Updates and Changes in US State Privacy Laws for 2024 With Andrew Kingman

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hello, Justin Daniels here. I am a Shareholder at the law firm Baker Donelson, and I am a corporate M&A and tech transaction attorney. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 1:01

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You’re very giddy today.

Justin Daniels 1:40

Well, I guess it’s because we’re back at the podcasting/broadcasting business.

Jodi Daniels 1:44

We are we took a long Turkey break at this. And now Now we’re back. And so for anyone who is curious about the US State privacy party that is happening, we have just the guest for you today because we have Andrew Kingman, who specializes in privacy technology and cybersecurity issues in all 50 states at both the legislative and Attorney General levels. As a public policy advocate with experience in compliance, he brings a unique and substantive perspective to discussions on how best to increase consumer privacy protections while maintaining operational workability and cybersecurity protections for businesses. He is a nationally recognized thought leader in the field, and in 2020, he was one of 25 attorneys named to Massachusetts Lawyers Weekly Up & Coming Lawyers’ list. Well, Andrew, we are delighted that you are here today. And we’re excited to get started.

Andrew Kingman 2:42

Thank you both so much for having me.

Jodi Daniels 2:45

That’s your cue. Show business, there’s like different cues.

Justin Daniels 2:50

Well, you know, I’m oblivious to half the things I’m told by certain people. But having said that, Andrew, tell us a little bit about how your journey got you to where you are today.

Andrew Kingman 3:02

Yeah, I don’t know. Does anybody know how their career unfolded? I always say there’s, I don’t know if you guys are fans of the Eagles. But there’s this great documentary on the Eagles. And Joe Walsh, who’s the guitarist has this great quote, he said, he goes, there’s a philosopher and it’s definitely not a philosopher who says as you live your life and appears to be anarchy and chaos and random events smashing into each other and causing this situation or that and then this happens. And it just looks like what in the world is going on. And later you look back at it. It looks like a finely crafted novel, but at the time it didn’t. And I feel like that’s kind of my career in a nutshell. But, you know, I got my start working in state politics and on state campaigns for state reps here and our fair Commonwealth of Massachusetts and worked on a governor’s campaign, went down to DC but worked for a state government affairs firm there, went to law school decided I was leaving politics behind and state government behind I was gonna go to be a corporate litigator, did that for a couple years and decided I was not going to be a corporate litigator and then got back into the politics world. Like Michael in The Godfather, I got pulled back in here. So you know, I started when after law school, when I went back to politics I started working for AT&T and working on their public policy in northern New England. This was probably 2013, 14,15, 16. So at that point, ISP privacy started to be a big issue at the federal level, and we started to see some state bills and I got very interested in the privacy set of issues and kind of felt like that’s where a lot of, you know, kind of big existential questions were going to be talked about and decided and got the opportunity of by my mentor Jim Halpert, who is the namesake for The Office character, as he is more than happy to tell you, and he gave me an opportunity to work on this client, the state privacy and security coalition. And, you know, kind of a perfect mix of working on privacy, but you know, need somebody who knows how to walk the halls and state houses and talk to state legislators and, you know, lobby. And so it was really great. I took sort of a year-long sabbatical to help TikTok start their state policy group in 2021 to 2022. And then, when Jim went back to the White House to go serve in the Biden Administration, he asked if I’d come back and, you know, take over running SPSC. And so I opened my own shop last year, Mariner Strategies, and helped SPSC and a few other clients work on state cybersecurity and privacy issues in all 50 states. And the

Jodi Daniels 6:08

work that that state coalition does is incredibly valuable. When I started my privacy career, I had the great fortune of being able to participate in a number of those calls, way back when and tremendous work. So really grateful that it’s continuing here today.

