So if we're going back to the privacy bill, we recall there are a couple of outstanding issues based upon hallway conversations. I just thought it really seems very unlikely that we'll vote on this today. Hopefully we can put these in motion so maybe we first meet tomorrow morning and kick this baby out. The first thing was the issues that were outstanding I had was the audit. And I, despite the fact that I remember asking people to set this day aside to come back to us with suggestions as to what should be in the audit, apparently due to vacations and stuff, that has not fully happened yet. So we'll get an update on where that is. And then there was the issue of modernizing the biometric data, which you'll see of H3 of this bill. And then we had the big issue was whether we were going to go with the California version and apparently many, many states already have this in place to deal with how software companies and others deal with students in terms of privacy issues or a more, I guess, expansive, what's called the compromise version. So we had tentatively agreed to go with the two. I think, have they been sort of warning that there was some issues in there that industry people, not industry people. The issue here was that SOPIPA dealt with sort of softer privacy information that might appear in a yearbook or stuff like that. And it affected schools and they will get into this at school districts in terms of how much administration they would have to do that. Set off flags; we hadn't understood that before. That might be an education committee issue. And those are the kinds of people and witnesses we generally don't deal with. So I made a call to Senator Verruth and he is very backed up at this particular point to take up that kind of issue in terms of what the administrative burden is. 
He is willing to take up this bill next week and might sit on the calendar for a while to at least deal with the more traditional SOPIPA issues in terms of industry being able to perform with the privacy issues which are currently all reputable companies now have sort of come into compliance with and would just be maybe protecting us against bad apples. So I think as you hear from David that shouldn't be much of a problem that we could make that decision again now in this discussion. The fourth issue was the issue of, if you recall, there was a lingering ISP issue as to whether or not we would ask the ISPs to maybe put some sort of statement on their form saying we do share data or we don't. I think you thought I was just killing myself over nothing here because they have privacy policies but they're very hard to read and stuff like that. So sort of backed away from existing there because I got approached by industries like Comcast and other people saying we want to be heard. If you're going to put that in and I said no, we're not allowed to deal with this but there is one possible thing I'll suggest at the end if the committee is interested we might go down an even softer approach on that. And the last thing was the breach which I've had a suggestion here I think which is very short and sweet on page 13 which we will look at. So with that I'm going to turn it over to David to walk us through. Go back over to point one. Okay. For your record David Hall Legislative Council. So this right now is crafted as a strike-all amendment, committee amendment to S. 110 which you do have in your possession. The changes relative to the last time you saw this are highlighted in yellow. It looks like you all have color copies so that's good. Section one here this is the issue of the privacy audit. Audits into whom it is committed. The change is to go to the Agency of Digital Services. You've discussed whether it should be the Chief Privacy Officer. 
You decided not to have yet the Chief Privacy Officer. And so right now ADS is the nominal leader of this effort. And it seemed like it was a bit of a hot potato situation where nobody really wanted it. So do we have a sense whether the Agency of Digital Services. They're here. They're here. And we will hear briefly from them in terms of. So right now items one through seven you can see are the same. These are essentially the items from the report plus six and seven from the AG's original testimony. So at this point that's what they would be looking at. Now you hear when we sort of left and people were come together and give us their best thoughts on what you should be in the audit. Do you remember that conversation? I was sitting right behind you. Okay. And what is your knowledge of status of that? I think this will work. I think Secretary Quinn you would be involved in that weren't you? The AG's office would be involved in that. Have you guys met at all? Talked at all? We have not. Again. Okay. And who else is going to be involved? David, you, the three of you? Okay. Tommy is here. Okay. Can you do that today? Because we're one again. We can talk today. Okay. Do it right after. Okay. We'll get you out of here early. And because I'd really like to, if possible, vote this up tomorrow. And it still has a long way to go. But if we could just take this section one and improve upon it, the committee would be most grateful. Maybe you could convene in your office or something. I do. How do you have to do that? Everywhere. Okay. I have a meeting with another set of clients from 12-1. I have to testify from 1-3-3. Okay. Well, these three, the substantive people could get together and pull together some ideas. And my understanding is just because they all have a hand in it, they were just going to basically reflect on whether or not these are the right things to look at in the audit. That's the way they left it. And if need be, we'll take more time. 
