The Customer

A global leader in the pharmaceutical industry. Customer needed a global-sized solution for its records retention management strategy.

 The Challenge

The customer’s prior solution lacked the international reach needed to cover countries in which the customer had a presence.

“The main challenge was even if there was a global retention policy, it wasn’t followed everywhere,” the customer’s RIM governance lead said. “It wasn’t forced to be implemented in different countries. So, the countries had their own retention policies, and it wasn’t regularly updated and there was not a group of reviewers.”

New legal record requirements had not been taken into consideration, the customer said. This became an issue when the European Union’s comprehensive privacy law, the General Data Protection Regulation (GDPR), went into effect in May 2018.

“We would have problems with not only GDPR but also with the records over preservation because the policy was not updated and there was not this link with the different legal citations,” the associate director of records and information management said.

The customer manages many types of records including regulatory affairs, quality, and medical devices. These records were grouped into over 250 record series with thousands of record types. It was time to begin looking for something better.

The Versatile Solution

The customer ultimately chose Zasio’s Versatile Retention (now known as Versatile 2025 with Retention Schedule Management) and Versatile Enterprise (now known as Versatile 2025 with Advanced Records Management), because the applications satisfied “multiple criteria” evaluated in the request for proposal process.

One of the biggest criteria, the customer said, was Versatile Retention met the customer’s retention and user requirements.

“It’s very user-friendly,” the RIM governance lead said.

“It’s easy for the end user to navigate. It was a great advantage because we didn’t have to force another training for people to be able to find retention requirements for their records. This saved a lot of time for us and also the cost for the implementation, to have thousands of providers and associates trained.”

She really appreciates how intuitive the user interface is.

“For us to manage our retention period to submit change requests, to approve them and the review process…from the administrative (side of things) it’s quite simple,” the customer said.

When it comes to Versatile, the customer has several favorite features. But one, in particular, stands out.

“One of the key items for us are the integrations. To be able to pull in updates from the record series into the tool itself without manually having to keep them in sync, I mean that is a game changer for a lot of the work we’re doing,” the customer’s associate director of records and information management said.

They also appreciate how Versatile isn’t overly complex.

“You don’t have to know SQL and scripting to be able to make even global changes. You can do a lot without having extra access and admin rights. It allows you to do a lot that perhaps others would be locked down or wouldn’t let you do,” the customer said.

The customer said she appreciates the change requests and audit trail features.

“It’s a really great advantage for us for the audit inspections when we need to provide the dates and know who approved what,” the customer said. “It is very clear — you can print it in PDF which is what’s required during the legal court (process). You need to have a stamped PDF…this is a great feature.”

Customer Support + Implementation

As a global pharmaceutical company, it has a vast internal support network. But when the customer does require assistance, Zasio has proven to be ready time and time again.

“We have had a pretty good experience I would say so far,” the customer said.

The customer also shared their admiration of Caleb Woolsey, one of Zasio’s software support specialists, whom the team frequently works with.

“Anytime I have any issue, he’s able to fix it, he’s very patient with me,” the customer said.

When it came time to implement Versatile, the process was straightforward.

“The implementation of Versatile went very smoothly from my perspective,” Woolsey said. “The biggest challenge was working with them through the validation process, and understanding their data for the import.”

Project scope and customer validation requirements made the Versatile implementation more challenging. And the customer shared this perspective but noted the tool and Zasio’s world-class support team were up to the task.

Zasio’s support team was key to navigating this process, though.

“Caleb provided great support during the entire project because of his high expertise and flexibility. He was also able to attend the meetings with our functional stakeholders and helped the business understand the requirements for successful migrations (such as data mapping).”

Zasio’s RIM Consulting Team

In addition to software, the customer said it’s benefited from Zasio’s RIM consulting services. From global record retention schedule simplification and human resources privacy retention projects to ad hoc requests for general consulting inquiries, Zasio’s software and consulting offerings have worked hand in hand to move the customer forward.

