Category: GDPR Compliance

Posts about GDPR Compliance by Professor Daniel J. Solove for his blog at TeachPrivacy, a privacy awareness and security training company.

Cartoon: Multi-Jurisdictional Privacy Law Compliance

Daniel Solove

@danielsolove

Founder of TeachPrivacy

October 9, 2019

This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR. In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA). And, there will be a new referendum on privacy law in California next year — CCPA 2.0. There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on. And, each year, more and more countries are passing new comprehensive privacy laws.

We are witnessing the growing pains of privacy law. Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed. A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.

For more on the issue, I recently interviewed K Royal on this topic – see here for the interview.

Daniel Solove

@danielsolove

Founder of TeachPrivacy

October 6, 2019

I’m thrilled to interview K Royal, Senior Director, Western Region, Privacy, at TrustArc. K has had a long career in privacy law, having served as privacy counsel for several companies. She’s also an adjunct professor at Arizona State University.

Prof Solove: What is the need for a multi-jurisdictional approach to privacy laws?

K Royal: With the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other laws such as the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), businesses must be prepared to comply with a variety of laws around the world.

Privacy is a complex, multi-level, comprehensive concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach to privacy laws that is consistent and predictable yet also not one-size-fits-all.

Prof Solove: Can a company just set one high bar and just treat all personal data the same?

October 6, 2019 / Posted in GDPR, GDPR Compliance, International Privacy, InterviewsTagged K Royal

Daniel Solove

@danielsolove

Founder of TeachPrivacy

October 3, 2019

This cartoon depicts how, after the GDPR, countless websites have cookie notices and require agreeing to accept cookies. I find these cookie notices to be form over substance. These notices are virtually meaningless and don’t help consumers. They are a nuisance. They give privacy a bad name because people start to think that privacy is just about a bunch of silly notices and needless extra clicks.

Because cookies are so ubiquitous and commonly-known, being notified about them isn’t very informative. At this point, a notice that says “this site uses cookies” is akin to a notice that says “this computer uses electricity.” What matters is how personal information is being used, not whether there are cookies. Additionally, there are no meaningful choices for consumers. Often, there’s no choice but to accept the cookies. Even when there is a choice, consumers aren’t informed enough about the benefits and costs to make a meaningful decision.

Formalistic “protections” of privacy such as these cookie notices are a big fail. These cookie notices create the illusion of doing something about privacy, but nothing really meaningful is happening here.

October 3, 2019 / Posted in Cartoons, Cartoons GDPR, Consumer Privacy, GDPR, GDPR Compliance, Humor, PrivacyTagged cookies

Daniel Solove

@danielsolove

Founder of TeachPrivacy

June 12, 2019

I had the opportunity to interview Mark Singer and Raf Sanchez, both at Beazley, about the issue of profiling and the GDPR. Mark Singer is a member of the Cyber & Executive Risk Group at Beazley. Mark handles insurance coverage issues arising out of cybersecurity, technology errors and omissions, data privacy, intellectual property, media and advertising liabilities. Raf Sanchez leads the international Beazley Breach Response Services team at Beazley and is responsible for incident response in all territories outside the US and Canada.

June 12, 2019 / Posted in European Union Privacy, GDPR, GDPR Compliance, Interviews, PrivacyTagged Mark Singer, Profiling, Raf Sanchez

Daniel Solove

@danielsolove

Founder of TeachPrivacy

June 11, 2019

This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs). The GDPR Article 15 provides for DSARs. The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months.

For more background about DSARs, see this great guide to DSARs by WireWheel.

June 11, 2019 / Posted in California Privacy Law, Cartoons, Cartoons GDPR, CCPA, GDPR, GDPR Compliance, HumorTagged Data Aubject Access Requests, DSAR, SAR

PRIVACY + SECURITY BLOG

News, Developments, and Insights

Subscribe to Professor Solove's TeachPrivacy Newsletter