Andrew Kingman 6:25

I think I think what I like about it is that, while I like a number of things, but I think the group, first of all, is a really great mix of you know, the legal team and the policy team. So you’re getting, you know, compliant, here are compliance issues with this with this problem, right? We there are plenty of other groups who are great at talking about the effects on the economy, if the bad bill passes, or this will inhibit innovation, we’re, you know, we really try to be substantive and operational in our critique. But the other thing I love is that we tend to try to be constructive, we’re not the no coalition, where the if you’re going to do this, let’s help you get to yes coalition. And that tends to be more rewarding in terms of being creative finding solutions to problems, you know, we’re more than happy to go and explain why VIP is a bad idea. No, don’t lose any sleep over that. But, you know, in general, we’ve worked, the group started working on data breach bills way back in the, you know, early 2000s, and has evolved to working on comprehensive privacy, children’s privacy, consumer health, privacy, as of last year, biometrics, you know, anything in that realm where we’re working?

Jodi Daniels 7:45

Well, 2023 kept you all really busy, because there were a number of different laws introduced and then actually passed and signed. So we’re curious, what are the biggest surprises in your mind from 2023?

Andrew Kingman 8:03

Yeah, you know, I think the biggest surprise was probably outside of the comprehensive world, the My Health, My Data in Washington state being passed, with a private right of action. And with the broad definitions, I think there was, you know, a general sense of disappointment among the business community that we weren’t able to do more to curb what, you know, I think will be a pretty problematic lot to implement. And I think we’ll, you know, pretty fundamentally change the way that consumers are gonna be using the internet in Washington state. And I think, you know, in the comprehensive world, I think other folks may have been surprised that so many red states passed privacy bills, right. And we had seven states. And, you know, right out of the gate, it was Texas, and Indiana, and Iowa, and Montana. And, you know, then we have Delaware and Oregon, you know, kind of pulling up the rear at the at the very end of session last year. That that was not particularly surprising to me, you know, over the past, you know, three to four years, as we’ve seen, you know, national dynamics around populism grow. On the more conservative side of the aisle, there sort of been this closed loop sharing about privacy between the right and the left, where, you know, it’s become a really bipartisan issue. So, you know, I think it’s not it was not particularly surprising to me, but I think for a lot of folks in the middle of session, you know, when we were in April, and it was like, oh, man, or is it just going to be red states this year, the past privacy bills, I think folks were, you know, feeling a little bit surprised by that. So, you know, we’ll we’ll see See what this coming year brings, I think it’ll continue to be a mix of red and blue. But again, this is something that’s a bipartisan issue, I sadly took the time to add up all of the votes of the comprehensive privacy bills in from, you know, Virginia through Delaware this year in all of the chambers that those bills went through. And the the final vote tally was 3140 to 30. So, you know, this is not a partisan issue, this isn’t an issue where, you know, there’s, there’s only one side of the of the coin. And if there is, it’s in favor of, you know, finding that balance and that framework that can work for everybody and put in some privacy protections for consumers and give them consumer rights but preserved this is ability to, to keep innovating and to, you know, to, to institute some norms in their businesses around privacy.

Jodi Daniels 11:06

On the Washington health law that you mentioned, and you thought that there would be some real challenges for companies, can we dive a little bit deeper in that, as someone who’s really intimately familiar with that law, perhaps you can share one or two of the or three of the big areas that companies should pay attention to? Or that you’re seeing companies really discuss anything that you can offer? I’m sure our listeners would really