Senator Brock obviously would have an interest in this section. So I think it's delayed tomorrow morning again. So we're on page two. We've now moved to, this is the definition section that governs the chapter in which the Data Breach Notice Act appears. And the very important term there is PII, Personally Identifiable Information. The recommendation from the AG study had been to modernize this definition to expand things, to include biometric information, genetic information, health information, login credentials, and passport numbers. So Pam Dixon had testified by phone later that she could offer a more thorough definition of biometric information. So the yellow language that you see here essentially reflects what she offers. I did send this to her. I have not heard back from her. But I know there was also some work outside the room by industry on looking at what a couple of other states do. I have no idea who likes this definition and who doesn't. I guess the one thing I'll note is that I do use the word includes here. And for purposes of our statutes, as you're likely well aware, includes denotes a non-exhaustive list of examples that could constitute biometric information, but this is not the only stuff. And ultimately, whether or not biometric information is implicated in a breach is up to both the company affected and to the AG's office as the enforcement people on the subject matter. So that's all I have on that. Where did this list of definitional information regarding biometric come from? The yellow language? Yeah. Pam Dixon. World Privacy Forum. A woman had testified, remember? It was such a whiz. It was probably zero weight. I mean, it's hard for me to envision this definition quite frankly. Yeah, I think the trigger here is that whether it's the imagery or it's patterns or it's some other kind of data, it would be used singly or in combination to establish individual identity. Sleep data. Sure. 
As an identifier, I mean, is that something that is generally accepted in the scientific community as a measure, as a biometric identifier? I have no idea. I would like to have some idea if we're putting a definition into law that it's actually meaningful. I think we might hear from John Quinn. I think that the thrust here is that there are at this point a lot of individually identifiable patterns such as your heartbeat that distinguish one person from another. Yes, like your car knows, your BMW knows it's you by your heartbeat and won't start unless it's you. I don't know. The bottom line here, again, though, I want to underscore is that this is not the only list of stuff that could qualify as biometric. But not limited to. Exactly. So it could be any of these things and it could be a thousand more. That we haven't yet identified, our individual, like all the giraffe spots or all just like our fingerprints I had. So as I said, if there were a breach of some sort of data by a company and they were subject to this law, they would have to make the first analysis. Well, we lost this information about people. Does that constitute biometric information under Vermont's law? If it does, then we have a duty to report. I think that frequently happens in consultation with the AG's office but not always. And then the AG's office will also have the duty if it chooses to enforce or not to enforce to say you lost data, it constitutes biometric information under our law, you have a duty to report. It's a tricky, if you read the whole thing through, I mean you could eliminate everything after line 18 and you might be left with a more confusing situation because it says physiological, biological, behavioral characteristics can be used singly or in combination with each other or with other identifiers to establish individual identity. You can add to there but we already have in law things like genetic information, health information. 
So I guess these are sort of new wave, new age kind of things that sort of fall into the same. Well actually they're all being currently used in some capacity as my guess. As personally identifiable characteristics. So it's not exhaustive. Right. It gives you a good notion. Inclusive. It's inclusive. It's not exhaustive. Which is what we try to be at home. So that's it. That piece, the next piece starting with section three here, the saga of SOPIPA continues. I think we've talked about SOPIPA a number of times, what it does as far as the prevention of targeted advertising, collection of information data during the scope of the use of a particular educational product for K through 12 purposes. I'm sure that all rings a bell for you this morning. As the chair indicated the version that was offered subsequently by Pam Dixon and I think, I don't know if I want to characterize the support or neutral by industry because it didn't really affect them, had this last component added to what would otherwise just be SOPIPA. And that was putting this responsibility on schools to disclose in certain ways how it uses and disseminates student data, specifically directory type information, which is already addressed in federal law to some extent. This would have gone further. It would have required a certain kind of notice. It would have required it to make it available on its website. It would have required the option to pick and choose what data you wanted to release and not release and to be able to change that throughout the year. So as the chair indicated, I flagged for him, as your counsel, a general concern that that would impose some burden on Vermont schools. I don't know what it is. I don't know how the burden weighs against the benefits to privacy considering it's already addressed in some regard by federal law. So that was the flag that I raised on that piece. And I have sent this along to Senator Verruth and I have not heard back from him. I have spoken to him. 
