On September 12, 2023, Delaware became the 13th state to adopt a consumer data privacy act, joining Florida, another state that recently adopted consumer privacy laws, and others in providing resident consumers with rights regarding their personal information. Delaware’s Personal Data Privacy Act (the “PDPA”) goes into effect on January 1, 2025, but businesses should not be lulled into a false sense of security about the timeline: the Delaware Department of Justice will begin a public outreach campaign on July 1, 2024, to educate consumers about their rights. Businesses should expect residents of Delaware to know their data privacy rights and how to exercise them.
Additionally, the PDPA may apply to a larger number of businesses compared to other data privacy acts. Not only is Delaware a popular state for forming a business (businesses often enjoy certain tax benefits there), but the threshold to be subject to the PDPA is low compared to other data privacy acts. Businesses that service residents of Delaware or operate in Delaware and either (1) control or process the personal data of 35,000 or more residents; or (2) control or process the personal data of 10,000 or more residents and derive more than 20% of their gross revenue from the sale of personal data, are subject to the PDPA.[1] Compared to the California Consumer Privacy Act (“CCPA”), which applies to businesses operating in California that (1) have a gross annual revenue more than $25 million; (2) handle the personal information of 100,000 or more residents; and (3) derive at least 50% of their annual revenue from selling or sharing that personal data, the PDPA is more likely to apply to more businesses.
Data Privacy Moves Among Key Companies, Business Sectors
Not only are new consumer data privacy acts, like the PDPA, contributing to the complex web of data privacy laws, businesses should also consider how new technologies are increasingly changing the ways data is collected, used, and shared. Increasingly, collected data isn’t limited to what we share through our computer screens or even related to the services or products being used. Understanding how and why data will be collected in the future will help guide your policies and procedures regarding consumer data.
In recent news, X, formerly Twitter, disclosed that it intends to collect more data from users, such as biometric data, employment history, and search history. The social media platform announced changes to its privacy policy that would take effect on September 29, 2023, but a deeper review of the terms revealed the extent of X’s intent to capture more personal data.[2] Although casting a wide net for consumer data isn’t uncommon, the focus on personal data like employment history and search history isn’t — especially for a social media platform like X.
In other news, the Mozilla Foundation, a nonprofit organization researching compliance with privacy standards, surveyed car manufacturers’ privacy practices.[3] The report found that car manufacturers were collecting data sets from their drivers that were not necessarily related or necessary to operating a vehicle, such as calendar information, personal photos, generic information, and immigration status. Further, the report claims that 84% of manufacturers surveyed shared collected data with third parties and data brokers, and 76% of the surveyed manufacturers claimed the right to sell personal data collected.
In addition to the trend of over-collecting data beyond what is necessary or relevant to the service or product being used, there has also been a shift toward feeding collected data to artificial intelligence. X intends to use data collected under its updated privacy policy to train its proprietary machine learning or artificial intelligence models.[4] Similarly, Zoom updated its terms of service to permit the remote conference service to use data collected from users to train or test artificial intelligence or machine learning.[5] Interestingly, after media coverage and public backlash, Zoom clarified that it would not use a user’s audio, video or chat data to train its models without customer consent.
Conclusion
More than ever, businesses need to maintain a comprehensive and current privacy policy to navigate the increasingly complex state of data collection. Any business utilizing modern web design tools (like cookies and web beacons), sharing user data with third parties (like payment processors), or collecting data beyond the obvious scope of the service or product being provided is likely collecting more user data than it realizes. Not only does a privacy policy explain to users how and why a business collects and/or shares their data, but it also helps businesses comply with data privacy acts like the PDPA by housing required disclosures and statements regarding consumer rights.
Finally, businesses should regularly monitor how and why data is collected and/or used by other companies, including their peers, competitors, and service providers — not only to be knowledgeable on competitive practices but also to anticipate how new technologies could violate data privacy laws. Often, the fine line between what is acceptable and unacceptable continues to be blurred.
[1] https://legis.delaware.gov/json/BillDetail/GenerateHtmlDocument?legislationId=140388&legislationTypeId=1&docTypeId=2&legislationName=HB154
[2] https://www.fastcompany.com/90947743/twitter-x-privacy-policy-biometric-data-elon-musk
[3] https://www.theverge.com/2023/9/6/23861047/car-user-privacy-report-mozilla-foundation-data-collection
[4] https://www.socialmediatoday.com/news/x-adds-new-privacy-policy-notes-biometric-info-job-history-and-ai-model/692518/
[5] https://stackdiary.com/zoom-terms-now-allow-training-ai-on-user-content-with-no-opt-out/