 pandemic has shown a spotlight on many issues that intersect with data privacy. The issues involved range from privacy and contact tracing apps, an increase in cyber security attacks (since more personnel are working from home), and the intersection between social media and surveillance. However, by far the greatest potential harm to data privacy is the use of contact tracing apps. For instance, the pandemic has highlighted the use of technology to curtail the spread of the disease through contact tracing applications. The type of data collected with contact tracing apps varies greatly, depending on the software developer. For many, contact tracing applications that use centralized databases are cause for concern since these systems provide an opportunity for hackers to gather data held in a single location.421 Decentralized systems are more popular due to having less risk; as such, they are being pushed by companies such as Apple and Google as they release their application programming interface (API) to different countries. How these companies utilize this technology, for how long, and what they plan to do with any data gathered is still unclear. The response by various countries – to the data privacy implications of contact tracing apps and related technology used to address the pandemic – has also varied significantly. While some countries, like China, have used contact tracing apps significantly,422 countries like the United States hope to keep contact tracing data limited and as-necessary.423

Other Issues with Data Privacy and the Pandemic Due to governments requests for much of the public to stay at home, non-essential employees have in many cases been forced to bring their work home with them. This change provides opportunity for bad actors seeking to take advantage of home Internet’s weaker infrastructure and the use of personal devices. The types of increased risks that have been associated with bad actors wishing to take advantage of the situation surrounding COVID-19 include increased likelihood of phishing attacks, cyber attacks on company networks due to a lack of IT staff, and a higher likelihood of cyber attacks to disrupt remote operations.1 With the increased usage of telecommunication services such as Zoom, Microsoft Teams, and Skype, there have also been concerns regarding the security of this type

of software. One concern has been “Zoombombing” in which an unwanted actor interferes in a telecommunication conference, either to actively disrupt or quietly listen in, potentially putting confidential information that may be discussed at risk of being overheard.1 There have also been questions regarding the data security of using some telecommunication software, such as Zoom, which has faced lawsuits for allegedly failing to protect users’ data from other sites who could use it for marketing or other purposes.

Outside of businesses, governments have also been engaging in activity that heightens data security risks. In particular, there has been a call from governments to social media companies and telecommunications providers to track whether or not individuals are utilizing social distancing guidelines by collecting location data from their cellphones.1 In addition, using geolocation data from cell phones or other devices, the government can track the locations of individuals and use this information to break up gatherings and potentially prosecute offenders. In times of emergency and health pandemics, it is not uncommon for certain liberties to be restricted in the public interest. However, such use of technology and the sharing of information between private companies and the government raises a number of questions that are at the heart of the data privacy debate, such as:

• What information is being collected and shared?

• What can the information be used for?

• How long is it kept and is it being stored securely?

58

1. COVID-19 Contact Tracing Apps In the case of the pandemic, contact tracing is being used to alert and monitor people who have both tested positive for the COVID-19 virus and those they have come into recent contact with who are now at a higher risk of contracting the virus.424 After a person has tested positive for the virus, public officials would then reach out to that person in order to monitor their health and instruct them on how to properly quarantine.425 While contact tracing can be done without the use of technology (for instance, when teachers keep a roster of where there students sit in each class), the ability to trace each person’s contact with someone who has tested positive is rendered significantly easier with the use of technology. For instance, a contact tracing app can use Bluetooth technology to determine an individual’s location and trace how close they have come to someone who has tested positive.426 Google and Apple have announced that they are developing apps that utilize Bluetooth technology in order to accomplish this tracing, similar to geolocation tracking technology being utilized to encourage and enforce social distancing.427 2. How a Tracing App Works On May 26, 2020, the first tracing app developed by Google and Apple was released in Switzerland.428 Switzerland had required the Swiss army and hospital workers, to download the Swiss COVID App prior to its public rollout.429 The tracing activated by the app is automatic, and is meant to inform people who both have the app if one of them has become infected with COVID-19.430 This app utilizes API (application programming interface) software to access permissions within the iPhone or Android software in order to achieve the tracing. In this app, however, Apple and Google have “forbidden participants from gathering users' location data, among other restrictions.”431 The data that is collected will vary, depending on if a tracing app utilizes a centralized or decentralized database to gather its data, as illustrated in the flowchart below:

432 As illustrated to the left, if a tracing app utilizes a centralized database, it is collecting data not only from the user’s phone but also data from other phones the user comes into contact with. In a decentralized model, the phone only provides its own data to the cloud database and does not serve as a means to collect data from other phones. Google and Apple are opting for a decentralized approach with the API they are currently offering.433 As one commentator notes, “this aims to cut the risk of either hackers or the authorities using the database of who met whom and for how long for other purposes.”434According to Apple and Google, “[Twenty-two] countries, as well as some US states, had requested access to its API.”435 However, other countries are utilizing different API and competing tracing apps, and not all of them are voluntary.436 Google and Apple themselves also intend to avoid an opt-in system eventually,

59

avoiding the user needing to download an app by having the contact tracing system built into the phone itself.437 3. International Utilization of Tracing Apps How different countries are utilizing tracing apps has varied immensely. According to the Israeli government, the use of existing smartphone surveillance technology by Shin Bet, Israel’s internal security service, assisted in the detection of over 4,000 COVID-19 cases.438 The Australian government utilized a local app to trace virus cases, and due to fewer participants than expected, is considering using the decentralized API from Google and Apple.439 European countries are more cautious about allowing open use of this type of tracing app; many apps have been country-based because of country-level variations in health privacy laws, trust in government, and regime type.440 China, the epicenter of the first outbreak, has had a much different approach to the utilization of contact tracing applications. While their internal workings are incredibly similar, many parts of China are considering utilizing tracing apps beyond the scope of the COVID-19 pandemic.441

The government’s virus-tracking software has been collecting information, including

location data, on people in hundreds of cities across China. But the authorities have set few limits on how that data can be used. And now, officials in some places are loading their apps with new features, hoping the software will live on as more than just an emergency measure. Zhou Jiangyong, the Communist Party secretary of the eastern tech hub of Hangzhou, said this month that the city’s app should be an “intimate health guardian” for residents, one that is used often and “loved so much that you cannot bear to part with it,” according to an official announcement.442

China uses a multitude of apps, where users provide personal information in addition to information pertaining to a user’s health condition and travel history to enroll in one of the country’s virus-tracking systems.443 “The software uses this and other data to assign a color code — green, yellow or red — that indicates whether the holder is an infection risk. Workers posted outside subways, offices and malls stop anyone without a green code from entering.”444 Talks of expanding this color system are already taking place in Hangzhou, where the original Chinese contact-tracing app was pioneered.445 There, officials are considering expanding the app to create a health code, ranking citizens with a “personal health index” on a score of 0–100 – a number calculated by monitoring how much a person sleeps, how many steps they take, and health habits like smoking or drinking.446 4. Contact Tracing Apps in the United States Currently, tracing apps in the United States have been primarily opt-in, voluntary, and promoted on a state-by-state basis. In North and South Dakota, both state governors promoted the use of the “Care19” app.447 This free application does not utilize the Google and Apple API, and instead was created by the business ProudCrowd.448 Once a user downloads the app, they are assigned an ID number, and the app caches the location of the person when they reside in a location for at least ten minutes.449 If a person has tested positive, the Department of Health then asks the user for consent to share the location history of the user with the state.450 This app relies on Wi-Fi data, cellular tower data, and GPS in order to track users.451 “Around 29,600 people—approximately 1.5 percent of

60

the combined population of both states—have downloaded the app. As of April 2020, only 17,031 people were actively using it.”452 Utah has also utilized a voluntary app developed by the company Twenty called “Healthy Together,” which “relies on a combination of GPS, WiFi, IP address, cellular location data and Bluetooth to identify contacts.”453 While North and South Dakota’s app utilizes anonymous location data, Utah’s does not and has stated that “[p]ublic health officials and a limited number of development employees with Twenty Holdings, Inc. will have access to your name, phone number, and location data for COVID-19 tracing purposes only.”454 As a result, the majority of states are opting for a more human based approach to tracking the spread of COVID-19.455 This may be due, in part, to a large public concern for privacy regarding these types of contact-tracing applications, as evidenced by a study performed by Baobao Zhang, Sarah Kreps, and Nina McMurry.456 The study focused on American perceptions of privacy, particularly in relation to contact-tracing apps by conducting a survey. The results of this survey showed that the American people were not very receptive to these apps versus other methods of handling the spread of the virus. “We find widespread reluctance among the public: support for contact tracing apps is lower than for expanding traditional contact tracing or introducing new measures like temperature checks and centralized quarantine.”457 The survey was conducted between March 30 and April 1, 2020 with 1,964 participants.458 In this survey, the participants were presented with a variety of policies regarding COVID-19, with some being more invasive than others, and then were asked about their support for the policies with which they were presented.459 Another question was presented specifically regarding contact-tracing applications and the likelihood one would download the app under different circumstances.460 The results of this survey revealed that only about 30% of the population would likely download a contact tracing app.461 There was a little variance as to whether or not one would download the app if it were under a centralized (27%) or decentralized model (34%). Individuals who had contact with the virus were far more likely to be interested in downloading the app.462 However, the largest finding as a part of this study was the misunderstanding of technology surrounding these applications: “most importantly, we uncover considerable degrees of misunderstanding about the technology, with open-ended [sic] survey responses suggesting that digital contact tracing would entail individual location tracking by the government, for example. We conclude that a public education campaign focused on privacy-preserving features must accompany any roll-out of the technology to overcome misconceptions about its operation.”463 5. Potential Dangers of Contact-Tracing Apps and Possible Legal Solutions There are many cybersecurity and privacy questions that remain unanswered as this data is collected around the world. A large concern is the treasure trove of personal data being gathered by the government and its possible accessibility to hackers.464 Another concern is the speed in which these apps are being developed, leaving room for bugs and vulnerabilities.465 Particularly apps built with a centralized database prove to be a larger concern than those that are decentralized, as they create “a single target for hackers who could steal or expose reams of data that could be used to identify infected people.”466 Besides the worries of bad actors taking advantage of data, another fear is that allowing this type of mass surveillance opens the door to mass government surveillance of the public.467

61

Trying to provide information that is useful to health providers while also protecting the privacy and data of users is a difficult balancing act to achieve. There is a push for data that is being gathered to be anonymous, but some commercial apps actively collect personal data that may be of use to hackers.468 Some of the questions that arise in this context, as noted by Glenn A. Brown and Shalin R. Sood, include:

(1) What information is being shared with the task force? (2) How is the information being kept secure? (3) What conditions are being placed on the use of this data? (4) What are the processes and procedures in place for destroying the data (or

returning it) once it is no longer useful to the task force? (5) Will the data be used for additional purposes beyond tracking COVID-19 (e.g.,

for law enforcement purposes)?469 6. Competing Legislative Solutions In the prior Congressional session, two bills were proposed to Congress – one by Republicans and one by Democrats – specifically targeting data collection from these tracing apps during the COVID-19 pandemic.470 The bills would have addressed gaps that have emerged with the use of data and HIPPA – specifically the fact that the makers of contract tracing apps generally do not fall within HIPPA’s definition of covered medical providers. The Democratic endorsed bill is titled the Public Health Emergency Privacy Act.471 The Republican endorsed bill is titled the COVID-19 Consumer Data Protection Act.472 While both bills aim to focus on the protection of user data, their overall goals and utilization vary. The Public Health Emergency Privacy Act473

• The Public Health Emergency Privacy Act aims to build public trust with the contact tracing apps and encourage their widespread use in order to fight the spread of COVID-19.474 “This measure sets strict and straightforward privacy protections and promises: your information will be used to stop the spread of this disease, and no more…Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19,” explained Virginia Senator Richard Blumenthal regarding the proposed bill.475

As Jessica Davis (reporting for Health IT Security) notes:

To encourage user participation, the bill would give individuals control over participation, requiring tech companies to provide opt-in consent and meaningful transparency into privacy and security practices. The proposal also empowers private and public enforcement that includes rulemaking from an “expert agency” but also recognizing state legislation and enforcement. The proposed legislation would mandate that all data collected through contact tracing apps would be limited to public health use and prohibit the use of health data for any discriminatory, unrelated, or intrusive purposes, such as commercial advertising or efforts to bar access to employment, insurance, and the like. Further, the bill would prevent potential misuse of health data by

62

government agencies with no public health role. The apps would also be required to provide regular reports on the impact of digital collection tools on civil rights. If passed, the apps would be required to employ strengthened data security and integrity protections, including data minimizations and accuracy, while requiring tech firms to delete the data once the public health emergency has ended. The bill would also ensure the protection of voting rights by “prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps.”476

• The bill has currently been endorsed by a number of privacy stakeholders, with the hope that it will lay a foundation for protections in the future.477

COVID-19 Consumer Data Protection Act478

• The goal of the COVID-19 Consumer Data Protection Act legislation is to grant users a say in how their information is obtained by tracing apps and provide for greater transparency in the data collection process of such apps.479 As Ms. Davis reports:

The proposal is designed to ensure businesses are held accountable for any misuse of data collected to fight the COVID-19 pandemic and would require companies under Federal Trade Commission jurisdiction to obtain explicit consent from users to collect, process, or transfer personal health, geolocation, proximity, or device data for contact tracing. The bill mandates strict privacy disclosures at the point of collection into how data will be handled, to which companies it will be transferred, and how long it would be retained. Companies will be required to establish clear definitions around aggregate and de-identified data and to adopt technical and legal safeguards to protect consumer data from being reidentified. Further, companies would be mandated to allow users to opt-out of the collection, processing, or transfer of their personal health data and other personal information collected by the apps. The platforms would need to provide transparency reports to the public that detail data collection activities related to the pandemic… If passed, the bill would also give state attorneys general the power to enforce the act.480

• The bill’s primary focus is the security of individuals’ data and sanctions against businesses that misuse this data, and the hope that businesses would provide more transparency with the use of user data.481 No action was taken on either bill.

63

VI. Considerations for West Virginia

In West Virginia [in 2018], a statewide teacher’s strike was partly spurred by the introduction of Go365, an app used to track steps, sleep and heart rate. Failure to earn a certain number of points through the system would result in a $500 hike in the employee’s annual insurance deductible. “People felt really violated,” said Tega Toney, 34, an 11th-grade social-studies teacher in Oak Hill, W.Va. “It was a Big Brother issue.” The program was later abandoned.482

In many ways, West Virginia is uniquely poised to address data privacy issues within the state and

take a leadership position within the nation. For instance, while the state currently has little in the way of broadband access and is ranked low in regard to its residents’ access to technology, this could provide the opportunity for the state’s legislatures to take a proactive, thoughtful approach to issues such as data privacy and cybersecurity that are embedded in advancing the technology platform of the state. To that extent, checking in with residents and industry representatives regarding how they view data and data privacy provides a unique opportunity for the legislature to take a proactive stance using qualitative data amassed from conversations with each of these groups. Our discussions with both highlighted that, particularly with regard to data breaches, there is a cost to both consumers and businesses.483

A. Policy Landscape

To gather information for this report, we undertook two major steps. First, we conducted a

survey of 500 West Virginians regarding their initial outlook and perspective on issues regarding data privacy. Then, we followed up with willing participants and conducted a series of focus groups across the state, to ask more detailed questions from residents regarding their access to data. While the majority of the pool from the focus groups was drawn from the initial survey pool, we did conduct two subsequent focus groups (in Morgantown WV) made up entirely of non-survey takers. These focus groups were unique in that it they were the only focus groups which consisted entirely of individuals in the under 30 age group.

B. Summary of Initial Survey

The initial survey is what provided the breadth of the answers (quantitative research), while

the subsequent focus groups allowed us to go into more depth with participants (qualitative research). Thus, the combination of the two allows us to have both breadth and depth.

The initial survey asked a series of questions regarding the resident’s use of technology and

their concern for issues falling within the category of “data privacy.” For instance, one question asked participants: “do you ever worry about how much information is available about you on the internet?” A more pointed follow up question asked, “Do you ever worry about your personal information being collected by companies?” In response, 75% of those polled expressed some concern for companies using their information with over half of respondents indicating that they worried about it (an additional 18% of respondents stated that they worried about it “sometimes.”).

In addition:

64

• Over 50% of respondents had personally experienced some sort of data breach (defined as having their information stolen or compromised).

• 42% of respondents indicated that they had their personal information collected without their knowledge and consent.

• 41% indicated that they had their information shared without their knowledge or consent.

• 34% of respondents had their personal information stolen (i.e., social security number, credit card or banking information, and medical information)

• Nearly a third of respondents had had their email or social networking account compromised in some way.

In addition, those being polled were generally split regarding whether they trust various categories of businesses with a slight majority in most categories indicating that they trusted the specific industry. The one exception was West Virginians’ view of their personal bank. In that instance, 80% of respondents indicated that they generally trusted their primary bank to some degree.484 Most residents surveyed in West Virginia who were affected by some sort of data breach they indicated that some remedy was available to them. For instance,

• 38 % had access to free credit monitoring so that their credit score isn't affected.

• 31% indicated that they had access to a formal complaint system.

• 25 % indicated that they had access to compensation in the form of discounts, refunds, or free services.

• 25 % indicated that they had access to monetary compensation.

• 23% indicated that they credit score freezes available.

• 15 % indicated that they had access to fines from government agencies.485

Survey responses also demonstrate that many residents in West Virginia would like to see some specific remedy for data privacy harm. For instance, the strongest percentage of remedies that respondents chose were: (1) fines from government agencies and (2) free credit monitoring. A large minority (33%) also indicated that they would like to see credit score freezes as part of a system of remedies. This seems to indicate that many respondents were primarily concerned with identity theft issues or issues that would negatively affect their credit score.486

Survey results also seem to indicate that, among initial participants, those who were in the under

30 age group were among the least trustful of the various entities surveyed. For instance, only 45% of people under the age of 30 trusted email providers either a little or a lot – making it the lowest percentage by age group.487 Similarly, the under 30 age group also displayed the lowest level of trust for cell phone carriers (48% versus the next highest category – those 65 and over, who registered their trust level at 51%). Similarly, those in the under 30 age group registered the least amount of trust for online retailers – coming in at 49% (which was the same level of trust of those aged 65 and over).488

65

This low level of trust by this age group may also affect the businesses’ future earning potential. For instance, according to a 2019 report 81% of consumers have indicated that they would not use a brand that they did not trust.489

These results stand at odds with the type of responses we saw during our focus group meetings.

For instance, in the Morgantown focus group (which was made up entirely of university students at either undergraduate or graduate level), the participants were unanimous in their general positive feelings for technology and those companies that use technology. (see section VI. c for further information). One possible explanation is that the “under 30 group” may be too broad because 18-24-year-olds (who represented the group at the focus group) fall into a generation that has experienced a different interaction with technology than those between the ages of 24 and 30.

The survey results seem to be on par with other surveys conducted in this area.490 For instance,

a 2019 survey conducted by the Pew Research Center found a majority of respondents feel that “data collection poses more risks than benefits.”491

C. Summaries of Focus Group Sessions

From August 2019 – February 2020, we conducted a series of focus groups to gather further

information from West Virginia residents regarding their views on data privacy. All of the focus groups met in person, in the following West Virginia counties: Berkeley, Kanawha, Harrison and Monongalia. In all we conducted five focus group interviews.

As mentioned earlier, the methodology of the focus groups (which occurred over a 90-minute

period) was designed to complement the quantitative research that was compiled from survey results by supplementing that with qualitative research.492 The interviews proceeded as follows. The questions began with generalized, open-ended questions designed to solicit the focus group participants’ views in the most unbiased way. Then we began asking about their views on specific scenarios in order to clarify and challenge their positions vis-à-vis the research that we had uncovered to date.

For instance, after requesting background information regarding the occupation and internet

usage of each participant, the first question asked participants “what concerns (if any) do you have regarding your interaction with technology?” For the more detailed questions, participants were given specific scenarios and asked their opinions regarding how they would react if confronted with the situation.

Participants in the Morgantown focus group represented both the residents who fit into the 18 – 24 age group and those who had not previously participated in the survey. In general, their responses reflected a low level of concern for how their data was being utilized. Instead, many of the participants discussed the value that they believed that they were obtaining from having companies access their data.493 Focus Groups Derived from Initial Survey Participants

1. General topics and discussions for focus group sessions based on survey participants

66

After confirming that each focus group participant had significant internet usage to participate in the focus group, we generally494 proceeded with the same set of questions which delved into the topic areas and relied on the same general set of questions in the following subject areas: (1) specific concerns regarding how their data is used; (2) a comparison between their views on privacy in email versus delivered mail; (3) their views regarding “public v. private” data; (4) corporate transparency; (5) targeted ads; and (6) collection and use of inaccurate information. Internet Usage:

• All participants indicated that they access the internet at least once a week using a variety of devices, with a majority stating that the primary device they use to access the internet are their phones. Almost all participants explained that they use their phones for multiple purposes (e.g., social media, work, etc.).

Concerns:

• Focus group participants expressed a number of concerns surrounding data privacy issues. Overall, the most widely held concern was corporate vulnerability to cybersecurity attacks. However, other concerns raised by participants included:

1. Corporations collecting and using their data without consumers’ consent. 2. Corporations using inaccurate data. 3. Corporations sharing consumers’ data with third parties with little information provided

to consumers regarding who has access to their information. 4. Consumers having little knowledge or control regarding how their information is being

used. Mail vs. Email:

• A majority of participants indicated that they were unaware that their email correspondences were not protected or secure. The participants all believed that information exchanged via email should be protected, in the same way as letters arriving in their mailboxes. Three participants agreed that even if they had nothing to hide, they would be bothered by someone looking through a letter sent through the US Postal Service.

Public vs Private Data:

• Participants believe that information protected via login should be protected, as use of a login, two factor authentication, or other security measures fosters the assumption of both security and privacy. Conversely, information not protected by a login may be sold because there is no assumption of privacy on the consumer end. One participant explained that unless she is looking up something, neither companies nor the government should review her communications. She explained that technology has made it so fewer people communicate in person, resulting in much of today’s conversations taking place through email, Facebook, and other services.

Transparency:

• Focus group participants had differing views regarding how transparent corporations need to be regarding the collection and use of their data. For instance, one participant believed a lack of transparency in the collection and sale of data was the price to be paid for the internet

67

existing. However, he believes this becomes a gray area when this data is used maliciously or to bombard those who are troubled. His conclusion was that all companies should be required to be transparent with how they use and sell information; if they cannot be transparent, they should not be allowed to sell user information.

Targeted Ads:

• There was a decided split regarding corporate use of consumer data to provide targeted ads to its clients. For instance, some participants were in favor of the practice because they felt it gave them access to advertisements that aligned with their interests. However, most participants were uncomfortable with services selling consumer data to third parties for any purposes, specifically advertising purposes, without their consent.

Insurance and Credit Score:

• Participants were uncomfortable with an insurance company using one’s credit score or location as a factor in determining their rates. One participant was just concerned with the idea of using one’s credit score for purposes in which it wasn’t intended (e.g. hiring). He believes that employers should be restricted in their use of public information without making the potential employee aware prior to its use. Regarding the use of location in the determination of insurance qualification, one participant stated that this should not be a factor unless the area has a high frequency of incidents resulting in vehicular damage.

Personal Information and Health Insurance:

• Participants disagreed with use of this information to determine whether or not one qualifies for health insurance. One participant equated this to digging through his trash. The same participant believes that health insurance companies, like life insurance companies, should be required to come to the individuals house to ask them questions directly to make their determination.

Data Privacy and Discriminatory & Predatory Practices:

• Participants were universal in their desire to have established prohibitions for predatory tactics against race, socioeconomic status, etc. They believe that this information is biased and irrelevant. One participant explained that as a realtor she was required to follow the FHA guidelines and expects there to be similar guidelines applied to data privacy. She believes the FHA guidelines could serve as a model for future legislation regarding weblining.

Use of Information:

• Many participants have become resigned to companies having their information. Participants indicated that they are fine with companies using data for consumer statistics and/or for improvements in their services. However, participants seemed uneasy with the use of their data for any other purposes not related to the use of that particular service. Some participants are bothered by companies using their information to recommend items to them based on their previous purchase history; one explained that this feels as though the company is trying to make decisions for her.

Inaccurate Profile Info:

• Participants seemed to be split between stating that they would simply delete their account in this situation, and stating that they would want their information corrected and to have

68

recourse to ensure the situation does not happen again. Several participants indicated that if they were unable to delete the account, they would then attempt to rid it of the inaccurate information. One participant stated that she would not be very concerned about correcting the information because she believes it is better that the company have incorrect information about her than correct information, unless the information is potentially harmful (e.g. involving criminal history). Another participant simply stated that she believes it would be her fault if she failed to read the terms and conditions of the service, even if the terms of service were silent and updated.

Credit Monitoring:

• Multiple participants indicated that they would like free credit monitoring as a remedy to loss or misuse of financial information. Participants also found notifications received by credit monitoring services of strange or fraudulent activity helpful.

Nothing to Hide:

• Several participants feel as though they have “nothing to hide” in regard to their online data and information. Other participants feel as though even if they have nothing to hide, they would not like their information available to others without their consent. One participant, age 29, explained that she is unconcerned about the information available about her on social media and expects that her internet browsing is being tracked. For instance, some participants are not bothered by Amazon’s IoT device, Alexa, recording their conversations as they have “nothing to hide” and are aware that the device listens to their conversations, while others find Amazon’s practices regarding Alexa to be an invasion of privacy.

Filing a Lawsuit:

• Most participants felt they should have access to remedies in the event of a violation of data privacy. For those participants who believed that filing a lawsuit was one way to provide a remedy, a number of different processes and outcomes were discussed. In addition, participants noted that the sensitivity of the information illegally accessed should be a factor for calculating damages and for initial notification.

One participant believes the law should ensure the following in order to ease the process of filing

a lawsuit for violations of data privacy:

a. Victims should gain complete, post-breach access to the data impacted. b. Legal costs should be covered by the responsible party. c. Part of the typical award should include free credit reports each year as well as daily

credit score notifications. d. Limitations on length of time and types of information companies may retain.

Factors considered by participants in determining whether or not they would file suit for data privacy violations include:

• How deeply they were impacted.

• Whether or not they knew the offender personally.

• Level of certainty that they incurred a loss (financial, etc.).

• Alternatives (i.e., settling out of court).

69

Remedies:

• Participants all seem to agree that they would like companies who abuse or lose consumer data to be fined per incident and that the fine should be significant enough to prevent reoccurrence or limit the data retained by the company. Multiple participants indicated they would have preferred their situations been handled through prevention, ensuring that it does not happen to another user again. One participant mentioned that they would like the ability to edit incorrect personal information about oneself online based on the sensitivity of the information. Multiple participants state that they would want free credit monitoring and notifications as an initial step taken by responsible companies. Some participants believe that if a company repeatedly disregards data privacy laws, criminal charges should be considered, or the CEO should begin to incur fines based on salary. One participant mentioned that in his personal experience, he found that it was easier for the individual to abuse his information than it was for him to have the issue resolved. He was required to provide a certified letter, DL, SS card, bank statements, and three months for his issue to be resolved. Another participant mentioned that companies should alert those who have failed to read its terms of service.

The Morgantown Focus Groups The Morgantown focus groups study has two specific, distinguishing factors from the previous focus groups. First, unlike the other focus participants, none of the participants in the Morgantown groups had participated in the initial survey.495 Additionally, the Morgantown focus group participants universally fell into the youngest age group of all the participants – with all participants being between the ages of 18-25. Internet Usage:

• Participants reported using the internet for approximately 4 to 8 hours each day. The device used to access the internet seemed to be determined by their dominant online activities. Participants who reported spending a majority of their time online studying or doing homework tended to use computers as the primary device to access the internet; these same participants reported using internet on their phones primarily for social media. Participants who reported spending a majority of their time on the internet shopping or using social media tended to use cell phones as their primary device to access the internet.

Concerns:

• Focus group participants indicated concerns about both cybersecurity and privacy. However, there was a distinct difference between the two groups: the focus group held on February 19th had participants whose concerns primarily centered around cybersecurity and much less on other issues related to privacy, while the prioritization of the concerns of the February 26th focus group were reversed.

• Participants of the February 19th focus group indicated hacks and breaches as their primary concern; these same participants were less concerned about the information collected about them so long as the information was protected. Participants of the February 26th focus group indicated that they were most concerned about the types of information being collected and

70

how this information would be used. Participants of this focus group indicated that their degree of concern was relative to the sensitivity of the information collected.

Mail vs. Email:

• Participants of both focus groups indicated feelings of discomfort at the idea of their physical mail being read. Both groups indicated that this troubled them more than their emails being read because their privacy would be invaded by another person rather than a machine. Participants also indicated that one should not be required to pay additional costs to ensure the privacy of physical mail.

Public vs Private Data:

• Although not explicitly stated within the focus group transcripts, it seems as though participants perceive physical mail to be a more private/personal form of correspondence than emails. Participants felt most uncomfortable with the idea that someone at the post office would be reading their correspondences.

Transparency:

• Many participants indicated that failing to read the terms and conditions places fault on the consumer even if the consumer was unaware of what he/she had agreed to. Participants stated that to combat this, companies should make consumers aware of relinquishing their rights to privacy by placing this in bold at the top of the terms and conditions.

Data Privacy and Discriminatory & Predatory Practices:

• Regarding the use of algorithms and machine learning, participants believed that this technology is not yet up to the standards required to make decisions related to identification of individuals. Rather than being used to make decisions, participants argued that algorithms and machine learning should be used to assist humans in making decisions.

Inaccurate Profile Info:

• Focus group participants indicated that they would be most concerned if the inaccurate profile information affected their dating life, job prospects or altered some other aspect of their life substantially; under these circumstances, participants would be more willing to lodge a formal complaint. Participants believe the development of an organization similar to the Better Business Bureau would be beneficial for filing complaints concerning inaccurate data.

Credit Monitoring:

• Credit monitoring was listed as a potential remedy by participants. Use of Information:

• Participants of the February 19th focus group indicated that they were less concerned about the collection of their information (e.g., by Google Home). Participants stated that this information was being collected by other companies and services, so collection did not bother them- especially if the collection benefitted them through improvement of the algorithm used by the company or service.