“I work almost daily with Jennifer (Chadband) because we have a lot of questions from our internal stakeholders,” the customer said. “And because I’m not a legal person, I always need support from her side and the responses are always very quick. She’s always willing to join the calls and discuss with the stakeholders so they understand. Overall the support is brilliant.”

Having a close working relationship has proven to be mutually beneficial.

“For us, it’s very precious because we are receiving not only questions related to legal requirements but also, for example, to identify what is the best type of record series the users should use,” she said.

Results

Since Zasio and this customer have joined forces, the results have been significant. The customer now has approximately 30 percent fewer record series to manage. It also has a newly simplified global records retention schedule. The customer had initial research, application, and recommendations done for the European Union Supranational, 32 federal, and a multitude of relevant sub-jurisdictions.

And, of course, the customer continues to rave about Zasio’s customer support.

“Obviously, working with Caleb so closely, he’s like a member of the family,” the customer said.

To learn more about Versatile 2025 or Zasio’s Consulting services, please call 1-800-513-1000 opt. 1 or email sales@zasio.com. 

A comprehensive federal data privacy law in the United States has never been closer to reality. Even with bipartisan and bicameral support, it still has many obstacles to overcome to get through Congress. The most recent hurdle was making it out of the House Committee on Energy and Commerce, which sent the bill to the full House for consideration after numerous compromises led to a 53-2 vote to advance. The following is a big picture overview of the ADPPA in its current form.

Who Supports/Opposes it, and What are the Major Points of Contention?

Proponents of the bill cite the need for comprehensive data privacy legislation at the U.S. federal level to “create a robust set of consumers’ data privacy rights, and appropriate enforcement mechanisms.”[1] In addition, many companies in the business community also support the law as a way to create a national standard as opposed to a patchwork of different state laws.

Preemption of state law is a major point of contention. Section 404 (b)(1) specifies that:

No State or political subdivision of a State may adopt, maintain, enforce, or continue in effect any law, regulation, rule, standard, requirement, or other provision having the force and effect of law of any State, or political subdivision of a State, covered by the provisions of this Act, or a rule, regulation, or requirement promulgated under this Act.[2]

Some exceptions to this preemption principle are found in Section 404 (b)(2), which generally include consumer protection laws of general applicability, civil rights, employee or student privacy, data breach notification, and contract or tort laws, to highlight a few. Some specific laws are also called out in Section 404 (b)(2), including the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act, as well as section 1798.150 of the CCPA on consumer actions based on personal information security breaches.

The California Privacy Protection Agency (CPPA) Board is one of the most vocal opposers of the ADPPA, arguing that it preempts important provisions of the CCPA and CPRA. The House Committee on Energy and Commerce sought to lessen the impact on California by noting in amended Section 404 (b)(3) that the CPPA may enforce the ADPPA “in the same manner it would otherwise enforce the CCPA,” but this concession didn’t resolve the CPPA’s preemption concern. In a letter sent to U.S. House Speaker Nancy Pelosi, D-California, the CPPA discusses how the CPRA sets a “floor” on privacy protections, allowing for stronger privacy rights but not weaker ones. They continue that the ADPPA is below the CPRA floor, weakens the privacy rights of C.A. citizens, and that it’s a ceiling limiting the extension of privacy rights instead of a floor. A more in-depth analysis of the argument against preemption can be found here.

The private right of action is also a point of contention. The US Chamber of Commerce argued that a private right of action will “encourage an influx of abusive class action lawsuits, create further confusion regarding enforcement of blanket privacy rights, harm small businesses, and hinder data-driven innovation.”[3] Others argue that the private right of action is too limited as currently drafted because there is a right-to-cure process for most violations and because arbitration is mandatory. An analysis of the private right of action can be found here, which includes an opinion about its perceived weakness as currently drafted.

Who is Regulated?

“Covered entities” include “any entity or any person…that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and

• is subject to the Federal Trade Commission Act [or]
• is a common carrier subject to the Communications Act of 1934… or
• is an organization not organized to carry on business for their own profit or that of their members; and

includes any entity or person that controls, is controlled by, or is under common control with another covered entity.”[4]

Exclusions are listed in (SEC. 2)(9)(B), which include federal, state, and local governmental entities and entities collecting, processing, or transferring covered data on their behalf.

