S4 E06: State Privacy Laws – What Regulators are Looking For


Transcript

Jordan Eisner  
Hello and welcome to another episode of Compliance Pointers. Here once again, joining me, your host, Jordan Eisner, is Matt Dumiak, our Head of Privacy and Marketing Compliance practices here at CompliancePoint, or as I like to call them collectively our head of regulatory, also known as the Privacy Prophet, although he’s been shy about that of late.


Matthew Dumiak  

You know, I love it. Good to see you, Jordan.


Jordan Eisner  

Yeah, yeah. Good to see you too, Matt. We are going to talk about some recent enforcements in the data privacy realm and some did reports out of Connecticut on what’s going on with their privacy law there and how they’re informing the masses.


Matthew Dumiak  

That’s right out of Connecticut.


Jordan Eisner  

As to why they put that in place and what’s going to be the result and how it’s benefiting consumers there. And then the big enforcement really we’re talking about is Disney.


Matthew Dumiak  

Yep.


Jordan Eisner  

And what maybe they were missing on and what other companies can do to avoid being in a similar situation. So where do you want to start?


Matthew Dumiak  

Yeah, sure. Well, I think we could start with Disney. I think it’s the the most succinct or straightforward. We can cover that high level. Then we can go into the Connecticut stuff if that sounds good.


Jordan Eisner  

I think that sounds good. And I, you know, an introduction of you. You need no introduction. I think people recognize you. The ponytail Privacy Prophet is probably enough, but it’s a good opportunity to remind everybody, especially if they can’t see you, because they go, oh, I know that guy. He’s everywhere.


Matthew Dumiak  

Is everywhere.


Jordan Eisner  

He’s a data privacy guy, but if they can’t see you and they only recognize your voice or don’t recognize your voice, and they need to know that you’re the director. As I mentioned earlier, you’re head of our regulatory groups here, but you’ve been working in and out of data privacy for more than 15 years.


Matthew Dumiak  

Yep.


Jordan Eisner 

You know, now that’s a whole range of different things from FTC/FCC type stuff to more modern day GDPR and state data privacy law. You advise our clients and hold several certifications in this realm.
And I would say our clients too, just for reference for the folks here, range from small mid-size start-up tech companies all the way up to, you know, some of the bigger enterprise and Fortune brands that they would know today inside of financial services and all sorts of other industries that are processing PII, which is quite a lot. So there we go. That’s who you’re listening to, and he’s going to break down the Disney case for us.


Matthew Dumiak  

Great.
Yeah, great. And Jordan, when we were up in DC at that State of the Union that Ketch put on, and heard from Ketch with a K and heard from Michael Macko out of the Cal Privacy, he talked a little bit about this. So I think we had a little bit of a hint. He didn’t talk about Disney, but he talked about the focus of the Disney enforcement, which was, for those of you that don’t know, the largest CCPA enforcement at 2.75 million. But really what they focused on was the opt outs of do not sale, the do not sell opt outs. Obviously under California that’s a requirement.
And Disney’s approach to that. And when I bring up Michael Macko about the State of the Union, it was Cal Privacy’s focus on honoring those consumer requests through and across all verticals in which a business is selling personal information. So really like closing that loop. I think early on we saw a lot of businesses implementing a cookie preference center because the real focus, or a lot of focus, was on cookies and trackers on the website to say, OK, that’s a sale, or many of those are a sale. They’re publicly facing. You can go to the website, you can look at those and know what they are.


Jordan Eisner  

Right.


Matthew Dumiak  

If you’re either with an enforcement agency or a plaintiff attorney, anyway, all publicly focused.
This enforcement with Disney focused on, well, the different platforms they have, you know, Disney Plus being like Hulu, ESPN, Disney Plus, and how they were really navigating that or offering those rights to consumers to say, oh, you can opt out, but then you have to go through multiple steps to effectuate this opt out, you might have to go to different platforms to opt out, that type of thing. And then even going beyond that, the opt out of sale beyond just advertisers, it was also offline selling is what we would call that, and that was done through a number of ways, you know, Disney was conducting that in a number of ways as well. You know, the attorney, the AG’s office had some pretty interesting quotes about the enforcement in terms of like leveraging some Disney quotes again, not against them, but you know, kind of funny, interesting quips about Disney. But you know, kind of a kind of a, you know, being a little bit of a smart aleck, basically. But yeah, I was surprised by the enforcement.


