A General Counsel’s Guide to Overseeing and Improving Your Company’s Privacy and Security Program

Imagine that you are working as in-house or outside counsel for a business and you are acquiring hardware or software for an advanced technology system. What information do you need to help your company manage privacy practices and the company’s information security function? How do you know if your company is managing privacy and security effectively?

A. Importance of Data Protection Management

A business procuring advanced technologies faces strategic risks: choosing the wrong privacy and security strategies can provoke customer or public backlash, and for products operating in the physical world, a compromise of the product could lead to an accident and endanger safety.

Failed internal procedures, such as procedures for maintaining a trustworthy workforce, may lead to operational risks such as breaches caused by insiders. Privacy and data breaches may trigger lawsuits and governmental investigations, resulting in investigative and defense costs, litigation costs, and the cost of settlements and fines. Organizations that sustain breaches face angry customers and damage to their reputations, resulting in the loss of customer and worker loyalty, further resulting in losses of revenue, profits, and ultimately shareholder/equity value.

Consequently, managing privacy and security effectively is crucial for the continued health of any business. Managers at businesses that fail to safeguard customer data may lose their jobs and may face personal legal, reputational, and business consequences.

B. Overview of Counsel’s Role

Attorneys play a crucial role in data protection management functions within businesses. First, they can review applicable data protection laws and requirements and counsel their clients to facilitate compliance. Second, they frequently participate in and assist with contract drafting and negotiation in connection with transactions that implicate data protection issues. Third, they handle potential liabilities and disputes relating to data protection. Fourth, they may lead investigations regarding data protection violations, incidents, accidents, or breaches. Finally, they help with data protection governance. For instance, they may establish data-protection management structures within businesses; develop and implement privacy and security programs; draft or edit privacy and security policies, procedures, guidelines, agreements, and training materials; and support audits and assessments leading to attestations and certifications, such as those under the EU-U.S. Privacy Shield program, the ISO 27001 security audit framework, and SOC reporting frameworks.

Attorneys must work together with other professionals to develop and implement data protection measures within a business involved with advanced technologies. The businesses that most effectively manage data protection make use of cross-functional teams of business line representatives, privacy professionals, security professionals, internal auditors, and risk managers to handle specific processes, projects, and issues. For businesses developing advanced technologies, cross-functional teams may work on new products or services and integrate privacy and security “by design” proactively during the development process, rather than waiting until the end of the process to weigh in on data protection issues. In any business, teams may be involved in the investigation and response to security incidents or breaches to determine the best response strategy and to implement it.

Since data protection attorneys will need to provide advice about mixed questions of fact, law, and technology, they should learn as much as they can about the advanced technologies developed or used by their business lines to provide products or services, the technologies used to secure personal information and information systems, and the technologies used to monitor, detect, and report potential violations. Talking with information technology, audit, and security professionals, reading background information about different advanced technologies and security controls, and attending continuing education programs are invaluable. The American Bar Association Section of Science & Technology Law’s E-Privacy Committee and Information Security Committee provide helpful learning and networking opportunities for attorneys new to data protection through publications, programs, listservs, meetings, and events. Attorneys new to data protection will find that a wealth of information is available to help them adjust to new data protection roles and responsibilities quickly.

C. Applicable Laws

Data protection attorneys need to understand the legal landscape of advanced technologies in order to promote compliance and mitigate legal risks. Businesses in the field of advanced technologies may have laws that apply directly to their technologies. They must also account for more general laws that cover their technologies.

1. Laws Specifically Governing Advanced Technologies

A number of new laws bear on information governance regarding advanced technologies. Perhaps the prime example is California’s new connected device law, SB 327 and AB 1906, enacted on September 28, 2018, which will become effective on January 1, 2020. This new law covers Internet of Things devices and other connected devices. Under this law, manufacturers of “connected devices” must equip the devices with one or more security features. These features must be appropriate to the nature and function of the device. They must also be appropriate to the type of information collected, contained, or transmitted by the device. Finally, the security features must be designed to protect the device and stored information from unauthorized access, destruction, use, modification, or disclosure. A “connected device” is “any device, or other physical objects that are capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Authentication mechanisms, such as passwords, are deemed reasonable if each device has a unique password or the device forces a change from a default authenticator.

The law covers more than just Internet-connected devices in that it covers Bluetooth devices as well, which may include earphones and other computer accessories. On the other hand, the law may be under-inclusive because a direct or indirect connection to the Internet is necessary. Some devices may connect to private networks rather than the public Internet. The definition of “connected device” apparently excludes these devices, even though their security needs may be as great as Internet-connected devices.