Andrew Kingman 11:28

value? Yeah, I think I think there were three sort of, let’s put the enforcement aside, I think, you know, the issues on compliance are always exacerbated when you have a private right of action, right? Because you have to assume that it’s, you know, the enforcement, the compliance provisions are being thought of by trial attorneys, and not an attorney general’s office or folks with necessarily expertise. So putting enforcement to the side, I think, you know, three issues that jumped to mind that we worked on a lot, you know, one was the idea of the definition of consumer health data, which right now, and as pass is anything that could be used to identify anything about a consumers health in terms of, you know, vital signs, bodily conditions, or bodily functions, anything like that. And, you know, we worked hard, but to no avail, unfortunately, to try to get some intentionality added into that, right. So that a business has to actually be using that information, in order to fall within the scope of the act, that they actually actually be using information to make inferences about health, not just that, that information could be used to make inferences. So that’s one thing that I think companies should pay attention to is that this is a much broader scope than just, oh, this is non HIPAA health data, like running data, or my heartbeat, you know, my resting heartbeat or something like that. This, you know, could be the clothes that you buy the food that you’re buying, you know, I’m a type one diabetic. So theoretically, any piece of food that I buy has a health implication, right. So I think that can be challenging. I think the second piece is that, while the bill requires opt in consent for collection of this data, and, you know, we didn’t really have an issue at large, with the idea that, you know, sensitive health data should be subject to opt in consent. You know, this bill defines collection as any type of processing of data. So really, it’s consent for using this data at every stage. So at storage for deletion for any type of analysis that you’re doing beyond collection, the definite the definition of collection is any type of processing. So, you know, the way that that manifests itself in the audit compliance, I think there’s going to be very, very tricky. And then the third piece is that the definition of consumer includes anyone whose information is stored in Washington state, so you do not have to be a resident of Washington, if the company if you’re a company, and you have servers in Washington state, and you’re storing data from other residents and other parts of the company, other parts of the country. But the data that you’re storing could be considered health data under this bill, you know, there may be some compliance obligations for you there. So, you know, those are three things that we worked hard, and again, unfortunately, to no avail to change that, I think, you know, we’ll have some pretty big compliance effects and when the bill goes into effect, this coming year.

Jodi Daniels 14:47

Very helpful examples. Thank you so much for sharing.

Justin Daniels 14:52

One question that I was thinking about was, as you talked about, looking ahead to 2024, I’d love to get your view on handicapping how many more privacy laws get passed? And second is will we get to 50 before we have a federal law on privacy? Because as you pointed out, in my world, there are 52 different breach notification laws in this country, including Guam, and Puerto Rico, which is insane.

Andrew Kingman 15:18

Yeah, you know, I would expect I mean, last year, we had seven feels like, you know, somewhere around that numbers, probably fair to expect this year, could be more, you know, I would be surprised if it was less than, say, four. Only, because at this point, I think there is a framework that, you know, some consumer groups have supported that business is generally okay with and again, you know, it’s a nice win for the legislators as well to be able to do something on privacy that’s meaningful, and to generally have, you know, bipartisan support and not be, you know, I always joke the legislators, you know, particularly three or four years ago, before there was really an established framework, they would file legislation and file a privacy bill and think that they’d get visited by three or four companies. And, you know, in in January, they’d be looking like, you know, W or Obama in their first term. And, you know, by April that look like those guys in their last term, right, they gray and exhausted, and they’ve aged 10 years and four months. And, you know, it tends to be a pretty tough slog because of the amount of stakeholders that are that are invoked here. I have bad news for you on the federal side, which is that, you know, I don’t think many of us who are working on the policy side see much of a path for federal privacy in the next year or two. I would not be surprised if we end up with a data breach, like patchwork that have privacy laws, where, you know, there’s a general framework that most of the vast majority of states have adopted, and there are going to be some outlier requirements in each of those states. Right. But that, you know, to my mind, the more states that adopt a bill, the the actual the, the less likely that it is that the defendants are going to be prompted to move, right, because if there’s sort of a default national standard, then that lets them off the hook a little bit for, for better or for worse. I think we’d prefer federal, a federal bill. This point.

Justin Daniels 17:40

I wanted to ask you a follow up, which is yeah, we have a lot of guests come on the show and question we sometimes get into is for state legislatures, you know, they may have a variety of different priorities. Privacy could be one, something in agriculture could be one. Now, you know, AI is coming onto the scene, the latest sexy thing in technology. Can you kind of give us a little insight into how the state legislatures weigh what bills they want to make a priority versus other bills that kind of languish in the background? Because isn’t that kind of a roadmap as to how privacy became more of a front burner issue with all of the states that have passed privacy laws?

Andrew Kingman 18:28

Yeah, it’s great question and give you the, you know, the standard lawyer answer, which is it depends on the state.

Jodi Daniels 18:37

How does it feel to get that back?