What types of data are regulated?

“Covered data” is defined as “information that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual, and may include derived data and unique identifiers.”[5] Exclusions in (SEC. 2)(8)(B) include de-identified data, employee data, publicly available information; or “inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive covered data with respect to an individual.”

What are some noteworthy provisions?

A Data Minimization provision under (Title I)(Sec 101) prohibits covered entities from collecting, processing, or transferring covered data unless that activity is “limited to what is reasonably necessary and proportionate to-

• provide or maintain a specific product or service requested by the individual [or]
• deliver a communication that is reasonably anticipated by the individual recipient within the context of the individual’s interactions with the covered entity; or
• effect a purpose expressly permitted under subsection (b).”

Permissible purposes under subsection (b) include several related to carrying out the transactions and services requested by the individual, such as authenticating users of a product or service or fulfilling a warranty service. Permissible purposes also include purposes unrelated to the transaction, like preventing security incidents, fraud, and illegal activity or complying with legal obligations.

Section 102 establishes some loyalty duties for covered entities, laying out several restricted data practices. Most significantly it restricts collection or processing of sensitive personal data except where its “strictly necessary to provide or maintain a specific product or service requested by the individual to whom the covered data pertains, or to effect a purpose enumerated in section 101(b)(1) through (10).” Notably missing are the purposes related to marketing or advertising in 101(b)(10) and (11). Section 102 also addresses collection, processing, or transferring of social security number and aggregated internet search or browsing history subject to exceptions.

Section 103 discusses Privacy by Design, requiring covered entities to “establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data.” The highlights of this requirement involve mitigating privacy risks and implementing reasonable training and safeguards to promote compliance.

Title II deals with Consumer Data Rights, which include many of the foundational rights found in other privacy laws such as the GDPR and CCPA. For example, section 202 discusses transparency, requiring covered entities to publicly share their privacy policy that spells out data collection, processing, and transfer activities. Section 203 grants individuals certain rights concerning access, correction, deletion, and portability of their covered data. Section 204 deals with individuals’ rights to consent and to withdraw consent.

How are Covered Entities Held Accountable?

Title III has several requirements geared towards accountability. Section 301 requires executives to certify within one year of enactment of the Act that there are reasonable controls to ensure covered entities’ compliance and reporting structures in place. It also requires covered entities to designate a privacy officer. Title III additionally contains technical compliance requirements along with requirements for the Federal Trade Commission to review controls. More robust controls are also required based on the size and nature of the information collected by covered entities.

Who will Enforce it?

Title IV, section 401 specifies compliance will be carried out by a new Bureau of Privacy organized under the Federal Trade Commission. Section 402 also allows civil enforcement by state attorneys general or state privacy authorities within federal district courts where the interest of the residents of that state could be adversely affected by the activities of a covered entity. Finally, section 403 provides a limited private right of action to individuals beginning four years after the Act takes effect (which was already discussed above).

Conclusion

The likelihood of passing this law still may be a long shot based on how far it still needs to go to get through Congress and who is responsible for initiating the next steps. If it doesn’t pass in this Congress, many believe it will be years before a federal privacy law is seriously discussed again, especially if party control changes in the midterms. Regardless, though, it’s significant that the priority of federal privacy law is gaining momentum. Bipartisan and bicameral support of an idea is a giant leap forward and sets a new stage for privacy law in the United States. The ADPPA will also remain important because, in its current form, it is a much stronger piece of legislation than any prior federal privacy law that has received serious discussion in Congress and likely sets a new, more stringent baseline for future legislative debate. If privacy law hasn’t yet impacted your organization, it’s likely to soon. If you need help strategizing how to minimize privacy risks in your records retention schedule or RIM program, Zasio can help.