California also enacted a new type of law, a “bot disclosure law.” This new law relates to the use of software bots (automated agents), especially ones that post content on social media to distort voting behavior. It also would apply to bots that generate fake reviews to pump up a business’s reputation. The law makes it unlawful for a person to communicate online with the intent to mislead another person about a bot’s artificial identity for the purpose of knowingly deceiving a person about the content of the communication. It applies where the person is trying to incentivize a purchase or sale of goods or services in a commercial transaction or to influence voting. No liability attaches, however, if the person clearly and conspicuously discloses the existence of the bot.

Other laws regulate autonomous driving. Automated vehicles may be robots, may be connected to the Internet, and may receive or generate large amounts of data. California’s SB 1298 facilitates the operation of autonomous vehicles on California’s highways and the testing of those vehicles. In 2018, the California Department of Motor Vehicles adopted new regulations regarding autonomous vehicles. Under those regulations, manufacturers cannot place autonomous vehicles on public roads unless they provide the Department of Motor Vehicles “[a] certification that the autonomous vehicles meet appropriate and applicable current industry standards to help defend against, detect, and respond to cyber-attacks, unauthorized intrusions, or false vehicle control commands.” Most states now have autonomous vehicle laws, executive orders facilitating autonomous vehicles, or both. Manufacturers testing autonomous vehicles will need to comply with these laws and any data protection laws or regulations associated with them. Autonomous vehicle laws and truck platooning laws may not mention cybersecurity explicitly, but the process to prove safety sufficient to obtain a certification or other approval will likely include some showing of reasonable measures to prevent cyberattacks.

Furthermore, privacy laws affect the use of drones with cameras and other surveillance technologies. For example, California has a law that makes a user liable for invasion of privacy for trespassing onto land or in the airspace of another person without permission to capture video or audio where the invasion was in a manner offensive to a reasonable person. Other states have drone privacy laws as well.

Finally, businesses using advanced automated data processing technologies with multinational operations, with customers in foreign countries, monitoring the behavior of foreign citizens, and processing data for foreign businesses should analyze whether they have compliance requirements under international and foreign data protection laws. For instance, the European Union’s General Data Protection Regulation (GDPR) grants individual rights to individuals whose personal data was involved in automated data processing. Article 15 of GDPR gives individuals a right of access to information about personal data collected about them. Paragraph 1(h) of Article 15 includes the right of the data subject to know about the existence of automated decision-making and “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” Recital 71 refers to the data subject having a right to an explanation of a decision reached by automated means.

In addition to the right of an explanation, a data subject has a right of human intervention. Under GDPR Article 22, a “data subject shall have the right not to be subject to a decision based solely on automated processing” producing “legal effects concerning him or her or similarly significantly affects him or her.” In other words, a data subject can opt-out of automated data processing, with the implication that a human must make a manual decision. This blanket opt-out right does not exist if automated processing is necessary for entering into or performing a contract, applicable law authorizes processing, or the data subject has explicitly consented. Nonetheless, in instances of processing for contractual purposes or consent, the data controller must still provide for safeguards for the data subjects, which at least includes “the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.”

For example, if a bank covered by GDPR turns down a loan applicant located in the European Economic Area based on machine-learning software used to score applicants, the applicant has a right to an explanation of how the system determined that he or she was not eligible for a loan. Moreover, under Article 22, the data subject can demand that a bank official intervene, look at the results of the system, and listen to the data subject’s arguments contesting the decision. These provisions do not require the bank to change the results of the process, but they do give data subjects relief from machine-only automated decisions and a process to challenge them.

The difficulty with these laws is that many machine-learning artificial intelligence systems are “black boxes.” It may be difficult for even experts to explain how a machine learning system came up with a decision. Businesses and academics are working on this problem of machine learning explainability in part to satisfy requirements in GDPR and future laws likely to follow.

2. General Laws

General data protection laws may apply to advanced technologies. This section contains some examples of general laws that may impose privacy or security requirements on businesses developing, selling, purchasing, or operating advanced technologies. Some general privacy and security laws are applicable to specific sectors.

For instance, financial institutions purchasing IoT devices or using AI for processing customer nonpublic personal information must account for compliance with the Gramm-Leach-Bliley Act of 1999 (GLBA), which is the main piece of federal legislation governing financial institution privacy and security practices. The GLBA requires covered financial institutions to implement processes and procedures to ensure the security and confidentiality of consumer information, protect against anticipated threats or hazards to the security of customer records, and protect against unauthorized access to such records. In addition, the GLBA requires financial institutions to provide notice to consumers about their information practices and give consumers an opportunity to direct that their personal information not be shared with certain non-affiliated third parties. When financial institutions purchase or license advanced technologies, they must make sure they do not put nonpublic personal information at risk. For instance, banks should create secure transmission protocols with their automated teller machines to prevent interception and compromise of financial information.