Jordan Eisner  

Do tell. What do you mean?
What do you mean they like quoted Disney movies back to them? What are you saying?


Matthew Dumiak  

Yeah, I could take, they did. I could take a look online to look at what the enforcement said exactly. But yes, that’s what they were doing, was quoting like Disney taglines and things like that around this enforcement. And so that is based.


Jordan Eisner  

Oh yeah.
Trying to think of one now. For some reason, just the Cruella Deville song comes to my head.


Matthew Dumiak  

Yeah, well, and I thought that it further focused and reiterated that that’s where the AG’s office and the agency in California are going to be focusing, is the opt out of sale, and making that clear and conspicuous, and where someone is logged in. And this has been a focus, at least through commentary, that when someone is logged in to a platform and they opt out, businesses have an obligation to honor that, not just on that device, but across devices where they can, because that opt out can effectuate that. If you know, they know that, hey, if they’re logged in and they’re viewing it on their computer, but then they go and they view it on their smart TV and then they go view it on their phone, and they’re logged in through those entire experiences, you know who that consumer is. It’s really critical for businesses to be aware of the focus there, that those opt outs need to apply across those devices. You can no longer just say, oh, they were on their computer, then they were on their smartphone, then they were on their smart TV. Where you know the consumer identity, that opt out needs to be applied across the board.


Jordan Eisner  

Right. And they might make cheeky remarks.


Matthew Dumiak  

Right.
Exactly, exactly.


Jordan Eisner  

Which can sometimes hurt more.


Matthew Dumiak  

You know, it probably didn’t feel great, right? So.


Jordan Eisner  

Yeah.
Yeah, well, you know, money’s one thing. Pride’s another.


Matthew Dumiak  

Yeah, absolutely.
So I have one. It says consumers shouldn’t have to go to infinity and beyond to assert their privacy rights. In the press release.


Jordan Eisner  

It is. Is that Disney? I know they own Pixar, but.


Matthew Dumiak  

They own Pixar, yes, yes.


Jordan Eisner  

But today when Toy Story came out.


Matthew Dumiak  

They did not.


Jordan Eisner  

I mean, not that it really matters. It is. It’s just not what I think of when I think it is.


Matthew Dumiak  

They were so knowing that, knowing the history of that, well, it’s.
Yeah, well, it’s kind of an interesting history. I guess we shouldn’t go into that in the podcast, but the, you know, they were using Disney was using Pixar’s labs to develop that and they said they were working in partnership to release that movie and then the acquisition, you know, and Steve Jobs was headed up that studio.


Jordan Eisner  

Makes sense.
It’s like Toyota and Subaru.


Matthew Dumiak  

And had a really good relationship with Bob Iger. Yeah, yeah, exactly. So.


Jordan Eisner  

Yes, yeah, they do. They’re working on it. Your Subarus, I believe, are like 12% Toyota.


Matthew Dumiak  

Yeah.
12%, Hey, that must make them so. That’s why they’re so reliable. That’s the reliability part, so.


Jordan Eisner  

Yeah.
And then I think Toyota uses some of the all-wheel drive technology from Subaru.


Matthew Dumiak  

The symmetrical all-wheel drive out of the Subaru.


Jordan Eisner  

Yeah, Subaru is good about that. I miss our Outback a lot.


Matthew Dumiak  

They are, yeah. Yeah, I know. And my parents really like theirs.


Jordan Eisner  

Oh, it’s a great car.
All right, so anything else on Disney?


Matthew Dumiak  

No, I think we’ve covered it.


Jordan Eisner  

I just totally struck out on any good Disney quotes that whole segment. So I guess we’ll just go down to Connecticut.