[1] “HOUSE AND SENATE LEADERS RELEASE BIPARTISAN DISCUSSION DRAFT OF COMPREHENSIVE DATA PRIVACY BILL” Jun 3, 2022 Press Release https://energycommerce.house.gov/newsroom/press-releases/house-and-senate-leaders-release-bipartisan-discussion-draft-of

[2] H.R.8152 – American Data Privacy and Protection Act Section 404 (b)(1) as of 8/3/2022. 117th Congress (2021-2022). https://www.congress.gov/bill/117th-congress/house-bill/8152/text

[3] “U.S. Chamber Warns It Will Oppose Any Privacy Legislation That Creates a Blanket Private Right of Action.” May 31, 2022. https://www.uschamber.com/technology/data-privacy/u-s-chamber-warns-it-will-oppose-any-privacy-legislation-that-creates-a-blanket-private-right-of-action

[4] H.R.8152 – American Data Privacy and Protection Act (SEC. 2)(9)(A) as of 8/3/2022. 117th Congress (2021-2022). https://www.congress.gov/bill/117th-congress/house-bill/8152/text

[5] ID at (SEC. 2)(8)(A).

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

State-enacted comprehensive consumer data privacy legislation is becoming more common across the United States. Connecticut is now the fifth state to enact such legislation, joining California, Colorado, Utah, and Virginia.[1]  Public Act No. 22-15—The “Act Concerning Personal Data Privacy and Online Monitoring” (also referred to as the “Connecticut Data Privacy Act” or “CTDPA”)—will go into effect in July 2023. With a year to go before the law is implemented, it is important for consumers and businesses to understand their rights and responsibilities under the CTDPA, and to prepare accordingly.

The CTDPA shares a number of similarities with other comprehensive state privacy laws. One similarity of the CTDPA to the Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), and Virginia Consumer Data Protection Act (“VCDPA”) is that all of these laws do not apply to data that is collected in an employment or commercial context.[2] But the CTDPA also has its differences. One difference of the CTDPA from the UCPA and VCDPA is that the CTDPA includes both monetary and non-monetary consideration in the sale of personal data, while the UCPA and VCDPA includes only monetary consideration in the sale of personal data.[3]

What Rights Do Consumers Have?

Consumers can exercise six different rights with respect to their personal under the CTDPA.[4] These include the right to: confirm the processing of personal data; access personal data; correct inaccuracies in personal data; have personal data deleted; obtain a copy of personal data in a portable and readily usable form; and opt out of processing of personal data for targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects involving the consumer.[5] This latter right is similar to the right to opt out of automated decision making found in Article 22 of the GDPR.[6]

For a consumer to exercise any of their rights under the CTDPA, the consumer must do so by way of “secure and reliable means” established by the data controller.[7] Children do not have the authority to exercise the CTDPA’s six consumer rights, but a parent or legal guardian may do so on a child’s behalf.[8]

What Requirements Do Businesses Have?

For a business to be subject to the CTDPA, the business must first meet at least one of two numeric thresholds, and then fall within the definition of a “controller.”[9] A business falls within the CTDPA’s requirements if during the preceding calendar year, the business controlled or processed the personal data or more than one hundred thousand consumers (not including data that was controlled or processed solely for the purpose of completing a payment transaction); or controlled or processed the personal data of more than twenty-five thousand consumers and more than twenty-five percent of the gross revenue of the business cause from the sale of personal data.[10]

Businesses are a “controller” of personal data if they solely or jointly with others determine the purpose and means of processing personal data.[11] Controllers must do a number of things, some of which include: limiting the collection of personal data to what is “adequate, relevant, and necessary” in relation to the purpose of processing that is disclosed to the consumer; implementing safeguards to protect the confidentiality, integrity, and accessibility of personal information; and not processing a consumer’s sensitive personal data without first obtaining the consumer’s consent.[12]

Who Has a Right of Action?