71

Nothing to Hide:

• Participants did not indicate that they had “,nothing to hide.” Rather, they indicated that numerous other services and companies have already collected data about them which makes them less concerned that this collection of their personal information is taking place. It seems like participants have just surrendered to having their personal information collected.

Filing a Lawsuit:

• Participants indicated that their decision to file a lawsuit would be dependent on the severity of the harm that was caused. Participants indicated that in order to file a lawsuit the harm would have to be substantial and/or life changing. Participants would be more likely to file a lawsuit if (a) they did not have to pay for legal expenses and (b) the process would be handled through a state agency and (c) they would receive compensatory damages.

Remedies:

• Participants indicated that companies should explain to the victim how they plan to or have already improved security measures to ensure the harm does not occur again. Participants also discussed a tiered system for fines based on the sensitivity of compromised information, with higher rates for repeat offenders and companies with greater gross revenue. In contrast to the tiered system, some participants argued that a substantial flat rate fine may be a better deterrent for companies. Finally, participants also indicated that the victim should receive damages in the amount that was lost.

Focus Group Recommendations: At the end of each focus group session, participants were asked to provide their insight regarding what an “ideal data privacy law would look like.” Below are their recommendations.

1. Restrictions on Data Retention: Participants would like the law to place restrictions on who is able to retain sensitive data and for how long they may retain the information. The law should also include specifications for how companies can and can’t get rid of consumer data.

2. Unlimited Access to Credit Report. Participants are in favor of free credit monitoring and believe that everyone should have total access to their credit report at all times.

3. Stiff Penalties and/or Fines. Participants all believe that there should be stiff penalties

and/or fines per incident of data misuse or loss. Participants agree that fines should be large enough to prevent repeat offenses (e.g. 10,000 per incident/per person). The specific amount of the fine may be based on the company’s revenue or CEO’s salary. Some participants believe that repeat offenders should be punished through fining corporate executives a percentage of their income while others believe repeat offenses should receive criminal penalties.

4. Option to Opt-in/out. Participants would like the option to opt-in or out of the collection

and use of their personal data. Services that do not offer consumers this option should be prohibited from selling consumer data.

72

5. Public vs. Private Data. Participants indicated that they wanted the law to acknowledge the difference between public and private data and require companies to handle information accordingly. Specifically, services that require a log-in, two-factor authentication, or other security measures should require heightened data privacy on the premise that there is an assumption of security and confidentiality on the consumer’s end.

6. Personal Ownership and Ability to Correct. Participants want personal ownership of their

data. One participant suggested that there should be a website that houses the entirety of one’s online information and allows for the correction of incorrect information by the affected individual.

7. Protection of Emails. Participants would like information exchanged via e-mail to be

protected, just as letters in your mailbox.

8. Prohibition of Prejudicial Ad Targeting. Participants would like the law to prohibit racial or socioeconomic based targeting. One participant suggested that to prevent this there should be some form of anonymity on purchase behavior.

Many of these suggestions have been adopted by other legal frameworks. VII. Recommendations & Proposed Best Practices

“We all need reminding sometimes that if we are not paying for the product, we are the product.”496

In the two years since this report was first proposed, technology and its attendant data privacy interests has continued to move forward at a light-speed pace. The amount of data that can be stored and processed continues to expand rapidly, the way that data can be collected and used has continued to evolve beyond what early proponents have conceived of, and yet, the law has been slow to catch up to all of these developments.

When something evolves at such a rapid pace, providing recommendations and thoughts on best

practices is an exercise fraught with peril – for fear that something proposed on a Tuesday will be rendered obsolete by Friday. And yet, a significant part of this work was initiated to do exactly that: provide a road map for best practices for legislators, policy makers and businesses – based on feedback collected by affected communities. So, with much trepidation, we proceed.

Specifically, we arrange our discussion in this area in two parts. First, we provide an overview of

the current methodologies that are being used (or contemplated) as a regulatory framework. Second, we provide our takeaways regarding what best practices we believe should govern any regulatory framework. We should state that, in light of these rapid changes to our industry and to our world, these best practices recommendations should be viewed as general principles that should underlie the relevant parties as they develop laws, regulations or policies to address these concerns. Providing for more general principles instead of specific standards or recommendations would allow those who draft such laws to consider this framework even as the underlying technology continues to change. Also, to the extent that these principles align with information and recommendations that have been proposed by others, we try and include all known proposers here.

73

A. The Pros and Cons of Various Regulatory Frameworks

There are many regulatory structures that are already being considered (or have been adopted) throughout the world. here, we highlight some key regulatory initiatives and discuss their benefits and drawbacks. Notice and Consent

What it is: Requires consent at the point of data collection. Data subject has the right to opt-in and opt-out. The process of opting-out should be just as easy as opting-in.497 Benefits: It is the responsibility of the controller to demonstrate that the data subject consented to having his or her data processed.498 Individuals have the right to withdraw their consent at any time without “affect[ing] the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.”499 Drawbacks: Most people don’t read privacy policies and if they do, they usually don’t understand what they are reading. If they do understand what they are reading, they may not have enough background knowledge to make an informed decision on the matter. Providing consent at the point of collection does not give specifics about what happens to that data once it is collected. What happens when it is sold to third parties? “[T]he original notice and consent does nothing to limit the downstream uses of that data.”500

Control What it is: The California Consumer Privacy Act of 2018 (CCPA) is one example of a Control framework. It gives the consumer the right to know what personal information is collected about them and how it is used; the right to delete the personal information companies collected from them; the right to opt-out from the sale of their personal information to third parties; and the right to non-discrimination for exercising their rights under the CCPA.501 This specific legal system gives the consumer control over various stages of the data collection and use process. Benefits: You have the right to know what information companies have collected about you and you have the right to have that personal information deleted by that company and its third parties.502 Also, because you have the right to non-discrimination, companies cannot deny you services or their product, charge you a different fee, or treat you any differently because you exercised your rights under the CCPA.503 Drawbacks: Although you may request to have a business delete your personal information which they collected from you, as well as have their third parties do the same, many exceptions allow businesses to keep the information.504 In addition, a business may not be able to complete your transaction if you ask it to delete or stop selling your personal information and that information is necessary for the business to complete the transaction.

Accountability (Private Right of Action: Attorney General / Agency Function) What it is: A private right of action gives an individual whose privacy rights are violated the right to sue the violating company directly. Federal law does not currently afford a private

74

right of action but several states allow for individuals private right of action.505 Currently the FTC is the government authority tasked with enforcing privacy. If Congress were to create a new data protection agency, it could address the shortfalls of FTC’s current authority. Benefits: By setting up a new agency Congress would be “provd[ing] opportunities to create a structure that is better suited to enforcing privacy, including by maintaining some degree of stability or independence across presidential administrations.”506 “Without a private right of action, individuals have to rely on federal or state enforcers, like the FTC, to protect their privacy. While there is some opposition to a private right of action from companies and policymakers, it would offer several benefits.”507 A new agency could possibly restructure interactions with international privacy and data protection counterparts, “as such an agency may be better suited to interact with other international data protection authorities.”508 Drawbacks: One of the largest concerns with creating a new agency is the amount of time it would take to setup and take to work efficiently.509

Data Privacy Wrappers What it is: Creates a consent framework around the data use. The framework would create data “wrappers” describing the type of material contained within the framework without revealing the details about the content. Benefits: Data wrappers are created at the instant the data is created. There are rules about how and when the data can be accessed and used, “essentially acting as a virtual ‘lock’ against unauthorized use.”510 Drawbacks: The system would require significant details about the processes and types of uses that users are willing to agree to. Mundie suggests creating a new “agency that would be responsible for establishing and enforcing such standards on a large scale.”511

Regulating Data Use

What it is: Changing the focus from data collection to data use. Because there is currently so much information being collected about individuals, it is impossible to keep track of everything that is being collected and everything that individuals have consented to. Therefore, the focus must shift to a point of use rather than a point of collection. Benefits: Give more control to what happens to data once it is collected. Allows individuals to know how their data is used when it is sold to third parties. The use of an individual’s data is very important to the individual, regulating data use is a very big benefit. Drawbacks: Because there is so much data being collected on individuals, it is impossible for each individual to keep track of each data point individually. Therefore, people can only engage in “’privacy self-management selectively.’”512

Clarifying the Due Process Standard

75

What it is: Clarifying and establishing the due process requirements for digital transaction surveillance. The government agencies can currently use many different types of digital surveillance and intelligence methods in today’s environment. Benefits: The new system would streamline the authorization levels into three: (1) warrant, (2) Terry Order, or (3) subpoena. Drawbacks: This system would rely extensively on the court system to examine and interpret the standard, potentially causing extensive delays for consumers and uncertainties for business.

Consumer Data Identification

What it is: “Legislation could require the creation of a centralized mechanism, such as an Internet portal, where data brokers can identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”513 Benefits: It is also recommended that Congress consider legislation that would require data brokers to: “(1) allow consumers to access their own information; (2) allow consumers to suppress the use of this information; (3) disclose to consumers the data brokers’ sources of information, so that, if possible, consumers can correct their information at the source; and (4) disclose any limitations of the opt-out option, such as the fact that close matches of an individual’s name may continue to appear in search results.”514 Drawbacks: Not all individuals would be interested in accessing their own information. The older population would most likely have a difficult time with accessing the portal in order to correct their data/information.

B. General Principles for Developing a Regulatory Framework

In constructing our recommendations, we have taken a deliberate tact. Rather than providing specifics for policy recommendations that could easily be rendered irrelevant with the next change in technology, we have framed our recommendations as “General Principles,” foundational guidelines that we hope will withstand the transformative nature of technology. To that end, should these Principles seem too simplistic, we would encourage you to review them within the context of, and be informed by, all the work that has gone into the research, development and drafting for this project. In addition, we should note that others (most critically, the participants of our focus groups) have provided specific recommendations for a data privacy law. We do not re-hash those specifics here.

***** General Principle #1 - Begin with the End in Mind Given that issues with technology seem to impact consumers of data privacy to a disproportionate degree than it does big businesses, the first recommendation would start by considering how any data privacy policy or law would affect the consumer, the end-user first. Will it place an onerous burden on the individual? Is it something easy to use and accessible for those affected? So, to that extent, initiatives that require consumers to scroll through unclear notices without a clear means of opting out regarding what businesses do with their data, seems unworkable.

76

Beginning with the end in mind also seems to favor laws and policies that focus on data use rather than data collection, since data use is the natural ending point of data collection. General Principle #2 – Data as a Property Right Most of the focus group participants discussed in general terms issues surrounding data with a very specific ownership interest. For these focus group members, the data was theirs and for many focus group members the general theme was that this information was being taken and used without their consent. While some of the younger focus group participants didn’t mind sharing their data, particularly if they felt that they were receiving something in return (such as access to personalized recommendations), the key to a successful implementation of this rule is to make sure that the consumer is truly sharing or relinquishing their data of their own free will, instead of being tricked or deceived into doing it. In addition, framing these issues as property rights can help highlight why authorities as diverse as the European Union and the WV Supreme Court provide heightened protection for different types of data – information regarding our medical health is viewed as a particularly precious resource. As such, we should ascribe a particularly high value to its collection and use. General Principle #3 – Create a Centralized Agency Having a central agency that is tasked with overseeing data privacy has several key advantages. First, it establishes a central location where consumers, policy makers and industry can turn to regarding what the definitive standard is for data privacy issues. Second, allowing a government agency to focus on this issue will provide a depth of expertise at the governmental level that legislators can tap into as new issues arise. Finally, having a regulatory intermediary would allow the government to move quicker (through its rulemaking process) than they would otherwise be able to with traditional legislation. This, in turn, would allow the government to react quickly (or move proactively) to the current technological issues that implicate a consumer’s data privacy. General Principle #4 – Don’t Forget the Impact of Machines As we hope we have shown, the impact of machines and machine-learning algorithms permeates every aspect of data privacy. As such, a comprehensive legal framework will need to address this head on. This can be done in one of two ways: either more stringent measurements can be put in place on the front end to prevent machines from accessing data that can lead to discriminatory decisions, or remedies can be provided on the back end that would allow individuals to see the information that has been used in various decisions and allow them to challenge these results. Regardless, the impact of these formulas needs to be part of the conversation. General Principle #5 - Consider all the Players As this white paper has shown, the network of constituents that are involved in data privacy issues is vast. While many of them (such as Big Tech companies) have garnered significant focus and attention, many more (such as data brokers) have largely escaped regulatory scrutiny. As such, developing a legal framework that allows all constituents to be considered is crucial. As a corollary to that, legislatures and policy makers should take care to make sure that the specific structure of the law accurately addresses the specific potential impact of each of the players. The same law, for instance, could provide only minimal access to a consumer’s data to some while allowing more permissive uses to others. General Principle #6 – Take Only What You Need

77

In addition to examining the who of data privacy, researchers have recommended that policy makers also examine the what. Specifically, some who write in this area have discussed being guided by the principle of data minimization.515 Under this framework., companies would only gather information that is central to their key business.516 This is in contrast to the more expansive collection methods that have been operating by corporations in the era of big data. Having a more focused structure of data collection would provide some relief to consumers who are concerned with the level of detail that corporations have currently amassed about them. General Principle #7 – Limit the Use of What you Take One of the big lessons that has been learned in the era of big data is that our uses of information can evolve at a rate that is directly proportional to our innovation and creativity. Thus, the data we collect today could be used in unimaginable ways in just a few years’ time. As such, it seems unfair to permit corporations to continue to use consumers’ information in ways that were originally inconceivable at the time that permission was granted. Making sure the law reflects this understanding would seem to be the most equitable solution, particularly in light of the fact that one of the central arguments of business – that the data captured is central to their business model – would not apply to situations like this. General Principle #8 – Make Privacy Easy to Understand Again and again, research has confirmed that corporate disclosures are rarely read and almost never understood by consumers. The language is often dense, long-winded and varies significantly from one corporation to another. But what if we required corporations to disclose privacy issues the same way that we require food companies to provide nutritional information? This is the approach that some companies, like Apple, are voluntarily taking. Having a uniform system that could be translated across companies and industries would be an easy way for consumers to make more informed decisions.517 General Principle #9 – Let Consumers Have Control A key part of the work of this white paper was to hear directly from consumers about what they want. Similarly, a key facet of any legislative progress should be one where consumers have a voice in the law being shaped, but also have some control of their data at the end. It could be in the form of a Do Not Trace List (similar to Do Not Call Lists), as has been proposed by researcher Michelle Kraft.518 Or it could be in more nuanced ways that have not yet been considered. But, keeping the focus on consumers will allow the choice to be retained by the consumers regarding how their data is used. General Principle #10 – No Need to Reinvent the Wheel519 If nothing else, we hope that this white paper highlights just how much work has already been done on the issue of data privacy. As such, legislators seeking to develop a data privacy framework can rely on the successes and failures of their predecessors, adjusting to adapt to the particular needs of the state.520 VIII. Conclusion As we hope this white paper has demonstrated, data privacy issues are intricate, interconnected and important to understand. Given the predominance of technology to all aspects of our lives, tackling the regulatory framework might be the single greatest undertaking of this era. Moreover, the rapidity with which technology is changing makes the issue even more pressing – consider the fact that most individuals between the ages of 40 and 50 have seen the development, dominance and now

78

disuse of a number of technologies: video-cassette tapes, facsimile machines, and computer floppy disks. There is no reason to assume that this trend will not continue – in fact it will likely accelerate. As such, developing foundational principles now – before our technology eclipses our moral regulation of it – will be a crucial legacy for us to leave to future generations.

79

APPENDIX A: GLOSSARY OF TERMS

Many of the terms that are used throughout this paper have developed specific meaning to the data privacy world. Here, RA Cheryl Brown offers a compilation of key definitions.

AI Algorithms – algorithms designed to make decisions by using and combining various types of data from different sources, analyzing it at very fast speeds, and learning from (in the case f machine learning algorithms) or acting on any “insights” they “derive” from it.521 AI algorithms and systems “learn and adapt as they compile information and make decisions.”522 According to Prof. Sam Perl, at Carnegie Mellon University, this is the process that AI uses:

machines use the historical data to train the algorithm which results in a Trained Model (this can take hours, days or even weeks. … Now you have a trained Model. You can provide your Model a new data point (or set of data) and ask your Model to make choices based upon what it has learned. This is called “inference” and it can often happen very quickly (and can seem instantaneous). How fast is dependent upon a lot of factors such as the speed of the computer it is running on and what kind of network it is running on.523

API (Application Programming Interface) – programming interfaces used by applications to interact and exchange data with each other.524 Newly written programs can contract to incorporate and use existing APIs needed to interact and exchange data with other programs.525 Contact tracing apps developed by public health agencies use APIs developed by Apple and Google.526 A user must “opt-in” to a notification system, after which a random ID for the device is generated by “the Exposure Notifications System” and Bluetooth is enabled for the exchange of data between phones.527 The random IDs change every 10-20 minutes to prevent identification or location of the user.528 Enabled phones in the same vicinity “work in the background to exchange” these random IDs via Bluetooth, even if the contact tracing or Bluetooth apps are not open.529 Clickwrap – serves as an electronic signature by clicking a box or button to agree to terms of service, end user license agreement, terms and conditions, a privacy policy, or other electronic agreement.530 Components to make a clickwrap agreement enforceable: (1) a user must affirmatively accept by clicking agree or accept. (2) terms of service must be prominently displayed and reasonable. (3) terms should be easily understood by an average person. (4) the agreement cannot “exploit unequal bargaining power” under the terms.531 It can require a user’s acceptance to access or use the service, but cannot be “we take all” but “leave you with nothing;”532 and (5) “specific consents must be distinguishable from the rest of the document,” and “not bury controversial terms of an agreement.”533 CRM Programs – Customer Relationship Management software, a central location for customer interactions and data which is used to improve customer service by allowing access to this data about customer behavior.534

80

Cybersecurity – “The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”535 Data analysis – the “process of cleaning, transforming, and modeling data” to discover and extract useful information on which to base business or other decisions.536 Data Lake – a centralized storage location for raw, unprocessed data, usually cloud-based, providing one place to save and access it.537 Data Mining – the process that uses large data sets to analyze patterns and predict outcomes using various software.538 Turning raw data into useful information allows businesses and organizations to learn about customers and structure marketing, advertising, and other aspects of their businesses.539 Data set – a file containing one or more records to be used by programs or for storage of information needed by applications or operating systems.540 Data sets can be cataloged, referenced by name, and organized according to how the sets will be accessed.541 Data Warehouse – storage location for data after processing, the data is processed and then uploaded into a data warehouse.542 Data wrapper – metadata or other data which is used to mask a set of different data to protect personally identifiable or other sensitive information.543 The Internet of Things (IoT) – the system of all devices and objects connected to the internet with the ability to collect and transfer data over a wireless network automatically without human input.544 Machine readable form – the necessary translation for computer programs to read and process data.545 Metadata – Supplemental data attached or related to other data, which describe the other data without revealing its content.546 Privacy Protection Profiles – proposed as a way to regulate usage of personal data, these would be developed and overseen by third-party intermediaries between consumers and data analyzers, processors, and other users.547

81

APPENDIX B: FURTHER RESOURCES EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: Seizing Opportunities, Preserving Values (2014), https://bigdatawg.nist.gov/pdf/big_data_privacy_report_may_1_2014.pdf. EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights (2016), https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/2016_0504_data_discrimination.pdf. FEDERAL TRADE COMMISSION, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues (2016), https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf. President’s Council of Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective. EXECUTIVE OFFICE OF THE PRESIDENT at §§ 4.2, 4.4, 4.5.4 (May 2014), https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-may_2014.pdf Julie Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism, Oxford University Press (2019). Ronald Deibert et al (eds), Access Controlled: The Shaping of Power, Rights and Rule in Cyberspace, The MIT Press (2010). Margaret O’Mara, The Code: Silicon Valley and the Remaking of America, Penguin Press (2019). Lisa T. Alexander, Cyberfinancing for Economic Justice, 4 Wm. & Mary Bus. L. Rev. 309 (2013). Erdem Buyuksagis, Towards a Transatlantic Concept of Data Privacy, 30 Fordham Intell. Prop. Media & Ent. L.J. 139 (2019), https://heinonline.org/HOL/P?h=hein.journals/frdipm30&i=145&a=d3Z1LmVkdQ. Mary Donnelly and Maeve McDonagh, Health Research, Consent and the GDPR Exemption, European Journal of Health Law (Apr. 24, 2019), https://brill.com/view/journals/ejhl/26/2/article-p97_2.xml. Lauren Henry, Information Privacy and Data Security, 2015 Cardozo L. Rev. De-Novo 107 (2015), https://heinonline.org/HOL/P?h=hein.journals/denovo2015&i=77&a=d3Z1LmVkdQ. Gary Hernandez, Katherine J. Eddy, Joel Muchmore, Insurance Weblining and Unfair Discrimination in Cyberspace, 54 SMU L. Rev. 1953 (2001). Thomas M. Lenard & Paul H. Rubin, Big Data, Privacy and the Familiar Solutions, 11 J.L. Econ. & Pol'y 1 (2015), https://heinonline.org/HOL/P?h=hein.journals/jecoplcy11&i=5&a=d3Z1LmVkdQ.

https://bigdatawg.nist.gov/pdf/big_data_privacy_report_may_1_2014.pdf

https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/2016_0504_data_discrimination.pdf


https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf


https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-may_2014.pdf


https://heinonline.org/HOL/P?h=hein.journals/frdipm30&i=145&a=d3Z1LmVkdQ

https://brill.com/view/journals/ejhl/26/2/article-p97_2.xml


https://heinonline.org/HOL/P?h=hein.journals/denovo2015&i=77&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/jecoplcy11&i=5&a=d3Z1LmVkdQ

82

Brittany A. Martin, The Unregulated Underground Market for Your Data: Providing Adequate Protections for Consumer Privacy in the Modern Era, 105 Iowa L. Rev. 865 (2020), https://heinonline.org/HOL/P?h=hein.journals/ilr105&i=882.

Alex Mihaildis & Liane Colonna, A Methodological Approach to Privacy by Design within the Context of Lifelogging Technologies, 46 Rutgers Computer & Tech. L.J. 1 (2020), https://heinonline.org/HOL/P?h=hein.journals/rutcomt46&i=11&a=d3Z1LmVkdQ. Marcy Peek, Passing Beyond Identity on the Internet: Espionage & Counterespionage in the Internet Age, 28 Vt. L. Rev. 91 (2003).

Emmanuel Pernot-Leplay, EU Influence on Data Privacy Laws: Is the US Approach Converging with the EU Model?, 18 Colo. Tech. L.J. 25 (2020), https://heinonline.org/HOL/P?h=hein.journals/jtelhtel18&i=39&a=d3Z1LmVkdQ. Aliya Ramji , Deniz Tamer , Carina Barrera Cota , Renato Leite Monteiro , Caio Cesar C. Lima, Joseph Prestia & Kristina Subbotina, Managing Big Data Privacy and Security, 46 Int'l L. News 1 (2017), https://heinonline.org/HOL/P?h=hein.journals/inrnlwnw46&i=1&a=d3Z1LmVkdQ. Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 Fla. L. Rev. 365 (2019), https://heinonline.org/HOL/P?h=hein.journals/uflr71&i=381&a=d3Z1LmVkdQ. Michael Simpson, All Your Data are Belong to Us*: Consumer Data Breach Rights and Remedies in an Electronic Exchange Economy, 87 Col. L. Rev. 669 (2016), http://lawreview.colorado.edu/wp-content/uploads/2016/03/13.-87.2-Simpson_Final.pdf.

Richard Q. Sterns, Complementary Approaches or Conflicting Strategies: Examining CISA and New York's DFS Cybersecurity Regulations as a Harmonizing Framework for a Bilateral Approach to Cybersecurity, 26 Rich. J.L. & Tech. 1 (2020), https://heinonline.org/HOL/P?h=hein.journals/jolt26&i=215&a=d3Z1LmVkdQ. Omer Tene, Jules Polonetsky, Taming the Golem: Challenges of Ethical Algorithmic Decision Making, 19 N.C.J.L. & Tech. 135 (2017).

Fadja Tassey, Current Topics in Internet Law Data Breach Liability, Seton Hall Univ. Law School Student Scholarship 940 (2018), https://scholarship.shu.edu/student_scholarship/940.

Bryan Anderson, Could you get a digital dividend? Gavin Newsom wants Californians to profit from tech data, The Sacramento Bee (Feb. 13, 2019, 7:52 PM PST), https://www.sacbee.com/news/politics-government/capitol-alert/article226162205.html. Natasha Bernal, Twitter Under Fire for Selling Data to Advertisers, The Telegraph (Oct. 9, 2019, 5:30 PM), https://www.telegraph.co.uk/technology/2019/10/09/twitter-fire-profiting-millions-uk-users-data-sold-advertisers/.

https://heinonline.org/HOL/P?h=hein.journals/ilr105&i=882

https://heinonline.org/HOL/P?h=hein.journals/rutcomt46&i=11&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/jtelhtel18&i=39&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/inrnlwnw46&i=1&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/uflr71&i=381&a=d3Z1LmVkdQ

http://lawreview.colorado.edu/wp-content/uploads/2016/03/13.-87.2-Simpson_Final.pdf

http://lawreview.colorado.edu/wp-content/uploads/2016/03/13.-87.2-Simpson_Final.pdf

https://heinonline.org/HOL/P?h=hein.journals/jolt26&i=215&a=d3Z1LmVkdQ

https://scholarship.shu.edu/student_scholarship/940

https://www.sacbee.com/news/politics-government/capitol-alert/article226162205.html


https://www.telegraph.co.uk/technology/2019/10/09/twitter-fire-profiting-millions-uk-users-data-sold-advertisers/


83

Chris Campbell, Top Five Differences Between Data Lakes and Data Warehouses, Blue Granite (January 26, 2015), https://www.bluegranite.com/blog/bid/402596/top-five-differences-between-data-lakes-and-data-warehouses. Geoffrey Fowler, It’s the middle of the night. Do you know who your iPhone is talking to? The Washington Post (May 28, 2019, 8:00 AM EDT), https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/?wpisrc=nl_most&wpmm=1. Geoffrey Fowler, The spy in your wallet: Credit cards have a privacy problem, The Washington Post (Aug. 26, 2019, 12:00 AM EDT), https://www.washingtonpost.com/technology/2019/08/26/spy-your-wallet-credit-cards-have-privacy-problem/?wpisrc=nl_most&wpmm=1. Geoffrey A. Fowler, Nobody reads privacy policies. This senator wants lawmakers to stop pretending we do, The Washington Post (Jun 18, 2020), https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown/. Michele Gilman, Data insecurity leads to economic injustice – and hits the pocketbooks of the poor most, The Conversation (Apr. 30, 2019, 6:43 AM EDT). https://theconversation.com/data-insecurity-leads-to-economic-injustice-and-hits-the-pocketbooks-of-the-poor-most-116231. James Glanz, Benedict Carey, Josh Holder, Derek Watkins, Jennifer Valentino-DeVries, Rick Rojas and Lauren Leatherby, Where America Didn’t Stay Home Even as the Virus Spread, The New York Times (April 2, 2020), https://www.nytimes.com/interactive/2020/04/02/us/coronavirus-social-distancing.html. Jefferson Graham and Laura Schulte, Wisconsin Workers Embedded with Microchips, USA Today (Aug. 1, 2017, 8:49 AM ET), https://www.usatoday.com/story/tech/talkingtech/2017/08/01/wisconsin-employees-got-embedded-chips/529198001/. Neema Singh Guliani, The tech industry is suddenly pushing for federal privacy legislation. Watch out., The Washington Post (Oct. 3, 2018, 8:23 AM EDT). https://www.washingtonpost.com/opinions/the-tech-industry-is-suddenly-pushing-for-federal-privacy-legislation-watch-out/2018/10/03/19bc473e-c685-11e8-9158-09630a6d8725_story.html. Chloe Hadavas, What Google’s Latest Data Privacy Announcement Actually Means, Slate (Jan. 16, 2020, 3:55 PM), https://slate.com/technology/2020/01/google-chrome-cookies-phase-out.html. Jones Day, States Propose Bills with CCPA-Like Provisions, JD Supra (Mar. 5, 2019), https://www.jdsupra.com/legalnews/states-propose-bills-with-ccpa-like-34541/. Kaspersky, How Data Breaches Happen, USA Kaspersky (2020), https://usa.kaspersky.com/resource-center/definitions/data-breach. Paul Kiel and Hannah Fresques, Where in The U.S. Are You Most Likely to Be Audited by the IRS?, ProPublica (April 2019), https://projects.propublica.org/graphics/eitc-audit.

