Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and assessing breach response obligations following a breach.

In this crossover episode of The Consumer Finance Podcast and Regulatory Oversight, Chris Willis, Kim Phan, and Stephen Piepgrass provide insights on a new joint privacy task force among several state AGs, known as the Consortium of Privacy Regulators. The consortium recently outlined goals to share state resources and align enforcement priorities regarding consumer harm and privacy rights. In response to an anticipated shift of regulatory scrutiny from federal agencies to state leaders, this episode focuses on specific steps financial services companies should consider when dealing with consumer privacy, data, complaints, and inquiries to ensure compliance and mitigate potential investigations and enforcement actions.

Join us for a special crossover episode of The Consumer Finance Podcast and Regulatory Oversight, where Chris Willis, Kim Phan, and Gene Fishel delve into the evolving world of state AI legislation. As AI becomes a pivotal tool in the financial services industry, understanding the implications of new laws is crucial. This episode focuses on Colorado’s comprehensive AI law and its potential influence on other states, exploring key issues such as algorithmic discrimination, privacy, and cybersecurity. Gain insights into best practices for compliance and learn how state attorneys general are stepping up enforcement in the absence of federal action. Don’t miss this informative discussion bridging consumer finance and regulatory oversight.

On May 8, attorneys general (AG) from 14 states and the District of Columbia sent a letter to Congressional leadership opposing provisions of the recently proposed federal American Privacy Rights Act (APRA). In addition to the District of Columbia, the signatory states include California, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, and Vermont. Their objections primarily center on the APRA’s preemption clause, which would nullify 16 state comprehensive data privacy laws that have been enacted since 2018.

In a recent alert, we reported that California Attorney General (AG) Rob Bonta announced a settlement with DoorDash over allegations that the company violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA) by selling consumers’ personal information without providing notice or an opportunity to opt out.

In an era where privacy, security, and artificial intelligence are at the forefront of many business operations, staying informed about the latest developments is crucial. Our 2023 Privacy Year in Review is an in-depth analysis of the past year’s significant advancements and challenges in these areas.

On January 16, New Jersey became the first state this year to enact a comprehensive privacy law, S332, which applies to businesses conducting operations in the state or targeting its residents. As noted in this article by our privacy team, similar to other state comprehensive privacy laws, S332 grants consumers the right to confirm, correct, delete, and obtain a copy of their personal data, and to opt out of its processing for targeted advertising, sale, or profiling. Controllers and processors are obligated to limit data collection, establish security practices, and provide a privacy notice. They are also required to conduct a data protection assessment for processing activities that pose a heightened risk of harm to consumers. The New Jersey Attorney General’s Office has exclusive authority to enforce violations, treating them as “unlawful practices” under the New Jersey Consumer Fraud Act. The law takes effect on January 16, 2025, with an 18-month grace period for organizations to correct violations before enforcement actions are taken.

In the latest episode of Regulatory Oversight, Ashley Taylor is joined by his colleagues Kim Phan and Kristen Eastman to discuss the Consumer Financial Protection Bureau’s (CFPB) 1033 proposed rule, also known as the Personal Financial Digital Rights rule. This rule, part of the Dodd-Frank Act, aims to place limits on the ability to access consumer data as well as any subsequent uses of such data. It focuses on entities subject to the Truth in Lending Act (TILA) and Regulation Z, such as depository institutions, credit card companies, and payment processors. The proposed rule requires these entities to make financial records available both to consumers and their authorized third parties.