The CTDPA provides that the Connecticut attorney general’s office possesses the exclusive authority to enforce violations.[13] Thus, consumers do not have a private right of action for CTDPA violations. From July 1st, 2023, until December 31st, 2024, the attorney general must provide a notice of violation before bringing an action, but only if it is possible to cure the violation.[14] If it is not possible to cure the violation, the attorney general can immediately prosecute the violation.[15] Then, beginning on January 1st, 2025, the attorney general may consider five factors when determining whether to allow an opportunity to cure an alleged violation.[16] These six factors include: (i) the number of violations; (ii) the size and complexity of the controller or processor; (iii) the nature and extent of processing activities; (iv) the substantial likelihood of injury to the public; (v) the safety of persons or property; (vi) and whether the alleged violation was caused by human or technical error.[17]

Conclusion

Although Connecticut is the most recent state to have passed comprehensive consumer privacy legislation, it is certainly not the last. With the increasing number of states that have enacted comprehensive consumer privacy laws, and the similarities and differences that can exist between these laws, compliance can be difficult. Contact Zasio today to see how our innovative products and services can help you remain compliant across the growing patchwork of state data privacy laws.

[1] Cheryl Johnson et al., Connecticut’s New Privacy Law: What You Need to Know, JD Supra (May 23, 2022), https://www.jdsupra.com/legalnews/connecticut-s-new-privacy-law-what-you-8578081/.

[2] Devika Kornbacher and Marcus Lind-Martinez, A “New Haven” for Privacy: Connecticut Enacts Data Privacy Act, JD Supra (May 13, 2022), https://www.jdsupra.com/legalnews/a-new-haven-for-privacy-connecticut-6142711/.

[3] Devika Kornbacher and Marcus Lind-Martinez, A “New Haven” for Privacy: Connecticut Enacts Data Privacy Act, JD Supra (May 13, 2022), https://www.jdsupra.com/legalnews/a-new-haven-for-privacy-connecticut-6142711/.

[4] 2022 Conn. Acts 15 Reg. Sess.

[5] 2022 Conn. Acts 15 Reg. Sess.

[6] See 2022 Conn. Acts 15 Reg. Sess.; see Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 22, 2016 O.J. (L 119).

[7] 2022 Conn. Acts 15 Reg. Sess.

[8] 2022 Conn. Acts 15 Reg. Sess.

[9] See 2022 Conn. Acts 15 Reg. Sess.

[10] 2022 Conn. Acts 15 Reg. Sess.

[11] 2022 Conn. Acts 15 Reg. Sess.

[12] 2022 Conn. Acts 15 Reg. Sess.

[13] 2022 Conn. Acts 15 Reg. Sess.

[14] 2022 Conn. Acts 15 Reg. Sess.

[15] 2022 Conn. Acts 15 Reg. Sess.

[16] 2022 Conn. Acts 15 Reg. Sess.

[17] 2022 Conn. Acts 15 Reg. Sess.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

On Friday, March 25^th, the United States and European Commission issued a joint statement announcing their agreement in principle on a Trans-Atlantic Data Privacy Framework (the “Framework”). If finalized, the new framework would allow cross-border transfers of personal data from Europe to the United States.

This agreement is the culmination of over a year of negotiations between the U.S. and E.U. It comes after the previous trans-Atlantic data flow framework known as “Privacy Shield”—which was an arrangement allowing companies to share EU personal data to the U.S.—was invalidated by the European Court of Justice in July 2020 for lack of adequate privacy protections. Specifically, the court noted that Privacy Shield did not limit the access and use of personal data by U.S. authorities for surveillance purposes in line with EU principles of necessity and proportionality. The court also found that Privacy Shield did not provide data subjects adequate redress mechanisms for improper use of their data by U.S. intelligence agencies.

In a press statement, the White House outlined steps the United States will take under a new Framework (referred to by some as “Privacy Shield 2.0”) to ensure appropriate protection of EU personal data, including commitments to:

• Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
• Establish a new redress mechanism with independent and binding authority; and
• Enhance its existing rigorous and layered oversight of signals intelligence activities.

President Biden stated in a joint press statement that the new Framework underscores the EU/U.S. “shared commitment to privacy, to data protection, and to the rule of law” and that it will allow for “transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.”