https://www.bluegranite.com/blog/bid/402596/top-five-differences-between-data-lakes-and-data-warehouses


https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/?wpisrc=nl_most&wpmm=1


https://www.washingtonpost.com/technology/2019/08/26/spy-your-wallet-credit-cards-have-privacy-problem/?wpisrc=nl_most&wpmm=1


https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown/


https://theconversation.com/data-insecurity-leads-to-economic-injustice-and-hits-the-pocketbooks-of-the-poor-most-116231


https://www.nytimes.com/interactive/2020/04/02/us/coronavirus-social-distancing.html


https://www.usatoday.com/story/tech/talkingtech/2017/08/01/wisconsin-employees-got-embedded-chips/529198001/


https://www.washingtonpost.com/opinions/the-tech-industry-is-suddenly-pushing-for-federal-privacy-legislation-watch-out/2018/10/03/19bc473e-c685-11e8-9158-09630a6d8725_story.html



https://slate.com/technology/2020/01/google-chrome-cookies-phase-out.html

https://www.jdsupra.com/legalnews/states-propose-bills-with-ccpa-like-34541/

https://usa.kaspersky.com/resource-center/definitions/data-breach


https://projects.propublica.org/graphics/eitc-audit

84

Rodney Lamp, New technology from WVU Rockefeller Neuroscience Institute aims to predict coronavirus symptoms, WBOY (July 15, 2020, 5:21 PM EDT), https://www.wboy.com/news/health/coronavirus/new-technology-from-wvu-rockefeller-neuroscience-institute-aims-to-predict-coronavirus-symptoms/. Law360, Walmart Sued After Ill. High Court Ruling On Biometric Privacy, Law360 (January 28, 2019, 10:31 PM EST), https://www.law360.com/articles/1122920/walmart-sued-after-ill-high-court-ruling-on-biometric-privacy. Ron Lieber, How to Protect Yourself After the Equifax Breach, The New York Times (Oct. 26, 2017), https://www.nytimes.com/interactive/2017/your-money/equifax-data-breach-credit.html. Bernard Marr, Smartphone Tracking Data And Artificial Intelligence Turn People’s Movements Into Detailed Insights And Profits, Forbes (Oct. 7, 2020, 12:20 AM EDT), https://www.forbes.com/sites/bernardmarr/2020/10/07/smartphone-tracking-data-and-artificial-intelligence-turn-peoples-movements-into-detailed-insights-and-profits/?sh=7af9fbde6bef. Louise Matsakis, The WIRED Guide to Your Personal Data (and Who Is Using It), Wired (Feb. 15, 2018, 7:00 AM), https://www.wired.com/story/wired-guide-personal-data-collection/. Dave Michels, This Post Will Self Destruct in 5 Seconds: Privacy concerns don't just happen in the consumer world and can be a major threat to enterprises. No Jitter (Aug. 26, 2020), https://www.nojitter.com/monitoring-management-and-security/post-will-self-destruct-5-seconds. Cindy Ng, A Guide on the Data Lifecycle: Identifying Where Your Data is Vulnerable, Varonis (March 29, 2020), https://www.varonis.com/blog/a-guide-on-the-data-lifecycle-identifying-where-your-data-is-vulnerable/. Kate Patrick, GAO Report: The Net Neutrality Debate Complicates Data Privacy, Government Technology (Feb. 21, 2019), https://www.govtech.com/policy/GAO-Report-The-Net-Neutrality-Debate-Complicates-Data-Privacy.html. Ziad Obermeyer, Brian Powers, Christine Vogeli, Sendhil Mullainathan, Algorithmic Bias In Health Care: A Path Forward, Health Affairs (Nov. 1, 2019), https://www.healthaffairs.org/do/10.1377/hblog20191031.373615/full/. Aarti Shahani, Microsoft President: Democracy is at Stake. Regulate Big Tech, NPR (Sept. 13, 2019, 12:18 PM ET), https://www.npr.org/2019/09/13/760478177/microsoft-president-democracy-is-at-stake-regulate-big-tech. David Shepardson and Diane Bartz, Trump administration plans two meetings on Big Tech on Wednesday, REUTERS (Sept. 21, 2020, 11:33 PM), https://www.reuters.com/article/us-usa-social-media-trump-idUSKCN26D0A0. Adam Tanner, How Data Brokers Make Money off of Your Medical Records, Scientific American (Feb. 1, 2016), https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/.

https://www.wboy.com/news/health/coronavirus/new-technology-from-wvu-rockefeller-neuroscience-institute-aims-to-predict-coronavirus-symptoms/


https://www.law360.com/articles/1122920/walmart-sued-after-ill-high-court-ruling-on-biometric-privacy


https://www.nytimes.com/interactive/2017/your-money/equifax-data-breach-credit.html

https://www.forbes.com/sites/bernardmarr/2020/10/07/smartphone-tracking-data-and-artificial-intelligence-turn-peoples-movements-into-detailed-insights-and-profits/?sh=7af9fbde6bef


https://www.wired.com/story/wired-guide-personal-data-collection/

https://www.nojitter.com/monitoring-management-and-security/post-will-self-destruct-5-seconds


https://www.varonis.com/blog/a-guide-on-the-data-lifecycle-identifying-where-your-data-is-vulnerable/


https://www.govtech.com/policy/GAO-Report-The-Net-Neutrality-Debate-Complicates-Data-Privacy.html


https://www.healthaffairs.org/do/10.1377/hblog20191031.373615/full/

https://www.npr.org/2019/09/13/760478177/microsoft-president-democracy-is-at-stake-regulate-big-tech


https://www.reuters.com/article/us-usa-social-media-trump-idUSKCN26D0A0


https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/


85

Catherine Thornbeck, New York probing Apple Card for alleged gender discrimination after viral tweet, ABC News (Nov. 11, 2019, 5:52 PM), https://abcnews.go.com/US/york-probing-apple-card-alleged-gender-discrimination-viral/story?id=66910300. Starre Vartan, Racial Bias Found in a Major Health Care Risk Algorithm, Scientific American (Oct. 24, 2019), https://www.scientificamerican.com/article/racial-bias-found-in-a-major-health-care-risk-algorithm/. Einat Weiss, Data Privacy Rules are Changing. How can Marketers Keep up? Harvard Business Review (Aug. 27, 2020), https://hbr.org/2020/08/data-privacy-rules-are-changing-how-can-marketers-keepup?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+harvardbusiness+%28HBR.org%29.

https://abcnews.go.com/US/york-probing-apple-card-alleged-gender-discrimination-viral/story?id=66910300


https://www.scientificamerican.com/article/racial-bias-found-in-a-major-health-care-risk-algorithm/


https://hbr.org/2020/08/data-privacy-rules-are-changing-how-can-marketers-keepup?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+harvardbusiness+%28HBR.org%29



86

APPENDIX C: KEY FEDERAL LAWS THAT IMPLICATE PRIVACY123

1 https://www.nacdl.org/Landing/ComputerFraudandAbuseAct#:~:text=The%20Computer%20Fraud%20and%20Abuse,fraud%20law%2C%20to%20address%20hacking.&text=The%20CFAA%20prohibits%20intentionally%20accessing,what%20%E2%80%9Cwithout%20authorization%E2%80%9D%20means. 2 https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285

https://www.nacdl.org/Landing/ComputerFraudandAbuseAct#:~:text=The%20Computer%20Fraud%20and%20Abuse,fraud%20law%2C%20to%20address%20hacking.&text=The%20CFAA%20prohibits%20intentionally%20accessing,what%20%E2%80%9Cwithout%20authorization%E2%80%9D%20means



87

APPENDIX C: KEY FEDERAL LAWS THAT IMPLICATE PRIVACY

3 https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285

88

APPENDIX C: KEY FEDERAL LAWS THAT IMPLICATE PRIVACY4

4 https://www.govtrack.us/congress/bills/106/s3188/summary

89

APPENDIX D - KEY DEBATES IN THE UNIFORM LAW COMMISSION548 Since early 2020, Trista Campbell, a third-year law student, has been an observer of the Uniform Law Commission’s draft of the CUPID Act (discussed in Section II). Below, Trista provides an overview of the “key debates” over various aspects of the ULC’s current draft. Since early 2020, Trista Campbell, a third-year law student, has been an observer of the Uniform Law Commission’s draft of the CUPID Act (discussed in Section II). Below, Trista provides an overview of the “key debates” over various aspects of the ULC’s current draft. Key Words and Definitions

• Observers have submitted numerous comments pertaining to the Definitions section of the draft act. The most commonly debated definitions are “de-identified,” “personal data,” “profiling,” “publicly available information,” and “sensitive data.” Below is a brief review of the issues relating to each of these keywords and definitions:

• DE-IDENTIFIED: It has been frequently recommended that the Draft Committee should follow the guidance of the Federal Trade Commission (“FTC”) regarding the deidentification of data. The FTC’s three-pronged test requires companies to: “(1) take reasonable measures to deidentify information; (2) make a public commitment to process data in a deidentified fashion and not attempt to reidentify data; and (3) contractually prohibit downstream recipients from reidentifying the data.” (emphasis added). One of the main recommendations of the observers would be to add the word “reasonably” to require deidentification efforts that are reasonable in light of the particular circumstances.

• PERSONAL DATA: There is a debate as to whether “personal data” should be defined broadly or narrowly. Those who advocate for it to be broadly defined claim that a broad definition is needed to meaningfully protect privacy and cabin misuse of information. Others think that the bill currently broadly defines “personal data” and recommends that the Committee provide a clearer definition. One commenter specifically recommends the Committee adopt the language used in Washington’s S.B. 6281, Section 3(22)(a), which defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Other commenters made similar suggestions, primarily that “personal data” should be linked to an identifiable person and not that which “describes a particular individual.”

• PROFILING: While one observer recommends adopting the definition of “profiling” used in the GDPR (Article 4(4)), another recommends that the ULC should strike the definition entirely, claiming it is overly broad to cover the necessary processing needed to complete a transaction. It is also a common recommendation that the language relative to profiling and automated decision-making should specifically exclude insurance underwriting.

• PUBLICLY AVAILABLE DATA: Observers have stated that the definition of “publicly available data” is too narrow and the definition should be struck from the draft in order to incorporate something more like the scoping definition in Section 3, which includes information “widely distributed in media.” One commenter claims that “the current approach goes against the long-standing practice of federal and state Freedom of Information Act

90

(“FOIA”) laws and is likely to violate the First Amendment.” “However, there are privacy implications when unrelated publicly available data is collected, subjected to an algorithm, and used for profiling or other commercial purposes. This issue has not been resolved by the committee.” (Issues Memo, May 20, 2020).

• SENSITIVE DATA: It is a commonality that the definition of “sensitive data” should be expanded upon to capture the full range of sensitive information protected by existing legislation and privacy frameworks. The recommended sensitive data to be added include: social security number, drivers’ license number, account numbers, passwords, data of children under the age of 16, and precise geolocation information.

Exemptions

• BUSINESS-TO-BUSINESS EXEMPTION: It has been recommended by multiple observers to exempt all B2B data from the act because businesses share data for legitimate reasons. If the draft were to unreasonably limit a business’s ability to share data with other businesses, this could cause harm to consumers.

• DPPA EXEMPTION: The Drivers Privacy Protection Act (“DPPA”) is a national privacy statute which protects consumers and their motor vehicle data. It is recommended that the Draft Act exempt the DPPA in order to meet consumer needs and to protect consumer expectations. Currently, the CCPA and most other privacy legislation includes this type of exemption. The exemption in the CCPA states "[t]his title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.)."

• EMPLOYMENT EXEMPTION: “The current draft exempts data collected by an employer about an employee in the context of the employment relationship. It has been argued this is too narrow and should extend to other forms of agency relationships.” (Issues Memo). Observers have suggested that the employment exemption be expanded to cover all types of “worker” including: agents, contractors, owners, directors, managers, and other non-employee workers. The Committee can protect consumers and recognize the modern workforce by exempting "data collected, used, or maintained in an employer-employee relationship, an employer-applicant relationship, a principal-agent relationship, or other work relationship." It has also recommended that the employment exemption also include information generated by employees in the course of performing their jobs, as well as emergency contact info and beneficiary info provided by the employee within the context of the employment relationship.

• GLBA EXEMPTION: The current draft carves-out an exemption to financial institutions which meet the Gram-Leach-Bliley Act (“GLBA”) definition of a financial institution. It is a common suggestion among observers that the exemption be changed to apply “to personal information collected, processed, sold, or disclosed pursuant to the federal GLBA.” The exemption should be for the data that is subject to the GLBA as opposed to a certain entity, because certain non-financial institutions have data that is subject to the GLBA.

Duties

• Most observers of the Draft Act have recommended deleting the Duties section of the draft, claiming it is unnecessary and adds business risk without any consumer benefit. Instead of

91

creating amorphous duty standards, the proposed legislation should clearly define obligations imposed on businesses that mitigate risks to consumers, while preserving the benefits to individuals and our economy that result from the responsible use of data. The two most hotly debated duties currently included within the Draft Act, “affirmative duties” and “duty of loyalty,” are discussed below.

• AFFIRMATIVE DUTY: Supporting the inclusion of affirmative duties on controllers in the Act, specifically the duties of purpose specification, data minimization, transparency, and data security, will put an obligation on companies to steward the data they collect responsibly. This obligation must be intact because companies shoulder the responsibility for protecting the privacy of consumer’ personal data. If not included in the Draft Act, solely granting consumers rights would effectively place the burden of regulating privacy on the shoulders of every consumer. This would require the consumer to make informed choices about which rights to exercise, when to exercise those rights, and with whom. It is recommended that the affirmative duty remain within the act to alleviate the burden on the consumer.

• DUTY OF LOYALTY: While there are a few in support of including the “duty of loyalty” in the Draft Act, those not in support view it as unclear and impractical, recommending that it be removed. There are currently no leading global privacy standards that incorporate the concept of a duty of loyalty or any type of fiduciary relationship between the data subject and the data processor. The inclusion of this duty serves as an impractical, indeterminable obligation for businesses, and may set-up new causes of action.

Consistency/Uniformity

• There is a consensus among commenters that because the bill encourages each state’s Attorney General (“AG”) to promulgate his/her own rules, the act will lead to inconsistent standards across the country. If the act were to include a mandatory coordination mechanism for state AGs to work jointly on specific cases enforcing uniform law, it would be helpful in keeping the standards consistent. This would help spread the burden of enforcement across AG offices, enhancing AG enforcement capabilities and minimizing unintended divergence in enforcement decisions, while minimizing risk to covered entities facing multiple AG inquiries on the same matter. Commenters encourage the ULC to remove the act’s broad regulatory authority to better ensure consistency among state standards for data privacy.

Consumer Protections

• Consumer protections include the rights to access, correct, delete, port, and opt-out of the processing of personal data. Commenters have come to a consensus that the Committee should take steps to ensure consumer data privacy enforcement responsibilities are placed within the purview of state AG offices only, which would lead to more consistent outcomes for consumers. This enforcement would also allow businesses to allocate funds to developing processes, procedures, and plans to facilitate compliance with new data privacy requirements.

• OPT-IN/OPT-OUT: Because digital advertising has been fundamental to the success of the Internet and digital economy, effective consumer privacy legislation must preserve the core benefits (providing significant benefits to consumers by connecting them with products and services that are more relevant to their interests, and providing opportunities for American businesses large and small to connect with consumers) while enhancing privacy protections.

92

It is viewed that the current approach within the Draft Act could impede functions that are essential to digital advertising. The consumers’ online experiences could be degraded by inhibiting the transfers of data they have come to expect.

• Not all observers reject the inclusion of an “opt-out” feature within the Draft Act. Some believe that consumers' right to opt out of data processing must include the ability to opt out of processing in furtherance of targeted advertising, and profiling in furtherance of certain consequential decisions. Those activities raise serious privacy concerns for consumers, and for that reason, it is recommended that the Committee continue designing the Act's opt out right to cover both advertising and consequential profiling.

Enforcement

• It is believed that a more nuanced, detailed discussion of the full panoply of enforcement options (regulatory actions, administrative hearings, alternative dispute resolution, injunctive relief, rights to cure, actions under consumer protection or UDAP statutes, and other options) is needed. Because there are a number of ways that private entities use public and private data to support government administration, it is argued that the requirements of the Draft Act should also extend to state and local governments. Without these governmental obligations, a private citizen would not be able to sue for the government misusing their privately obtained personal data. The liability would stop with the company that may have been forced to share the data as a part of its business regime.

• PRIVATE RIGHT OF ACTION: There is a robust outcry for the removal of the Private Right of Action (“PRA”) from the Draft Act, claiming that if the PRA remains, the bill will split enforcement authority between a state’s attorney general and the courts. This dual-enforcement regime will introduce even more uncertainty into calculations that businesses must make. A PRA creates controversy because of the regulatory uncertainty it introduces, the emphasis it creates on fulfilling technical requirements over more substantial privacy enhancing investments, and the lack of transparency that results from settlements.

• A private right of action distracts from the goal of meaningful and real privacy protections where a knowledgeable agency or regulator ensures that businesses are protecting data. Private lawsuits could sweep in technical non-compliance items and further erode uniformity. The current PRA would produce lawsuits without providing commensurate consumer benefits.

Data Privacy Assessments

• Commenters have observed that the required content of the assessments is overly proscriptive and does not permit sufficient flexibility depending on the nature of the processing, the nature of the data, and the entities’ assessments. The Committee is urged to consider flexibility in these requirements and/or delete this Section.

Safe Harbor Provision

• Many commenters are advocating for the addition of a safe harbor provision that encourages the development of industry-wide codes of conduct to create privacy and security standards. A self-regulated approach has been suggested because it would constitute compliance with the privacy regime. This would further eliminate the need for protracted rulemakings and instead allow regulation at the speed of innovation. This is the approach that has been used with

93

success in the Children’s Online Privacy Protection Act (“COPPA”) by providing flexibility and accountability.

94

APPENDIX E - LIST OF OTHER CASES AND AUTHORITIES Since the beginning of the work on this white paper, one of the major tasks that the research assistants have been working on was to collect and summarize all relevant authorities that may implicate data privacy. Below is a summary of the work that was done at the hands of the following RAs: Cheryl Brown, Trista Campbell, Jeremy Cook, and Ashton Meyers. Resources Section: Relevant Cases Appendix D List of Authorities and Case Summaries Statutes 15 U.S.C. §1681 Congressional findings and statement of purpose

(a) Accuracy and fairness of credit reporting The Congress makes the following findings: (1) The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system. (2) An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers. (3) Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers. (4) There is a need to ensure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy. (b) Reasonable procedures It is the purpose of this subchapter to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this subchapter.

15 U.S.C. §1681a(d)

(d) Consumer Report.— (1) In general.—The term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for— (A)credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title. (2) Exclusions.—Except as provided in paragraph (3), the term “consumer report” does not include— (A)subject to section 1681s–3 of this title, any—

95

(i) report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons; (B)any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device; (C)any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and such person makes the disclosures to the consumer required under section 1681m of this title; or (D)a communication described in subsection (o) or (x).[1] (3) Restriction on sharing of medical information.—Except for information or any communication of information disclosed as provided in section 1681b(g)(3) of this title, the exclusions in paragraph (2) shall not apply with respect to information disclosed to any person related by common ownership or affiliated by corporate control, if the information is— (A)medical information; (B)an individualized list or description based on the payment transactions of the consumer for medical products or services; or (C)an aggregate list of identified consumers based on payment transactions for medical products or services.

15 U.S.C. § 1681a(k)(1)

(k)Adverse Action.— (1)Actions included.—The term “adverse action”— (A)has the same meaning as in section 1691(d)(6) of this title; and (B)means— (i)a denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of, any insurance, existing or applied for, in connection with the underwriting of insurance; (ii)a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee; (iii)a denial or cancellation of, an increase in any charge for, or any other adverse or unfavorable change in the terms of, any license or benefit described in section 1681b(a)(3)(D) of this title; and (iv)an action taken or determination that is— (I)made in connection with an application that was made by, or a transaction that was initiated by, any consumer, or in connection with a review of an account under section 1681b(a)(3)(F)(ii) of this title; and (II)adverse to the interests of the consumer. (2)Applicable findings, decisions, commentary, and orders.—

96

For purposes of any determination of whether an action is an adverse action under paragraph (1)(A), all appropriate final findings, decisions, commentary, and orders issued under section 1691(d)(6) of this title by the Bureau or any court shall apply.

15 U.S.C. §1681e(b) (b)Accuracy of report

Whenever a consumer reporting agency prepares a consumer report it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.

15 U.S.C. § 1691(d)(6)

(d) Reason for adverse action; procedure applicable; “adverse action” defined (6)For purposes of this subsection, the term “adverse action” means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the amount or on substantially the terms requested. Such term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit.

15 U.S. Code § 6801. Protection of nonpublic personal information (a)Privacy obligation policy

It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. (b)Financial institutions safeguards. In furtherance of the policy in subsection (a), each agency or authority described in section 6805(a) of this title, other than the Bureau of Consumer Financial Protection, shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards— (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

15 U.S. Code § 6805.Enforcement (a) In general. Subject to subtitle B of the Consumer Financial Protection Act of 2010 [12 U.S.C. 5511 et seq.], this subchapter and the regulations prescribed thereunder shall be enforced by the Bureau of Consumer Financial Protection, the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows: (6) Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to section 6701 of this title.

15 U.S. Code 6805(a)(6) (a)In general

97

Subject to subtitle B of the Consumer Financial Protection Act of 2010 [12 U.S.C. 5511 et seq.], this subchapter and the regulations prescribed thereunder shall be enforced by the Bureau of Consumer Financial Protection, the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows: (6)Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to section 6701 of this title.

18 U.S.C. § 1839(3) (2016) Definitions (3)the term “trade secret” means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if— (A)the owner thereof has taken reasonable measures to keep such information secret; and (B)the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information;

18 U.S.C. § 1835(a), (b) (2016) Orders to preserve confidentiality

(a)In General.— In any prosecution or other proceeding under this chapter, the court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of trade secrets, consistent with the requirements of the Federal Rules of Criminal and Civil Procedure, the Federal Rules of Evidence, and all other applicable laws. An interlocutory appeal by the United States shall lie from a decision or order of a district court authorizing or directing the disclosure of any trade secret. (b)Rights of Trade Secret Owners.— The court may not authorize or direct the disclosure of any information the owner asserts to be a trade secret unless the court allows the owner the opportunity to file a submission under seal that describes the interest of the owner in keeping the information confidential. No submission under seal made under this subsection may be used in a prosecution under this chapter for any purpose other than those set forth in this section, or otherwise required by law. The provision of information relating to a trade secret to the United States or the court in connection with a prosecution under this chapter shall not constitute a waiver of trade secret protection, and the disclosure of information relating to a trade secret in connection with a prosecution under this chapter shall not constitute a waiver of trade secret protection unless the trade secret owner expressly consents to such waiver.

18 U.S.C. § 1833(b) (2016) Exceptions to prohibitions

(b)Immunity From Liability for Confidential Disclosure of a Trade Secret to the Government or in a Court Filing.— (1)Immunity.—An individual shall not be held criminally or civilly liable under any Federal or State trade secret law for the disclosure of a trade secret that— (A)is made— (i)in confidence to a Federal, State, or local government official, either directly or indirectly, or to an attorney; and

98

(ii)solely for the purpose of reporting or investigating a suspected violation of law; or (B)is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. (2)Use of trade secret information in anti-retaliation lawsuit.—An individual who files a lawsuit for retaliation by an employer for reporting a suspected violation of law may disclose the trade secret to the attorney of the individual and use the trade secret information in the court proceeding, if the individual— (A)files any document containing the trade secret under seal; and (B)does not disclose the trade secret, except pursuant to court order. (3)Notice.— (A)In general.— An employer shall provide notice of the immunity set forth in this subsection in any contract or agreement with an employee that governs the use of a trade secret or other confidential information. (B)Policy document.— An employer shall be considered to be in compliance with the notice requirement in subparagraph (A) if the employer provides a cross-reference to a policy document provided to the employee that sets forth the employer’s reporting policy for a suspected violation of law. (C)Non-compliance.— If an employer does not comply with the notice requirement in subparagraph (A), the employer may not be awarded exemplary damages or attorney fees under subparagraph (C) or (D) of section 1836(b)(3) in an action against an employee to whom notice was not provided. (D)Applicability.— This paragraph shall apply to contracts and agreements that are entered into or updated after the date of enactment of this subsection. (4)Employee defined.— For purposes of this subsection, the term “employee” includes any individual performing work as a contractor or consultant for an employer. (5)Rule of construction.— Except as expressly provided for under this subsection, nothing in this subsection shall be construed to authorize, or limit liability for, an act that is otherwise prohibited by law, such as the unlawful access of material by unauthorized means.

42 USC § 300jj(9) (2016) 21st Century Cures Act (9)Interoperability The term “interoperability”, with respect to health information technology, means such health information technology that— (A)enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user; (B)allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and (C)does not constitute information blocking as defined in section 300jj–52(a) of this title.

42 U.S.C. 1395y(b)(8). Medicare Secondary Payer Act (MSP).

99

Insurers are obligated to report claims payments made to any person covered by Medicare payments for the same claims or injuries, so that the Secretary is able “to make an appropriate determination concerning coordination of benefits, including any applicable recovery claim.” 45 CFR § 160.203 (HIPAA) General rule and exceptions.

A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except if one or more of the following conditions is met: (a) A determination is made by the Secretary under § 160.204 that the provision of State law: (1) Is necessary: (i) To prevent fraud and abuse related to the provision of or payment for health care; (ii) To ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation; (iii) For State reporting on health care delivery or costs; or (iv) For purposes of serving a compelling need related to public health, safety, or welfare, and, if a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or (2) Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law. (b) The provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter. (c) The provision of State law, including State procedures established under such law, as applicable, provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. (d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals.

45 CFR 160 For a full version of these provisions combined with 45 CFR 162 and 45 CFR 164(A) and (E), see Department of Health and Human Services, HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013) available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es. 45 CFR 162 For a full version of these provisions combined with 45 CFR 162 and 45 CFR 164(A) and (E), see Department of Health and Human Services, HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013) available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es.

100

45 CFR 164(A), (E) For a full version of these provisions combined with 45 CFR 162 and 45 CFR 164(A) and (E), see Department of Health and Human Services, HIPAA Administrative Simplification Regulation Text 45 CFR Parts 160, 162, and 164 (Unofficial Version, as amended through March 26, 2013) available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf?language=es. 45 C.F.R. 164.512(b)(1)(ii)

(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;

45 C.F.R. §164.514(b)(2(i)(R), (b)(2)(ii) (b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if: (2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed: (R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and (ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. 42 U.S.C. 300gg-91(a)(2)

(2)Medical care The term “medical care” means amounts paid for— (A)the diagnosis, cure, mitigation, treatment, or prevention of disease, or amounts paid for the purpose of affecting any structure or function of the body, (B)amounts paid for transportation primarily for and essential to medical care referred to in subparagraph (A), and (C)amounts paid for insurance covering medical care referred to in subparagraphs (A) and (B).

45 C.F.R. 164.502(e)

(e) (1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. (ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.

101

(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).

45 C.F.R. 164.504(e)

(e) (1) Standard: Business associate contracts. (i) The contract or other arrangement required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable. (ii) A covered entity is not in compliance with the standards in § 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. (iii) A business associate is not in compliance with the standards in § 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor's obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible. (2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; (E) Make available protected health information in accordance with § 164.524;

102

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526; (G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528; (H) To the extent the business associate is to carry out a covered entity's obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation. (I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity's compliance with this subpart; and (J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. (iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. (3) Implementation specifications: Other arrangements. (i) If a covered entity and its business associate are both governmental entities: (A) The covered entity may comply with this paragraph and § 164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and § 164.314(a)(2), if applicable. (B) The covered entity may comply with this paragraph and § 164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and § 164.314(a)(2), if applicable. (ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and § 164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and § 164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained. (iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate. (iv) A covered entity may comply with this paragraph and § 164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with §§ 164.514(e)(4) and 164.314(a)(1), if applicable. (4) Implementation specifications: Other requirements for contracts and other arrangements.

103

(i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary: (A) For the proper management and administration of the business associate; or (B) To carry out the legal responsibilities of the business associate. (ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if: (A) The disclosure is required by law; or (B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and (2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached. (5) Implementation specifications: Business associate contracts with subcontractors. The requirements of § 164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by § 164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

PHS Section 1861(u), 42 U.S.C. 1395x(u) Definitions

(u)Provider of services The term “provider of services” means a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or, for purposes of section 1395f(g) and section 1395n(e) of this title, a fund.

Public Health Service Act (PHS) Section 2791(a)(2)

Repealed. Pub. L. 97–35, title VI, § 683(a), Aug. 13, 1981, 95 Stat. 519 W.V. Code §16-29G-1 Purpose.

(a) The purpose of this article is to create the West Virginia Health Information Network under the oversight of the Health Care Authority to promote the design, implementation, operation and maintenance of a fully interoperable statewide network to facilitate public and private use of health care information in the state. (b) It is intended that the network be a public-private partnership for the benefit of all of the citizens of this state. (c) The network is envisioned to support and facilitate the following types of electronic transactions or activities: (1) Automatic drug-drug interaction and allergy alerts; (2) Automatic preventive medicine alerts; (3) Electronic access to the results of laboratory, X ray, or other diagnostic examinations; (4) Disease management; (5) Disease surveillance and reporting; (6) Educational offerings for health care providers;

104

(7) Health alert system and other applications related to homeland security; (8) Links to evidence-based medical practice; (9) Links to patient educational materials; (10) Medical record information transfer to other providers with the patient's consent; (11) Physician order entry; (12) Prescription drug tracking; (13) Registries for vital statistics, cancer, case management, immunizations and other public health registries; (14) Secured electronic consultations between providers and patients; (15) A single-source insurance credentialing system for health care providers; (16) Electronic health care claims submission and processing; and (17) Any other electronic transactions or activities as determined by legislative rules promulgated pursuant to this article. (d) The network shall ensure the privacy of patient health care information.

W.Va. Code 33-41-5(a) A person in the business of insurance having knowledge or a reasonable belief that fraud or another crime related to the business of insurance is being, will be or has been committed shall provide to the commissioner the information required by, and in a manner prescribed by, the commissioner. WV Code 46A-2A-101 et seq Definitions

As used in this article: (1) "Breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure. (2) "Entity" includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit. (3) "Encrypted" means transformation of data through the use of an algorithmic process to into a form in which there is a low probability of assigning meaning without use of a confidential process or key or securing the information by another method that renders the data elements unreadable or unusable. (4) "Financial institution" has the meaning given that term in Section 6809(3), United States Code Title 15, as amended. (5) "Individual" means a natural person. (6) "Personal information" means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted: (A) Social security number;

105

(B) Driver's license number or state identification card number issued in lieu of a driver's license; or (C) Financial account number, or credit card, or debit card number in combination with any required security code, access code or password that would permit access to a resident's financial accounts. The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. (7) "Notice" means: (A) Written notice to the postal address in the records of the individual or entity; (B) Telephonic notice; (C) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, set forth in Section 7001, United States Code Title 15, Electronic Signatures in Global and National Commerce Act. (D) Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000 or that the affected class of residents to be notified exceeds one hundred thousand persons or that the individual or the entity does not have sufficient contact information or to provide notice as described in paragraph (A), (B) or (C). Substitute notice consists of any two of the following: (i) E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents; (ii) Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; or (iii) Notice to major statewide media. (8) "Redact" means alteration or truncation of data such that no more than the last four digits of a social security number, driver's license number, state identification card number or account number is accessible as part of the personal information.

WV Code 62-1D-1 Short Title

This act shall be known and may be cited as the "West Virginia Wiretapping and Electronic Surveillance Act."