Matthew Dumiak  

Yeah, let’s go over to Connecticut. So they have an annual reporting requirement where they look back on a year, so they’ve looked back on 2025, and they provide a report of any enforcement actions, what they’re seeing complaints about from consumers, any initiatives the AG’s office is undertaking as it pertains to the state privacy law, any amendments that are coming up, that type of thing that businesses should obviously be aware of, typical stuff. So as you can imagine, privacy rights is one, and that’s a leader, where consumers are saying, hey, I’m trying to, I’m trying to delete my personal information from a business.


Jordan Eisner  

What are the game complaints about?


Matthew Dumiak  

This I can’t either find a way to do that or they’ve declined it with not a lot of explanation of why.


Jordan Eisner  

Well, you don’t have to give the consumer the ability to delete the information, they just need to be able to request it.


Matthew Dumiak  

Yeah, absolutely. Yeah, request it. And then there are valid exemptions. I think consumers are complaining that they don’t even have the ability to make a request. Yeah, it’s good to call that out. So, even looking at the privacy notice or portals, they don’t even have the ability. So some privacy request complaints. Complaints about notices being unclear, so privacy policies. That’s probably a function of 19 state privacy laws, and these privacy policies are becoming really overly burdensome for consumers to read and review.
If you go look at a company’s privacy policy, I’ve seen some as long as 60 pages because they’re trying to cover all the state privacy laws one by one when they’re not really taking into account the other obligation to make sure that it’s a clear and easy to understand and easy to read privacy policy.
So there’s probably some of that mixed in, that there are so many. The patchwork of privacy laws is presenting some challenges, but also maybe businesses just aren’t even in front of it and they don’t have a privacy notice that has consumer rights. You know, you and I are on the front end sometimes from a sales perspective, we can go look at a website and see how an organization’s doing.
We see that oftentimes as well. We see dates from 2019, 2018 might have been a GDPR update, no state privacy update, that type of thing. Breaches, so data breaches as well is what they’re receiving complaints about that type of thing and that’s pretty typical. So that’s the type of thing they’re seeing and reporting on.


Jordan Eisner  

OK.


Matthew Dumiak  

Yeah.


Jordan Eisner  

Are other states doing that? Does California do that?


Matthew Dumiak  

California does not. They’ll provide a lot of education, and they’ll provide some periodic updates about notices they’ve sent out or the types of businesses they’ve sent notices to or inquiries to. But they don’t. I don’t believe they have this annual requirement to send out an official update about their privacy law or anything like that in California.


Jordan Eisner  

Do you know of any other states?


Matthew Dumiak  

No.


Jordan Eisner  

Why? This is just something that was part of the law.


Matthew Dumiak  

Yeah, exactly. And I, well, I think it’s part of the way the lawmakers would view to say, hey, let’s, we would like, yeah, exactly. Accountability, provide an update. What are consumers complaining about? Is it working? What is your focus areas? It’s helpful for consumers and businesses to get that type of report.


Jordan Eisner  

I like it.


Matthew Dumiak  

So, and that’s a good question. I haven’t seen any states that have this obligation, but I’ll double check. I just haven’t seen, like I’ve seen Connecticut’s a couple years in a row now. I haven’t seen any other states publish this type of report other than the periodic updates from California. But again, it’s not as an official update on their privacy law.


Jordan Eisner  

Yeah.


Matthew Dumiak  

So I think it’s an accountability measure, which I think is good.



Matthew Dumiak  

Yeah.


Jordan Eisner  

What else? What else were we supposed to cover?


Matthew Dumiak  

So we were going to talk about a little bit about, well, where are they focused? Oh, I could handle that at a high level. I mean there’s they’re focused similar to California. They’re focused on the opt out of sale.


Jordan Eisner  

Oh, oh, so connected here.


Matthew Dumiak  

Yeah, still Connecticut. They’re focused on that. They’re focused on.


Jordan Eisner  

We’re giving them as much attention as California and they’re one-hundredth the size.


Matthew Dumiak  

I know. But you know, we’ve got this interesting report out of the AG’s office.