Justin Daniels 18:39

What do you mean, I get that from you all the time, and you’re not a lawyer.

Andrew Kingman 18:42

I gave a talk at my high school a couple of weeks ago, on on this topic. And one of my old teachers, I had asked a question, you know, what do you think about privacy? What does it mean to you? Right? And she sort of gave an answer that wasn’t okay. I said, Well, that’s good. But like, let’s go a little deeper. And I got to say, this is so much fun. I get to finally, you know, be the one you did this to me 20 years ago. Now I get to be like, well, let’s, let’s try that out a little bit. Let’s tease out what you mean. So yeah, you know, it depends on the state. I think, external events and what’s kind of in the news determine a lot of what states think that they want to focus on. A lot of states have a biennium, right, a two year cycle in for many states, one of those years, it’s a budget year. And so, oftentimes, that year, they’re much more kind of, you know, blocking and tackling how are we funding this department? Why are we fixing our subway or, you know, whatever the budget priorities may be. And then the other the other year is kind of, you know, larger issue, less, you know, budgetary focused and so oftentimes in that session is when we’re getting a lot of the activity. You know, a lot of the states, sometimes we get questions from regulators, or advice we’ll give about how to get a bill done is to sort of say, you know, a lot of times it’s not a one year or one session thing, most of the states that have passed comprehensive privacy at this point, have we’re working on it for a few years, right? Texas representative Greg Leone had filed bills going back to 2018. Obviously, we know Washington state never got their bill across the across the finish line, you know, both Indiana and Iowa took a couple of years to do it. Montana had had privacy bills for a number of years. So oftentimes, it’s a multi year process. And through that process, you know, legislators are able to kind of get the right pieces in the right places. I think the other thing that legislators have been, have found success out is sort of outside of session, stakeholder groups, where you’re not getting, you know, so much of state policy is, is made in such a condensed period of time, right, you’ve maybe got four months from the start of the session to the end of the session in most states. You know, I live in Massachusetts, where we have a full time legislature, but that’s very much the exception, versus the norm. So you have, you know, kind of citizen representatives coming in and trying to handle very complex issues in a very condensed period of time. And, you know, having that offseason stakeholder group where you’ve got some consumer advocates, and you’ve got some business representatives, etc, being able to have those discussions without the crush of of session and the pressure of session, and they tends to lead to more success. So I’m not sure if that totally answered your question, and I’m happy to, to dig into it more. But I think I mean, you know, the the more patient that legislators are actually the faster that that that can happen.

Justin Daniels 22:01

It sounds to me like you made a couple real important points. One is these, the legislation that we see get passed, it’s usually the effort of being a kind of a privacy seedling legislative effort that grows into actually getting passed. And I guess the other interesting thought is for the layman or even Jodi, who participate in the space, what level of understanding, I mean, have you ever I’m sure you’ve seen some of the congressional testimony, big tech gives up on Capitol Hill? And all the media talks about is how silly some of the answers are. Because, you know, let’s be honest, the US Senate, it’s kind of like an old person’s retirement home with the average age. So I was just curious, on the state level, do you find engagement and thoughtfulness amongst the legislators or at least their staff are being pretty savvy and understanding these issues?

Andrew Kingman 22:52

Yeah, I mean, I think I think the vast majority of legislators are working really hard to understand this stuff. Right. And again, it is not easy when you are coming in for four or five months at a time and trying to get your arms around this. And, you know, when you know, when our advocacy is really like, well, you know, that’s not really how like a deletion. Right? Is operationalized on the back end, you know, internally are like, here’s why authenticating a consumer request is actually much trickier than you might think it is. I mean, yeah, of course, that stuff is hard for them to grasp onto and put it into the larger context. But I think the vast majority of legislators were one of the reasons I love working at the state level is there is still that altruism, right? I mean, it, you have to have a degree of altruism to get paid $500 to go get yelled at for five months by constituents and lobbyists and go to the rubber chicken dinners and do all of that work, right, you’ve got to want to do. And so, you know, I find that the vast majority of legislators are doing and in good faith and want to get to the right answer, and are really trying to understand the issues. You know, obviously they’re, you know, of course, you see exceptions to that. But, you know, overall, I think it’s a it’s a pretty good faith effort all around to try to, you know, get to yes and get to something that works for everyone.