Likewise, healthcare providers and their business associates obtaining and operating surgical and service robots, patient data machine learning and AI systems, and operational AI systems will need to comply with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and regulations promulgated under them. Privacy notices will need to disclose what health information the business collects, how it uses that information, and to whom it will disclose the health information. The HIPAA Security Rule will require the business to implement reasonable and appropriate administrative, physical, and technical safeguards to secure protected health information created, received, maintained, or transmitted by the business. For example, a hospital operating service robots in its facility should have a policy to manage audio and video data recorded by the robots. It may seek to minimize the amount of protected health information recorded in the first place. Moreover, its policy should ensure that any protected health information recorded by the robots is secured and not shared with unauthorized parties.

Other federal agencies have jurisdiction to regulate or at least provide guidance about data protection practices for advanced technologies used in other sectors. For instance:

  • the Food and Drug Administration provides guidance for premarket submissions for and post-market management of cybersecurity issues;
  • public utility commissions regulate privacy and security requirements for smart meters;
  • the Department of Energy’s programs promote security for Big Data from smart meters and sensors, as well as security requirements for critical power grid infrastructure and integrated distributed energy resources;
  • the Federal Communications Commission and the Department of Transportation oversee security protocols for connected vehicle communications;
  • the Department of Defense provides cybersecurity guidance and policies that govern the procurement and operation of Internet of Things devices.

Aside from these sector-specific data protection laws, businesses selling or operating advanced technology systems also need to comply with general state breach notification and security laws. Beginning with California in 2003, states began requiring that businesses holding various categories of unsecured personal information about state residents notify those residents of security breaches that compromise their personal information. All states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws. Personal information covered by breach notification laws includes Social Security numbers, driver’s license/state ID numbers, and financial account numbers in combination with a PIN, password, or other identifier facilitating the use of or access to financial accounts.

A number of states go further and require businesses to take reasonable measures to protect the security of personal information about state residents. A prime example is California’s AB 1950. A business subject to federal or state law providing greater protection for personal information, however, is deemed in compliance with AB 1950. Other states have similar laws. Practitioners should also bear in mind the possible scope of federal preemption of these state laws, especially as Congress considers federal data protection and breach notification legislation.

Massachusetts, however, has a more detailed set of information security requirements. The Massachusetts Office of Consumer Affairs and Business Regulation issued regulations in 2008 to implement the Massachusetts security breach and data destruction law. Unlike the state security laws discussed in the previous paragraph, the Massachusetts regulations require a written information security program with specific security controls that businesses holding personal information about Massachusetts residents must implement.

Businesses using advanced technologies that receive, store, or transmit any of the covered data elements must comply with these state data protection and breach notification laws. Manufacturers selling or licensing these technologies will want to make sure their systems facilitate compliance by their customers. Customers may negotiate agreements with vendors that place the responsibility for compliance violations and data breaches on the vendors, without the constraints of the liability caps vendors normally place in their agreements.

Likewise, businesses will need to account for the new California Consumer Privacy Act (CCPA) when it goes into effect in 2020, as well as any other state laws that follow on CCPA. CCPA provides “consumers” (California residents) with certain individual rights, such as the right of disclosure about the collection, use, and disclosure of personal information, the right to demand erasure of personal information, and the right to opt-out of the sale of personal information. Businesses collecting personal information in connection with the sale or operation of advanced technologies will need to comply with CCPA once it becomes effective.

In addition, businesses should take into account laws against unfair and deceptive trade practices. Examples include the Federal Trade Commission Act Section 5, California’s Unfair Competition Law, California’s False Advertising Law, and similar laws in other states. The Federal Trade Commission regularly brings enforcement actions against businesses failing to secure their advanced technology products. Manufacturers and sellers that misrepresent their privacy or security practices or fail to include reasonable security features in their products may face federal or state enforcement actions or private party class-action suits.

Finally, businesses may need to meet the requirements of GDPR and other foreign data protection laws. If they have customers from or operations in foreign countries or receive personal data from foreign countries, they should determine if they fall under these laws and how those laws affect them.

Stephen S. Wu is a shareholder with Silicon Valley Law Group in San Jose, California. He advises clients on a wide range of issues, including transactions, compliance, liability, security, and privacy matters regarding the latest technologies in areas such as robotics, artificial intelligence, automated transportation, the Internet of Things, and Big Data. He has authored or co-authored several books, book chapters, and articles and is a frequent speaker on advanced technology and data protection legal topics.

Originally published at https://www.airoboticslaw.com.

Translated from: https://medium.com/swlh/a-general-counsels-guide-to-overseeing-and-improving-your-company-s-privacy-and-security-program-9fd0fb30be77