W.Va. C.S.R. 114-15- 4.2(b) For the purpose of examination, analysis and review activities conducted pursuant to W. Va. Code §33-2-9 or this rule, an insurer or related entity licensed to do business in this state shall maintain its books, records and documents in a manner so that the commissioner can readily ascertain during an examination the insurer's compliance with the insurance laws and rules of this state, the standards outlined in the NAIC Financial Conditions Examiner Handbook, and with the standards outlined in the NAIC Market Regulation Handbook, including, but not limited to, company operations and management, policyholder service, marketing, producer licensing, underwriting, rating, complaint/grievance handling, and claims practices. a. For an insurer subject to 114CSR51 or 114CSR53, the insurer or related entity shall, in addition, maintain its books, records, and documents in a manner so that the practices of

106

the entity regarding network adequacy, utilization review, quality assessment and improvement and provider credentialing may be ascertained during a market conduct examination. b. All insurer records within the scope of this rule must be retained for the lesser of: 1. The current calendar year plus five (5) calendar years; 2. From the closing date of the period of review for the most recent examination by the commissioner; or 3. A period otherwise specified by statute as the examination cycle for the insurer. c. The producer of record shall maintain a file for each policy sold, and the file shall contain all work papers and written communications in his or her possession pertaining to the policy documented therein. These records shall be retained for the current calendar year plus additional years as set forth in subdivision b of this subsection. d. During an examination of the insurer, the insurer shall provide a copy of the written contract entered into with each third party vendor or service provider as requested by an examiner within the time frames set forth in subsection 4.9 of this section.

W. Va. C.S.R. 114-57-15.1

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

W.Va. C.S.R.114-57-15.2

Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional

107

insurance functions may be added with the approval of the commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

W. Va. C.S.R. 114-62-3.1

Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information. The administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

California Consumer Privacy Act (CCPA) § 1798.125(a) (2018)

(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by: (A) Denying goods or services to the consumer. (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (C) Providing a different level or quality of goods or services to the consumer. (D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. (2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data. (b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data. (2) A business that offers any financial incentives pursuant to this subdivision shall notify consumers of the financial incentives pursuant to Section 1798.130. (3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. (4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature. (Amended by Stats. 2019, Ch. 757, Sec. 5. (AB 1355) Effective January 1, 2020. Superseded on January 1, 2023; see amendment by Proposition 24.)

CCPA § 1798.140(o) (2018) (o) (1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

108

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. (B) Any categories of personal information described in subdivision (e) of Section 1798.80. (C) Characteristics of protected classifications under California or federal law. (D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. (E) Biometric information. (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement. (G) Geolocation data. (H) Audio, electronic, visual, thermal, olfactory, or similar information. (I) Professional or employment-related information. (J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. (2) “Personal information” does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. (3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

Illinois Biometric Information Privacy Act (IBIPA) 740 ILCS 14/1 (2008)

Short title. This Act may be cited as the Biometric Information Privacy Act.

Texas Business and Commerce Code § 503.001 (2011 ??) (a) In this section, “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. (b) A person may not capture a biometric identifier of an individual for a commercial purpose unless the person:

(1) informs the individual before capturing the biometric identifier;  and (2) receives the individual's consent to capture the biometric identifier. (c) A person who possesses a biometric identifier of an individual that is captured for a commercial purpose: (1) may not sell, lease, or otherwise disclose the biometric identifier to another person unless: (A) the individual consents to the disclosure for identification purposes in the event of the individual's disappearance or death; (B) the disclosure completes a financial transaction that the individual requested or authorized;

109

(C) the disclosure is required or permitted by a federal statute or by a state statute other than

Chapter 552, Government Code;  or (D) the disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant; (2) shall store, transmit, and protect from disclosure the biometric identifier using reasonable care and in a manner that is the same as or more protective than the manner in which the person stores, transmits, and protects any other confidential information the

person possesses;  and (3) shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires, except as provided by Subsection (c-1). (c-1) If a biometric identifier of an individual captured for a commercial purpose is used in connection with an instrument or document that is required by another law to be maintained for a period longer than the period prescribed by Subsection (c)(3), the person who possesses the biometric identifier shall destroy the biometric identifier within a reasonable time, but not later than the first anniversary of the date the instrument or document is no longer required to be maintained by law. (c-2) If a biometric identifier captured for a commercial purpose has been collected for security purposes by an employer, the purpose for collecting the identifier under Subsection (c)(3) is presumed to expire on termination of the employment relationship. (d) A person who violates this section is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty. (e) This section does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution, as those terms are defined by 15 U.S.C. Section 6809 .

WASH. REV. CODE ANN. 19.375 RCW Biometric Identifiers (2017)

RCW 19.375.010 Definitions. The definitions in this section apply throughout this chapter, unless the context clearly requires otherwise. (1) "Biometric identifier" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. "Biometric identifier" does not include a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal health insurance portability and accountability act of 1996. (2) "Biometric system" means an automated identification system capable of capturing, processing, and storing a biometric identifier, comparing the biometric identifier to one or more references, and matching the biometric identifier to a specific individual. (3) "Capture" means the process of collecting a biometric identifier from an individual. (4) "Commercial purpose" means a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual's biometric identifier. "Commercial purpose" does not include a security or law enforcement purpose.

110

(5) "Enroll" means to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual. (6) "Law enforcement officer" means a law enforcement officer as defined in RCW 9.41.010 or a federal peace officer as defined in RCW 10.93.020. (7) "Person" means an individual, partnership, corporation, limited liability company, organization, association, or any other legal or commercial entity, but does not include a government agency. (8) "Security purpose" means the purpose of preventing shoplifting, fraud, or any other misappropriation or theft of a thing of value, including tangible and intangible goods, services, and other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services, or any person. RCW 19.375.020 Enrollment, disclosure, and retention of biometric identifiers. (1) A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. (2) Notice is a disclosure, that is not considered affirmative consent, that is given through a procedure reasonably designed to be readily available to affected individuals. The exact notice and type of consent required to achieve compliance with subsection (1) of this section is context-dependent. (3) Unless consent has been obtained from the individual, a person who has enrolled an individual's biometric identifier may not sell, lease, or otherwise disclose the biometric identifier to another person for a commercial purpose unless the disclosure: (a) Is consistent with subsections (1), (2), and (4) of this section; (b) Is necessary to provide a product or service subscribed to, requested, or expressly authorized by the individual; (c) Is necessary to effect, administer, enforce, or complete a financial transaction that the individual requested, initiated, or authorized, and the third party to whom the biometric identifier is disclosed maintains confidentiality of the biometric identifier and does not further disclose the biometric identifier except as otherwise permitted under this subsection (3); (d) Is required or expressly authorized by a federal or state statute, or court order; (e) Is made to a third party who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose inconsistent with the notice and consent described in this subsection (3) and subsections (1) and (2) of this section; or (f) Is made to prepare for litigation or to respond to or participate in judicial process. (4) A person who knowingly possesses a biometric identifier of an individual that has been enrolled for a commercial purpose: (a) Must take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers that are in the possession or under the control of the person; and (b) May retain the biometric identifier no longer than is reasonably necessary to: (i) Comply with a court order, statute, or public records retention schedule specified under federal, state, or local law; (ii) Protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability; and

111

(iii) Provide the services for which the biometric identifier was enrolled. (5) A person who enrolls a biometric identifier of an individual for a commercial purpose or obtains a biometric identifier of an individual from a third party for a commercial purpose pursuant to this section may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new terms of use or disclosure. (6) The limitations on disclosure and retention of biometric identifiers provided in this section do not apply to disclosure or retention of biometric identifiers that have been unenrolled. (7) Nothing in this section requires an entity to provide notice and obtain consent to collect, capture, or enroll a biometric identifier and store it in a biometric system, or otherwise, in furtherance of a security purpose. RCW 19.375.030 Application of consumer protection act. (1) The legislature finds that the practices covered by this chapter are matters vitally affecting the public interest for the purpose of applying the consumer protection act, chapter 19.86 RCW. A violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act, chapter 19.86 RCW. (2) This chapter may be enforced solely by the attorney general under the consumer protection act, chapter 19.86 RCW. RCW 19.375.040 Exclusions. (1) Nothing in this chapter applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley act of 1999 and the rules promulgated thereunder. (2) Nothing in this chapter applies to activities subject to Title V of the federal health insurance privacy and portability act of 1996 and the rules promulgated thereunder. (3) Nothing in this chapter expands or limits the authority of a law enforcement officer acting within the scope of his or her authority including, but not limited to, the authority of a state law enforcement officer in executing lawful searches and seizures. RCW 19.375.900 Finding—Intent—2017 c 299. The legislature finds that citizens of Washington are increasingly asked to disclose sensitive biological information that uniquely identifies them for commerce, security, and convenience. The collection and marketing of biometric information about individuals, without consent or knowledge of the individual whose data is collected, is of increasing concern. The legislature intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual's biometric identifiers in a database.

General Data Protection Regulation (GDPR), Art. 2(a) (2016) Material scope

112

This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

GDPR, Art. 2(b) and Recital 16 (2016) Material scope This Regulation does not apply to the processing of personal data: (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; Recital 16: This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union. GDPR, Art 4(13) (2016) Definitions

(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

GDPR, Art. 4(14) (2016) Definitions (14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

GDPR Art. 7 Conditions for Consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. 2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

GDPR Art. 9 (2016) Processing of special categories of personal data 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data,

113

biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject; (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; (e) processing relates to personal data which are manifestly made public by the data subject; (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject; (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3; (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. 3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

114

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

GDPR Article 40(2)-40(5) (2016) Codes of conduct

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to: (a) fair and transparent processing; (b) the legitimate interests pursued by controllers in specific contexts; (c) the collection of personal data; (d) the pseudonymisation of personal data; (e) the information provided to the public and to data subjects; (f)the exercise of the rights of data subjects; (g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained; (h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32; (i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects; (j) the transfer of personal data to third countries or international organisations; or (k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79. 3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). 2Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects. 4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56. 5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. 2The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

GDPR Article 51(1) (2016)

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the

115

fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).

GDPR Art. 53 (2016) General conditions for the members of the supervisory authority 1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by: – their parliament; – their government; – their head of State; or – an independent body entrusted with the appointment under Member State law. 2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers. 3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned. 4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

GDPR Art. 54 (2016) Rules on the establishment of the supervisory authority 1. Each Member State shall provide by law for all of the following: (a) the establishment of each supervisory authority; (b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority; (c) the rules and procedures for the appointment of the member or members of each supervisory authority; (d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure; (e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment; (f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment. 2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

GDPR Art. 55 (2016) Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

116

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. 2In such cases Article 56 does not apply. 3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

GDPR Art. 56 (2016) Competence of the lead

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60. 2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. 3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. 2Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it. 4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. 2The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. 3The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3). 5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62. 6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

GDPR Article 57(1)(a)-(v) (2016) Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: (a) monitor and enforce the application of this Regulation; (b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention; (c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing; (d) promote the awareness of controllers and processors of their obligations under this Regulation; (e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

117

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary; (g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation; (h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority; (i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices; (j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2); (k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4); (l) give advice on the processing operations referred to in Article 36(2); (m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5); (n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5); (o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7); (p) draft and publish the requirements for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; (q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; (r) authorise contractual clauses and provisions referred to in Article 46(3); (s) approve binding corporate rules pursuant to Article 47; (t) contribute to the activities of the Board; (u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and (v) fulfil any other tasks related to the protection of personal data.

GDPR Article 58 (2016) Powers

1. Each supervisory authority shall have all of the following investigative powers: (a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks; (b) to carry out investigations in the form of data protection audits; (c) to carry out a review on certifications issued pursuant to Article 42(7); (d) to notify the controller or the processor of an alleged infringement of this Regulation; (e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

118

(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law. 2. Each supervisory authority shall have all of the following corrective powers: (a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation; (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (e) to order the controller to communicate a personal data breach to the data subject; (f) to impose a temporary or definitive limitation including a ban on processing; (g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19; (h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; (j) to order the suspension of data flows to a recipient in a third country or to an international organisation. 3. Each supervisory authority shall have all of the following authorisation and advisory powers: (a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36; (b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data; (c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation; (d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5); (e) to accredit certification bodies pursuant to Article 43 to issue certifications and approve criteria of certification in accordance with Article 42(5); (f) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2); (g) to authorise contractual clauses referred to in point (a) of Article 46(3); (h) to authorise administrative arrangements referred to in point (b) of Article 46(3); (i) to approve binding corporate rules pursuant to Article 47. 4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter. 5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities

119

and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation. 6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. 2The exercise of those powers shall not impair the effective operation of Chapter VII.

GDPR Article 68 (2016) European Data Protection Board

1. The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality. 2. The Board shall be represented by its Chair. 3. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives. 4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State’s law. 5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. 2The Commission shall designate a representative. 3The Chair of the Board shall communicate to the Commission the activities of the Board. 6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

GDPR Article 70(1)(a), (b) (2016)

1. The Board shall ensure the consistent application of this Regulation. 2To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular: (a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; (b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation

120

Cases and Case Summaries Whalen v. Roe, 429 U.S. 589 (1977) Board of Ed. Of Independent School Dist. No. 92 of Pottawotomie City. v. Earls, 536 U.S. 822 (2002) Gonzaga Univ. v. Doe, 122 S. Ct. 2268 (2002) Owasso Indep. Sch. Dist. No. 1-011 v. Falvo 534 U.S. 426 (2002) NASA v. Nelson, 562 U.S. 134 (2011) Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) Lewart v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011) FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3rd Cir. 2015) Dehoyos v. Allstate Corp., 345 F.3d 290, 293 (5th Cir. 2003) United States v. Miami Univ. 294 F. 3d 797 (6th Cir. 2002) Remijas v. Nieman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) In re Remington Arms Co., 952 F.2d 1029, 1030 (8th Cir. 1991) Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) Eichenberger v. ESPN, Inc. 876 F.3d 979 (9th Cir. 2017) Patel v. Facebook, Inc. No. 18-15982 (9th Cir. Aug. 8, 2019) LabMD, Inc. v. FTC, 678 Fed. Appx. 816 (11th Cir. 2016) Yershov v. Gannet Satellite Info. Network, Inc. 820 F. 3d 482. (U.S. App 2016) **In re Michael Stores (2017) In re Michaels Stores Pin Pad Litigation, 830 F. Supp. 2d 518 (N.D. Ill. 2011) In re Google, Inc. Privacy Policy Litigation., 58 F. Supp. 3d 968 (N.D. Cal. 2014) Small v. Ramsey, 280 F.R.D. 264 (N.D. W. Va. 2012). In re Vizio, Inc. Consumer Privacy Litig., 238 F. Supp. 3d 1204, 1217 (C.D. Cal. 2017) Electronic Privacy Information Center v. US Department of Education Civil Action No. 12-0327 Sept. 9, 2013 U.S. Dis. Ct. D.C. Brown v. Mortensen, 30 Cal. App. 5th 931, 242 Cal. Rptr. 3d 67 (2019) Connor v. First Student, Inc., 5 Cal. 5th 1026, 423 P.3d 953 (2018) Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186, 129 N.E.3d 1197 Bridgestone Ams. Holding, Inc. v. Mayberry, 878 N.E.2d 189, 190 (Ind. 2007). In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014) Dalton v. Educ. Testing Serv., 294 A.D.2d 462 (App. Div. 2nd Dept. 2002) Arons v. Jutkowitz, 9 N.Y.3d 393, 880 N.E.2d 831 (2007) State ex re. ESPN v. Ohio State Univ., 132 Ohio St. 3d 212 (2012) Ojo v. Farmers Grp., Inc., 356 S.W.3d 421 (Tex. 2011) R. K. v. St. Mary's Med. Ctr., Inc., 229 W. Va. 712, 735 S.E.2d 715 (2012) State ex rel. State Farm Mut. Auto. Ins. Co. v. Bedell, 697 S.E.2d 730 (2010) State ex rel. State Farm Mut. Auto. Ins. Co. v. Bedell, 719 S.E.2d 722 (2011) State ex rel. State Farm Mut. Auto. Ins. Co. v. Marks, 741 S.E.2d 75 (2012) Faris v. Harding, W.Va. Circ. Harrison (No. 10-C-123-1) (2012)

Cases Related to Data Privacy Within Banking and Credit Institutions

Claire Cherry v. Amoco Oil Company (1980)

Plaintiff, Claire Cherry, applied for a gasoline credit card through Amoco Oil Company, Defendant, and was denied. She claims that her denial was based on her zip code being located in a predominantly non-white neighborhood. Amoco admitted in Plaintiff’s denial

121

letter and during testimony that it uses a scoring system that assigns “low ratings to those zip code areas in which it has had unfavorable delinquency experience.”5 If the Plaintiff (having shown the same level of income and other information) had lived in a zip code area rated 3 or above, she would have been granted a credit card by Amoco.6

Plaintiff attempted to show “that the percentage of applicants in various low-rated zip code areas correlated to the percentage of black population in each of said zip code areas.”7 The Court ruled that the evidence presented was not enough to make out a prima facie case because it only showed that all the factors taken into effect as a whole had a tendency “to reject a disproportionate number of persons living in predominately black areas.”8 The Court ruled that there was “insufficient evidence from which to draw a conclusion as to whether Amoco’s use of zip code ratings treats otherwise qualified white applicants and otherwise black applicants in a significantly different manner.”9 Judgement was granted to the Defendant and Plaintiff was ordered to pay costs.10

Although this case was ruled in favor of the Defendant, it is a significant case that brought attention to ranking systems used by banking and credit institutions.

Isaac v. Norwest Mortgage (now Wells Fargo) (2002) Ruth Isaac, Plaintiff, filed suit against Wells Fargo, Defendant, in May of 1999 alleging that Defendant uses zip codes to segregate potential homebuyers.11 In June 2000, Plaintiff amended her complaint to add the Association of Community Organizations from Reform Now (ACORN) as an additional Plaintiff.12 Defendant then moved for summary judgement.13 Plaintiffs were able to demonstrate that the “Community Calculator,” which was housed on Wells Fargo’s website, collected zip code information from its customers. It then used that information to “steer” customers toward “neighborhoods where that person’s race predominated.”14 The “Community Calculator generated a list of the five ‘best matching communities’ within 50 miles of the target area, including the area of departure; the community in which Isaac resides; the community in which approximately 237 ACORN members reside; and a community in Fort Worth, Texas.15 The Calculator then assigned each community with a lifestyle indicator – both primary and other.16Plaintiffs were not able to show that they have standing because they did not show that either “suffered a distinct and palpable injury as a result of Norwest’s alleged conduct.17 Defendant’s motion for summary

5 Cherry v. Amoco Oil Company, 490 F.Supp. 1026 (U.S. Dist. Ct. N. 1980). 6 Id. at 1028. 7 Id at 1030. 8 Id. 9 Id. at 1031. 10 Id. at 1032. 11 Isaac v. Northwest Mortg. 2002 U.S. Dist. LEXIS 9354 (N. Dist. Texas 2002). 12 Id at 3. 13 Id. at 4. 14 Hernandez, Eddy, Muchmore, supra, at 1968. 15 Isaac v Norwest Mortg. (2002) at 12. 16 Id. 17 Id. at 26.

122

judgement was granted because Plaintiff did not show any genuine issue of material fact pertaining to the standing issue.18

City of Memphis v. Wells Fargo Bank, N.A. (2011)

Plaintiffs, City of Memphis and Shelby County, alleged that Defendant, Wells Fargo, engaged in discriminatory lending practices by targeting African-American homebuyers and steering them toward loans outside of their financial capacity.19 Defendants filed a motion to dismiss which was denied. The Court held that Plaintiffs had standing because they alleged sufficient facts, and Plaintiffs “adequately pled their claim that Wells Fargo’s lending practices had a disparate impact on African-Americans in Memphis and Shelby County in violation of the FHA.”20 This significance of this case in our research pertaining to data privacy is the “steering” of customers to loans that they could not afford. “Wells Fargo gave its employees discretion about steering customers to products more profitable for Wells Fargo.”21 The company had software that was designed “to filter loans to make sure that applicants were offered the best loans for which they qualified, but the filters were regularly evaded and did not work.”22

Cases on Data Privacy IoT and the 4th Amendment

Katz v. United States

The Supreme Court established the reasonable expectation of privacy theory, a two-prong test to determine whether an individual has a reasonable expectation of privacy. First, the individual must have “exhibited an actual (subjective) expectation of privacy. Second, the court must determine if the “individual’s subjective expectation of privacy is one that society is prepared to recognize as ‘reasonable.’”23

Kyllo v. United States

The physical intrusion theory was used in the Kyllo case. The court determined that “[w]here, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.”24

Jones v. United States

The Supreme Court applied Justice Harlan’s concurrence in the Katz case in ruling that a person’s “reasonable expectation of privacy” is violated when a GPS tracking device is placed on a person’s vehicle in order to track that person’s movements on public streets.25

Riley v. California

18 Id. 19 City of Memphis v. Wells Fargo Bank, N.A. 2001 U.S. Dist. LEXIS 48522 (West. Dist. Of Tenn. 2011). 20 Id. at 52. 21 Id. at 6. 22 Id. at 7. 23 Katz v. United States, 398 U.S. 347, 361 (1967). 24 Kyllo v. United States, 533 U.S. 27, 121 S. Ct. 2038, 150 L. Ed. 2d 94 (2001). 25 Jones v. United States, 565 U.S. 400, 132 S. Ct. 945 (2012).

123

“Riley involved the Court's first attempt to reconcile smartphone data and Fourth Amendment doctrine. The case itself asked whether police need a warrant to search a smartphone incident to arrest.”26 The Supreme Court ultimately ruled that, when a cellphone is seized due to an incident of arrest, absent exigent circumstances, the government may not complete a warrantless search on the contents of the cellphone. A warrant must be obtained prior to a search of the data contained within the cellphone.27

United States v. Adkinson

The Court of Appeals held that a search and seizure does not violate the Fourth Amendment when (1) a private party provides the data information, unless the private party is acting as an agent of the government, and (2) the defendant consented to the privacy policy which allows the private party to collect and share its users’ cell-site location information.28

Because of the rapid advancement of technology in our world, lawmakers and the courts must develop laws that protect individuals from privacy and security issues that stem from technology and the data information trails they leave behind.

Cases related to Algorithms and Discrimination Lumpkin v. Farmers Group., Inc.

This case involved disparate impact on minority policy holders in insurance pricing, with the scoring and underwriting algorithm returning higher insurance rates for minorities than for white policy holders.29 The court interpreted the disparate impact doctrine to require a showing of “discriminatory effect or impact on members of a class protected by Title VIII.”30 The court stated that “direct proof of the defendant's discriminatory intent is not essential, although such evidence may bolster the discrimination claim.”31 Further, “a prima facie inference of racial discrimination may be drawn where the plaintiff is a member of a protected class, meets the objective criteria for the service requested, and was denied that service on the same terms as Caucasians, if statistics show that the majority of the services provided on those better terms were awarded to Caucasians.”32 The court went on to say that “to establish a disparate impact claim, a plaintiff must prove that a specific facially neutral policy or practice created statistical disparities so great as to be functionally equivalent to intentional discrimination, therefore disadvantaging protected class members.” Finally, the court pointed out that “the relevant inquiry is whether the policy or practice specifically identified by the plaintiff has a significantly greater discriminatory impact on members of a protected class.”33

26 Guthrie Ferguson, supra, at 573. 27 Riley v. California, 573 U.S. 373, 134 S. Ct. (2014). 28 United States v. Adkinson, 916 F.3d 605, 610 (2019). 29 Id. at 9. 30 Id. (citing English Woods Civic Assoc. v. Cincinnati Metro. Hous. Auth., 2004 U.S. Dist. LEXIS 26389, 33-34

(S.D. Ohio Dec. 17, 2004)). 31 Id (citing Arthur v. Toledo, 782 F.2d 565, 574-75 (6th Cir. 1986)). 32 Id (citing English Woods, at 34). 33 Id (citing Golden v. Columbus, 404 F.3d 950, 963-64 (6th Cir. 2005)).

124

Also in Lumpkin, the Court found relevancy and necessity in denying a motion to dismiss by the Defendants, who argued that Lumpkin “had failed to state a disparate impact claim because she had not provided any basis -- statistical, anecdotal, or otherwise -- for her assertion that the Defendants' policies have a disproportionate impact on minorities.”34 The court found that “in her complaint, Lumpkin has stated that certain undisclosed credit scoring variables are highly correlated with race and, therefore, that racial minorities as a group have lower credit scores than Caucasians and are charged higher prices for identical policies.”35 The court went on to state “because she alleges that the Defendants have never disclosed the scoring variables, Plaintiff Lumpkin cannot be expected to support this allegation with concrete facts or statistical data without conducting discovery.”36

Hous. Fed'n of Teachers, Local 2415 v. Hous. Indep. Sch. Dist.

This case concerned “the use of privately developed algorithms to terminate public school teachers for ineffective performance.”37 Teachers were evaluated using these algorithms developed by a private software company and brought suit alleging due process violation.38 The school district's motion for summary judgment on the teachers' procedural due process claim was denied; the court found that most teachers represented by the union had “a constitutionally protected property interest in continued employment during or beyond their current term,” and that “HISD's value-added appraisal system poses a realistic threat to deprive plaintiffs of constitutionally protected property interests in employment” because they were denied access to the computer algorithms and data necessary to verify the accuracy of their scores.”39 In denying summary judgment, the court pointed out the necessity of having access to these algorithms by stating, “HISD teachers have no meaningful way to ensure correct calculation of their EVAAS scores, and as a result are unfairly subject to mistaken deprivation of constitutionally protected property interests in their jobs.”40

Due process issues and claims arise when the government acts in a way that threatens to deprive a citizen of a life, liberty, or property interest, requires the affected person be given notice and opportunity to be heard, and a decision by a neutral decisionmaker.41 To evaluate the claim, a court “must first consider whether there is sufficient evidence implicating a protected property right.”42 For example, in Houston Federation of Teachers, Local 2415 v. Houston Independent School District, an algorithm to assess teacher performance, and evaluate employment as a result, gave rise to due process issues concerning the teachers’ employment as a protected property interest.43

Cases Relating to Biometric Data Privacy In re Facebook Biometric Info Privacy Litig.

34 Lumpkin at 10. 35 Id. 36 Id. 37 Hous. Fed'n of Teachers, Local 2415 v. Hous. Indep. Sch. Dist., 251 F. Supp. 3d 1168, 1171 (S.D. Tex. 2017).. 38 See Id. at 1171-72. 39 Id. at 1173, 1174. 40 Id. 41 See Id. at 1170. 42 Id. 43 See Id.

125

Plaintiffs brought a class-action suit against Facebook in 2016 claiming that their “Tag Suggestions program collects and stores biometric data in violation of the Illinois Biometric Information Privacy Act (“BIPA”).44

BIPA requires private entities to provide notice and obtain consent when either "biometric identifiers or biometric information" are at issue. "Biometric identifiers" include "scan[s] of . . . face geometry" and "biometric information" includes "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." "Biometric identifiers do not include . . . photographs" and biometric information "does not include information derived from items or procedures excluded under the definition of biometric identifiers."45

Facebook currently retains the largest collection of biometric data by a private company. It has claimed to have “practically infinite” amounts of facial recognition data from its users. This data has helped train Facebook’s facial recognition technology used within its apps. “One of the inventors of facial recognition technology believes that Facebook’s database could allow its system to ‘recognize the entire population of earth.”46

In January 2020, Facebook agreed to settle the lawsuit and pay $550 million to Illinois users.47 Although this was a victory for privacy groups, the “settlement underscored the importance of strong privacy legislation.”48

Aguilar v. Rexnord, LLC

Plaintiff alleged that his employer “collected and stored” his fingerprints without his consent, violating the Illinois Biometric Information Privacy Act. In Rivera v. Google, LLC., Plaintiff brough suit against Google’s photo storing application, Google Photos, claiming privacy issues. Google Photos detects facial images and groups them based on similar facial features. In both Aguilar and Rivera, Plaintiffs were not successful in bringing their cases before the Court. The Court ruled in both cases that the Court lacked “subject matter jurisdiction because Plaintiffs have not suffered concrete injuries for Article III purposes.”49

Legislative Materials Regarding Examining the Use of Alternative Data in Underwriting and Credit Scoring to Expand Access to Credit: Hearing Before the H. Comm. on Financial Services Task Force on Financial Technology, 116th Cong. (July 2019) (testimony of Chi Chi Wu, National Consumer Law Center). Administrative and Executive Materials

Exec. Order No. 13181, 65 FR 81321 (2000). To Protect the Privacy of Protected Health Information in

Oversight Investigations, President Clinton, 2000.

44 In re Facebook Biometric Info. Privacy Litig., 2018 U.S. Dist LEXIS 81044 (N.D. Cal. May 14, 2018) 45 Id. (internal citations omitted) 46 Pope, supra note 281, at 785. 47 Singer, Natasha and Isaac, Mike, Facebook to Pay $550 Million to Settle Facial Recognition Suit, https://www.nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit-earnings.html, Jan. 28, 2020. 48 Id. 49 Rivera v. Google, Inc., 366 F. Supp. 3d 998, 33 (Dec. 2018).

126

Generally restricts investigative and prosecutorial authorities’ use of personal health care information gathered by health oversight authorities in the pursuit of individual criminal investigation unless a judicial officer has determined there is good cause after weighing the public interest and the need for disclosure against the potential injury to the patient, the physician patient relationship, and to the treatment services. [This EO is still in effect according to the Federal Register.] GET EXACT LANGUAGE

45 C.F.R. 164.512(e)(1)(ii)(B) (“HIPAA).

(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if: The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

45 C.F.R. 164.512(e)(1)(v) (“HIPAA”).

(e) Standard: Disclosures for judicial and administrative proceedings – (1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding: … (v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that: (A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and (B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

W.Va. C.S.R. 114-15-4.2(a)

For an insurer subject to 114 CSR 51 or 114 CSR 53, the insurer or related entity shall, in addition, maintain its books, records, and documents in a manner so that the practices of the entity regarding network adequacy, utilization review, quality assessment and improvement and provider credentialing may be ascertained during a market conduct examination.

W.Va. C.S.R. 114-15- 4.2(b) All insurer records within the scope of this rule must be retained for the lesser of: 1. The current calendar year plus five (5) calendar years; 2. From the closing date of the period of review for the most recent examination by the commissioner; or 3. A period otherwise specified by statute as the examination cycle for the insurer.