So his reaction was he also feels pressed for time. He has no time this week. He could certainly look at, I think he's having a calendar that he could look at the more common version of SOPIPA next week for half an hour, an hour and get the players in if he wanted to. If he wanted to. He seemed less inclined. I said I would personally be interested in looking at the broader version but I would not do it unless he wanted to do it because I think, you know, those constituencies, if you're talking about the NEA and the Superintendents' Association and anybody else who might be affected by this, is more in his value. So I told him, you know, if you want to add it on, we'll look at that potentially. We have to look at it as an amendment, maybe a friendly amendment, but we're not going to do that here. That was the chair's position. If other people feel differently then we could talk about adding that back in. If I may offer one more thing. And also David did say that this would be the first of its kind in the nation. So the language that came to you on that second piece of the proposal, I frankly have some concerns with the way it was written. I felt like some of the terminology was not consistently used. We can deal with that. True, but I did reach out to try to understand why some of the phrasing and some of the terms were used the way that they were and so far haven't heard back. So yes, Senator Clarkson. So to the end of the schools, expanding the school's responsibility, they, I mean, sadly, they've assumed some responsibility in offering some of the software, educational software to students. So when you offer that, and in some cases the students might access that on their own, but the school may also have provided that software to the student. In such a case, they're already responsible. If they are responsible for enabling and providing access for that software, they then should be responsible for how it's used and what its effect is on a student's life. 
Maybe all true. I want to say here that part of the problem raised by tacking on that last piece on the SOPIPA is that they're not really related except at the broad level of student privacy. So that whole piece about disclosure of the school's personal information about the students, that is independent of the use of the software for K through 12 purposes. So I think your comments are directed at that first piece. The second piece is not governed by the first piece. It really relates to how does the school disclose and to whom does it disclose directory information of students, which again is covered by FERPA, and whether and how families can opt out of that information, how they're supposed to receive that information. So that's the onus, that's the burden on schools relative to directory information. SOPIPA relates to what data am I collecting about you when I use your math builder program. So in some ways they actually already have that responsibility. Every school deals with what it's choosing to disclose or not. That's true. So under the federal law they have a duty to annually disclose how they manage your education records, who can see them. They also have to tell you what they consider to be directory information and how you can opt out of its use. This is one step on FERPA. That's kind of it. Right. The federal law doesn't tell you how you have to do it, doesn't tell you when you have to do it. It doesn't even really say explicitly that they have to make this rolling preference available to you. So this would be a Vermont layer on top of that. So there was one other piece in there too, wasn't there about... The general audience website in SOPIPA? Yes. Right. So yes, at each step along this path we've sort of flagged this one piece of the proposal that was present in the original California law and has been replicated in the many states that have brought it along. 
And that was the exception of SOPIPA's application to the use of general audience websites, even if you had to use login credentials first to find your way over to the general audience website. The question has always been what does that mean exactly? What is the scope of that exception? In its most general terms it's when you're using that K through 12 software and then you find a link in that software that takes you out to Google or whatever. And at that point the targeting, the data collection, the regulatory pieces don't apply to your use over here even though it was a gateway to go from that software to the general audience website. So the question has been why do we have that exception? Why shouldn't your use when you're in this sphere also be governed by SOPIPA's protections? At the last hearing the AG's office was going to talk to the industry about why they have the need for the exception, what it means, et cetera. Has there been any litigation over that at all? I don't know the answer to that. Has anybody gotten rid of the exception in other SOPIPA laws? I haven't looked at all 34 of them so I don't know but my understanding is the majority, if not all of them, have it. We'll hear from the agent and the campaign. Let's move on. Sure. Let's skip over the ISP that I mentioned earlier and go just to react. Is that just the last thing that you mentioned? It is. It's the question of substitute notice. Sorry, what page? It starts on page 12 at the bottom. So it's amending subdivision B6. The first component of that is direct notice which is required unless you can use substitute notice. That appears on page 13. And right now they can use substitute notice if the data collector demonstrates the cost of providing written or telephonic notice to affected consumers would exceed $5,000, or the class of affected consumers to be provided written or telephonic notice would exceed 5,000 consumers, or if they don't have sufficient contact information. 
