PRIVACY + SECURITY BLOG

News, Developments, and Insights

Cartoon: Data Subject Access Requests Under the CCPA and GDPR

This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs).  The GDPR Article 15 provides for DSARs.  The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months. For more background about […]

ALI Principles of Law, Data Privacy

I’m thrilled that the American Law Institute (ALI) has approved the Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project.  According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for […]

A Major Move to Weaken HIPAA

Quietly, at the end of April, HIPAA was significantly weakened.  HHS published what sounds like an innocuous notification in the Federal Register: Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.  This notification is actually an enormous change to the HIPAA penalty structure, a drastic reduction in HIPAA fines. The existing penalty structure under HIPAA […]

Cartoon: Data Minimization

This privacy cartoon is about data minimization, a principle embodied in many privacy laws.  Under the data minimization principle, organizations are to collect, process, or share only the minimum necessary personal data to achieve their purpose.  There’s a lot of hat tipping to data minimization, but this principle is often not followed enough.  Far too […]

Anatomy of a Privacy Law

I was recently giving a presentation about new privacy laws, and I created the infographic above to catalog the various elements that privacy laws often have.  Going through this list can help to assess how complete a privacy law is.  For example, the California Consumer Privacy Act (CCPA) is often compared to the General Data […]

Will the United States Finally Enact a Federal Comprehensive Privacy Law?

These days, there seems to be a lot of energy around a federal comprehensive privacy law in the United States.  When the US Congress started passing privacy laws in the 1970s, 80s, and 90s, it eschewed the route of passing a comprehensive privacy law, opting instead for the sectoral approach — passing a series of […]

Cartoon: The CCPA, a Federal Comprehensive Privacy Law, and Preemption

For years, many policymakers, industry representatives, and commentators were opposed to a comprehensive federal privacy law.  The typical federalism arguments were often trotted out. Then, in 2018, California passed the California Consumer Privacy Act (CCPA). Now, there seems to be a chorus for a comprehensive federal privacy law with preemption.  I’ll be posting soon about […]

Please Join Us at the International Privacy and Security Forum (April 3-5, 2019)

I hope that you can join us for the International Privacy+Security Forum (April 3-5, 2019 in Washington, DC). The International Privacy+Security Forum is an annual sister event to the Privacy+Security Forum, an annual event held in October at George Washington University in Washington, DC.  The Int’l Forum event focuses on privacy and security laws from […]

Cartoon: Data Breach Notification

This cartoon is about data breach notification.  All 50 states plus the District of Columbia and Puerto Rico now have data breach notification laws, and breach notification laws are spreading around the globe.  And, as is often said in data security, it’s not whether a breach will happen, but when . . .