W.Va. C.S.R. 114-15-4.2(c).

The producer of record shall maintain a file for each policy sold, and the file shall contain all work papers and written communications in his or her possession pertaining to the policy documented therein. These records shall be retained for the current calendar year plus additional years as set forth in subdivision b of this subsection.

W. Va. C.S.R. 114-57-15.1

127

A licensee shall not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.

W. Va. C.S.R. 114-57-15.2. Nothing in this section shall prohibit, restrict or require an authorization for the disclosure of nonpublic personal health information by a licensee for the performance of the following insurance functions by or on behalf of the licensee: claims administration; claims adjustment and management; detection, investigation or reporting of actual or potential fraud, misrepresentation or criminal activity; underwriting; policy placement or issuance; loss control; ratemaking and guaranty fund functions; reinsurance and excess loss insurance; risk management; case management; disease management; quality assurance; quality improvement; performance evaluation; provider credentialing verification; utilization review; peer review activities; actuarial, scientific, medical or public policy research; grievance procedures; internal administration of compliance, managerial, and information systems; policyholder service functions; auditing; reporting; database security; administration of consumer disputes and inquiries; external accreditation standards; the replacement of a group benefit plan; activities in connection with a sale, merger, transfer or exchange of all or part of a business or operating unit; any activity that permits disclosure without authorization pursuant to the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the U.S. Department of Health and Human Services; disclosure that is required, or is one of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out a transaction or providing a product or service that a consumer requests or authorizes; and any activity otherwise permitted by law, required pursuant to governmental reporting authority, or to comply with legal process. Additional insurance functions may be added with the approval of the commissioner to the extent they are necessary for appropriate performance of insurance functions and are fair and reasonable to the interest of consumers.

W. Va. C.S.R. 114-62-3.1

Each licensee shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of consumer information. The …safeguards included in the …program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities.

Secondary Sources Executive Reports EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: Seizing Opportunities, Preserving Values (2014), https://bigdatawg.nist.gov/pdf/big_data_privacy_report_may_1_2014.pdf. EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights (2016), https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/2016_0504_data_discrimination.pdf.

https://bigdatawg.nist.gov/pdf/big_data_privacy_report_may_1_2014.pdf



128

EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues (2016), https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf. FEDERAL TRADE COMMISSION, FTC Recommends Congress Require the Data Broker Industry to be More Transparent and Give Consumers Greater Control Over Their Personal Information, FTC.gov (May 27, 2014), https://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more. President’s Council of Advisors on Science and Technology (PCAST), Big Data and Privacy: A Technological Perspective. EXECUTIVE OFFICE OF THE PRESIDENT at §§ 4.2, 4.4, 4.5.4 (May 2014), https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-may_2014.pdf. Books and Collections Lori Andrews, I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy, Free Press, a Division of Simon & Schuster, Inc. at 76 (2011). Julie Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism, Oxford University Press (2019). Ronald Deibert et al (eds), Access Controlled: The Shaping of Power, Rights and Rule in Cyberspace, The MIT Press (2010). 4 Milgram on Trade Secrets § 14.02 (2019). Margaret O’Mara, The Code: Silicon Valley and the Remaking of America, Penguin Press (2019). Trade Secret Under State Law, 53 A.L.R.4TH 1046 (2015) (citing Uniform Trade Secrets Act of 1979 § 1(4), 14 ULA 542 (1979)); Am Jur 2d, Desk Book, Item No. 124. Journals and Law Review Articles Lisa T. Alexander, Cyberfinancing for Economic Justice, 4 Wm. & Mary Bus. L. Rev. 309 (2013). Solon Barocas & Andrew D. Selbst, Big Data's Disparate Impact, 104 CALIF. L. REV.. 671 (2016). Jennifer Bauer, Playing Off Key: Trans-Atlantic Data Regulation in a Discordant World, 119 WV LAW REV. 793, 813 (2016). Robert Brauneis & Ellen P. Goodman, Algorithmic Transparency for the Smart City, 20 Yale J. L. & Tech. 103 (2018). Matthew Bruckner, The Promise and Perils of Algorithmic Lenders’ Use of Big Data, 93 CHI.-KENT L. REV. 3 at 15, 28-29 (2018).





129

Erdem Buyuksagis, Towards a Transatlantic Concept of Data Privacy, 30 Fordham Intell. Prop. Media & Ent. L.J. 139 (2019), https://heinonline.org/HOL/P?h=hein.journals/frdipm30&i=145&a=d3Z1LmVkdQ. Nate Cullerton, Behavioral Credit Scoring, 101 GEO. L.J. 807 at 808 (2013). Amy B. Cyphert, Tinker-Ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students, 20 Nev. L.J. 457, 461–62 (2020). Amy Cyphert and Nicole McConologue, Mary Donnelly and Maeve McDonagh, Health Research, Consent and the GDPR Exemption, European Journal of Health Law (Apr. 24, 2019), https://brill.com/view/journals/ejhl/26/2/article-p97_2.xml. Andrew Guthrie Ferguson, The “Smart” Fourth Amendment, 102 CORNELL L. REV. 547 (2017). Charles Tait Graves and Brian D. Range, Identification of Trade Secret Claims in Litigation: Solutions for a Ubiquitous Dispute, 5 NW. J. TECH. & INTELL. PROP. 76 (2006). Lauren Henry, Information Privacy and Data Security, 2015 Cardozo L. Rev. De-Novo 107 (2015), https://heinonline.org/HOL/P?h=hein.journals/denovo2015&i=77&a=d3Z1LmVkdQ. Gary Hernandez, Katherine J. Eddy, Joel Muchmore, Insurance Weblining and Unfair Discrimination in Cyberspace, 54 SMU L. Rev. 1953 (2001). Kimberly Houser & Gregory Voss, GDPR: The End of Google and Facebook or a Paradigm in Data Privacy? 25 RICHMOND J. L. & INFO. TECH. 1, 104 (2018). Mikella Hurley & Julius Adebayo, Credit Scoring in the Era of Big Data, 18 YALE J.L. & TECH. 148 at 152 (2016). Sonia K. Katyal, Private Accountability in the Age of Artificial Intelligence, 66 UCLA L. REV. 54 (2019). Mary Kraft, Comment, Big Data Little Privacy: Protecting Consumers’ Data While Promoting Economic Growth, 45 U. DAYTON L. REV. 97, 121 (2020). Thomas M. Lenard & Paul H. Rubin, Big Data, Privacy and the Familiar Solutions, 11 J.L. Econ. & Pol'y 1 (2015), https://heinonline.org/HOL/P?h=hein.journals/jecoplcy11&i=5&a=d3Z1LmVkdQ. Mark MacCarthy, Standards of Fairness for Disparate Impact Assessment of Big Data Algorithms, 48 Cumb. L. Rev. 67 (2017). Brittany A. Martin, The Unregulated Underground Market for Your Data: Providing Adequate Protections for Consumer Privacy in the Modern Era, 105 Iowa L. Rev. 865 (2020), https://heinonline.org/HOL/P?h=hein.journals/ilr105&i=882.

https://heinonline.org/HOL/P?h=hein.journals/frdipm30&i=145&a=d3Z1LmVkdQ



https://heinonline.org/HOL/P?h=hein.journals/denovo2015&i=77&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/jecoplcy11&i=5&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/ilr105&i=882

130

Alex Mihaildis & Liane Colonna, A Methodological Approach to Privacy by Design within the Context of Lifelogging Technologies, 46 Rutgers Computer & Tech. L.J. 1 (2020), https://heinonline.org/HOL/P?h=hein.journals/rutcomt46&i=11&a=d3Z1LmVkdQ. Craig Mundie, Privacy Pragmatism; Focus on Data Use, Not Data Collection, 93 FOREIGN AFF. 28 (2014). Marcy Peek, Passing Beyond Identity on the Internet: Espionage & Counterespionage in the Internet Age, 28 Vt. L. Rev. 91 (2003).

Emmanuel Pernot-Leplay, EU Influence on Data Privacy Laws: Is the US Approach Converging with the EU Model?, 18 Colo. Tech. L.J. 25 (2020), https://heinonline.org/HOL/P?h=hein.journals/jtelhtel18&i=39&a=d3Z1LmVkdQ. Carra Pope, Biometric Data Collection in an Unprotected World: Exploring the Need for Federal Legislation Protecting Biometric Data, 26 J.L. & Pol’y 769 (2018). Charles Pults, America’s Data Crisis: How Public Voter Registration Data Has Exposed The American Public to Previously Unforeseen Dangers and How to Fix it, 105 IOWA L. REV. 1363, 1375 (2020). Aliya Ramji , Deniz Tamer , Carina Barrera Cota , Renato Leite Monteiro , Caio Cesar C. Lima, Joseph Prestia & Kristina Subbotina, Managing Big Data Privacy and Security, 46 Int'l L. News 1 (2017), https://heinonline.org/HOL/P?h=hein.journals/inrnlwnw46&i=1&a=d3Z1LmVkdQ. Neil Richards, Why Data Privacy Law is (Mostly) Constitutional, 56 WILLIAM & MARY L. REV. 1501, 1504 (2014-2015). Ira Rubinstein, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, 6 I/S A Journal of Law and Policy for the Information Society 355 (2011). Michael L. Rustad & Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 Fla. L. Rev. 365 (2019), https://heinonline.org/HOL/P?h=hein.journals/uflr71&i=381&a=d3Z1LmVkdQ. Rachel Schneider and Arjan Schutte, The Predictive Value of Alternative Credit Scores, Center for Financial Services Innovation at 5 (2007), https://s3.amazonaws.com/cfsi-innovation-files/wp-content/uploads/2017/02/05053225/The-Predictive-Value-of-Alternative-Credit-Scores.pdf. Andrew Selbst, Disparate Impact in Big Data Policing, 52 GA. L. REV. 109,113 (2017). Michael Simpson, All Your Data are Belong to Us*: Consumer Data Breach Rights and Remedies in an Electronic Exchange Economy, 87 Col. L. Rev. 669 (2016). Daniel J. Solove, A Brief History of Information Privacy Law in Proskauer on Privacy, PLI at 1-4 (2006). Richard Q. Sterns, Complementary Approaches or Conflicting Strategies: Examining CISA and New York's DFS Cybersecurity Regulations as a Harmonizing Framework for a Bilateral Approach to Cybersecurity, 26 Rich.

https://heinonline.org/HOL/P?h=hein.journals/rutcomt46&i=11&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/jtelhtel18&i=39&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/inrnlwnw46&i=1&a=d3Z1LmVkdQ

https://heinonline.org/HOL/P?h=hein.journals/uflr71&i=381&a=d3Z1LmVkdQ

131

J.L. & Tech. 1 (2020), https://heinonline.org/HOL/P?h=hein.journals/jolt26&i=215&a=d3Z1LmVkdQ. Fadja Tassey, Current Topics in Internet Law Data Breach Liability, Seton Hall Univ. Law School Student Scholarship 940 (2018), https://scholarship.shu.edu/student_scholarship/940. Omer Tene, Jules Polonetsky, Taming the Golem: Challenges of Ethical Algorithmic Decision Making, 19 N.C.J.L. & Tech. 135 (2017).

Newspapers and Online Sources A Private Right of Action is Key to Ensuring that Consumers Have Their Own Avenue for Redress, New America (2021), https://www.newamerica.org/oti/reports/enforcing-new-privacy-law/a-private-right-of-action-is-key-to-ensuring-that-consumers-have-their-own-avenue-for-redress/#:~:text=With%20a%20private%20right%20of,sue%20the%20violating%20company%20directly.&text=24%20The%20California%20Consumer%20Protection,result%20of%20the%20company's%20negligence. Reed Albergotti, On iPhones, Facebook and Apple Begin a War of Pop-Up Messages, The Washington Post (Feb. 1, 2021, 10:00 AM), https://www.seattletimes.com/business/technology/on-iphones-facebook-and-apple-begin-a-war-of-pop-up-messages/. Julia Agwin and Terry Parris, Jr. Facebook Lets Advertisers Exclude Users by Race, ProPublica (2016), https://www.propublica.org/article/facebook-lets-advertisers-exclude-users-by-race.

American Property Casual Insurance Company, Comment, Collection and Use of Personally Identifiable Data Act (April 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=25833e4d-ee53-755a-4ded-383e02e3bf97&forceDialog=0. Americans and Privacy: Concerned, Confused and Feeling a Lack of Control Over Their Personal Information, Pew Research (2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.

Bryan Anderson, Could you get a digital dividend? Gavin Newsom wants Californians to profit from tech data, The Sacramento Bee (Feb. 13, 2019, 7:52 PM PST), https://www.sacbee.com/news/politics-government/capitol-alert/article226162205.html. Betsy Atkins, Big Tech, Data Privacy and The Board’s Role, Forbes (Nov. 12, 2020, 3:34 PM), https://www.forbes.com/sites/betsyatkins/2020/11/12/big-tech-data-privacy-and-the-boards-role/?sh=ee467335bba1. Baker McKenzie, Privacy Update: Hong Kong Government Considering Amendments to the Personal Data (Privacy) Ordinance, Lexology (2020), https://www.lexology.com/library/detail.aspx?g=09ff9a20-f68c-4f98-aa00-5d7ffa3e48b4.

https://heinonline.org/HOL/P?h=hein.journals/jolt26&i=215&a=d3Z1LmVkdQ

https://scholarship.shu.edu/student_scholarship/940

https://www.newamerica.org/oti/reports/enforcing-new-privacy-law/a-private-right-of-action-is-key-to-ensuring-that-consumers-have-their-own-avenue-for-redress/#:~:text=With%20a%20private%20right%20of,sue%20the%20violating%20company%20directly.&text=24%20The%20California%20Consumer%20Protection,result%20of%20the%20company's%20negligence





https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=25833e4d-ee53-755a-4ded-383e02e3bf97&forceDialog=0


https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/




132

Natasha Bernal, Twitter Under Fire for Selling Data to Advertisers, The Telegraph (Oct. 9, 2019, 5:30 PM), https://www.telegraph.co.uk/technology/2019/10/09/twitter-fire-profiting-millions-uk-users-data-sold-advertisers/. Big Data Scoring: The Leader in Big Data Credit Scoring Solutions, What is Big Data Scoring? (2021), https://www.bigdatascoring.com/. Big Tech’s Shift to Privacy, International Association of Privacy Professionals (2019), https://iapp.org/media/uploads/2019/07/big-tech-shift-to-privacy-chart-final.pdf. James Bopp, Jr., Commissioner, Uniform Law Commission, ULC CUPID, Comment, Comparison Between Alternative Draft and Committee Draft (Aug. 4, 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4686622f-b990-e782-96e6-a11fb3d05b14&forceDialog=0. Glenn A. Brown and Shalin R. Sood, Business in the Time of COVID-19: US Cybersecurity and Privacy Issues for You to Consider, THE NAT. L. REV., Vol. XI Num. 56 (Feb. 25, 2020), https://www.natlawreview.com/article/business-time-covid-19-us-cybersecurity-and-privacy-issues-you-to-consider. Chris Campbell, Top Five Differences Between Data Lakes and Data Warehouses, Blue Granite (January 26, 2015), https://www.bluegranite.com/blog/bid/402596/top-five-differences-between-data-lakes-and-data-warehouses. The Center for Consumer Law and Education, https://www.theccle.org/what-we-do. William Chalk, Landmark Laws: Data Brokers and the Future of US Privacy Regulation, CSO (Mar. 6, 2019), https://www.csoonline.com/article/3356458/landmark-laws-data-brokers-and-the-future-of-us-privacy-regulation.html. Te-Ping Chen, Your Company Wants to Know if You’ve Lost Weight, The Wall Street Journal (Feb. 11. 2019) https://www.wsj.com/articles/does-your-company-need-to-know-your-body-mass-index-11549902536. Clickwrap: Everything You Need to Know, Upcounsel (2020), https://www.upcounsel.com/clickwrap. Jeremy Conrad, Privacy Rights During a Pandemic and Beyond, Washington Lawyer 29, (July/August 2020). Datarade, Buy Consumer Behavior Data (2021), https://datarade.ai/data-categories/consumer-behavior-data. Datarade, Consumer Styles: A dataset by MBI Geodata (2021), https://datarade.ai/data-products/consumer-styles. Datarade, Personas Data: A dataset by Gravy Analytics (2021), https://datarade.ai/data-products/personas-data-gravy-analytics.



https://www.bigdatascoring.com/

https://iapp.org/media/uploads/2019/07/big-tech-shift-to-privacy-chart-final.pdf

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4686622f-b990-e782-96e6-a11fb3d05b14&forceDialog=0




https://www.theccle.org/what-we-do

https://www.csoonline.com/article/3356458/landmark-laws-data-brokers-and-the-future-of-us-privacy-regulation.html

https://www.csoonline.com/article/3356458/landmark-laws-data-brokers-and-the-future-of-us-privacy-regulation.html

https://www.wsj.com/articles/does-your-company-need-to-know-your-body-mass-index-11549902536


https://www.upcounsel.com/clickwrap

https://datarade.ai/data-categories/consumer-behavior-data


https://datarade.ai/data-products/consumer-styles


https://datarade.ai/data-products/personas-data-gravy-analytics


133

Thomas H. Davenport, Paul Barth, & Randy Bean, How ‘Big Data’ is Different, MIT Sloan Management Review (July 20, 2012), https://sloanreview.mit.edu/article/how-big-data-is-different/. Jessica Davis, Congressional Bills Target COVID-19 Contract Tracing App Privacy, HEALTH IT SECURITY, May 18, 2020, https://healthitsecurity.com/news/congressional-bills-target-covid-19-contract-tracing-app-privacy. Definition of Data Mining, The Economic Times (2021), https://economictimes.indiatimes.com/definition/data-mining; https://www.sas.com/en_us/insights/analytics/data-mining.html#:~:text=Data%20mining%20is%20the%20process,relationships%2C%20reduce%20risks%20and%20more Ali Dukakis, China rolls out software surveillance for the COVID-19 pandemic, alarming human rights advocates, ABC News (April 14, 2020 at 6:30 AM), https://abcnews.go.com/International/china-rolls-software-surveillance-covid-19-pandemic-alarming/story?id=70131355. Edelman, In Brands We Trust?, Edelman Trust Baromter (2019), https://www.edelman.com/sites/g/files/aatuss191/files/2019-07/2019_edelman_trust_barometer_special_report_in_brands_we_trust.pdf Carol A. Evans, Associate Director, and Westra Miller, Counsel, Division of Consumer and Community Affairs, Federal Reserve Board, From Catalogs to Clicks: The Fair Lending Implications of Targeted, Internet Marketing, Consumer Compliance Outlook, Third Issue (2019).

Exposure Notifications: Using technology to help public health authorities fight COVID‐19, Google (2020), https://www.google.com/covid19/exposurenotifications/. Emily Feng, In China, A New Call To Protect Data Privacy, NPR (Jan. 5, 2020 at 9:00 AM ET), https://www.npr.org/2020/01/05/793014617/in-china-a-new-call-to-protect-data-privacy. Andrew Ferguson, High-tech surveillance amplifies police bias and overreach, The Conversation (June 12, 2020) https://theconversation.com/high-tech-surveillance-amplifies-police-bias-and-overreach-140225?utm_medium=email&utm_campaign=Latest%20from%20The%20Conversation%20for%20June%2012%202020%20-%201649615867&utm_content=Latest%20from%20The%20Conversation%20for%20June%2012%202020%20-%201649615867+Version+A+CID_67e40c7307d4f29b813c70baed94457f&utm_source=campaign_monitor_us&utm_term=Police%20use%20technology%20to%20track%20protesters. Financial Services Joint Trade Association (FSJTA), Comment, FSJTA’s Comment on The Uniform Law Commission’s Collection and Use of Personally Identifiable Data Act (April 23, 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=c17a8ede-be6e-f3b9-07dc-42d0cc734ae4&forceDialog=0.

https://sloanreview.mit.edu/article/how-big-data-is-different/


https://healthitsecurity.com/news/congressional-bills-target-covid-19-contract-tracing-app-privacy


https://economictimes.indiatimes.com/definition/data-mining

https://www.sas.com/en_us/insights/analytics/data-mining.html#:~:text=Data%20mining%20is%20the%20process,relationships%2C%20reduce%20risks%20and%20more



https://abcnews.go.com/International/china-rolls-software-surveillance-covid-19-pandemic-alarming/story?id=70131355


https://www.google.com/covid19/exposurenotifications/

https://www.npr.org/2020/01/05/793014617/in-china-a-new-call-to-protect-data-privacy

https://theconversation.com/high-tech-surveillance-amplifies-police-bias-and-overreach-140225?utm_medium=email&utm_campaign=Latest%20from%20The%20Conversation%20for%20June%2012%202020%20-%201649615867&utm_content=Latest%20from%20The%20Conversation%20for%20June%2012%202020%20-%201649615867+Version+A+CID_67e40c7307d4f29b813c70baed94457f&utm_source=campaign_monitor_us&utm_term=Police%20use%20technology%20to%20track%20protesters







https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=c17a8ede-be6e-f3b9-07dc-42d0cc734ae4&forceDialog=0

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=c17a8ede-be6e-f3b9-07dc-42d0cc734ae4&forceDialog=0

134

Fingerprints and Other Biometrics, FED. BUREAU OF INVESTIGATION (discussing the FBI's Next Generation Identification program), https://www.fbi.gov/services/cjis/fingerprints-and-other-biometrics#:~:text=Fingerprints%20are%20a%20common%20biometric,%2C%20palmprints%2C%20and%20facial%20patterns.&text=It%20has%20used%20various%20forms,national%20fingerprint%20collection%20in%201924. Gizelle Fletcher, 5 Components of an Enforeceable Clickwrap Agreement, Pactsafe (2019), https://www.pactsafe.com/blog/5-components-of-an-enforceable-clickwrap-agreement. Geoffrey Fowler, It’s the middle of the night. Do you know who your iPhone is talking to? The Washington Post (May 28, 2019, 8:00 AM EDT), https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/?wpisrc=nl_most&wpmm=1. Geoffrey Fowler, The spy in your wallet: Credit cards have a privacy problem, The Washington Post (Aug. 26, 2019, 12:00 AM EDT), https://www.washingtonpost.com/technology/2019/08/26/spy-your-wallet-credit-cards-have-privacy-problem/?wpisrc=nl_most&wpmm=1. Geoffrey A. Fowler, Nobody reads privacy policies. This senator wants lawmakers to stop pretending we do, The Washington Post (Jun 18, 2020), https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown/. Michele Gilman, Data insecurity leads to economic injustice – and hits the pocketbooks of the poor most, The Conversation (Apr. 30, 2019, 6:43 AM EDT). https://theconversation.com/data-insecurity-leads-to-economic-injustice-and-hits-the-pocketbooks-of-the-poor-most-116231. James Glanz, Benedict Carey, Josh Holder, Derek Watkins, Jennifer Valentino-DeVries, Rick Rojas and Lauren Leatherby, Where America Didn’t Stay Home Even as the Virus Spread, The New York Times (April 2, 2020), https://www.nytimes.com/interactive/2020/04/02/us/coronavirus-social-distancing.html. William Goddard, How Do Big Companies Collect Customer Data, IT Chronicles (Jan. 14, 2019), https://itchronicles.com/big-data/how-do-big-companies-collect-customer-data/. Jefferson Graham and Laura Schulte, Wisconsin Workers Embedded with Microchips, USA Today (Aug. 1, 2017, 8:49 AM ET), https://www.usatoday.com/story/tech/talkingtech/2017/08/01/wisconsin-employees-got-embedded-chips/529198001/. Preston Gralla, Opinion, Amazon Prime and the Racist Algorithms, Computerworld (May 11, 2016), https://www.computerworld.com/article/3068622/amazon-prime-and-the-racist-algorithms.html. Yael Grauer, What are Data Brokers, and Why are They Scooping Up Information About You?, Vice (March 27, 2018), https://www.vice.com/en/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection. Andy Greenberg. The iOS Covid App Ecosystem Has Become a Privacy Minefield, Wired.com (Nov. 13, 2020 at 7:00 AM), https://www.wired.com/story/covid-19-ios-apps-privacy/.

https://www.fbi.gov/services/cjis/fingerprints-and-other-biometrics#:~:text=Fingerprints%20are%20a%20common%20biometric,%2C%20palmprints%2C%20and%20facial%20patterns.&text=It%20has%20used%20various%20forms,national%20fingerprint%20collection%20in%201924




https://www.pactsafe.com/blog/5-components-of-an-enforceable-clickwrap-agreement













https://www.computerworld.com/article/3068622/amazon-prime-and-the-racist-algorithms.html

https://www.vice.com/en/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection

https://www.vice.com/en/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection

https://www.wired.com/story/covid-19-ios-apps-privacy/

135

Neema Singh Guliani, The tech industry is suddenly pushing for federal privacy legislation. Watch out., The Washington Post (Oct. 3, 2018, 8:23 AM EDT). https://www.washingtonpost.com/opinions/the-tech-industry-is-suddenly-pushing-for-federal-privacy-legislation-watch-out/2018/10/03/19bc473e-c685-11e8-9158-09630a6d8725_story.html. Matthew Haag, DNA testing company admits to secretly sharing people’s genetic data with FBI, The Independent (Feb. 5, 2019), https://www.independent.co.uk/news/world/americas/dna-testing-fbi-data-breach-privacy-family-tree-bennett-greenspan-a8763521.html Chloe Hadavas, What Google’s Latest Data Privacy Announcement Actually Means, Slate (Jan. 16, 2020, 3:55 PM), https://slate.com/technology/2020/01/google-chrome-cookies-phase-out.html. Patience Haggin, Keach Hagey, and Sam Schechner, Apple’s Privacy Change Will Hit Facebook’s Core Ad Business. Here’s How., The Wall Street Journal (Jan. 29, 2021, 11:49 AM), https://www.wsj.com/articles/apples-privacy-change-will-hit-facebooks-core-ad-business-heres-how-11611938750. Stephanie Hall, Harnessing Data While Protecting Privacy, National Association of Manufacturers (Feb. 11, 2020), https://www.manufacturingleadershipcouncil.com/2020/02/11/harnessing-data-while-protecting-privacy/. Simon Handler and Lily Lui, The 5x5—Fighting COVID-19 with surveillance: Perspectives from across the globe, Atlantic Council (July 29, 2020), https://www.atlanticcouncil.org/blogs/new-atlanticist/fighting-covid-19-with-surveillance-perspectives-from-across-the-globe/. Health Insurers Are Vacuuming Up Details About You, ProPublica, Avail: https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates. Here are the Data Brokers Quietly Buying and Selling your Personal Information, Fast Company (Mar. 2, 2019), https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information. Tim Higgins, Apple, Facebook Trade Barbs Over Privacy-Focused Business Models, The Wall Street Journal (Jan. 28, 2021, 12:34 PM), https://www.wsj.com/articles/apple-to-roll-out-privacy-measures-despite-facebook-objections-11611810002. Holland & Knight, ONC, CMS Finalize Transforming Interoperability and Patient Access to Data Rules (Mar. 18, 2020), https://www.jdsupra.com/legalnews/onc-cms-finalize-transforming-68904/. International Association of Privacy Professionals, Fair Information Practice Principles, https://iapp.org/resources/article/fair-information-practices/. Bobbie Johnson, The US’s draft law on contact tracing apps is a step behind Apple and Google, MIT Technology Review (June 2, 2020), https://www.technologyreview.com/2020/06/02/1002491/us-covid-19-contact-tracing-privacy-law-apple-google/.




https://slate.com/technology/2020/01/google-chrome-cookies-phase-out.html

https://www.manufacturingleadershipcouncil.com/2020/02/11/harnessing-data-while-protecting-privacy/


https://www.wsj.com/articles/apple-to-roll-out-privacy-measures-despite-facebook-objections-11611810002

https://www.wsj.com/articles/apple-to-roll-out-privacy-measures-despite-facebook-objections-11611810002

https://www.jdsupra.com/legalnews/onc-cms-finalize-transforming-68904/

https://iapp.org/resources/article/fair-information-practices/

136

Jones Day, States Propose Bills with CCPA-Like Provisions, JD Supra (Mar. 5, 2019), https://www.jdsupra.com/legalnews/states-propose-bills-with-ccpa-like-34541/. Sunny Seon Kang, Don’t Blame Privacy for Big Tech’s Monopoly on Information, Just Security (Sept. 18, 2020), https://www.justsecurity.org/72439/dont-blame-privacy-for-big-techs-monopoly-on-information/. Kaspersky, How Data Breaches Happen, USA Kaspersky (2020), https://usa.kaspersky.com/resource-center/definitions/data-breach. Mandeep Kaur, What is an API and why are they important to developers? Medium, (Sep 19, 2018), https://medium.com/@mandeepkaur1/what-is-an-api-and-why-are-they-important-to-developers-98ad18d45b93. Leo Kelion, Coronavirus: First Google/Apple-based Contact-tracing App Launched, BBC NEWS, May 26, 2020, https://www.bbc.com/news/technology-52807635. Arjun Kharpal, Coronavirus could be a ‘catalyst’ for China to boost its mass surveillance machine, experts say, CNBC (Feb. 24, 2020 at 8:14 PM EST), https://www.cnbc.com/2020/02/25/coronavirus-china-to-boost-mass-surveillance-machine-experts-say.html. Paul Kiel and Hannah Fresques, Where in The U.S. Are You Most Likely to Be Audited by the IRS?, ProPublica (April 2019), https://projects.propublica.org/graphics/eitc-audit. Rodney Lamp, New technology from WVU Rockefeller Neuroscience Institute aims to predict coronavirus symptoms, WBOY (July 15, 2020, 5:21 PM EDT), https://www.wboy.com/news/health/coronavirus/new-technology-from-wvu-rockefeller-neuroscience-institute-aims-to-predict-coronavirus-symptoms/. Law360, Walmart Sued After Ill. High Court Ruling On Biometric Privacy, Law360 (January 28, 2019, 10:31 PM EST), https://www.law360.com/articles/1122920/walmart-sued-after-ill-high-court-ruling-on-biometric-privacy. Ron Lieber, How to Protect Yourself After the Equifax Breach, The New York Times (Oct. 26, 2017), https://www.nytimes.com/interactive/2017/your-money/equifax-data-breach-credit.html. Kim Lyons, Congress Investigating How Data Brokers Sells Smartphone Tracking Info to Law Enforcement, The Verge (June 25, 2020), https://www.theverge.com/2020/6/25/21303190/congress-data-smartphone-tracking-fbi-security-privacy. Douglas MacMillan, Data brokers are selling your secrets. How states are trying to stop them, The Washington Post (June 24, 2019 at 5:54 PM EDT), https://www.washingtonpost.com/business/2019/06/24/data-brokers-are-getting-rich-by-selling-your-secrets-how-states-are-trying-stop-them/. Joseph Marks and Tonya Riley, The Cybersecurity 202: Coronavirus Tracking Apps Spark Security Concerns, The Washington Post (May 5, 2020, at 7:43 AM EDT), https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-

https://www.jdsupra.com/legalnews/states-propose-bills-with-ccpa-like-34541/



https://medium.com/@mandeepkaur1/what-is-an-api-and-why-are-they-important-to-developers-98ad18d45b93


https://www.bbc.com/news/technology-52807635

https://www.cnbc.com/2020/02/25/coronavirus-china-to-boost-mass-surveillance-machine-experts-say.html


https://projects.propublica.org/graphics/eitc-audit





https://www.nytimes.com/interactive/2017/your-money/equifax-data-breach-credit.html

https://www.theverge.com/2020/6/25/21303190/congress-data-smartphone-tracking-fbi-security-privacy


https://www.washingtonpost.com/business/2019/06/24/data-brokers-are-getting-rich-by-selling-your-secrets-how-states-are-trying-stop-them/


