Insights: Publications 3 Key Takeaways | Privacy in a Flash: Keeping Up with Rapid Changes in State Laws
Kilpatrick’s John Brigagliano recently spoke at the Association of Corporate Counsel (ACC) DFW Annual In-House Symposium in Frisco, Texas. John spoke on the topic of “Privacy in a Flash: Keeping Up with Rapid Changes in State Laws” where he addressed how in-house counsel can navigate the rapidly shifting landscape in state privacy regulation while reducing compliance costs, enabling business objectives, and minimizing legal risks.
Key takeaways from John’s presentation include:
1. Shifting privacy risk in vendor contracts requires redrafting or negotiating form language. First, standard provisions that require mutual compliance insufficiently protect customers. Customers with sufficient leverage should instead require vendors to not cause the customer to violate applicable privacy laws. Second, damages arising from security incidents aren’t captured through breach notice costs. Customers should exclude such damages from liability limits and caps. Participants in the crowd generally considered “supercaps” on security incident damages of $5 million to $20 million to provide sufficient coverage (depending on the nature of their business).
2. Don’t take a myopic approach to privacy compliance. Legal media and third-party vendors tend to heavily focus on newly passed state consumer privacy laws as a primary driver of privacy compliance. That overstates the risks presented by those laws for several reasons. For example, those laws are largely interoperable. Any newly passed law therefore presents, at most, marginal new compliance requirements. Those consumer privacy laws also lack private rights of action and contain many exceptions.
3. AI training presents unique privacy risks. Companies using personal data to train AI products must consider privacy alongside other legal risks. We discussed several challenges to doing so. Establishing sufficient rights in such personal data can be difficult as upstream third-party contracts and prior notices delivered to consumers may limit the company’s use of personal data. In terms of privacy operations, companies should evaluate whether their privacy rights operations (i.e., data governance) and controller-processor designations account for any use of personal data for AI training.
For more information, please contact:
John Brigagliano, jbrigagliano@ktslaw.com
Related People
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.