This development in EU/U.S. data privacy cooperation is welcome news both for companies that routinely handle personal data flowing from the EU to the U.S., and EU citizens whose data is being transferred to the U.S. Under the Framework, participating U.S. companies will have the ability to more freely facilitate EU/U.S. data flows, and EU data subjects will be able to seek redress from a “multi-layer redress mechanism,” which includes an independent data protection review court consisting of individuals outside the U.S. Government, with full authority to handle claims and oversee remedial measures.

The Framework is still in its preliminary stages, with few details available at this initial phase. The goal, as outlined by the joint statement, is to “translate [the] arrangement into legal documents that will need to be adopted on both sides.” It will be interesting to see how this new Framework will differ from the previous Privacy Shield framework, and what measures will be implemented to accomplish the intended objectives. As the Framework continues to develop and more details are released, it is important for companies to be aware of its specific provisions, and to accurately assess how these might impact their business and the way they collect and store personal data from the E.U..

Contact Zasio to explore how our technology solutions and consulting services can help fulfill your data privacy and information governance needs.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer J. Cox, making Utah the fourth state, behind California, Virginia, and Colorado, to pass comprehensive consumer privacy legislation.

The UCPA’s Applicability

 The UCPA applies to entities that:

• conduct business in Utah or produce products and services that target Utah residents;
• have an annual revenue of $25 million or more; and
• either controls or processes the personal data of at least 100,000 Utah residents or derives 50% of its revenue from the sale of personal data and controls or processes the data of over 25,000 Utah residents.

There are also a number of exemptions under the UCPA, including, government agencies, institutions of higher education, non-profit corporations, and entities regulated under the Health Insurance Portability and Accountability Act (HIPAA).

What Rights Do Consumer Have Under the UCPA?

Utah residents have the following rights under the UCPA:

• Access: Right to confirm whether a controller is processing the consumer’s personal data and access to that data.
• Deletion: Right to delete the personal data provided to the controller.
• Portability: Right to obtain copies of the personal data provided to the controller in a format that is portable, usable, and transmittable.
• Opt-Out: Right to opt-out of the processing of personal data for targeted advertising or sale of personal data.

Responsibilities for Processors and Controllers

The UCPA specifies the following responsibilities for processors and controllers:

• Contracts between processors and controllers shall be established before processors begin processing information on behalf of a controller. The contract should provide the instructions for processing personal data, the purpose, type of data being processed, the duration, and the rights and obligations of the parties. The contract should also ensure confidentiality by the processor in relation to the personal data being processed. Any subcontractors must also enter into a contract and abide by the same obligations as the processor.
• Controllers shall provide consumers with a privacy notice that includes:
• categories of personal data processed by the controller;
• purpose of processing the personal data;
• how consumers may exercise their rights;
• categories of personal data that are shared with third parties;
• categories of third parties with whom the controller shares personal data; and
• the manner in which consumers may exercise the right to opt-out of the sale of personal data or processing for targeted advertising.
• Establish data security practices to protect the confidentiality of personal data and reduce the risk of harm to consumers in relation to the processing of their personal data.
• Controllers may not process data collected from a consumer without providing notice and the opportunity to opt-out of the processing.
• Controllers may not discriminate against consumers for exercising their rights by denying goods or services, charging different prices to consumers for goods or services, or providing the consumer with a different quality of goods or services.

UCPA Enforcement

The Utah attorney general has the exclusive right to enforce actions under the UCPA (i.e., consumers do not have a private right of action against business for UCPA violations). Violators of the law have a 30-day cure period upon receipt of written notification before the attorney general initiates any actions against the controller or processor. Uncured or continued violations are subject to penalties up to $7,500 per violation and may be responsible for payment of damages to the attorney general to be deposited into the Consumer Privacy Account.

The UCPA’s Effective Date

The UCPA becomes effective on December 31, 2023, giving businesses a grace period to adjust their operations. While this may seem far off, don’t underestimate the amount of time it can take for a business to adjust its practices to be legally compliant. Instead, contact Zasio to find out how you can help bring your business into compliance with this new law, as well as other comprehensive state privacy laws.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.