137

202/2020/05/05/the-cybersecurity-202-coronavirus-tracking-apps-spark-security-concerns/5eb05603602ff15fb00246d2/. Bernard Marr, Smartphone Tracking Data And Artificial Intelligence Turn People’s Movements Into Detailed Insights And Profits, Forbes (Oct. 7, 2020, 12:20 AM EDT), https://www.forbes.com/sites/bernardmarr/2020/10/07/smartphone-tracking-data-and-artificial-intelligence-turn-peoples-movements-into-detailed-insights-and-profits/?sh=7af9fbde6bef. Louise Matsakis, The WIRED Guide to Your Personal Data (and Who Is Using It), Wired (Feb. 15, 2018, 7:00 AM), https://www.wired.com/story/wired-guide-personal-data-collection/. Dana Mattioli, Amazon Scooped up Data from Its Own Sellers To Launch Competing Products, The Wall Street Journal (Apr. 23, 2020 at 9:51 ET), https://www.wsj.com/articles/amazon-scooped-up-data-from-its-own-sellers-to-launch-competing-products-11587650015. Steven Melendez, A landmark Vermont law nudges over 120 data brokers out of the shadows, FastCompany (2019), https://www.fastcompany.com/90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law. Dave Michels, This Post Will Self Destruct in 5 Seconds: Privacy concerns don't just happen in the consumer world and can be a major threat to enterprises. No Jitter (Aug. 26, 2020), https://www.nojitter.com/monitoring-management-and-security/post-will-self-destruct-5-seconds. Microsoft Corporation, Comment, Microsoft Corporation Comment on The Uniform Law Commission’s Collection and Use of Personally Identifiable Data Act (Oct. 23, 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4363ae45-1130-e4b2-d1cb-d35cd2403468&forceDialog=0. Taylor Moore, Trade Secrets and Algorithms as Barriers to Social Justice, Center for Democracy & Technology (August 2017). Cheryl Winokur Munk, Imagine a Nutrition Label—for Cybersecurity, The Wall Street Journal (Dec. 8, 2020, 9:00 AM ET), https://www.wsj.com/articles/imagine-a-nutrition-labelfor-cybersecurity-11607436000?mod=lead_feature_below_a_pos1. Na L, Yang C, Lo C, Zhao F, Fukuoka Y, Aswani A., Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed With Use of Machine Learning, JAMA Netw Open (2018), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2719130. National Association of Mutual Insurance Companies, Comment, Uniform Law Commission Collection and Use of Personally Identifiable Data Act (2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=7c4ce50f-53bd-eb67-c2fb-5b2849f41bbd&forceDialog=0 National Conference of State Legislatures, Security Breach Notification Laws, NCSL (2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.



https://www.wired.com/story/wired-guide-personal-data-collection/

https://www.wsj.com/articles/amazon-scooped-up-data-from-its-own-sellers-to-launch-competing-products-11587650015




https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4363ae45-1130-e4b2-d1cb-d35cd2403468&forceDialog=0

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4363ae45-1130-e4b2-d1cb-d35cd2403468&forceDialog=0

https://www.wsj.com/articles/imagine-a-nutrition-labelfor-cybersecurity-11607436000?mod=lead_feature_below_a_pos1

https://www.wsj.com/articles/imagine-a-nutrition-labelfor-cybersecurity-11607436000?mod=lead_feature_below_a_pos1

https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx


138

Nathan Newman, Comment Letter on FTC Workshop to Examine Effects of Big Data on Low Income and Underserved Consumers, How Big Data Enables Economic Harm to Consumers, Especially to Low Income and Other Vulnerable Sectors of the Population, (2014). Cindy Ng, A Guide on the Data Lifecycle: Identifying Where Your Data is Vulnerable, Varonis (March 29, 2020), https://www.varonis.com/blog/a-guide-on-the-data-lifecycle-identifying-where-your-data-is-vulnerable/. Dom Nicastro, Is Using a Data Broker the Most Secure Marketing Strategy?, CMS Wire (Nov. 11, 2020), https://www.cmswire.com/digital-marketing/is-your-data-broker-the-most-secure-marketing-strategy/. Kate O’Flaherty, Apple’s Stunning iOS 14 Privacy Move: A Game Changer for all iPhone Users, Forbes (Jan. 31, 2021). Kate Patrick, GAO Report: The Net Neutrality Debate Complicates Data Privacy, Government Technology (Feb. 21, 2019), https://www.govtech.com/policy/GAO-Report-The-Net-Neutrality-Debate-Complicates-Data-Privacy.html. Jamie Pinchot, Adman Chawdhry, and Karen Paullet, Data Privacy Issues in the Age of Data Brokerage: An Exploratory Literature Review, Issues in Information, Vol. 19, Issue 3, pp. 92-100, (2018), https://doi.org/10.48009/3_iis_2018_92-100. Ziad Obermeyer, Brian Powers, Christine Vogeli, Sendhil Mullainathan, Algorithmic Bias In Health Care: A Path Forward, Health Affairs (Nov. 1, 2019), https://www.healthaffairs.org/do/10.1377/hblog20191031.373615/full/. Office for Civil Rights, Privacy, Security, and Electronic Health Records, U.S. DEPARTMENT OF HEALTH

AND HUMAN SERVICES (2021), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf. Ohio Lawyer, Complying With the World’s Most Stringent Biometric Privacy Law, BlankRome (Jan. – Mar. 2020), https://www.blankrome.com/publications/complying-worlds-most-stringent-biometric-privacy-law. Perkins Coie, Security Breach Notification Chart: West Virginia, https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.html. Natalie A. Prescott, The Anatomy of Biometric Laws: What U.S. Companies Need to Know in 2020, National Law Review (Jan. 15, 2020), https://www.natlawreview.com/article/anatomy-biometric-laws-what-us-companies-need-to-know-2020. Max Rieper, 2020 Trends in State Privacy Legislation, Multistate (Mar. 3 2020), https://www.multistate.us/insider/2020/3/3/2020-trends-in-state-privacy-legislation.



https://www.cmswire.com/digital-marketing/is-your-data-broker-the-most-secure-marketing-strategy/

https://www.cmswire.com/digital-marketing/is-your-data-broker-the-most-secure-marketing-strategy/



https://doi.org/10.48009/3_iis_2018_92-100

https://www.healthaffairs.org/do/10.1377/hblog20191031.373615/full/

https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf


https://www.blankrome.com/publications/complying-worlds-most-stringent-biometric-privacy-law


https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.html


https://www.natlawreview.com/article/anatomy-biometric-laws-what-us-companies-need-to-know-2020


https://www.multistate.us/insider/2020/3/3/2020-trends-in-state-privacy-legislation

139

Tony Romm, DOJ Issues New Warning to Big Tech: Data and Privacy Could Be Competition Concerns, The Washington Post (Nov. 8, 2019, 3:22 PM), https://www.washingtonpost.com/technology/2019/11/08/doj-issues-latest-warning-big-tech-data-privacy-could-be-competition-concerns/. Sam Schechner, Privacy Problems Mount for Tech Giants, The Wall Street Journal (Jan. 21, 2019 at 6:30 AM ET), https://www.wsj.com/articles/privacy-problems-mount-for-tech-giants-11548070201. Elliot Setzer, Contact-Tracing Apps in the United States, LAWFARE, May 6, 2020, https://www.lawfareblog.com/contact-tracing-apps-united-states. Aarti Shahani, Microsoft President: Democracy is at Stake. Regulate Big Tech, NPR (Sept. 13, 2019, 12:18 PM ET), https://www.npr.org/2019/09/13/760478177/microsoft-president-democracy-is-at-stake-regulate-big-tech. David Shepardson and Diane Bartz, Trump administration plans two meetings on Big Tech on Wednesday, REUTERS (Sept. 21, 2020, 11:33 PM), https://www.reuters.com/article/us-usa-social-media-trump-idUSKCN26D0A0. Natasha Singer and Mike Isaac, Facebook to Pay $550 Million to Settle Facial Recognition Suit, https://www.nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit-earnings.html, Jan. 28, 2020. Christopher Sirk, What is CRM? Definition and a Beginner’s Guide to CRM, CRM.ORG (2021), https://crm.org/crmland/what-is-a-crm. Lena Solow, The Scourge of Worker Wellness Programs, The New Republic (Sept. 2, 2019), https://newrepublic.com/article/154890/scourge-worker-wellness-programs Adam Tanner, How Data Brokers Make Money off of Your Medical Records, Scientific American (Feb. 1, 2016), https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/. Byron Tau, Patience Haggin, Lawmakers Urge FTC Probe of Mobile Ad Industry’s Tracking of Consumers, The Wall Street Journal (July 31, 2020), https://www.wsj.com/articles/lawmakers-urge-ftc-probe-of-mobile-ad-industrys-tracking-of-consumers-11596214541. Byron Tau, Most Americans Object to Government Tracking of Their Activities Through Cellphones, The Wall Street Journal (Nov. 25, 2020), https://www.wsj.com/articles/most-americans-object-to-government-tracking-of-their-activities-through-cellphones-11606305601. Astra Taylor and Jathan Sadowski, How Companies Turn Your Facebook Activity into a Credit Score, The Nation, at 4 (July 15, 2015).

https://www.wsj.com/articles/privacy-problems-mount-for-tech-giants-11548070201

https://www.lawfareblog.com/contact-tracing-apps-united-states





https://crm.org/crmland/what-is-a-crm

https://newrepublic.com/article/154890/scourge-worker-wellness-programs



https://www.wsj.com/articles/lawmakers-urge-ftc-probe-of-mobile-ad-industrys-tracking-of-consumers-11596214541

https://www.wsj.com/articles/lawmakers-urge-ftc-probe-of-mobile-ad-industrys-tracking-of-consumers-11596214541

https://www.wsj.com/articles/most-americans-object-to-government-tracking-of-their-activities-through-cellphones-11606305601

https://www.wsj.com/articles/most-americans-object-to-government-tracking-of-their-activities-through-cellphones-11606305601

140

Termly Legal Team, Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP, Privacy Laws Around the World (Mar. 14, 2014), https://termly.io/resources/infographics/privacy-laws-around-the-world/. Catherine Thornbeck, New York probing Apple Card for alleged gender discrimination after viral tweet, ABC News (Nov. 11, 2019, 5:52 PM), https://abcnews.go.com/US/york-probing-apple-card-alleged-gender-discrimination-viral/story?id=66910300. Tracking COVID-19: Contact Tracing in the Digital Age, World Health Organization (Sept. 9, 2020), https://www.who.int/news-room/feature-stories/detail/tracking-covid-19-contact-tracing-in-the-digital-age. The Trust Opportunity: Exploring Consumer Attitudes to the Internet of Things, Internet Society (2019), https://www.internetsociety.org/resources/doc/2019/trust-opportunity-exploring-consumer-attitudes-to-iot/. Alexandra Twin, Reviewed by Amy Drury, Data Mining (Sep 20, 2020), https://www.investopedia.com/terms/d/datamining.asp Update About Proposed Federal Privacy Laws, One Trust (2020), https://www.onetrust.com/blog/update-about-proposed-federal-privacy-laws/. Starre Vartan, Racial Bias Found in a Major Health Care Risk Algorithm, Scientific American (Oct. 24, 2019), https://www.scientificamerican.com/article/racial-bias-found-in-a-major-health-care-risk-algorithm/. WebFX Team, What are Data Brokers – and What is Your Data Worth?, WebFx (March 16, 2020), https://www.webfx.com/blog/internet/what-are-data-brokers-and-what-is-your-data-worth-infographic/. Einat Weiss, Data Privacy Rules are Changing. How can Marketers Keep up? Harvard Business Review (Aug. 27, 2020), https://hbr.org/2020/08/data-privacy-rules-are-changing-how-can-marketers-keepup?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+harvardbusiness+%28HBR.org%29. Darrell M. West, What is Artificial Intelligence? A Blueprint For the Future of AI Series, Brookings (2018), https://www.brookings.edu/research/what-is-artificial-intelligence/. What is Big Tech and Why We Should Care, Allerin (Aug, 21, 2019), https://www.allerin.com/blog/what-is-big-tech-and-why-we-should-care. What is Data Analysis? Research, Types, Methods, Techniques, Guru99 (2021), https://www.guru99.com/what-is-data-analysis.html. What is a Data Lake? Examples and Solutions, Stitch (2021), https://www.stitchdata.com/resources/what-is-data-lake/; https://www.bluegranite.com/blog/bid/402596/top-five-differences-between-data-lakes-and-data-warehouses.



https://www.who.int/news-room/feature-stories/detail/tracking-covid-19-contact-tracing-in-the-digital-age


https://www.internetsociety.org/resources/doc/2019/trust-opportunity-exploring-consumer-attitudes-to-iot/

https://www.internetsociety.org/resources/doc/2019/trust-opportunity-exploring-consumer-attitudes-to-iot/

https://www.investopedia.com/terms/d/datamining.asp

https://www.onetrust.com/blog/update-about-proposed-federal-privacy-laws/






https://www.brookings.edu/research/what-is-artificial-intelligence/

https://www.allerin.com/blog/what-is-big-tech-and-why-we-should-care

https://www.guru99.com/what-is-data-analysis.html

https://www.stitchdata.com/resources/what-is-data-lake/



141

What is Data Processing? Talend (2021), https://www.talend.com/resources/what-is-data-processing/. What is a data set? IBM (2021), https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zconcepts/zconc_datasetintro.htm. What is IoT? Defining the Internet of Things (IoT), Aeris India (2021), https://www.aeris.com/in/what-is-iot/. Zack Whittaker, A passwordless server run by spyware maker NSO sparks contact-tracing privacy concerns, Tech Crunch (May 7, 2020 at 7:22 PM EDT), https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/. WVU Medicine, WVU Rockefeller Neuroscience Institute Announces Capability to Predict COVID-19 Related Symptoms Up to Three Days in Advance, (May 28, 2020), https://wvumedicine.org/news/article/wvu-rockefeller-neuroscience-institute-announces-capability-to-predict-covid-19-related-symptoms-up-/. Babao Zhang, et. al, Americans’ Perceptions of Privacy and Surveillance in the COVID-19 Pandemic, MIT, CORNELL UNI., May 20, 2020 (Working Paper). Raymond Zhong, China’s Virus Apps May Outlast the Outbreak, Stirring Privacy Fears, NY Times, May 26, 2020, https://www.nytimes.com/2020/05/26/technology/china-coronavirus-surveillance.html.

https://www.talend.com/resources/what-is-data-processing/

https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zconcepts/zconc_datasetintro.htm


https://www.aeris.com/in/what-is-iot/


https://wvumedicine.org/news/article/wvu-rockefeller-neuroscience-institute-announces-capability-to-predict-covid-19-related-symptoms-up-/

https://wvumedicine.org/news/article/wvu-rockefeller-neuroscience-institute-announces-capability-to-predict-covid-19-related-symptoms-up-/

https://www.nytimes.com/2020/05/26/technology/china-coronavirus-surveillance.html

142

APPENDIX F - 50 STATE SURVEY MAP

Below is the 50 State Survey Map, which illustrates the comprehensiveness of legislation within each state based on various factors such as the presence of a breach notification period, data request procedures and ability to opt-out. For the development of this map, the presence of a factor within a states legislation was designated a point of 1 while the

absence of a given factor was designated zero points. Points were then totaled to develop this map.

143

APPENDIX G - A TALE OF TWO POLICIES: COMPARING THE DATA PRIVACY POLICIES OF APPLE AND FACEBOOK

RA Jayda Guidry, a recent graduate of West Virginia University, was tasked with examining the privacy statements of Apple and Facebook to see which one was more comprehensible and accessible to the typical consumer. Below is her

commentary:

“The largest difference I noticed between the two policies was regarding the designation of personal and non-personal information and how such information is treated. Apple distinguished

between personal and non-personal information throughout its policy, while Facebook never made this distinction. Because Facebook did not do this, I found it hard to follow the policy from

collection to use of information. Facebook is unclear about its use of the types of information outlined in its information collected section and when explaining use of information used blanketed

statements about use.

Apple also explained in detail the security measures in place for the protection of user information during transfer and storage while Facebook did not. Facebook also did not have a child policy or

explain how children’s information is handled, while Apple did. In regard to the sharing of information, Apple explained how information is to be handled by its partners while Facebook

stated that there were “strict restrictions” in place for third party use of information without explaining what these strict restrictions were.

Overall, I found Facebook’s privacy statement more difficult to follow and unclear compared to

Apple’s. It was difficult to understand how the different types of information were being used and there were various things that were left unmentioned such as security measures in place and child

policy.”

144

Comparison of Data Privacy Statements: Apple and Facebook

Collection of Information Information Collected (Apple)…………... Pages 1-3

Personal Information Collected ….….….. Page 1

Third-party Sources of P.I...……………... Page 2

Non-Personal Information Collected…..... Page 3

Treatment of Combined Information…..... Page 3

Information Collected (Facebook)……… Pages 1-2

User Provided Information……... …..…. Page 1

Device Information…….………………. Page 2

Third-Party Provided Information …...… Page 2

Use of Information

Use of Information (Apple)……………... Pages 1-3

Use of P.I. ……….…………………........ Pages 1-2

Use of non-P.I. …….…………………… Page 3

Use of Information (Facebook)………..... Pages 3-4

Cookie Policy

Cookie Use (Apple)……………………... Pages 3-4

Cookie Use (Facebook)………………… Pages 9-12

Sharing of Information

Sharing of Information (Apple)…………. Page 6 Sharing of Information (Facebook)..….... Page 4

Security and Retention Period

Retention Period (Apple)………...……... Page 7

Security (Apple)………………………… Page 6

Retention Period (Facebook)….……….. Page 8

Privacy Rights

Privacy Rights (Apple)………………….. Page 7

California and Nevada (Apple)………….. Page 8

Privacy Rights (Facebook)……………... Page 7

Child Policy

Child Policy (Apple)……………………. Page 8

Questions

Questions (Apple)…………..………….. Page 10 Questions (Facebook)………….………. Page 9

ENDNOTES

1 The information provided in this white paper is meant for educational and research purposes only. It is not intended to offer legal advice of any kind. * In addition to the research assistants listed as contributors, the following people provided incredible support for this project: Valarie Blake, Catherine Barrett, Amy Cyphert, Jonathan Marshall, Nicole McConologue, Stephanie Miller, David Romano, and Samuel Perl. 2 This paper is the direct result of the Ralph C. Young Fellowship, awarded by the CCLE to Prof. Martin in 2019. 3 WVU Law, Class of 2021 4 WVU Law, Class of 2021 5 WVU Law, Class of 2021 6 WVU Law, Class of 2020 7 West Virginia University, Class of 2020 8 WVU Law, Class of 2022 9 WVU Law, Class of 2021 10 WVU Law, Class of 2021 11 Memo to Scope and Program Committee from Study Committee for Uniform On-line Data Privacy Act Chair Harvey Perlman 12 Neil Richards, Why Data Privacy Law is (Mostly) Constitutional, 56 WILLIAM & MARY L. REV. 1501, 1504 (2014-2015). 13 The Center for Consumer Law and Education, https://www.theccle.org/what-we-do.

https://www.theccle.org/what-we-do

https://leg.mt.gov/bills/mca/title_0300/chapter_0140/part_0170/section_0040/0300-0140-0170-0040.html


http://wyoleg.gov/statutes/compress/title40.docx

https://www.leg.state.nv.us/nrs/nrs-603a.html#NRS603ASec010

https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf

https://leg.colorado.gov/sites/default/files/documents/2018A/bills/2018a_1128_enr.pdf

https://legiscan.com/NM/text/HB15/id/2358918/New_Mexico-2021-HB15-Enrolled.pdf

https://www.azleg.gov/ars/18/00552.htm

http://www.akleg.gov/basis/Bill/Text/25?Hsid=HB0065F

https://ipsc.hawaii.gov/wp-content/uploads/2013/10/Chapter-487N.pdf

https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm

http://www.kslegislature.org/li_2020/b2019_20/statute/050_000_0000_chapter/050_007a_0000_article/050_007a_0002_section/050_007a_0002_k/

https://nebraskalegislature.gov/laws/statutes.php?statute=87-802

https://legiscan.com/SD/text/SB62/id/1755542/South_Dakota-2018-SB62-Enrolled.pdf

https://oksenate.gov/sites/default/files/2019-12/os24.pdf

https://revisor.mo.gov/main/OneSection.aspx?section=407.1500

http://ga.elaws.us/law/10-1%7C34

https://www.legis.iowa.gov/docs/code/715c.pdf

https://www.legis.nd.gov/cencode/t51c30.html

https://www.oregonlegislature.gov/bills_laws/ors/ors646a.html

https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010

https://legislature.idaho.gov/statutesrules/idstat/title28/t28ch51/sect28-51-105/

https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

https://legiscan.com/AR/text/HB1943/id/1995625/Arkansas-2019-HB1943-Chaptered.pdf

http://legis.la.gov/Legis/Law.aspx?d=322030

https://legiscan.com/MS/text/HB277/id/2334265/Mississippi-2021-HB277-Enrolled.html

https://legiscan.com/AL/text/SB318/id/1748038/Alabama-2018-SB318-Engrossed.pdf

http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html

https://www.scstatehouse.gov/code/t39c001.php

https://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html

https://www.capitol.tn.gov/Bills/110/Bill/SB0547.pdf

https://apps.legislature.ky.gov/LAW/STATUTES/STATUTE.ASPX?ID=43326

https://www.legis.state.pa.us/WU01/LI/LI/US/HTM/2005/0/0094..HTM

https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67

https://www.revisor.mn.gov/statutes/cite/325E.61

https://docs.legis.wisconsin.gov/statutes/statutes/134/98

http://www.legislature.mi.gov/(S(wlrjn4i3p1uu52jgmypnsi0w))/mileg.aspx?page=GetObject&objectname=mcl-445-72

https://codes.ohio.gov/ohio-revised-code/section-1349.19

http://184.175.130.101/legislative/laws/2018/ic/titles/024#24-4.9

http://www.wvlegislature.gov/wvcode/Code.cfm?chap=46a&art=2A

https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392ES1

https://www.nysenate.gov/legislation/laws/GBS/899-AA

https://legislature.maine.gov/statutes/10/title10sec1348.html

https://legislature.vermont.gov/statutes/section/09/062/02435

http://www.gencourt.state.nh.us/rsa/html/XXXI/359-C/359-C-19.htm

https://malegislature.gov/laws/generallaws/parti/titlexv/chapter93h

https://cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b

https://legiscan.com/NJ/text/S52/id/2031939/New_Jersey-2018-S52-Chaptered.html

http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTM

https://delcode.delaware.gov/title6/c012b/index.html

http://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=gcl&section=14-3504&enactments=False&archived=False




































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































14 See, e.g., Andrew Ferguson, High-tech surveillance amplifies police bias and overreach, The Conversation (June 12, 2020) https://theconversation.com/high-tech-surveillance-amplifies-police-bias-and-overreach-140225?utm_medium=email&utm_campaign=Latest%20from%20The%20Conversation%20for%20June%2012%202020%20-%201649615867&utm_content=Latest%20from%20The%20Conversation%20for%20June%2012%202020%20-%201649615867+Version+A+CID_67e40c7307d4f29b813c70baed94457f&utm_source=campaign_monitor_us&utm_term=Police%20use%20technology%20to%20track%20protesters; see also https://www.independent.co.uk/news/world/americas/dna-testing-fbi-data-breach-privacy-family-tree-bennett-greenspan-a8763521.html (article that discusses how the company Family Tree was sharing consumers genetic information with the FBI without disclosing so with consumers). 15So, for instance, an investigative report by the Wall Street Journal shows how Amazon was using data it collected from third party sellers on its website to “scoop” other businesses on deals with its consumers. Dana Mattioli, Amazon Scooped up Data from Its Own Sellers To Launch Competing Products, The Wall Street Journal (Apr. 23, 2020 at 9:51 ET), https://www.wsj.com/articles/amazon-scooped-up-data-from-its-own-sellers-to-launch-competing-products-11587650015. While this might, at first, provide some advantage to consumers, research has shown that this often leads to long-terms harm to the consumers as businesses that are undercut then leave the field and monopolies form which often time leads to unattractive pricing for consumers who subsequently have no other options 16 Research Reveals de-identified patient data can be re-identified, Univ. of Melbourne (Dec. 18, 2017), https://about.unimelb.edu.au/newsroom/news/2017/december/research-reveals-de-identified-patient-data-can-be-re-identified?mod=article_inline 17 Amy B. Cyphert, Tinker-Ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students, 20 NEV. L.J. 457, 461–62 (2020) 18 See Section VII for Recommendations and Best Practices. 19 Lori Andrews, I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy, Free Press, a Division of Simon & Schuster, Inc. at 76 (2011). 20 Consumer Online Privacy Rights Act, S. 2968, 116th Cong. (2019-2020); Consumer Data Privacy and Security Act of 2020, S. 3456, 116th Cong. (2019-2020). See also, H.R. 2231 – The Algorithmic Accountability Act of 2019; 116th Congress, Discussion Draft, Data Protection Act of 2020 (2020). 21 Daniel J. Solove, A Brief History of Information Privacy Law in Proskauer on Privacy, PLI at 1-4 (2006). 22 See Section II.A. infra for a discussion of relevant federal laws. 23 See Section III.A infra for a discussion of relevant state laws. 24 WV Code 62-1D-1. 25 Thomas H. Davenport, Paul Barth, & Randy Bean, How ‘Big Data’ is Different, MIT Sloan Management Review (July 20, 2012), https://sloanreview.mit.edu/article/how-big-data-is-different/. 26 Minimalizing the space requirements for documents also allows corporations to keep records for significantly longer than they otherwise would. 27 Andrews, supra note 19 at 21-25. See also Lori Andrews, His Profit, Your Problem, New York Daily News (May 20, 2012), https://www.kentlaw.iit.edu/sites/ck/files/public/institutes-centers/islat/His-Profit-Your-Problem.pdf. 28 https://www.sas.com/en_us/insights/big-data/what-is-big-data.html. 29 https://www.sas.com/en_us/insights/big-data/what-is-big-data.html. 30 See Glossary for a quick definition. For the impact of these devices on data privacy see Section V.E. 31 https://www.sas.com/en_us/insights/big-data/what-is-big-data.html. 32 For a copy of the current FIPP, see International Association of Privacy Professionals, Fair Information Practice Principles, available at https://iapp.org/resources/article/fair-information-practices/. For a comprehensive discussion of the self-regulation debate within the context of data privacy, see Ira Rubinstein, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, 6 I/S A Journal of Law and Policy for the Information Society 355 (2011) (discussing the privacy debates and self-regulation within the context of the Clinton Administration and beyond). 33 Discussion of the GDPR happens in section IV. 34 GDPR Article 40(2)-40(5) (2016). For more information on the GDPR see Section IV.B infra. 35 Kimberly Houser & Gregory Voss, GDPR: The End of Google and Facebook or a Paradigm in Data Privacy? 25 RICHMOND J. L. & INFO. TECH. 1, 104 (2018). 36 See Rubinstein supra note 32 at 359. 37 Update About Proposed Federal Privacy Laws, One Trust (2020), https://www.onetrust.com/blog/update-about-proposed-federal-privacy-laws/. 38 In a recent keynote address Rebeca Kelly Slaughter, the recently appointed Chair of the FTC, has stated that issues surrounding data privacy are one of her agency’s top priorities. See Privacy Papers for Policymakers 2021 available at https://www.youtube.com/watch?v=DTjA7SgjKhw]







https://www.independent.co.uk/news/world/americas/dna-testing-fbi-data-breach-privacy-family-tree-bennett-greenspan-a8763521.html

https://www.independent.co.uk/news/world/americas/dna-testing-fbi-data-breach-privacy-family-tree-bennett-greenspan-a8763521.html



https://about.unimelb.edu.au/newsroom/news/2017/december/research-reveals-de-identified-patient-data-can-be-re-identified?mod=article_inline

https://about.unimelb.edu.au/newsroom/news/2017/december/research-reveals-de-identified-patient-data-can-be-re-identified?mod=article_inline


https://www.sas.com/en_us/insights/big-data/what-is-big-data.html



39 For a discussion of the FTC’s role in this area, see Michael Simpson, Comment - All Your Data Are Belong to Us, U. CO. LAW 670, 695-696 (2016). 40 See, e.g., https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html 41 This view, that the notice and consent system us not an effective way of protecting privacy, is shared by others. As Jennifer Bauer notes, “there is a growing recognition that the notice and consent system is flawed and a significant push for a more meaningful and nuanced form of consent than the current notice and consent or ‘privacy self-regulation’ framework presents.” Bauer, Playing Off Key: Trans-Atlantic Data Regulation in a Discordant World, 119 WV LAW REV. 793, 813 (2016). 42 President’s Council of Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective at x, 19, 47, 50 (May 2014), https://obamawhitehouse.archives.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf. 43 See Id. at 38. 44 Id. at xii. 45 Id. 46 Id at xii, 49. 47 Id. at xii, 38. 48 Id. at 38. 49 Id. at 40. 50 Id. at 41. 51 Id. at 41 (citing Craig Mundie, Privacy Pragmatism; Focus on Data Use, Not Data Collection, 93 FOREIGN AFF. 28 (2014)). 52 Id. at 42. 53 Id. 54 Id. at 43. 55 Id. 56 Id. at 44. 57 Id. at 43. 58 Id. at 44. 59 Id. 60 Id. 61 Id. at 45. 62 Id. 63 Id. at 50. 64 Id. 65 Id. 66 Id. at 50-51. 67 Id. at 51. 68 Id. at 52. 69 Id. 70 For instance, in 2019 alone nine states passed data breach notification laws. For a roundup of the states see here: https://www.dataprotectionreport.com/2019/06/nine-states-pass-new-and-expanded-data-breach-notification-laws/ 71 Simpson, supra note 41, at 685. 72 Id. This is also consistent with the broad categories of options that consumers wanted to avail themselves of, as expressed by West Virginia residents in response to the initial surveys and their participation during the focus group. See Section VI for further discussion. 73 Fadja Tassey, “Current Topics in Internet Law Data Breach,” Law School Student Scholarship 940 (2018) at 944. 74 National Conference of State Legislatures, Security Breach Notification Laws, NCSL (2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx 75 Simpson, supra note 41, at 689-690. 76 We do, however, highlight some key cases around specific issues discussed in subsequent sections. Summaries of these relevant cases can be found in Appendix E. 77 California Consumer Privacy Act (CCPA) § 1798.125(a) (2018). 78 W. Gregory Voss, Kimberly A. Hauser, Personal Data and the GDPR; Providing a Competitive Advantage for U.S. Companies, American Business Law Journal, (2019), https://onlinelibrary.wiley.com/doi/abs/10.1111/ablj.12139 79 See https://www.cda.org/Search/Article-Details/health-care-providers-exempt-from-new-state-privacy-law . See also CCPA § 1798.140(o) (2018).

