USA: States move forward with amendment bills and privacy legislation in Vermont and Maine
July 2020 has begun as a busy month with Vermont's Senate Bill ('SB') 110 for an Act Relating to Data Privacy and Consumer Protection ('the Breach and Student Privacy Act') taking effect on 1 July 2020, amending Vermont's data breach law and creating a student data privacy law. Additionally, Maine's Legislative Document ('LD') 946 for An Act To Protect the Privacy of Online Customer Information ('the Online Information Act') took effect on 1 July 2020, establishing requirements for internet service providers ('ISPs').
Vermont: Student privacy and strengthened breach notification requirements
Breach notification requirements
The Breach and Student Privacy Act is divided into two main sections, the first of which focuses on privacy and security breach notification. Among other things, the Breach and Student Privacy Act amended various definitions so that login credentials are now a protected piece of personal information. Moreover, the Breach and Student Privacy Act amended the definition of personally identifiable information ('PII') to include:
- unique biometric data generated from the measurements or technical analysis of human body characteristics used to identify or authenticate the consumer, such as a fingerprint, retina or iris image;
- genetic information; and
- health records or records of a wellness program or similar program of health promotion or disease prevention which includes a health care professional's medical diagnosis or treatment of the consumer or a health insurance policy number.
Furthermore, the Breach and Student Privacy Act adds requirements with respect to the unauthorised acquisition of login credentials. Among other things, it requires data collectors that own or license computerised PII or login credentials that include personal information concerning a consumer to notify affected consumers within 45 days after discovering, or being notified of, the breach. Moreover, the Breach and Student Privacy Act provides that, for security breaches limited to an unauthorised acquisition of login credentials, data collectors need only notify the Vermont Attorney General or the Vermont Department of Financial Regulation.
Student data privacy
With respect to student privacy, the Breach and Student Privacy Act outlines prohibited practices for operators of an internet website, online service, online application, or mobile application, which include:
- engaging in targeted advertising based on information that the operator has acquired because of the use of that operator's site, service, or application for PreK–12 school purposes;
- using information that is created or gathered by the operator's site, service, or application to amass a profile about a student;
- selling, bartering, or renting a student's information; and
- disclosing covered information, unless the disclosure is made for a legitimate purpose and is proportionate to the identifiable information necessary to accomplish the purpose.
Maine: Online Information Act ensures ISP compliance
The Online Information Act, which applies to providers operating within Maine when providing broadband internet access service to customers that are billed for service received in Maine and are physically located in Maine, regulates the actions of ISPs by providing protection for customer personal information. In particular, the Online Information Act defines customer personal information as information which includes PII such as the customer's name, billing information, social security number, and demographic data, as well as information from a customer's use of broadband internet access service, such as the customer's usage and web browsing history, precise geolocation information, financial information, health information, information pertaining to the customer's children, or information pertaining to the customer's device identifier, among others.
More specifically, the Online Information Act prohibits ISPs from using, disclosing, selling or permitting access to such customer personal information unless the customer has expressly given their consent, or for other limited but permitted circumstances such as responding to emergency situations. In addition, the Online Information Act prohibits ISPs from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale, or access of their personal information.
Although the Online Information Act took effect on 1 July 2020, the Maine Attorney General, in light of the COVID-19 ('Coronavirus') pandemic, has delayed enforcement until August 2020 in order to allow ISPs time to take the steps necessary to ensure their compliance.
Iana Gaytandjieva, Privacy Analyst