So you'll see obviously the changes here raising that threshold from $5,000 to $10,000 and eliminating the class of affected consumers. So it would all turn on either the cost of direct notice or the inability to contact because you don't have sufficient contact information. So you recall the conversation last time we would say the balance in that case is what is the burden on the business that has done the breach. And when we started talking about the new age of email there could be 50,000 people and it could be very inexpensive to do it. So if I put an email in here that could lower the cost significantly and the $10,000 was admittedly arbitrary; over time whatever was there before has grown with inflation and I didn't see a need for the number, it was more the cost to people. One thing I would say in here, David, it may be just think about it, I don't know if it's necessary: could somebody read this number I want and say well it costs me over $10,000 if I try to mail everybody, and it says I have a choice of written, email or telephone notice here, so therefore I'm electing to do it in the paper. So it should be any one of those three as opposed to them choosing which one they want, you follow what I'm saying there? It's sort of just a drafting kind of thing to make it clear that somebody can look at it and say if I had to mail everybody a letter it would cost me over $10,000 even though I do have 90% of my people could be emailed and it could cost me a lot less. I think you want to say something like whichever is the least costly. I understand. Right, can we hear from you? We're going to have to go to another bill in about five minutes; I'd like to hear from you. I don't know that John I need to hear from you today but I do want you guys to get together on that first section. And I assume we will hear from you as to whether you speak what the cost of this might be. Yes, that's not a good sign. I'm used to it. You want to do this, don't you tell me? He likes the test. 
We can give you more time for the cost of this. Okay, I'm going to say a little bit of a test. I'll cut it out. So I think the first part we could sort of move on if you guys are going to meet in the next hour or so to see if you have any suggestions on that. Let's talk about SOPIPA. Sure. And for the record, Ryan Crater with the Attorney General's office. I'm Charity Clark, Attorney General's office. So as far as the SOPIPA part goes what I'd like to suggest is, as I understand it, the version in this is the original California law. Is that correct? So as I understand it, there's kind of three versions that we're looking at here. There's this version, the original California law. Then there is the enhanced version which was negotiated between Pam Dixon and the industry folks and has tweaks throughout. Just to be clear, when I hear the word is that what we've been referring to as the compromise and negotiation? Correct. Well what David has been saying is that for the most part the industry has no interest in that so who did they compromise? Who did they negotiate with? The third party should have been the schools rather than the industry. So what I'm going to say is the enhanced version also has those two extra sections that are the FERPA sections. What? The FERPA sections. The school sections. So what I would recommend is that if the school sections are going to come out because the education committee doesn't have time for that I would revert back to the enhanced version minus those two sections, not the California version. Okay. That's what this is? Okay. Great. So that. Now as far as the, let me just speak to the school version and I'll tell you, we had three hearings with regard to all of these. There was SOPIPA raised in all of those hearings and we did actually reach out to the Agency of Education. We did try to get those folks in the room. Did they get there? I can't remember how to call them big and I think there's. 
There may have been a presence in the final hearing. So I mean we weren't, we were trying to bring all the stakeholders in. We did try to do that. All I would say about those last two sections is under FERPA there are limitations on schools' ability to share this directory information that includes date of birth and, you know, the information that parents and students might not want to be shared. And schools are allowed, as David explained, schools are allowed to share this information if they get consent. They have to alert the issue, I think, why we have these two extra sections is if parents don't realize what their rights are under FERPA then they don't exercise the rights under FERPA. So it's just as good as FERPA not existing for that purpose of directory information. And the purpose of this was to allow, to enhance the ability of parents and students to know their rights to opt out of the sharing of that information. And the other part of it was that currently some schools will take an all or nothing approach to opt out. So if you want to opt out of the bus sharing your directory information you can, but then you can't be in the yearbook. Which de facto means no one opts out because they want to be in the yearbook. Which means again their rights under FERPA aren't really exercised. Right, so two things just to keep us going. Sure. One is that what you're describing seems to be, it sounds good policy-wise, but it's going to take a change in approach by the schools and we haven't heard from the schools. And they may say even though it's not great for parents I don't want the added workload or there is an added workload. And the second thing is I think the AG took no position on one or the other here. Now it sounds to me like you're taking a position. I just want to explain the value of those sections. I understand that they're coming out and we may talk about that in the other committee and have that conversation. 