https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html

https://www.dataprotectionreport.com/2019/06/nine-states-pass-new-and-expanded-data-breach-notification-laws/


https://onlinelibrary.wiley.com/doi/abs/10.1111/ablj.12139

https://www.cda.org/Search/Article-Details/health-care-providers-exempt-from-new-state-privacy-law

80 WV Code 46A-2A-101 et seq. 81 Id. See also Perkins Coie, Security Breach Notification Chart: West Virginia, https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.html. 82 Charles Pults, America’s Data Crisis: How Public Voter Registration Data Has Exposed The American Public to Previously Unforeseen Dangers and How to Fix it 105 IOWA L. REV. 1363, 1375 (2020). 83 Id. 84 See, James Bopp, Jr., Commissioner, Uniform Law Commission, ULC CUPID, Comment, Comparison Between Alternative Draft and Committee Draft (Aug. 4, 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4686622f-b990-e782-96e6-a11fb3d05b14&forceDialog=0. 85 See, Microsoft Corporation, Comment, Microsoft Corporation Comment on The Uniform Law Commission’s Collection and Use of Personally Identifiable Data Act (Oct. 23, 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=4363ae45-1130-e4b2-d1cb-d35cd2403468&forceDialog=0. 86 Specifically, under the Gramm-Leach Bliley Act. 87 See, Financial Services Joint Trade Association (FSJTA), Comment, FSJTA’s Comment on The Uniform Law Commission’s Collection and Use of Personally Identifiable Data Act (April 23, 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=c17a8ede-be6e-f3b9-07dc-42d0cc734ae4&forceDialog=0 (Comment submitted by American Bankers Association Consumer Bankers Association Credit Union National Association Independent Community Bankers Association National Association of Federal Credit Unions Securities Industry Financial Markets Association). 88 American Property Casual Insurance Company, Comment, Collection and Use of Personally Identifiable Data Act

(April 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=25833e4d-ee53-755a-4ded-383e02e3bf97&forceDialog=0. 89 Id. 90 Id. 91, National Association of Mutual Insurance Companies, Comment, Uniform Law Commission Collection and Use of Personally Identifiable Data Act (2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=7c4ce50f-53bd-eb67-c2fb-5b2849f41bbd&forceDialog=0. 92 Stephanie Hall, Harnessing Data While Protecting Privacy, National Association of Manufacturers (Feb. 11, 2020), https://www.manufacturingleadershipcouncil.com/2020/02/11/harnessing-data-while-protecting-privacy/. 93 Id. 94 Steven Melendez, A landmark Vermont law nudges over 120 data brokers out of the shadows, FastCompany (2019), https://www.fastcompany.com/90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law. 95 Id. 96 Douglas MacMillan, Data brokers are selling your secrets. How states are trying to stop them, The Washington Post (June 24, 2019 at 5:54 PM EDT), https://www.washingtonpost.com/business/2019/06/24/data-brokers-are-getting-rich-by-selling-your-secrets-how-states-are-trying-stop-them/. 97 See, Max Rieper, 2020 Trends in State Privacy Legislation, Multistate (Mar. 3 2020), https://www.multistate.us/insider/2020/3/3/2020-trends-in-state-privacy-legislation. 98 Termly Legal Team, Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP, Privacy Laws Around the World (Mar. 14, 2014), https://termly.io/resources/infographics/privacy-laws-around-the-world/. 99 Baker McKenzie, Privacy Update: Hong Kong Government Considering Amendments to the Personal Data (Privacy) Ordinance, Lexology (2020), https://www.lexology.com/library/detail.aspx?g=09ff9a20-f68c-4f98-aa00-5d7ffa3e48b4. 100 See infra Section IV. B. 101 Emily Feng, In China, A New Call To Protect Data Privacy, NPR (Jan. 5, 2020 at 9:00 AM ET), https://www.npr.org/2020/01/05/793014617/in-china-a-new-call-to-protect-data-privacy. According to NPR, legal enforcement in the country is weak and the government has not gone after illegal data brokers who sell personal information at extremely cheap rates. To demonstrate the ease, an artist in China created an exhibition comprised of 350,000 pieces of personal information purchased from these data brokers. 102 General Data Protection Regulation (GDPR), Art. 2(a) (2016). 103 GDPR, Art. 2(b) and Recital 16 (2016). 104 GDPR, Art. 4(14) (2016). 105 GDPR, Art 4(13) (2016).







https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=7c4ce50f-53bd-eb67-c2fb-5b2849f41bbd&forceDialog=0

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=7c4ce50f-53bd-eb67-c2fb-5b2849f41bbd&forceDialog=0


https://www.fastcompany.com/90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law

https://www.fastcompany.com/90302036/over-120-data-brokers-inch-out-of-the-shadows-under-landmark-vermont-law



https://www.multistate.us/insider/2020/3/3/2020-trends-in-state-privacy-legislation

https://termly.io/resources/infographics/privacy-laws-around-the-world/

https://www.lexology.com/library/detail.aspx?g=09ff9a20-f68c-4f98-aa00-5d7ffa3e48b4

https://www.npr.org/2020/01/05/793014617/in-china-a-new-call-to-protect-data-privacy

106 GDPR, Art. 4(14) (2016). 107 Article 9 of the GDPR (2016). 108 These exceptions include 1) giving explicit consent; 2) exercising specific rights or obligations in employment, social security, or social protection law; 3) necessary to protect vital interests or physically or legally incapable of giving consent; 4) in the course of legitimate activities of an association or foundation; 5) data is manifestly made public by the data subject; 6) necessary for substantial public interest in the basis of a Member State law; 7) public health and preventative or occupational medicine; or 8) archiving scientific, historical, or statistical research. 109 GDPR Article 68 (2016). 110 GDPR Article 70(1)(a), (b) (2016). 111 Id. 112 GDPR Article 70(1)(a) (2016). See also Paul Voigt, Axel von dem Bussche. “The EU General Data Protection Regulation (GDPR)”, Springer Science and Media LLC, 2017 113 GDPR Article 51(1) (2016). 114 GDPR Articles 53-58 (2016). 115 GDPR Article 57(1)(a)-(v) (2016). 116 GDPR Article 58 (2016). See also “Data Protection in the Internet”, Springer Science and Buisness Media LLC, 2020 117 Amy B. Cyphert, Tinker-Ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students, 20 NEV. L.J. 457 (2020) 118 Id. at 461–62 119 In addition to data collection, there has been a significant increase in the use sensors. These sensors, combined with a network of computers and devices, allows for the aggregation of very large datasets (previously too costly to create). One example of a well-known and often used dataset of images is available here, https://qz.com/1034972/the-data-that-changed-the-direction-of-ai-research-and-possibly-the-world/. With the internet of things, even more sensors will be deployed and datasets will get even bigger. 120 See Mark MacCarthy, Standards of Fairness for Disparate Impact Assessment of Big Data Algorithms, 48 Cumb. L. Rev. 67 (2017); EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: A Report on Algorithmic Systems, Opportunity, and Civil Rights (2016); FEDERAL TRADE COMMISSION, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues (2016). 121 See Trade Secret Under State Law, 53 A.L.R.4TH 1046 (2015) (citing Uniform Trade Secrets Act of 1979 § 1(4), 14 ULA 542 (1979)); Am Jur 2d, Desk Book, Item No. 124. 122 Taylor Moore, Trade Secrets and Algorithms as Barriers to Social Justice, Center for Democracy & Technology (August 2017). 123 Trade Secret Under State Law, supra note 120, at 542. 124 18 U.S.C. § 1839(3) (2016). 125 According to the Uniform Law Commission, the three states who have not include: Massachusetts, New York and North Carolina. 126 18 U.S.C. § 1835(a), (b) (2016). 127 18 U.S.C. § 1833(b) (2016). 128 Katyal, supra note 126, at 55. 129 See generally FEDERAL TRADE COMMISSION, supra note 119; EXECUTIVE OFFICE OF THE PRESIDENT, Big Data: Seizing Opportunities, Preserving Values (2014); EXECUTIVE OFFICE OF THE PRESIDENT, supra, note 119; Solon Barocas & Andrew

D. Selbst, Big Data's Disparate Impact, 104 CALIF. L. REV.. 671 (2016); Katyal, supra note 126, at 57; MacCarthy, supra note

119, at 69; Robert Brauneis & Ellen P. Goodman, Algorithmic Transparency for the Smart City, 20 Yale J. L. & Tech. 103 (2018); Andrew Selbst, Disparate Impact in Big Data Policing, 52 GA. L. REV. 109,113 (2017). 130Lisa T. Alexander, Cyberfinancing for Economic Justice, 4 WM. & MARY BUS. L. REV. 309 at 374 (2013). See also, Gary Hernandez, Katherine J. Eddy, Joel Muchmore, Insurance Weblining and Unfair Discrimination in Cyberspace, 54 SMU L. REV. 1953 at 1968-71 (2001). 131 See Alexander, supra note 130, at 374; Hernandez, Eddy, Muchmore., supra note 130, at 1970. 132 See Marcy Peek, Passing Beyond Identity on the Internet: Espionage & Counterespionage in the Internet Age, 28 Vt. L. Rev. 91 at 98 (2003). 133 Hernandez, Eddy, Muchmore, supra note 130, at 1970. 134 Peek, supra note 132, at 98. 135 Id. at 94. 136 Amitai Etzioni, The Privacy Merchants: What is to be Done?, 14 U. PA. J. CONST. L. 929 (2012). available at https://scholarship.law.upenn.edu/jcl/vol14/iss4/2 137 Id at 96. 138 EXECUTIVE OFFICE OF THE PRESIDENT, supra, note 119.

https://qz.com/1034972/the-data-that-changed-the-direction-of-ai-research-and-possibly-the-world/

https://qz.com/1034972/the-data-that-changed-the-direction-of-ai-research-and-possibly-the-world/

https://scholarship.law.upenn.edu/jcl/vol14/iss4/2

139 Rachel Schneider and Arjan Schutte, The Predictive Value of Alternative Credit Scores, Center for Financial Services Innovation at 5 (2007), https://pdfs.semanticscholar.org/788e/beb8beebe67c6d8087fb8f545682f4b5c2af.pdf?_ga=2.70882643.2117354664.1602950660-96623878.1602950660. 140 Mikella Hurley & Julius Adebayo, Credit Scoring in the Era of Big Data, 18 YALE J.L. & TECH. 148 at 152 (2016) available at https://yjolt.org/sites/default/files/hurley_18yjolt136_jz_proofedits_final_7aug16_clean_0.pdf. 141Astra Taylor and Jathan Sadowski, How Companies Turn Your Facebook Activity into a Credit Score, The Nation, at 4 (July 15, 2015). ), https://www.thenation.com/article/archive/how-companies-turn-your-facebook-activity-credit-score/. 142 Nate Cullerton, Behavioral Credit Scoring, 101 GEO. L.J. 807 at 808 (2013); Regarding Examining the Use of Alternative Data

in Underwriting and Credit Scoring to Expand Access to Credit: Hearing Before the H. Comm. on Financial Services Task Force on Financial Technology, 116th Cong. at 6 (July 2019) (testimony of Chi Chi Wu, National Consumer Law Center); Matthew Bruckner, The Promise and Perils of Algorithmic Lenders’ Use of Big Data, 93 CHI.-KENT L. REV. 3 at 15, 28-29 (2018), https://scholarship.kentlaw.iit.edu/cklawreview/vol93/iss1/1. 143 See, Regarding Examining the Use of Alternative Data (2019), supra note 141, at 7-8. 144 See, Hurley & Adebayo, supra note 139, at 151. 145 Id. 146 Id. at 152 147 Alexander, supra note 130, at 374. 148 Big Data Scoring: The Leader in Big Data Credit Scoring Solutions, What is Big Data Scoring? (2021), https://www.bigdatascoring.com/. 149 See Datarade, Buy Consumer Behavior Data (2021), https://datarade.ai/data-categories/consumer-behavior-data, a website listing numerous companies offering data sets for purchase in alternative credit scoring. 150 See Datarade, Consumer Styles: A dataset by MBI Geodata (2021), https://datarade.ai/data-products/consumer-styles. 151 Id. 152See Datarade, Personas Data: A dataset by Gravy Analytics (2021), https://datarade.ai/data-products/personas-data-gravy-analytics. 153 Id. 154 See Peek, supra note 132, at 105. 155 Omer Tene and Jules Polonetsky, Taming the Golem: Challenges of Ethical Algorithmic Decision Making, 19 N.C.J.L. &

TECH. 135 (2017). 156 Id. at 136, 137. 157 Regarding Examining the Use of Alternative Data (2019), supra note 141, at 6. 158 Id. at 7. 159Regarding Examining the Use of Alternative Data (2019), supra note 141, at 7. See also, Bruckner, supra note 141, at 28. 160 Regarding Examining the Use of Alternative Data (2019), supra note 141, at 7. See also, Banking on Your Data: The Role of Big Data in Financial Services: Hearing Before the House Financial Services Comm. Task Force on Financial Technology, 116th Cong. (2019) (testimony of Christopher Gilliard, PhD). 161 Regarding Examining the Use of Alternative Data (2019), supra note 141, at 7. 162 Id. 163 Id. 164 Regarding Examining the Use of Alternative Data (2019), supra note 141, at 8. See also, Bruckner, supra note 141, at 27. 165 Bruckner, supra note 141, at 5, 7, 11. 166 Id. at 15. 167 Bruckner, supra note 141, at 15. See also, Taylor and Sadowski, supra note 140, at 11. 168 Bruckner, supra note 141, at 29. 169 Id. 170 Hurley & Adebayo, supra note 139, at 150-51. See also, Andrews, supra note 19 at 35-36; Cullerton, supra note 141, at 816. 171 Nathan Newman, Comment Letter on FTC Workshop to Examine Effects of Big Data on Low Income and Underserved Consumers, How Big Data Enables Economic Harm to Consumers, Especially to Low Income and Other Vulnerable Sectors of the Population, at 6 (2014). 172 Id. at 8. 173 Id. 174 Id. 175 Id, at 9. 176 Id. at 8. 177 Id.

https://pdfs.semanticscholar.org/788e/beb8beebe67c6d8087fb8f545682f4b5c2af.pdf?_ga=2.70882643.2117354664.1602950660-96623878.1602950660

https://pdfs.semanticscholar.org/788e/beb8beebe67c6d8087fb8f545682f4b5c2af.pdf?_ga=2.70882643.2117354664.1602950660-96623878.1602950660

https://yjolt.org/sites/default/files/hurley_18yjolt136_jz_proofedits_final_7aug16_clean_0.pdf

https://www.thenation.com/article/archive/how-companies-turn-your-facebook-activity-credit-score/

https://scholarship.kentlaw.iit.edu/cklawreview/vol93/iss1/1

https://www.bigdatascoring.com/





178 Bruckner, supra note 141, at 3 179 Id. See also Michele E. Gilman. Five Privacy Principles (from the GDPR) the United States Should Adopt To Advance Economic Injustice https://arizonastatelawjournal.org/wp-content/uploads/2020/08/02-Gilman-Final.pdf 180 Bruckner, supra note 141, at 3-4. See also, Michelle E. Gilman, Five Privacy Principles (from the GDPR) the United States Should Adopt to Advance Economic Justice, 52 ARIZ. ST. L.J. 368 at 389 (2020); Preston Gralla, Opinion, Amazon Prime and the Racist Algorithms, Computerworld (May 11, 2016), https://www.computerworld.com/article/3068622/amazon-prime-and-the-racist-algorithms.html. 181 Bruckner, supra note 141, at 4. 182 Gilman, supra note 179, at 380. See also, Carol A. Evans, Associate Director, and Westra Miller, Counsel, Division of Consumer and Community Affairs, Federal Reserve Board, From Catalogs to Clicks: The Fair Lending Implications of Targeted, Internet Marketing, Consumer Compliance Outlook, Third Issue (2019). 183 Gilman, supra note 179, at 380-381. See also, Julia Agwin and Terry Parris, Jr. Facebook Lets Advertisers Exclude Users by Race, ProPublica (2016)(an ad experiment conducted by the writers investigating Facebook ad targeting), https://www.propublica.org/article/facebook-lets-advertisers-exclude-users-by-race. 184 Gilman, supra note 179, at 381. 185 Id. 186 Evans and Miller, supra note 181. 187 Id. 188 See FEDERAL TRADE COMMISSION, supra note 119, at ii. 189 Hurley & Adebayo, supra note 139, at 184. 190 Id. 191 Id. 192 Id. at 190. 193 FEDERAL TRADE COMMISSION, supra note 119, at iii. 194 Id. 195 FEDERAL TRADE COMMISSION, supra note 119, at iii. See also Hurley & Adebayo, supra note 28 at 191-192. 196 Hurley & Adebayo, supra note 139, at 191. 197 FEDERAL TRADE COMMISSION, supra note 119, at iv. 198 Id. 199 Gilman, supra note 179, at 408. 200 Id. 201 Id. 202 Bruckner, supra note 141, at 43, 45. 203 Id. 204 Peek, supra note 132, at 101. 205 Id. at 101-102. 206 Id. at 102. 207 Peek, supra note 132, at 99-100; Hernandez, Eddy, Muchmore, supra note 130, at 1965-66. 208 Peek, supra note 132, at 100; Hernandez, Eddy, Muchmore, supra note 130, at 1966. 209 Peek, supra note 132, at 103 (some categories of sensitive data include: medical, legal, racial or ethnic background, religion, and sexual orientation). See also, Hernandez, Eddy, Muchmore, supra note 130, at 1970 (“Companies can subscribe to ‘neural networks,’ which enable them to instantly access profiles of existing and potential customers.”). 210 See Peek, supra note 132, at 103. 211 What is Big Tech and Why We Should Care, Allerin (Aug, 21, 2019), https://www.allerin.com/blog/what-is-big-tech-and-why-we-should-care. 212 Microsoft is sometimes excluded from this list. See Kyle Daly, Big Tech’s Power, in 4 Numbers, Axios (Jul. 27, 2020) available at https://www.axios.com/big-techs-power-in-4-numbers-de8a5bc3-65b6-4064-a7cb-3466c68b2ea0.html. 213 One analysis of the combined annual revenues of Alphabet, Amazon, Apple and Facebook has stated that the combined annual revenue of the four companies equates to the GDP of Saudi Arabia, which is one of the 20 th richest countries in the world. https://www.axios.com/big-techs-power-in-4-numbers-de8a5bc3-65b6-4064-a7cb-3466c68b2ea0.html. 214 More recently, some writers have taken to re-examining this popular telling of these companies. For instance, one writer has undergone research that links the rise of many of these companies to their support from the military infrastructure, see generally Yasha Levine, Surveillance Valley: The Secret Military History of the Internet, PublicAffairs (2018). 215 Nicholas Confessore, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far, THE NEW YORK TIMES (Apr. 4, 2018) available at https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html

https://arizonastatelawjournal.org/wp-content/uploads/2020/08/02-Gilman-Final.pdf



https://www.propublica.org/article/facebook-lets-advertisers-exclude-users-by-race

216 Betsy Atkins, Big Tech, Data Privacy and The Board’s Role, Forbes (Nov. 12, 2020, 3:34 PM), https://www.forbes.com/sites/betsyatkins/2020/11/12/big-tech-data-privacy-and-the-boards-role/?sh=ee467335bba1. 217 Id. 218 William Goddard, How Do Big Companies Collect Customer Data, IT Chronicles (Jan. 14, 2019), https://itchronicles.com/big-data/how-do-big-companies-collect-customer-data/. 219 Id. 220 Reed Albergotti, On iPhones, Facebook and Apple Begin a War of Pop-Up Messages, The Washington Post (Feb. 1, 2021, 10:00 AM), https://www.seattletimes.com/business/technology/on-iphones-facebook-and-apple-begin-a-war-of-pop-up-messages/. 221 Id. 222 Patience Haggin, Keach Hagey, and Sam Schechner, Apple’s Privacy Change Will Hit Facebook’s Core Ad Business. Here’s How., The Wall Street Journal (Jan. 29, 2021, 11:49 AM), https://www.wsj.com/articles/apples-privacy-change-will-hit-facebooks-core-ad-business-heres-how-11611938750. 223 Tim Higgins, Apple, Facebook Trade Barbs Over Privacy-Focused Business Models, The Wall Street Journal (Jan. 28, 2021, 12:34 PM), https://www.wsj.com/articles/apple-to-roll-out-privacy-measures-despite-facebook-objections-11611810002. 224 Sam Schechner, Privacy Problems Mount for Tech Giants, The Wall Street Journal (Jan. 21, 2019 at 6:30 AM ET), https://www.wsj.com/articles/privacy-problems-mount-for-tech-giants-11548070201. 225 Big Tech’s Shift to Privacy, International Association of Privacy Professionals (2019), https://iapp.org/media/uploads/2019/07/big-tech-shift-to-privacy-chart-final.pdf. 226 Levine, supra note 213, at 141. 227 Tony Romm, DOJ Issues New Warning to Big Tech: Data and Privacy Could Be Competition Concerns, The Washington Post (Nov. 8, 2019, 3:22 PM), https://www.washingtonpost.com/technology/2019/11/08/doj-issues-latest-warning-big-tech-data-privacy-could-be-competition-concerns/. 228 Id. 229 Id. 230 Id. 231 Id. 232 Id. 233 Id. 234 Sunny Seon Kang, Don’t Blame Privacy for Big Tech’s Monopoly on Information, Just Security (Sept. 18, 2020), https://www.justsecurity.org/72439/dont-blame-privacy-for-big-techs-monopoly-on-information/. 235 Id. 236 Id. 237 Id. 238 Schechner, supra note 222. 239 Id. 240 Id. 241 Id. 242 Id. 243 Congress has been actively examining data brokers for a number of years. Legislative initiatives include scrutinizing data broker activities and appear to be spending more on lobbying efforts these days, including: S. 2342 Data Broker List Act of 2019; HR 6675 Data Broker Accountability and Transparency Act of 2020; S. 3300 Data Protection Act of 2020. In addition, there have a number of hearings, including; Dec. 18, 2013, What Information Do Data Brokers Have on Consumers, and How Do They Use It?; October 3, 2017, “House Energy and Commerce Subcommittee Hearing on Equifax Data Breach”; June 11, 2019, Data Brokers and the Impact on Financial Data Privacy, Credit, Insurance, Employment and Housing 244 Yael Grauer, What are Data Brokers, and Why are They Scooping Up Information About You?, Vice (March 27, 2018), https://www.vice.com/en/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection 245 William Chalk, Landmark Laws: Data Brokers and the Future of US Privacy Regulation, CSO (Mar. 6, 2019), https://www.csoonline.com/article/3356458/landmark-laws-data-brokers-and-the-future-of-us-privacy-regulation.html 246 Byron Tau, Patience Haggin, Lawmakers Urge FTC Probe of Mobile Ad Industry’s Tracking of Consumers, The Wall Street Journal (July 31, 2020), https://www.wsj.com/articles/lawmakers-urge-ftc-probe-of-mobile-ad-industrys-tracking-of-consumers-11596214541. 247 WebFX Team, What are Data Brokers – and What is Your Data Worth?, WebFx (March 16, 2020), https://www.webfx.com/blog/internet/what-are-data-brokers-and-what-is-your-data-worth-infographic/. 248 See Section III for a discussion on how legislators in the U.S. have regulated PII.

https://iapp.org/media/uploads/2019/07/big-tech-shift-to-privacy-chart-final.pdf

https://www.congress.gov/bill/116th-congress/senate-bill/2342/text

https://www.govtrack.us/congress/bills/116/hr6675

https://www.congress.gov/bill/116th-congress/senate-bill/3300

https://www.commerce.senate.gov/2013/12/what-information-do-data-brokers-have-on-consumers-and-how-do-they-use-it

https://www.commerce.senate.gov/2013/12/what-information-do-data-brokers-have-on-consumers-and-how-do-they-use-it

https://www.c-span.org/video/?434786-1/lawmakers-grill-equifax-ceo-data-breach

https://www.c-span.org/video/?434786-1/lawmakers-grill-equifax-ceo-data-breach

https://www.banking.senate.gov/hearings/data-brokers-and-the-impact-on-financial-data-privacy-credit-insurance-employment-and-housing

https://www.banking.senate.gov/hearings/data-brokers-and-the-impact-on-financial-data-privacy-credit-insurance-employment-and-housing

249 Jamie Pinchot, Adman Chawdhry, and Karen Paullet, Data Privacy Issues in the Age of Data Brokerage: An Exploratory Literature Review, Issues in Information, Vol. 19, Issue 3, pp. 92-100, (2018), https://doi.org/10.48009/3_iis_2018_92-100 250 Id. 251 Id. 252 Dom Nicastro, Is Using a Data Broker the Most Secure Marketing Strategy?, CMS Wire (Nov. 11, 2020), https://www.cmswire.com/digital-marketing/is-your-data-broker-the-most-secure-marketing-strategy/ 253 Although, there has been. movement in this direction. For instance, in June 2019, the Consumer Education Foundation asked the FTC to “investigate the use of shadow that impact how people are allowed to shop and what offers they receive.” Joel Hrusha, You Can Now Request Some of the Secret Data Companies Compile about your Online Activities, ExtremeTech (Nov. 6, 2019), https://www.extremetech.com/computing/301552-you-can-now-request-some-of-the-secret-data-companies-compile-about-your-online-activities. 254 Here are the Data Brokers Quietly Buying and Selling your Personal Information, Fast Company (Mar. 2, 2019), https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information. 255 Although there is one company, Acxiom, which allows consumers to view all the data points that have been collected on them and even correct any information that is incorrect. WebFX Team, supra note 244. 256 Chalk, supra note 242. 257 Id. 258 Pinchot, Chawdhry, Paullet, supra note 246. 259 However, recently it has been reported that data brokers are now selling geolocation data to law enforcement agencies. As a result, the House Committee on Oversight recently launched an investigation to consider whether this amounted to “warrantless tracking.” Kim Lyons, Congress Investigating How Data Brokers Sells Smartphone Tracking Info to Law Enforcement, The Verge (June 25, 2020), https://www.theverge.com/2020/6/25/21303190/congress-data-smartphone-tracking-fbi-security-privacy. In addition, as Byron Tau reports, in 2018, the U.S. Supreme Court ruled “that a warrant is required to compel cellphone carriers to turn over location data to law enforcement … [the courts have not addressed] whether consumers have any expectation of privacy or due process in data generated from apps rather than carriers.” Byron Tau, Most Americans Object to Government Tracking of Their Activities Through Cellphones, The Wall Street Journal (Nov. 25, 2020), https://www.wsj.com/articles/most-americans-object-to-government-tracking-of-their-activities-through-cellphones-11606305601. 260 Id. 261 Byron and Haggin, supra note 243. 262 Id. 263 Pinchot, Chawdhry, Paullet, supra note 246. 264 Chalk, supra note 242. 265 Dom Nicastro, supra note 249. 266 Id. 267 Id. 268 Chalk, supra note 242. 269 Id. 270 Pinchot, Chawdhry, Paullet, supra note 255. 271 Id. 272 Id. 273 See e.g., Te-Ping Chen, Your Company Wants to Know if You’ve Lost Weight, The Wall Street Journal (Feb. 11. 2019) https://www.wsj.com/articles/does-your-company-need-to-know-your-body-mass-index-11549902536 274 Andrew Guthrie Ferguson, The “Smart” Fourth Amendment, 102 CORNELL L. REV. 547 (2017). 275 If the government were manufacturing and interacting with these technologies directly then the fourth amendment implications would be clearer. 276 U.S. Const. amend IV. 277 In addition to more traditional forms of data privacy issues, data privacy issues are now overlapping with more traditional forms of discriminations (such as employment discrimination). In many instances, the company may seem to have an innocuous or even beneficial reason for gathering the information. See e.g., Chen, supra note 270 (stating “Disney, Whole Foods and dozens of other companies have introduced programs to reward employees for meeting certain criteria on health indicators such as weight-to-height ratio and blood pressure. Some incentivize workers to hit a target number of step counts and eat well: One wellness provider, Vitality, works with 31,000 grocery stores to analyze participants’ food choices and award points for healthy purchases, which can be redeemed for prizes. While many employees are fans of the programs, which often sync with apps that track user data, others are raising questions about




who sees such data, where it could end up and whether such programs discriminate against those who don’t participate.”) Unfortunately, as the history of big data shows, much of the information that was once gathered for beneficial purposes later becomes the data that is used to discriminate against consumers. See Executive Office of the President, supra note 119; Bruckner, supra note 141, at 25. 278 Guthrie Ferguson, supra note 271, at 573. 279 Id. at 586. 280 Id. at 584. 281 Id. at 573, 575, 576. 282 Id. at 563. 283 OBERLO, Smartphone Users Worldwide from 2016 – 2021, available at https://www.oberlo.com/statistics/how-many-people-have-smartphones 284 Carra Pope, Biometric Data Collection in an Unprotected World: Exploring the Need for Federal Legislation Protecting Biometric Data, 26 J.L. & Pol’y 769 (2018). 285 Natalie A. Prescott, The Anatomy of Biometric Laws: What U.S. Companies Need to Know in 2020, National Law Review (Jan. 15, 2020), https://www.natlawreview.com/article/anatomy-biometric-laws-what-us-companies-need-to-know-2020. 286 Illinois Biometric Information Privacy Act (IBIPA) 740 ILCS 14/1 (2008); Texas Business and Commerce Code § 503.001 (201); WASH. REV. CODE ANN. 19.375 (2017). 287 There are two cases that specifically hold that no harm needs to have occurred: Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019) and Patel v. Facebook, Inc. No. 18-15982 (9th Cir. Aug. 8, 2019). 288 Ohio Lawyer, Complying With the World’s Most Stringent Biometric Privacy Law, BlankRome (Jan. – Mar. 2020), https://www.blankrome.com/publications/complying-worlds-most-stringent-biometric-privacy-law. 289 Id. 290 Pope, supra note 281, at 771. 291 Id. 292 See Next Generation Identification (NGI), FED. BUREAU OF INVESTIGATION, https://www.fbi.gov/services/cjis/fingerprintsand-other-biometrics/ngi (last visited May 1, 2018); see also, Fingerprints and Other Biometrics, FED. BUREAU OF INVESTIGATION (discussing the FBI's Next Generation Identification program), https://www.fbi.gov/services/cjis/fingerprints-and-other-biometrics#:~:text=Fingerprints%20are%20a%20common%20biometric,%2C%20palmprints%2C%20and%20facial%20patterns.&text=It%20has%20used%20various%20forms,national%20fingerprint%20collection%20in%201924. 293 Pope, supra note 281, at 780. 294 Id. at 781, 782. 295 WVU Medicine, WVU Rockefeller Neuroscience Institute Announces Capability to Predict COVID-19 Related Symptoms Up to Three Days in Advance, (May 28, 2020), https://wvumedicine.org/news/article/wvu-rockefeller-neuroscience-institute-announces-capability-to-predict-covid-19-related-symptoms-up-/#:~:text=The%20RNI%20platform%20uses%20the,with%20over%2090%20percent%20accuracy 296 Id. 297 See 45 CFR § 160.203 (HIPAA). 298 45 CFR 160, 45 CFR 162, and 45 CFR 164(A), (E). 299 Office for Civil Rights, Privacy, Security, and Electronic Health Records, U.S. DEPARTMENT OF HEALTH AND HUMAN

SERVICES (2021), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/consumers/privacy-security-electronic-records.pdf. 300 45 C.F.R. 164.512(b)(1)(ii). 301 45 C.F.R. §164. 302 Id. 303 45 C.F.R. §164.514. 304 Public Health Service Act (PHS) Section 2791(a)(2), 42 U.S.C. 300gg-91(a)(2). 305 PHS Section 1861(u), 42 U.S.C. 1395x(u). 306 45 C.F.R. Sections 164.502(e) and 164.504(e). 307 Na L, Yang C, Lo C, Zhao F, Fukuoka Y, Aswani A., Feasibility of Reidentifying Individuals in Large National Physical Activity Data Sets From Which Protected Health Information Has Been Removed With Use of Machine Learning, JAMA Netw Open (2018), https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2719130. 308 15 U.S.C. §1681. 309 15 U.S.C. §1681e(b), §1681a(d). 310 15 U.S.C. § 1681a(k)(1), 1691(d)(6).






