State Privacy Laws (Part 2)

Question 1

What must online platforms consider under the California Age-Appropriate Design Code Act?

Answer 1

The best interests of child users.

Question 2

What does the Act prohibit by default regarding location data?

RE: California Age-Appropriate Design Code

Answer 2

Collecting, sharing, or selling children’s location data.

Question 3

Name five types of data breaches.

Answer 3

• Unintended disclosure
• Hacking/malware
• Payment card fraud
• Insider threats
• Physical loss

Question 4

What are the four steps in incident response?

Answer 4

• Confirm
• Contain
• Notify
• Follow up

Question 5

What are signs that may confirm a data breach?

Answer 5

• Multiple failed logins
• Inactive account use
• Unknown programs/devices
• After-hours access

Question 6

What actions are involved in containment?

Answer 6

• Isolate traffic
• Recover items
• Purge emails
• Contact cybersecurity
• Document actions

Question 7

What must be considered before notifying individuals of a breach?

Answer 7

• Legal requirements
• Timing
• Content
• Risk mitigation
• Data lost

Question 8

What are examples of follow-up actions after a breach?

Answer 8

• Training
• Audits
• Plan analysis
• DLP tools
• Pen testing
• Simulated exercises

Question 9

What is OMB M-17-12?

(Office of Management and Budget)

Answer 9

An OMB memo titled: ‘Preparing for and Responding to a Breach of PII’.

Question 10

What team is central to the M-17-12 framework?

Answer 10

Privacy Incident Response Team

(PIRT)

Question 11

What compliance documents are part of breach prep?

Answer 11

• Privacy Impact Assessments
• System Security Plan
• Authority to Operate

Question 12

What key steps are in the breach response framework?

Answer 12

• Scope of breach
• Assess impact
• Mitigate risk
• Notify individuals

Question 13

What responsibilities do vendors have under M-17-12?

Answer 13

• Train employees
• Encrypt PII
• Notify agency of breach
• Cooperate in investigation

Question 14

What are common features of state breach laws?

Answer 14

• Define PI
• Covered entities
• Thresholds
• Exceptions
• Penalties

Question 15

What is the base definition of personal information (PI) across all states?

Answer 15

First name/initial + last name AND SSN, license/ID number, or account/card.

Question 16

Who must be notified in a data breach?

Answer 16

• Affected individuals
• State AGs
• Agencies
• CRAs (~2/3 states)
• Third parties

Question 17

What is the most common timeframe for notification?

Answer 17

Within 45 days; 30 days preferred for national firms.

Question 18

When can breach notification be delayed?

Answer 18

• When criminal activity is suspected
• Law enforcement requests delay

Question 19

What is Puerto Rico’s notification timeline?

Answer 19

Notify Department of Consumer Affairs within 10 days.

Question 20

What should breach notification contain?

Answer 20

• Event description
• PII affected
• Protection plan
• Contacts
• Identity theft resources

Question 21

What is substitute notification?

Answer 21

Public notice on website/media if individual notice is burdensome.

Question 22

When must CRAs be notified of a breach?

Answer 22

Typically when 500 to 10,000+ residents are affected depending on state.

Question 23

What are common exceptions to breach notification?

Answer 23

• HIPAA/GLBA coverage
• Compatible policies
• Encrypted/redacted data

Question 24

What changes did the FCC make to breach rules in 2023?

Answer 24

Broadened ‘breach’ and ‘covered data’ to include any unauthorized access, use, or disclosure.

Question 25

**When** must the **FCC be notified** of a breach?

Answer 25

Within **7 days** if 500 or more individuals are affected.

Question 26

What does **Utah SB 127** require?

Answer 26

Entities must report system security breaches to: * AG * Utah Cyber Center

Question 27

What change did **Texas** make under its **Identity Theft Act** in 2023?

Answer 27

**Shortened breach** notification deadline from 60 **to 30 days**.

Question 28

What is **Nevada SB 370**?

Answer 28

A consumer **health data privacy law**.

Question 29

Who is considered a '**regulated entity**' under Nevada SB 370?

Answer 29

Any **business in NV** or **targeting NV residents** that determines purpose and means of processing consumer health data.

Question 30

What is '**consumer health data**' under Nevada SB 370?

Answer 30

Data identifying a consumer's **physical or mental health status**. ## Footnote Examples: general health, surgeries, medications, vitals, gender-affirming care, biometrics, genetics, geolocation.

Question 31

What **obligations** do regulated entities have under **NV SB 370**?

Answer 31

* Privacy policy * Voluntary consent * Administrative/technical/physical safeguards

Question 32

What **restrictions** are placed on data use under **NV SB 370**?

Answer 32

* No sale or sharing without written consent * No geofencing within 1,750 feet of medical facilities

Question 33

What is **GIPA**?

Answer 33

Illinois' **Genetic Information Privacy Act**, enacted in 1998.

Question 34

What type of information counts as '**genetic information**' under **GIPA**?

Answer 34

Data from **physicals** and family **medical histories**.

Question 35

Which states (and one municipality) have **laws** regulating automated decision-making (ADM)?

Answer 35

* California * Colorado * Connecticut * Virginia * New York City

Question 36

What is **profiling** under Colorado law?

Answer 36

Automated processing of PII to evaluate or **predict economic, health, preferences, behavior**, etc.

Question 37

What are examples of **high-risk ADM** activities?

Answer 37

* Financial services * Housing * Insurance * Education * Justice * Employment * Health care * Essential goods

Question 38

How does **NYC** regulate **ADM in hiring**?

Answer 38

Requires transparency for '**automated employment decision tools**'. | (AEDTs)

Question 39

What is **NYC Local Law 144** also known as?