Is there some way we can accomplish that and actually educate parents better about FERPA without necessarily going down the road? I mean isn't there something we could do on education? Cross over. There may be other options certainly. Those have not been discussed this page. So that's basically the section. What about the section? So my understanding is that we're talking about that one section that some advocates have recommended removing and I don't want to specifically refer to. Can you help us find that page? I think it's page 11, 2443 F sub 3, line 10, applied to general audience. So the position of the Attorney General's office is we did have a conversation with the industry advocates on Friday. They expressed their reasons why they think it needs to stay in. I'm not going to try to characterize their reasons. I don't want to mischaracterize them. We were of the opinion that the student privacy interests seemed stronger than the arguments we were hearing. However, this committee has not heard from them directly as far as their arguments. And if it were taken out then that would make us singular as far as I think every other state does have this section in there. It may be because the argument was had in California and it made it in and it just replicated through. I don't know that that is a statement of the merits of it one way or the other, but it would put us in a different position vis-à-vis all the other states. That is. Well, I don't want to apologize because I would like to explore looking at that exception. As I would like to explore the things about the parents, we just don't have time to do it. So it's frequently the case we run out of time and it's hard for us to bring something to the floor without advocating that everybody hurts. Certainly, people don't understand. I did want to note one other issue. Just going back to the definition of PII if you have a second. Yes. The definition of biometric. 
So this was the definition that Pam Dixon described to us as the gold standard that was created by an academic somewhere. But in that conversation on Friday, the industry folks said that they weren't in love with this definition. If I recall, in the data broker bill for brokered personal information, there was a biometric definition. I believe this definition was the introductory definition which was then negotiated into what ended up in the biometric in the data broker bill. So one possibility, I think probably the easiest thing to do would be just to build it on the outside and build the negotiations and we'll change it. The goal is the same. We just did it last year unless there's been some changes. That's the other way to go. It's about to be a little bit more modern but it's just important. And that would also be consistent across our schedule. On the other hand, I'm reluctant to leave the gold standard. It's a gold standard according to one aggregate. It's a gold standard as far as definitions and in effect dictionaries definitions and definitions to look up. I think it goes too far, right? No. I would say that only if it wasn't all in current practice but I would bet us dollars to do it. That's already happening. I hold it out of all of these three things. When you get the message to Michael Morkan, I guess that's what it is. Yeah. That frequently happens when bills cross over. You do your first shot and then the other committee says we can do better. So I'm going to encourage that they look at these issues, continue to look at these issues, and it's not that we rejected them as much as a time issue. And in addition, I mean, that biometric argument happened in that committee last year. So, you know, they have some experience with that. Any difference? Are you okay with that? I mean, it seems like a reasonable change. I agree with your edit that it would want to be clear that the least costly version, $100,000, however that would be done. 
Oh, one other thing I did want to mention that came up on Friday with regard to login credentials including username and password. There's been an argument that if you're talking about a data breach involving credentials, the notice really is a very different type of notice than all the other kinds of breach. What a lot of states have done is for a credential breach they've almost created kind of like a separate subsection for that kind of breach because basically if you have a username and credential breach usually what they do is the next time you log in, they say change your password because there was a breach. It's just a different, but it only makes sense, and also, for example, you don't want to notify people that they need to have a credit report run if you lost your username and credentials. It's a totally different animal. So, again, I wouldn't let that hold us up here. That could be a discussion that happens on the other side. Good. Thank you. Okay. So, tomorrow we'll carve out some type of finishes and we'll hear from John. Hopefully they'll have language for us on the audit and, well, depending on how reasonable John is and his money would best be to put money in or not. Money could be. Just teasing. So, we'll see you guys tomorrow morning. Kayla will be in touch with you and hopefully all of you can meet right now and see if you want to change any of that language on the first section. We'll do it. Thanks.