311 Health Insurers Are Vacuuming Up Details About You, ProPublica, Avail: https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates. 312 Id. 313 https://www.healthleadersmedia.com/welcome-ad?toURL=/finance/health-insurers-are-vacuuming-consumer-data-could-be-used-raise-rates See also, id. 314 Id. As the ProPublica articles details: “In a separate conversation, a salesman from a different company joked about the potential for error. “God forbid you live on the wrong street these days,” he said. “You’re going to get lumped in with a lot of bad things.” 315 Holland & Knight, ONC, CMS Finalize Transforming Interoperability and Patient Access to Data Rules (Mar. 18, 2020), https://www.jdsupra.com/legalnews/onc-cms-finalize-transforming-68904/. 316 21st Century Cures Act, 42 USC § 300jj(9) (2016). 317 Holland & Knight, supra note 314. 318 Id. See also https://www.mondaq.com/unitedstates/healthcare/907352/onc-cms-finalize-transforming-interoperability-and-patient-access-to-data-rulesZ 319 Lena Solow, The Scourge of Worker Wellness Programs, The New Republic (Sept. 2, 2019), https://newrepublic.com/article/154890/scourge-worker-wellness-programs 320 Id. 321 Id. 322 Jeremy Conrad, Privacy Rights During a Pandemic and Beyond, Washington Lawyer 29, (July/August 2020) 323 Id. 324 Ziad Obermeyer, Brian Powers, Christine Vogeli, Sendhil Mullainathan, Algorithmic Bias In Health Care: A Path Forward, Health Affairs (November 1, 2019). 325 See Barocas & Selbst, supra note 129, at 676; MacCarthy,supra note 119, at 69; Dehoyos v. Allstate Corp., 345 F.3d 290, 293 (5th Cir. 2003); Lumpkin v. Farmers Grp., Inc., No. 05-2868 Ma/V, 2007 U.S. Dist. (W.D. Tenn. Apr. 26, 2007); Ojo v. Farmers Grp., Inc., 356 S.W.3d 421 (Tex. 2011). 326 Obermeyer, Powers, Vogeli, Mullainathan, supra note 323. 327 See Id. 328 See Id. 329 Id. 330 David Romano, the principal of the Rmano Law Office, is also the establishing donor and the chairman of the Center for Consumer Law and Education. As mentioned earlier, the CCLE is responsible for funding this paper. 331 Bauer, supra note 42, at 815.) 332 W.V. Code §16-29G-1. 333 W.Va. Code §16-29G-1. 334 W. Va. Code § 16-29G-1(a). 335 W. Va. Code § 16-29G-1(b). 336 W. Va. C.S.R. 114-57-15.1. 337 See 15 U..S. Code 6805(a)(6). 338 See 15 U.S.Code 6801(a), (b). 339 W.Va. C.S.R.114-57-15.2. 340 See W.Va. C.S.R. 114-57-15.2 for a full list of insurance functions permitting disclosure without authorization. 341 W. Va. C.S.R. 114-62-3.1 342 W.Va. C.S.R. 114-15- 4.2(b). 343 See State ex. rel. State Farm Mut. Auto. Ins. Co. v. Bedell, 226 W.Va. 138, 737-38 (2010), 697 S.E.2d 730, 145-46 (2010) (known as State Farm I or Bedell I). 344 State ex rel. State Farm Mut. Auto. Ins. Co. v. Marks, 230 W.Va. 517 at 520, 741 S.E.2d 75, 78. 345 Protective Order Granting Plaintiffs Protection for Their Confidential Medical Records and Medical Information at 1-4, Faris v. Harding, W.Va. Circ. Harrison (No. 10-C-123-1), 2012.; Protective Order Granting Plaintiff Protection for His Confidential Medical Records and Medical Information at 1-4, Huggins v. Woodward Video, W.Va. Circ. Harrison (No. 10-C-176-1), 2012. 346 See Marks, 230 W.Va. at 519-520, 741 S.E.2d at 77. 347 See Bedell, 226 W.Va. at 737-38, 697 S.E.2d at 145-46. 348 See Bedell, 226 W. Va. at 141, 697 S.E.2d 730, 733. 349 Bedell, 226 W.Va. at 141, 697 S.E.2d at 733. 350 Bedell, 226 W.Va. at 141-42, 697 S.E.2d at 733. 351 See Bedell, 226 W. Va. at 145, 697 S.E.2d at 748; See also W.Va. C.S.R. 114-15-4.2(a), (b).

https://www.healthleadersmedia.com/welcome-ad?toURL=/finance/health-insurers-are-vacuuming-consumer-data-could-be-used-raise-rates

https://www.healthleadersmedia.com/welcome-ad?toURL=/finance/health-insurers-are-vacuuming-consumer-data-could-be-used-raise-rates

https://www.jdsupra.com/legalnews/onc-cms-finalize-transforming-68904/

https://newrepublic.com/article/154890/scourge-worker-wellness-programs

352 See State ex. rel. State Farm Mut. Ins. Co. v. Bedell, 228 W. Va. 252, 258 (W.Va. 2011), 719 S.E.2d 722, 728 (2011) (known as State Farm II or Bedell II). 353 Bedell, 228 W.Va. at 269 (quoting Fritsch v. City of Chula Vista, 187 F.R.D. 614, 633 (S.D. Cal. 1999)), 719 S.E.2d at 739. 354 Bedell, 228 W.Va. at 269, 719 S.E.2d at 739. 355 Bedell, 228 W.Va. at 271-72, 719 S.E.2d at 741-42. 356 Bedell, 228 W.Va. at 272, 719 S.E.2d at 742. 357 Bedell, 228 W.Va. at 274, 719 S.E.2d at 744. 358 See Marks, 230 W.Va. at 522, 741 S.E.2d at 80. 359 See Marks, 230 W.Va. at 521, 741 S.E.2d at 79. 360 Combined Order Affirming Medical Protective Orders Entered in These Civil Actions at 1-5, Faris v. Harding, Huggins v. Woodward Video, W.Va. Circ. Harrison (No. 10-C-123-1, 10-C-176-1), 2012. 361 Id. at 4. 362 Id. at 267. 363 Id. 364 Id. 365 Id. at 284-88. 366 Id. at 275 (quoting Child Protection Group v. Cline, 177 W.Va. 29, 350 S.E. 2d 541 (W.Va., 1986). 367 Id. (quoting Crump v. Beckley Newspapers, Inc., 173 W.Va. 699, 320 S.E.2d 70 (1983). 368 See W. Va. R. Civ. P. 26(c); Bedell, 226 W. Va. at 146-47, 697 S.E.2d at 738-39; Bedell, 228 W. Va. at 256, 260-61, 719 S.E.2d at 730-31; Small, 280 F.R.D. at 269. 369Bedell, 228 W. Va. at 261, 719 S.E.2d at 731. 370 Bedell, 226 W. Va. at 143, 697 S.E.2d at 735. 371 Bedell, 226 W. Va. at 148, 697 S.E.2d at 740. 372 Bedell, 228 W. Va. at 258, 719 S.E.2d at 728. 373 Bedell, 228 W. Va. at 262-63, 719 S.E.2d at 732-33. 374 Marks, 230 W.Va. at 528, 741 S.E.2d at 87. 375 Marks, 230 W.Va. at 528-29, 741 S.E.2d at 86-87. 376 Marks, 230 W.Va at 528, 741 S.E.2d at 86. 377 Small, 280 F.R.D. at 268. 378 Id. at 269-70. 379 Bedell, 228 W. Va. at 266, 719 S.E.2d at 736. 380 Bedell, 228 W. Va. at 268, 719 S.E.2d at 738. 381 Marks, 230 W.Va. at 531, 741 S.E.2d at 89. 382 Small, 280 F.R.D. at 276. 383 W.Va. C.S.R. 114-15-4.2(a), (b). 384 http://www.courtswv.gov/supreme-court/calendar/2012/briefs/may12/12-0304petition.pdf 385 W.Va. C.S.R. 114-15-4.2(a) and (b). 386 Bedell, 226 W. Va. at 145, 697 S.E.2d at 737. 387 Bedell, 228 W. Va. at 264, 719 S.E.2d at 734. 388Marks, 230 W.Va. at 524, 741 S.E.2d at 82. 389 Small, 280 F.R.D. at 280. 390 Bedell, 228 W. Va. at 263, 719 S.E.2d at 733; Marks, 230 W.Va. at 525, 741 S.E.2d at 83; Small, 280 F.R.D. at 279, 281. 391 Marks, 230 W.Va. at 524, 741 S.E.2d at 82. 392 Marks, 230 W.Va. at 525-26, 741 S.E.2d at 83-84. 393 Small, 280 F.R.D. at 280-81. 394 Marks, 230 W.Va. at 523, 741 S.E.2d at 81; Small, 280 F.R.D. at 276. See also 42 U.S.C. 1395y(b)(8) (Medicare Secondary Payer Act). 395 Marks, 230 W.Va. at 524, 741 S.E.2d at 82. 396 Small, 280 F.R.D. at 277. 397 Bedell, 228 W. Va. at 263, 719 S.E.2d at 733; Marks, 230 W.Va. at 523, 741 S.E.2d at 81; Small, 280 F.R.D. at 277. See also W.Va. Code 33-41-5(a) for fraud reporting requirement. 398 Marks, 230 W.Va. at 524, 741 S.E.2d at 82. 399 Exec. Order No. 13181, 65 FR 81321 (2000). 400 Small, 280 F.R.D. at 277. 401 Marks, 230 W.Va. at 526, 741 S.E.2d at 84; Small, 280 F.R.D. at 281. 402 Marks, 230 W.Va. at 527, 741 S.E.2d at 85. 403 Marks, 230 W.Va. at 527, 741 S.E.2d at 85.

http://www.courtswv.gov/supreme-court/calendar/2012/briefs/may12/12-0304petition.pdf

404 Bedell, 228 W. Va. at 272, 719 S.E.2d at 742. 405 Bedell, 228 W. Va. at 271, 719 S.E.2d at 741. 406 Small, 280 F.R.D. at 281. 407 Bedell, 228 W. Va. at 265, 719 S.E.2d at 735. 408 Bedell, 228 W. Va. at 269, 719 S.E.2d at 739. 409 Bedell, 228 W. Va. at 269, 719 S.E.2d at 739. 410 Bedell, 228 W. Va. at 269, 719 S.E.2d at 739. 411 Small, 280 F.R.D. at 282. 412 Id. 413 Id. 414 Id. 415 Id. at 284. 416 Marks, 230 W.Va. at 528, 741 S.E.2d at 86. 417 Marks, 230 W.Va. at 528, 741 S.E.2d at 86. 418 Small, 280 F.R.D. at 280; Marks, 230 W.Va. at 527, 741 S.E.2d at 85. 419 Small, 280 F.R.D. at 280. 420 Marks, 230 W.Va. at 528, 741 S.E.2d at 86. 421 Zack Whittaker, A passwordless server run by spyware maker NSO sparks contact-tracing privacy concerns, Tech Crunch (May 7, 2020 at 7:22 PM EDT), https://techcrunch.com/2020/05/07/nso-group-fleming-contact-tracing/. 422 Many have argued that in fact China’s used contact tracing during the pandemic is part of a broader strategy to keep track of its citizens. See, Ali Dukakis, China rolls out software surveillance for the COVID-19 pandemic, alarming human rights advocates, ABC News (April 14, 2020 at 6:30 AM), https://abcnews.go.com/International/china-rolls-software-

surveillance-covid-19-pandemic-alarming/story?id=70131355 ; Arjun Kharpal, Coronavirus could be a ‘catalyst’ for China to

boost its mass surveillance machine, experts say, CNBC (Feb. 24, 2020 at 8:14 PM EST), https://www.cnbc.com/2020/02/25/coronavirus-china-to-boost-mass-surveillance-machine-experts-say.html. 423 Bobbie Johnson, The US’s draft law on contact tracing apps is a step behind Apple and Google, MIT Technology Review (June

2, 2020), https://www.technologyreview.com/2020/06/02/1002491/us-covid-19-contact-tracing-privacy-law-apple-google/. 424 Tracking COVID-19: Contact Tracing in the Digital Age, World Health Organization (Sept. 9, 2020),

https://www.who.int/news-room/feature-stories/detail/tracking-covid-19-contact-tracing-in-the-digital-age. 425 Id. 426 Id. 427 Id. 428 Leo Kelion, Coronavirus: First Google/Apple-based Contact-tracing App Launched, BBC NEWS, May 26, 2020, https://www.bbc.com/news/technology-52807635. 429 Id. 430 Id. 431 Id. 432 Id. 433 Leo Kelion, Apple and Google Release Marks 'Watershed Moment' for Contact-tracing Apps, BBC NEWS, May 20, 2020, https://www.bbc.com/news/technology-52740131. 434 Id. 435 Id. 436 Andy Greenberg. The iOS Covid App Ecosystem Has Become a Privacy Minefield, Wired.com (Nov. 13, 2020 at 7:00 AM), https://www.wired.com/story/covid-19-ios-apps-privacy/. 437 Elliot Setzer, Contact-Tracing Apps in the United States, LAWFARE, May 6, 2020, https://www.lawfareblog.com/contact-tracing-apps-united-states. 438 Simon Handler and Lily Lui, The 5x5—Fighting COVID-19 with surveillance: Perspectives from across the globe, Atlantic Council (July 29, 2020), https://www.atlanticcouncil.org/blogs/new-atlanticist/fighting-covid-19-with-surveillance-perspectives-from-across-the-globe/. 439 Id. 440 Babao Zhang, et. al, Americans’ Perceptions of Privacy and Surveillance in the COVID-19 Pandemic, MIT, CORNELL UNI., May 20, 2020 (Working Paper). 441 Raymond Zhong, China’s Virus Apps May Outlast the Outbreak, Stirring Privacy Fears, NY Times, May 26, 2020, https://www.nytimes.com/2020/05/26/technology/china-coronavirus-surveillance.html. 442 Id.







https://www.wired.com/story/covid-19-ios-apps-privacy/



https://www.nytimes.com/2020/05/26/technology/china-coronavirus-surveillance.html

443 Id. 444 Id. 445 Id. 446 Id. 447 Supra note 437. 448 Id. 449 Id. 450 Id. 451 Id. 452 Id. 453 Id. 454 Id. 455 Id. 456 Supra note 437. Baobao Zhang and Nina McMurry are members of the Department of Political Science at the Massachusetts Institute of Technology. Sarah Kreps is a member of the Department of Government at Cornell University. 457 Id. at 1. 458 Id. at 3. 459 Id. at 5. 460 Id. at 9. 461 Id. at 3. 462 Id. 463 Id. 464 Joseph Marks and Tonya Riley, The Cybersecurity 202: Coronavirus Tracking Apps Spark Security Concerns, The Washington Post (May 5, 2020, at 7:43 AM EDT), https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/05/05/the-cybersecurity-202-coronavirus-tracking-apps-spark-security-concerns/5eb05603602ff15fb00246d2/. 465 See id. (“We know these apps are going to be buggy when they come out and that’s a cause for concern,” said Jon Callas, senior technology fellow at the American Civil Liberties Union and a former cybersecurity executive at Apple. “They’re being rushed out in months if not weeks. I expect at least one horrible security or privacy thing to happen.”) 466 Id. 467 Id. (“Amnesty International’s U.K. Director Kate Allen warned in a statement the United Kingdom's app is ‘opening the door to pervasive state surveillance and privacy infringement, with potentially discriminatory effects.’”) 468 Id. (a slew of commercial apps for checking coronavirus symptoms and sharing information about the disease ask for far more information such as users’ age, gender and zip code, all of which can be used to figure out a person’s identity.”) 469 Glenn A. Brown and Shalin R. Sood, Business in the Time of COVID-19: US Cybersecurity and Privacy Issues for You to Consider, THE NAT. L. REV., Vol. XI Num. 56 (Feb. 25, 2020), https://www.natlawreview.com/article/business-time-covid-19-us-cybersecurity-and-privacy-issues-you-to-consider. 470 Jessica Davis, Congressional Bills Target COVID-19 Contract Tracing App Privacy, HEALTH IT SECURITY, May 18, 2020, https://healthitsecurity.com/news/congressional-bills-target-covid-19-contract-tracing-app-privacy. 471 Id. 472 Id. 473 S.3663 - COVID-19 Consumer Data Protection Act of 2020, CONGRESS.GOV, https://www.congress.gov/bill/116th-congress/senate-bill/3663 (last accessed May 31, 2020). 474 Id. 475 Id. 476 Jessica Davis, Congressional Bills Target COVID-19 Contact Tracing App Privacy, HEALTH,IT, SECURITY (May 18, 2020) available at https://healthitsecurity.com/news/congressional-bills-target-covid-19-contract-tracing-app-privacy 477 See id. (“‘Importantly, the bill ensures an individual's right to seek redress for violations, and it bars against the use of pre-dispute arbitration agreements,” Justin Brookman, director of Consumer Privacy and Technology Policy for Consumer Reports, said in a statement. “These measures will help individuals trust contact-tracing or proximity-tracing programs, and they can serve as a model for more comprehensive protections down the road.’”) 478 S.3663 - COVID-19 Consumer Data Protection Act of 2020, CONGRESS.GOV, https://www.congress.gov/bill/116th-congress/senate-bill/3663 (last accessed May 31, 2020) 479 Supra note 470. 480 Id.





481 See id. (“‘It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk,’ [Tennessee Senator] Blackburn said in a statement. “Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.’”) 482 Chen, supra note 270. 483 This has also been echoed by researchers in this area. See, e.g., Simpson, supra note 41 at 682-84 (discussing the cost to both industry and consumers for data breaches). 484 Survey Results at 4. 485 Respondents were asked to indicate all that apply, so they percentage points add up to greater than 100%, indicating that at least some respondents had access to multiple remedies. In addition, some respondents indicated that they didn’t not know (or refused to answer – 9%) and almost 20% indicated that they had other options available. 486 However, part of the challenge in developing a scheme is that many individuals don’t even realize all the different ways that one’s credit score can be damaged. 487 The next highest level of trust was displayed by those 65 and over who registered their trust levels at 47% (Survey Results at 49). 488 Survey Results at 61. 489 https://www.edelman.com/sites/g/files/aatuss191/files/2019-07/2019_edelman_trust_barometer_special_report_in_brands_we_trust.pdf 490 https://www.internetsociety.org/resources/doc/2019/trust-opportunity-exploring-consumer-attitudes-to-iot/ 491 https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/ One note of caution about the results: the information compiled for the West Virginia survey was performed by researchers at the WVU College of Law. As such, the questions, data and methodology was not the same as what was done by other surveys. 492 Qualitative research is not really interested in size, rather it’s trying to go for depth. It’s trying to get a deep understanding of what people understand on an issue. It also allows us to cover a variety of situations and experiences. 493 For instance, __ a marketing major noted that she appreciated the fact that companies accessing her information could then provide her with targeted advertising that fit her needs. ___, a second year medical student discussed the benefits of data to advance medical research and procure life-saving measures. 494 For the final focus group session, in Morgantown WV, we added a few follow up questions surrounding certain topic areas. These questions were added based on the initial feedback we received in the initial focus groups, indicating that participants wanted more in-depth information comparing data privacy concerns to more traditional privacy concerns. 495 These participants were recruited using the university’s internal communications systems. 496 Kate O’Flaherty, Apple’s Stunning iOS 14 Privacy Move: A Game Changer for all iPhone Users, Forbes (Jan. 31, 2021). 497 GDPR Art. 7, Conditions for consent, https://gdpr-info.eu/art-7-gdpr/. 498 Id. 499 Id. 500 Bauer, supra note 42, at 820. 501 California Consumer Privacy Act (CCPA), https://oag.ca.gov/privacy/ccpa. 502 Id. 503 Id. 504 Id. 505 A Private Right of Action is Key to Ensuring that Consumers Have Their Own Avenue for Redress, New America (2021), https://www.newamerica.org/oti/reports/enforcing-new-privacy-law/a-private-right-of-action-is-key-to-ensuring-that-consumers-have-their-own-avenue-for-redress/#:~:text=With%20a%20private%20right%20of,sue%20the%20violating%20company%20directly.&text=24%20The%20California%20Consumer%20Protection,result%20of%20the%20company's%20negligence. 506 Id. 507 Id. 508 Id. 509 Id. 510 Bauer, supra note 42, at 820. 511 Id at 821. 512 Id at 820. 513 FEDERAL TRADE COMMISSION, FTC Recommends Congress Require the Data Broker Industry to be More Transparent and Give Consumers Greater Control Over Their Personal Information, FTC.gov (May 27, 2014), https://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more 514 Id.

https://www.edelman.com/sites/g/files/aatuss191/files/2019-07/2019_edelman_trust_barometer_special_report_in_brands_we_trust.pdf

https://www.edelman.com/sites/g/files/aatuss191/files/2019-07/2019_edelman_trust_barometer_special_report_in_brands_we_trust.pdf



https://gdpr-info.eu/art-7-gdpr/

https://oag.ca.gov/privacy/ccpa





515 See, e.g., Brittany Martin, The Unregulated Underground Market for Your Data: Providing Adequate Protections for Consumer Privacy in the Modern Era, 105 IOWA L. REV. 865 (2020). 516 Id. at 897. 517 According to the Wall Street Journal, this is not a new proposal: “For years, consumer privacy advocates have pushed the idea of so-called nutrition labels for devices. Instead of telling consumers how much vitamin B or C a product has, these labels would tell the prospective purchasers how their data will be used and by whom.” https://www.wsj.com/articles/imagine-a-nutrition-labelfor-cybersecurity-11607436000?mod=lead_feature_below_a_pos1 518 Mary Kraft, Comment, Big Data Little Privacy: Protecting Consumers’ Data While Promoting Economic Growth, 45 U. DAYTON

L. REV. 97, 121 (2020). 519 We are not alone in suggesting that policy makers rely on pre-existing models. See, e.g., Cameron Kerry, Why Protecting Privacy is a Losing Game Today—and How to Change the Game, Brookings Institute (July 12, 2018) available at https://www.brookings.edu/research/why-protecting-privacy-is-a-losing-game-today-and-how-to-change-the-game/#_edn4 520 For instance, we would not suggest that the state of West Virginia should develop a data privacy law akin to the GDPR. The sheer scope of the constituents the law has to cover would render that unworkable. However, looking to the work of other state legislatures, to see the work that they have done to address the needs of their particular stakeholders, would be informative. 521 Darrell M. West, What is Artificial Intelligence? A Blueprint For the Future of AI Series, Brookings (2018), https://www.brookings.edu/research/what-is-artificial-intelligence/ . 522 Id. 523 Comment from Sam Perl, Feb. 15, 2021 (document on file with author). 524 Mandeep Kaur, What is an API and why are they important to developers? Medium, (Sep 19, 2018), https://medium.com/@mandeepkaur1/what-is-an-api-and-why-are-they-important-to-developers-98ad18d45b93. 525 Id. 526 Id. 527 Exposure Notifications: Using technology to help public health authorities fight COVID‐19, Google (2020), https://www.google.com/covid19/exposurenotifications/. 528 Id. 529 Id. 530 See Clickwrap: Everything You Need to Know, Upcounsel (2020), https://www.upcounsel.com/clickwrap. 531 Gizelle Fletcher, 5 Components of an Enforeceable Clickwrap Agreement, Pactsafe (2019), https://www.pactsafe.com/blog/5-components-of-an-enforceable-clickwrap-agreement. 532 Id. 533 Id. 534 See Christopher Sirk, What is CRM? Definition and a Beginner’s Guide to CRM, CRM.ORG (2021), https://crm.org/crmland/what-is-a-crm 535 https://us-cert.cisa.gov/ncas/tips/ST04-001 536 What is Data Analysis? Research, Types, Methods, Techniques, Guru99 (2021), https://www.guru99.com/what-is-data-analysis.html. 537 See What is a Data Lake? Examples and Solutions, Stitch (2021) https://www.stitchdata.com/resources/what-is-data-lake/; https://www.bluegranite.com/blog/bid/402596/top-five-differences-between-data-lakes-and-data-warehouses 538 See Definition of Data Mining, The Economic Times (2021), https://economictimes.indiatimes.com/definition/data-mining; https://www.sas.com/en_us/insights/analytics/data-mining.html#:~:text=Data%20mining%20is%20the%20process,relationships%2C%20reduce%20risks%20and%20more 539 See Alexandra Twin, Reviewed by Amy Drury, Data Mining (Sep 20, 2020), https://www.investopedia.com/terms/d/datamining.asp 540 See What is a data set? IBM (2021), https://www.ibm.com/support/knowledgecenter/zosbasics/com.ibm.zos.zconcepts/zconc_datasetintro.htm. 541 See Id. 542 See Id. 543 See Id. 544 What is IoT? Defining the Internet of Things (IoT), Aeris India (2021), https://www.aeris.com/in/what-is-iot/. 545 See What is Data Processing? Talend (2021), https://www.talend.com/resources/what-is-data-processing/ 546 See Craig Mundie, Privacy Pragmatism; Focus on Data Use, Not Data Collection, 93 FOREIGN AFF. 28 at 34 (2014).

https://www.brookings.edu/research/what-is-artificial-intelligence/


https://www.google.com/covid19/exposurenotifications/

https://www.upcounsel.com/clickwrap

https://www.pactsafe.com/blog/5-components-of-an-enforceable-clickwrap-agreement

https://crm.org/crmland/what-is-a-crm

https://us-cert.cisa.gov/ncas/tips/ST04-001











https://www.investopedia.com/terms/d/datamining.asp



https://www.talend.com/resources/what-is-data-processing/

547 See President’s Council of Advisors on Science and Technology, supra note 43, at x, 19. See also Mundie, supra note 541. 548 Uniform Law Commission, Draft, Collection and Use of Personally Identifiable Data (October 2020), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=dc8d8001-c53c-548e-1781-612161008619&forceDialog=0.

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=dc8d8001-c53c-548e-1781-612161008619&forceDialog=0

https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=dc8d8001-c53c-548e-1781-612161008619&forceDialog=0

data privacy issues in west virginia and beyond: a

Documents