Jordan Eisner  

I’m kidding. No hard feelings, Connecticut. I like you.


Matthew Dumiak  

Right. Well, it’s interesting you call that out. So they’ve got a couple things. They’ve got, they’ve got focus on opt out of sale. They’ve got focus on clear and conspicuous privacy notices.
All regulators are also focused on health information, health data, and minors and privacy. They’re focused on that. They have some initiatives underway. From an amendment perspective, it’s interesting you call out Connecticut. So you know, many of these states have this threshold surrounding the number of consumers you process as a business from their state, and whether or not you meet that, that’s sometimes what triggers if the business has to comply with the state privacy law. Connecticut’s was at 100,000 consumers.
So as you just called out, relatively small state, if you went number by number, we might have some pretty large clients, or there are pretty large businesses out there that may not process the personal information of 100,000 Connecticut residents. Now you get into website visitor data and things like that, that’s probably triggered, but there are going to be some that it doesn’t. Surprisingly, they’re lowering that threshold to 35,000 residents, realizing, Connecticut is realizing, that the 100,000 was frankly too high for a state their size.
So, you know, it’s interesting you called that out about, you know, the parity between California and Connecticut. Another thing that Connecticut had that we see a lot at the state level is the GLBA exemption: any entity that is regulated by GLBA was exempt. They’re exempt from many of the state privacy laws. So a lot of financial institutions are exempt from state privacy laws. Connecticut’s taking that down a notch. They’re saying, OK, we’re not going to have the entity level exemption anymore. What we’re going to have is that the data that’s covered by GLBA is exempt. So front end website data, marketing, that type of thing, before the GLBA is triggered, that data is now within scope of Connecticut’s privacy law if the overall law applies to the business. So they got some complaints from consumers, and some consumer advocacy groups, that felt like that exemption was too broad. Any entity covered by GLBA was exempt. So they’re bringing that down to data, which I think is interesting. I’m not aware of any other states that have softened that exemption, or would you say hardened that exemption? I don’t know, stripped down that exemption, if you will, from entity level to data level. I know it’s a matter of semantics.


Jordan Eisner  

Oh.


Matthew Dumiak  

Can see you thinking through it. It’s philosophical question really, but they’re bringing that down to data.


Jordan Eisner  

Yeah, they tightened it. They tightened it.


Matthew Dumiak  

Exactly, another one. With all the AI going on, businesses or controllers are expressly required to disclose in their privacy notices whether they collect, use or sell personal information for the purpose of training large language models.
I think that’s something that businesses need to think through because even if you’re not developing or you are, if you’re not a developer of AI, but you’re deploying it within your organization and your that personal information or that data and that personal information is training those LLMs.
That’s going to have to be disclosed in the privacy notice.
There are many times options under these AI products to not train the LLM, but you know, I think there are some things to do there about like, well, did you do that, or is it too late to pull that back?
That type of thing. So you know, of course there’s an AI nuance there. And then something that a lot of businesses find as a pain point and that we’re going to, we’re starting to see out of more states is that like Minnesota has this requirement, California.
Some others Rhode Island. Actually California doesn’t, but Minnesota, Rhode Island and now Connecticut is that consumers will have the ability to actually request the actual list of specific third parties the business has sold personal information to.
Some of the states will say, OK, you can do that at a categorical level. These other states, they’re starting to call that out and go, no, we want you to track and understand what specific third parties you’re selling data to so that the transparency, but then so that the consumers can go to those third parties and say, I know you have my personal information.
I want you to delete it. I want you to opt out, you know, whatever it might be. Now obviously you talked about it, right? Consumers have the ability to request, but there are exemptions. You know, that’s another one that as you know, for a business to operationalize that, that is something you really want to take some time and get in front of.
So doesn’t. It’s not an overnight exercise.


Jordan Eisner  

You’re basically like granting like right to transparency.


Matthew Dumiak  

Yes, specifically around the sale of personal information.


Jordan Eisner  

You know, like, yeah, but lifecycle transparency, right? Where it’s going, Yeah. Is that exist?