Jodi Daniels 24:19

What are you hearing from the regulators, so when these wonderful legislators pass their legislation now we have regulators who are going to come in and try and say companies, make sure you’re doing XYZ? Are there any big themes that maybe aren’t making the headlines that people can be aware of?

Andrew Kingman 24:37

That’s a great question. Are there big themes? You know, I think, I think one of the things that we’re gonna be continuing to push back against this year, you know, unfortunately, some of the federal dynamics are coming into the state dynamics where you’re seeing more A bit more polarization and you’re seeing, you know, kind of politics over policy sometimes. I think one of the things that became clear last year, in particular, is that, you know, privacy is starting to become a place where larger cultural issues are getting hashed out. Right. So state privacy legislation, you know, does sensitive data cover reproductive health care information? Or what is the ramification of, you know, biometric data, you know, we don’t want a surveillance state type of concern, we’re gonna see it and are already seeing it in AI, where, you know, some blue states are really looking at, hey, we want to prevent, you know, systemic and disparate impact and discrimination. You know, some red states are more concerned about, we want to make sure speeches and suppressed and algorithmic algorithms are prioritizing particular types of speech over another. And so, you know, I think we’re gonna continue to try to keep the focus on the substantive and operational parts of privacy law and make sure that it works. And it’s kind of, to the extent possible, I mean, we very much understand that, you know, any legislation is going to reflect that state’s cultural values. And so we get that, but trying to keep the compliance obligations, at least out of the, you know, cultural, you know, circle or the cultural, you know, kind of cauldron.

Justin Daniels 26:37

You brought up the topic of, as my mom was calling it, the IA, which is so funny. Anyway, when we’re talking about AI, I actually read the CCPA AI regulations that were drafted and came out last week. And, the thought I had is, as I said earlier, you have all these competing priorities for legislation. Do you think we might see a trend where AI legislation gets bootstrapped into privacy legislation? Or do you think it will be something separate? Because I’m thinking as a policymaker, you have to have a strategy around Hey, there, you’ve got four months of time, they’ve got a finite attention span. What is the best way forward to do that? Or do I ended up if I do both Hey, it’s just a watered down bill, and I’ve really accomplished nothing.

Andrew Kingman 27:26

Well, first, my joke that I’ve been making that I’m putting out on this on this podcast, I know everybody in privacy listens to this podcast, is the I think the IPP is going to be changing its name next year to the AIPP. That’s trademarked, nobody else can use that, or? No, um, yeah, I think we, you know, privacy is very AI adjacent or vice versa. Right. And so I wouldn’t be surprised, you know, I think I think one of the things we’re going to see in any kind of emerging tech legislation moving forward is sort of the primacy of the data protection assessment. Right. And, and that’s going to with whatever, whatever type of new technology that’s going to emerge, having some internal documentation where you’re weighing the risks and benefits, you know, issues around disclosure and transparency are going to be there and AI, how much you know, of a company’s dataset do they have to make transparent, you know, how much of their methodology, those types of things. So I think many of the issues are going to be the same. I don’t see it being bootstrapped too much to privacy, I would know, like you, with interest that the California Privacy Protection Agency has noted that they are the de facto regulator of AI in the US going forward. That was a quote that they put out this past summer, so I didn’t, I was not aware that that was what the CPRA had done. But, you know, that was surprising. You know, beyond California, you know, I think that’s, you know, if we’re talking macro trends, that’s kind of another interesting point, right, that California, is a little bit on an island. And I think what they do, obviously has huge import on the compliance side, because they’re the world’s fourth largest economy. And so many businesses have major operations and offices there, but nobody else is really following what they’re doing right. Everybody else is kind of doing it a different way. Nobody, although the CCPA had been filed in a lot of different states. Nobody else adopted that. I think other states have been pretty wary of getting in the rulemaking world. You know, we’ve seen obviously Colorado, go down that path. have, you know, but otherwise, I don’t think any of the other states have rulemaking in there. So yeah, I don’t know what I we’re certainly going to see a lot of activity in AI this year, I think there are some trends that are starting to emerge, whether we see it bootstrapped on the back of privacy or working to a comprehensive privacy framework, not clear.