Answer 39

NYC Bias Audit Law or AEDT Audit Law.

Question 40

What is an **AEDT**?

Answer 40

Computational tool using **ML/statistics/AI** that assists or replaces hiring decisions.

Question 41

What are the **key audit requirements** under NYC Local Law 144?

Answer 41

* Annual * Independent * Assess disparate impact by race, ethnicity, and sex

Question 42

What **notice** must candidates receive?

Answer 42

**10-day notice** before AEDT use, with option for alternative evaluation.

Question 43

**Who** enforces NYC Local Law 144?

Answer 43

NYC Department of Consumer and Worker Protection | (DCWP)

Question 44

What is **Colorado's SB21-169**?

Answer 44

A law protecting consumers from **unfair discrimination in insurance practices**.

Question 45

What does **CO SB21-169** prohibit?

Answer 45

Insurers from using ECDIS, algorithms, or predictive models that lead to unfair discrimination. ## Footnote ECDIS: External Consumer Data and Information Services

Question 46

What is **ECDIS**?

Answer 46

**External Consumer Data and Information Services** used to supplement or replace underwriting factors.

Question 47

What is **required** from insurers under **CO SB21-169**?

Answer 47

A Governance and Risk Management Framework for ECDIS use.

Question 48

What must **insurers** document and submit under **CO SB21-169**?

Answer 48

Comprehensive records and reports to the Division of Insurance (DOI).

Question 49

What is **Verifiable Parental Consent**? | (VPC)

Answer 49

A process requiring reasonable efforts to ensure that a **parent is notified and authorizes** the collection, use, or disclosure of a child’s personal information.

Question 50

What **law** establishes the VPC requirement?

Answer 50

The Children’s Online Privacy Protection Act | (COPPA) ## Footnote Codified at 15 U.S.C. 6501 and implemented under 16 CFR 312.

Question 51

Under **COPPA amendments** what can parents consent to separately?

Answer 51

Parents may consent to data collection without consenting to data disclosure unless disclosure is integral to the service.

Question 52

Why is **VPC** required?

Answer 52

To give parents **control over what content children under 13** can access and how their data is collected or used.

Question 53

What are the **major requirements** for operators under COPPA?

Answer 53

Provide parents with **detailed direct notice** and **obtain affirmative express consent** before collecting personal data.

Question 54

What are **common methods** used for VPC that may reduce accessibility?

Answer 54

Submitting **a credit card number** or **government-issued ID** which can limit equitable access.

Question 55

What does **Texas’ SCOPE Act** regulate? | (Securing Children Online through Parental Empowerment Act)

Answer 55

Prohibits **sharing or selling minors' data** without parental consent.

Question 56

What does the New York **Child Data Protection Act** prohibit? | (CDPA)

Answer 56

It **restricts websites** and apps from collecting or selling data from **children under 18** unless COPPA-compliant or with informed consent.

Question 57

What is the **NAIC**? | (National Association of Insurance Commissioners)

Answer 57

A **standard-setting** organization that coordinates **multi-state insurance regulation**.

Question 58

What does **AIS stand** for in the NAIC AIS Governance Guidelines?

Answer 58

Artificial Intelligence Systems

Question 59

When did the NAIC issue the **AIS Governance Model Bulletin**?

Answer 59

December 2023

Question 60

What do the NAIC AIS Governance Guidelines **require** insurers to establish?

Answer 60

A documented **organization-wide AI governance framework** overseeing all AI systems.

Question 61

What are the **guiding principles** emphasized by the AIS Governance Guidelines?

Answer 61

* Transparency * Fairness * Accountability * Ethical use of AI

Question 62

**Who is accountable** under the AIS Governance Guidelines?

Answer 62

**Senior management** holds accountability for AI governance and compliance.

Question 63

What does '**proportionate controls**' mean in the context of AIS Governance Guidelines?

Answer 63

Controls should **match the level of risk and complexity** of AI applications.

Question 64

What must the **governance structure** address under the AIS Governance Guidelines?

Answer 64

Policies, procedures, and risk management across the AI development life cycle.

Question 65

What **third-party considerations** are included in the AIS Governance Guidelines?

Answer 65

Insurers must manage third-party AI vendors and service providers responsibly.

Question 66

How do the AIS Governance Guidelines address **consumer transparency**?

Answer 66

They require **notice to consumers regarding AI use** and ensure transparency in automated decisions.

Question 67

What is the **Iowa Consumer Data Protection Act** (2025)?

Answer 67

* A **business-friendly** privacy law effective 2025 * Does **not provide** a right to correct inaccurate data * Includes a **90-day** cure period

Question 68

What is the **Kentucky Consumer Data Protection** Act (2026)?

Answer 68

**Does not require** businesses to recognize **universal opt-out** mechanisms.

Question 69

What is the **Maryland Online Data Privacy Act** (2025)?

Answer 69

* A strong privacy law * Restricts sensitive data processing * Prohibits geofencing * Bans sale of covered health data

Question 70

What is unique about the **Minnesota Consumer Data Privacy Act** (2025)?

Answer 70

* Special profiling rights * Right to opt out of automated decision-making * Receive detailed explanations about profiling impacts

Question 71

What is notable about the **Nebraska Data Privacy Act** (2025)?

Answer 71

* It excludes **SBA-defined small businesses** * Has **no numerical** revenue or consumer threshold

Question 72

What makes the **New Hampshire SB 255** (2025) unique?

Answer 72

* Lower applicability threshold of **35,000 consumers** * Provides a **60-day** cure period

Question 73

What is the **Rhode Island Data Transparency and Privacy Protection Act** (2026)?

Answer 73

It imposes **transparency requirements** on commercial websites and ISPs **regardless of business size or thresholds**.