Matthew Dumiak  

Yeah. Where’s it go? Where’s it flowing? Yep, exactly. And we’re working.
We’re working with, we’re work. No, not to that degree. Absolutely not. I mean, it’s categorical. And so that’s what we’re working with a lot of clients on right now is like, OK.


Jordan Eisner  

Like with GDPR.


Matthew Dumiak  

Let’s offer we gotta get through the life cycle of this and maintain a list. You know, the website stuff is one thing and it goes beyond that too where it’s offline selling. So and you know, like I’ve been on the website, those cookies, trackers, all the technology on the website, it changes. It’s very fluid. So like, OK, when did this consumer visit and what did we share their?


Jordan Eisner  

Yeah.


Matthew Dumiak  

Who do we share their personal information with can be a challenge to track down. There are some techniques or some strategies you can take to do that proactively through some of these CMPs, but it’s a real concern and it’s something we’re focused on with our clients.


Jordan Eisner  

Hmm.


Matthew Dumiak  

Yeah. Even though it’s a limited number of states, it’s something that these states can really hook into and say, hey, we have this obligation, it’s unique to our state. How are you handling it and how are you handling it for our consumers, right? It’s one of those things that they can easily say, and they’ve said that time and time again, so.


Jordan Eisner  

Oh man.


Matthew Dumiak  

Yeah, good stuff.
I know riveting, I can tell.


Jordan Eisner  

What’s the likelihood of that, though?


Matthew Dumiak  

Of that type of thing, we’ll see. You know, California’s been the most active on the enforcement front. We haven’t seen a ton. I think some of that’s due to these cure periods that will fall off from these state privacy laws. I.


Jordan Eisner  

Just seems overburdensome.


Matthew Dumiak  

Yeah, yeah, absolutely. To a degree. But I think it’s also a strategy again for the states to say, hey, we have this unique requirement that we can take a look at and see how mature your actual privacy program is, right?


Jordan Eisner  

OK, this has been good.


Matthew Dumiak  

Fun stuff, yeah.


Jordan Eisner  

That’s all. Yeah, I wouldn’t go that far.


Matthew Dumiak  

Check out the Connecticut report from the AG’s office. OK, if you have trouble sleeping, crack that open.


Jordan Eisner  

Yeah, yeah, it’s, it’s, it’s, you know, this is probably gonna drop on a Wednesday. It’s Friday today, but to.


Matthew Dumiak  

What a way to close out the week.


Jordan Eisner  

I’m speaking to the future right now because when somebody’s hearing this, it’s into the future. It’s not the present. And I’m just saying.


Matthew Dumiak  

Mhm.


Jordan Eisner  

If you’re looking for a good read.
At night, the Connecticut Data Privacy Report.


Matthew Dumiak  

Yes.


Jordan Eisner  

OK, good reading material to put in ChatGPT and say summarize this please.


Matthew Dumiak  

Good reading material.


Jordan Eisner  

All right. Well, Matt, thank you. And for our listeners, if you’ve made it this far through the banter between Matt and myself, and probably nowhere near as enjoyable as we like to think it is, thank you. And if you have questions about any of these data privacy.


Matthew Dumiak  

I think I’ve seen some blogs out there.


Jordan Eisner  

Laws, reports, hypotheticals and theoreticals that we’ve discussed here. Please don’t hesitate. As Matt alluded to, he’s working through a lot of clients with a lot of the things we just mentioned there towards the tail end of this. But of course, on the front end too, anytime there’s enforcements, clients want to know how they can avoid them.
And if you’re somebody like that or you want to find out more about CompliancePoint services, please don’t hesitate to reach out. The easiest way is to go to our website, CompliancePoint.com and interact with us there. You can schedule calls with team members.
To learn more, but you can also e-mail us directly at connect@compliancepoint.com with any inquiries and we will respond rather quickly and hopefully get a conversation brewing. So Matt, thank you again until next time.


Matthew Dumiak  

Thanks for having me, Jordan.
