PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Cartoon: Multi-Jurisdictional Privacy Law Compliance

Cartoon Multi-Jurisdictional Privacy Law Compliance Poodle - TeachPrivacy CCPA Training 02 small

This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR.  In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA).  And, there will be a new referendum on privacy law in California next year — CCPA 2.0.  There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on.  And, each year, more and more countries are passing new comprehensive privacy laws.

We are witnessing the growing pains of privacy law.  Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed.  A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.

For more on the issue, I recently interviewed K Royal on this topic – see here for the interview.

Continue Reading

Developing a Multi-Jurisdictional Approach to Privacy Laws — An Interview with K Royal

Global Privacy Law

I’m thrilled to interview K Royal, Senior Director, Western Region, Privacy, at TrustArc. K has had a long career in privacy law, having served as privacy counsel for several companies. She’s also an adjunct professor at Arizona State University.

Prof Solove: What is the need for a multi-jurisdictional approach to privacy laws?

K RoyalK Royal: With the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA),  and other laws such as the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), businesses must be prepared to comply with a variety of laws around the world.

Privacy is a complex, multi-level, comprehensive concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach to privacy laws that is consistent and predictable yet also not one-size-fits-all.

Prof Solove: Can a company just set one high bar and just treat all personal data the same?

Continue Reading

Cartoon: Cookies and the GDPR

Cartoon Cookies and the GDPR

This cartoon depicts how, after the GDPR, countless websites have cookie notices and require agreeing to accept cookies.  I find these cookie notices to be form over substance.  These notices are virtually meaningless and don’t help consumers. They are a nuisance.  They give privacy a bad name because people start to think that privacy is just about a bunch of silly notices and needless extra clicks.

Because cookies are so ubiquitous and commonly-known, being notified about them isn’t very informative. At this point, a notice that says “this site uses cookies” is akin to a notice that says “this computer uses electricity.” What matters is how personal information is being used, not whether there are cookies. Additionally, there are no meaningful choices for consumers. Often, there’s no choice but to accept the cookies. Even when there is a choice, consumers aren’t informed enough about the benefits and costs to make a meaningful decision.

Formalistic “protections” of privacy such as these cookie notices are a big fail.  These cookie notices create the illusion of doing something about privacy, but nothing really meaningful is happening here.

Continue Reading

Profiling and the GDPR: An interview with Mark Singer and Raf Sanchez

I had the opportunity to interview Mark Singer and Raf Sanchez, both at Beazley, about the issue of profiling and the GDPR. Mark Singer is a member of the Cyber & Executive Risk Group at Beazley. Mark handles insurance coverage issues arising out of cybersecurity, technology errors and omissions, data privacy, intellectual property, media and advertising liabilities. Raf Sanchez leads the international Beazley Breach Response Services team at Beazley and is responsible for incident response in all territories outside the US and Canada.

Continue Reading

Cartoon: Data Subject Access Requests Under the CCPA and GDPR

Cartoon Data Subject Access Requests (DSARs) - TeachPrivacy CCPA Training 02

This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs).  The GDPR Article 15 provides for DSARs.  The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months.

For more background about DSARs, see this great guide to DSARs by WireWheel.

Continue Reading