Dec 09 2021

Q&A: A Data Privacy Lawyer Explains How to Prepare for Forthcoming Privacy Laws

A partner at the Dorsey & Whitney law firm explains how to manage current and future compliance risks.

On Nov. 1, China’s first comprehensive privacy law — the Personal Information Protection Law (PIPL) — went into effect. While it resembles parts of the European Union’s General Data Protection Regulation (GDPR), it also differs in key areas. As more countries and states pass variations of existing privacy laws, it becomes increasingly challenging for higher education leaders to manage an evolving privacy compliance landscape.

Without umbrella privacy legislation, universities and colleges must regularly maintain and update privacy programs to ensure compliance with multiple regulations and legislation.

In a Q&A with EdTech: Focus on Higher Education, Deborah Howitt, a partner at the Dorsey & Whitney law firm who specializes in data privacy, offers advice on how to manage current and future compliance risks.


EDTECH: How should higher ed begin preparing for the growing number of privacy acts?

HOWITT: Numerous states are in the process of evaluating their own data privacy and security legislation, so we anticipate several other state bills to pass into law soon.

To prepare for this, universities and colleges might be able to leverage work they have already done for the GDPR, the California Consumer Privacy Act and the recently enacted Virginia Consumer Data Protection Act and Colorado Privacy Act. Several of the laws or proposed bills in other states track many of the best practices common to other privacy laws around the world.


EDTECH: What are some common best practices?

HOWITT: Entities may want to focus their preparation on common elements such as:

  • Understanding and creating a data map of all “personal information.” This includes all information within the entity’s possession or control, as this is now very broadly defined. This applies to any information that relates to an identified or identifiable person or household, which is significantly broader than what was traditionally understood.
  • Developing and implementing a comprehensive privacy notice. The notice should describe, in detail, the personal data collected and how it is used and disclosed.
  • Ensuring contracts include necessary provisions. Any contracts related to the sharing of data with service providers or vendors must contain all necessary provisions. (These vary somewhat among the laws.)

  • Implementing an intake and response process for data requests. People will have broad rights to access, correct, export and delete their personal data and to opt out of the “sale” of their personal data (broadly defined to include most forms of data monetization).
  • Allowing individuals to exercise rights to opt-in or opt-out. This applies to the processing of various data, which differs under state laws. It includes targeted advertising and the handling of sensitive data categories such as race, sexual orientation, health, sex life and biometric data.
  • Confirming that they have an incident response plan. This requires institutions to have appropriate data security policies and to be prepared for more requirements relating to security breaches and breach notification. This often means supplementing existing requirements under existing law.


EDTECH: What are some privacy legislation variations that institutions should be mindful of?

HOWITT: There remains some variation in the details of each of the state laws. For example, the opt-out of sale rights generally includes a right to opt out of certain types of advertising. But in Colorado, companies will also be required to support certain automated signals (such as a browser setting) that indicate a user’s desire to opt out.

Separately, the specifics of what is considered a “sale” under these state laws may continue to evolve. So will the specifics about how to comply with the right to opt out. And it is unclear how consistent this will be as other states pass new laws.

Additionally, there are specific requirements relating to AI and biometrics. As the definition of “sensitive” information continues to evolve, it may be increasingly subjected to diverse requirements that vary state by state.


EDTECH: What kind of enforcement considerations should institutions be mindful of?

HOWITT: Much of the data subject to specific federal regulation or long-standing state laws (such as the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, mental health laws and the like) is likely excluded from new state consumer privacy laws.

Finally, most of the state consumer privacy laws do not allow individuals to sue when there are violations. Only the attorneys general or state agencies can enforce. That said, advocates are putting significant pressure on legislators to allow private lawsuits. There would be significant, additional risks if a state were to allow broad private enforcement rights.

What can higher education institutions do to prepare for these risks? Consider working with various internal stakeholders to determine what data is being handled and in what contexts. Understand what personal data is collected, how it is used, with whom it is shared and how it is protected. From there, institutions can develop appropriate policies and procedures that meet these common requirements — and get a head start on what will likely become the core of future state consumer privacy laws, as well as elements that will likely make their way into future iterations of education privacy laws.
