Nymity Framework: Privacy & Data Protection Update in 7 States

TrustArc
© 2023 TrustArc Inc. Proprietary and Confidential Information.
Speakers
Meaghan McCluskey, Associate General Counsel, Research, TrustArc
Daniela Sanchez, Privacy Research Lawyer, TrustArc
Agenda
○ State privacy landscapes and updates
○ Multi-state compliance challenges
○ Effective privacy risk management
○ Insights into coming changes and preparing for the evolving landscape
○ Q & A
Poll Time!
What is your organization's biggest challenge when it comes to multi-state data privacy compliance?
State-Specific Privacy Landscapes and Updates
● Texas is the only state that applies to individuals
● Scope: Applies to organizations ‘doing business’ in the state or ‘actively engaging in any transaction for financial or pecuniary gain or profit’
● California - Explanation in other Californian Laws
○ Tax Code: actively engaging in any transaction for the purpose of financial pecuniary gain or profit
○ Company must register with the California Secretary of State as a non-California company
○ Subject to court jurisdiction
● Other indicators:
○ Incorporation
○ Location
○ Employees or
○ Consumers
● CPPA explanation = plain language
Connecticut: Health information protection
● Prohibition - using a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility;
● Consent required to sell or offer to sell consumer health data;
● Prohibition on providing access to employees or contractors (exceptions apply)
California, Colorado and Connecticut: Non-monetary considerations are recognized as sales. Other states require valuable or monetary considerations.
Tennessee:
● Affirmative defense available for organizations facing enforcement under this act - organizations can argue that they maintain a privacy program that reasonably conforms to the NIST Privacy Framework.
Florida: Applies mostly to big tech companies and includes very specific requirements:
● Right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature;
● Prohibition on using a voice recognition feature, a facial recognition feature, a video recording feature or an audio recording feature for surveillance purposes, unless expressly authorized.
Oregon and Delaware: Third party lists
● Obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data.
Multi-State Compliance Challenges & Best Practices
● Compliance Challenges:
○ Information and individuals moving through the states make it difficult to identify when and to whom to recognize rights provided by state laws.
○ Global Privacy Control (GPC)
● Faced by Organizations Operating in Multiple States:
○ Cost and efficiency of determining which requirements apply in each jurisdiction where the organization operates;
○ Constant implementation of new measures to meet ongoing legal requirements;
○ Uncertainty created by the evolving landscape reduces innovation.
● Strategies and Best Practices to Ensure Regulatory Adherence:
○ Data Mapping: Data flows
○ Broad and proactive approach to compliance
A Framework Approach to Privacy Management
Nymity Privacy Management and Accountability Framework
● Menu of more than 140 privacy management activities
● Created in 2014, released publicly in 2015
● Updated in 2016 to reflect GDPR developments
● Updated in 2023 to reflect NIST Privacy Framework, AI, current reality:
○ Integrate privacy into the Data Ethics/Stewardship program
○ Integrate privacy into the System Development Life Cycle
○ Maintain policies/procedures for algorithmic accountability
○ Use interoperable frameworks to monitor and report on privacy risks
What is your Resource Profile?
● Low Resources “part-time privacy”:
○ Single individual for whom the role of privacy officer is a secondary role (limited time)
○ Financial constraints
○ Lack of buy-in
○ Perceived low risk
● Medium Resources:
○ Buy-in from the operational and business units;
○ Full-time privacy officer and/or culture of compliance;
○ Processing as a core activity;
○ Contractual obligations;
○ Major project as a driver.
● High Resources:
○ Buy-in from board or executive level;
○ Funded privacy officer;
○ Resources and responsibility are allocated;
○ Follows recommendations from lawyers and consultants.
Resources are the people, processes, technologies and tools that help you do your job.
Resource-Driven Privacy Management Strategy
Low - Policy First:
● Assign responsibility for data privacy to an individual (e.g. Privacy Officer, General Counsel, CPO, CISO, EU Representative)
● Maintain a data privacy policy and maintain a privacy notice
● Conduct privacy training
● Engage senior management in data privacy (e.g. at the Board of Directors, Executive Committee)
● Engage stakeholders throughout the organization on data privacy matters (e.g. information security, marketing, etc.)
● Report to internal stakeholders on the status of privacy management (e.g. board of directors, management)
● Maintain procedures to respond to requests for access to personal data
Medium - Governance First:
● Assign responsibility for data privacy throughout the organization (e.g. Privacy Network)
● Conduct regular communication between the privacy office, privacy network and others responsible/accountable for data privacy
● Incorporate data privacy into operational training, such as HR, marketing, call centre
● Maintain defined roles and responsibilities for third parties (e.g. partners, vendors, processors, customers)
● Integrate data privacy into the System Development Life Cycle
● Maintain procedures to respond to requests to opt out of, restrict or object to processing
● Integrate Privacy by Design into system and product development
High - Inventory First:
● Maintain an inventory of personal data and/or processing activities
● Classify personal data holdings by type (e.g. sensitive, confidential, public)
● Maintain documentation of data flows (e.g. between systems, between processes, between countries)
● Integrate data privacy into records retention practices
● Conduct due diligence around the data privacy and security posture of potential vendors/processors
● Conduct impact assessments for new programs, systems, processes
An example: Building on existing DPIA/PIA processes
The Ever Evolving Landscape: Navigating Uncertainty with Confidence
● Copycat legislation: all 50 states
● Technological development: AI, Internet Platforms
● Economic pressures: EU
● Consumer protection: Women's healthcare, Data brokers
Q&A
Thank You!
See http://www.trustarc.com/insightseries for the 2023 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with privacy and data security compliance, please reach out to sales@trustarc.com for a free demo.