This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR. In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020. And next year there will be a new ballot initiative on privacy law in California — CCPA 2.0. There is a flurry of legislative activity on privacy in the states; IAPP has a great chart tracking what is going on. And each year, more and more countries are passing new comprehensive privacy laws.
We are witnessing the growing pains of privacy law. Privacy went inadequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until those concerns are allayed. A thoughtful and powerful federal law could dampen the enthusiasm of states to jump into the fray, but that is a tall order with Congress as polarized as it is.
This cartoon depicts how, after the GDPR, countless websites display cookie notices and ask visitors to click to accept cookies. I find these cookie notices to be form over substance. They are virtually meaningless and don’t help consumers. They are a nuisance. They give privacy a bad name because people start to think that privacy is just about a bunch of silly notices and needless extra clicks.
Formalistic “protections” of privacy such as these cookie notices are a big fail. These cookie notices create the illusion of doing something about privacy, but nothing really meaningful is happening here.
This cartoon depicts something that happens far too often with HIPAA — HIPAA is used as an excuse not to do something (such as make a disclosure or provide access to records in the way a patient requests) even though HIPAA contains no such restriction. This is usually done out of a lack of knowledge about HIPAA. Healthcare providers frequently have mistaken notions of HIPAA being far more restrictive than it actually is. For example, last year I wrote a post about how numerous healthcare providers wrongly use HIPAA as an excuse to refuse to email medical records to patients. Ironically, instead of forbidding it, the HIPAA right of access (45 CFR 164.524) actually requires that medical records be provided in the form and format the patient requests, including by email, where they are readily producible in that form.
This cartoon is about the evolution of data breaches, which began to grab headlines back in 2005, thanks in large part to California’s data breach notification law — the first such law. Since then, every state has passed a breach notification law, and breach notification laws are sprouting up around the world. Every day, we hear of more and more data breaches . . . and they are getting larger and larger.
This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs). Article 15 of the GDPR provides the right of access that DSARs invoke, and Article 12 requires a response within one month, extendable by two further months for complex or numerous requests. The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal information collected, sold, and disclosed about them over the preceding 12 months, with a response due within 45 days. One practical wrinkle for both regimes: because a DSAR hands the requester a copy of someone’s personal data, the organization must verify the requester’s identity before responding, or the access right itself becomes a way for an impostor to extract that data.