Jodi Daniels 30:26

We have a lot of crystal balls. We have AI, crystal ball, the privacy crystal ball, there’s a lot, a lot of crystal balls. With so much knowledge in the privacy space, we always like to ask, what is your best privacy or security tip?

Andrew Kingman 30:42

Yeah, I mean, to me, going back to the data protection assessment, I would say, if you, if your company is not does not have a process established for that already, I would get on board with that, because I, as I said, I think, you know, whether it’s privacy, whether it’s AI, whether it’s children’s privacy, that is going to be, I think, a central component of any compliance regime moving forward. And, you know, I think any of us who have either advised companies or worked out worked in companies who are working on data protection assessments, you know, it’s a huge process to put together, of course, across all of the business units. But you know, we’re just seeing it to your point with the CPA, you know, they explicitly call for a cross business unit group for their risk assessments, right. And to the extent where if you’re doing high risk processing, you have to explain why you didn’t consult external experts. And so, you know, I just think that to me, is going to be a central part of any privacy compliance program going forward, or any AI compliance program going forward. And the more you can start building into that, and normalizing that now, I think is probably for the best in good investment long term.

Jodi Daniels 32:10

There you go. DPA Central.

Justin Daniels 32:13

I was hoping he was gonna say, No your data, and then we could have that Red Clover t-shirt for our guest.

Jodi Daniels 32:17

Well, you could have DPA and know your data.

Justin Daniels 32:21

There you go.

Andrew Kingman 32:21

Listen, if you haven’t done data mapping yet, then good luck to you. Because as a company, because you know, a, if you don’t know by now, where your data is coming from, what you’re doing with it, and where it’s going, when it leaves, it’s going to be tough, and spend a lot of money on Red Clover and Mariner and other companies to help get you compliant.

Jodi Daniels 32:47

And you have to maintain it? Even if you do once, you gotta keep maintaining it because someone else in the business is doing something cool and interesting.

Andrew Kingman 32:54

I think those initial compliance costs are gonna get steeper and steeper, if you’re if you’re falling behind.

Jodi Daniels 32:59

I agree. What he said.

Justin Daniels 33:03

Are you can just pay me on the back end when I clean up the breach.

Andrew Kingman 33:08

As I said, we’re, you know, we’re trying to make sure your, your billables get.

Justin Daniels 33:16

So, when you’re not doing all of your public policy-making stuff in state legislatures for privacy, what do you like to do for fun?

Andrew Kingman 33:26

Yeah, well, you know, golf is my addiction, and like legislation, it is incremental, it is a masochistic undertaking that, you know, we only get for six months at a time up here, north of Boston. So that’s, that’s what I love to do. Let’s travel and play golf, love to spend time with my family. In the summer, we try to get out on the water as much as possible and, and take a breather and try to regroup from you know, my airline receiving a foreign for five-month increments.

Jodi Daniels 34:05

Well, we’re so grateful that you came and shared all this amazing wisdom with us. If people would like to learn more and follow you, where should we send them?

Andrew Kingman 34:13

Yeah, you can go to www.marinerstrategies.com. I am on whatever the platform is being known as now, at Andrew K 2342. We can might be X it might be Twitter. I don’t know. It might not be here by the time this podcast airs. Who knows? But you find me there and on LinkedIn and we love talking to new clients. My associate and I really enjoy this work and find it very rewarding to help solve companies problems and try to help them plan for what’s coming next. So thank you guys for all the work that you do, and for the opportunity to be here.

Jodi Daniels 34:52

Absolutely. Thank you.

Outro 35:00

Thanks for listening to the She Said Privacy/ Hee Said Security Podcast. If you haven’t already be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time