PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Cartoon: Cookies and the GDPR

Cartoon Cookies and the GDPR

This cartoon depicts how, after the GDPR, countless websites have cookie notices and require agreeing to accept cookies.  I find these cookie notices to be form over substance.  These notices are virtually meaningless and don’t help consumers. They are a nuisance.  They give privacy a bad name because people start to think that privacy is just about a bunch of silly notices and needless extra clicks.

Because cookies are so ubiquitous and commonly-known, being notified about them isn’t very informative. At this point, a notice that says “this site uses cookies” is akin to a notice that says “this computer uses electricity.” What matters is how personal information is being used, not whether there are cookies. Additionally, there are no meaningful choices for consumers. Often, there’s no choice but to accept the cookies. Even when there is a choice, consumers aren’t informed enough about the benefits and costs to make a meaningful decision.

Formalistic “protections” of privacy such as these cookie notices are a big fail.  These cookie notices create the illusion of doing something about privacy, but nothing really meaningful is happening here.

Continue Reading

Entering the New Age of Privacy in the US: Learning from GDPR — An Interview with Daniel Barber

I had the chance to interview Daniel Barber, CEO and Co-founder of DataGrail. DataGrail is a purpose-built privacy management platform that ensures sustained compliance with the GDPR, CCPA, and forthcoming regulations. Their customers span a variety of industries and include Databricks, Plexus Worldwide, TRI Pointe Homes, Outreach, Intercom, and SaaStr. Daniel and I spoke about the lessons we’ve learned one year on from GDPR and how companies can apply those lessons as they think about CCPA and laws like Nevada’s SB 220.

Continue Reading

ALI Data Privacy: Overview and Black Letter Text — Available for Download

American Law Institute (ALI) Data Privacy 01

Professor Paul Schwartz and I have posted the black letter text of the American Law Institute (ALI), Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project.  Earlier this year, I wrote a post about our completion of the project.  According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for a variety of parties at the federal, state, and local levels, including legislators, attorneys general, and administrative agency officials.”

The project is an attempt to create a comprehensive approach to data privacy for the United States.  The project was 7 years in the making, and we’re thrilled finally to share the text.  We also wrote a short introduction to explain what various provisions are attempting to accomplish.  You can download it from SSRN for free.  Our piece is called ALI Data Privacy: Overview and Black Letter Text.

Here’s the abstract.

In this Essay, the Reporters for the American Law Institute Principles of Law, Data Privacy provide an overview of the project as well as the text of its black letter. The Principles aim to provide a blueprint for policymakers to regulate privacy comprehensively and effectively.

The United States has long remained an outlier in privacy law. While numerous nations have enacted comprehensive privacy laws, the U.S. has clung stubbornly to a fragmented, inconsistent patchwork of laws. Moreover, there long has been a vast divide between the approaches of the U.S. and European Union (EU) to regulating privacy – a divide that many consider to be unbridgeable.

The Principles propose comprehensive privacy principles for legislation that are consistent with certain key foundations in the U.S. approach to privacy, yet that also align the U.S. with the EU. Additionally, the Principles attempt to breathe new life into the moribund and oft-criticized U.S. notice-and-choice approach, which has remained firmly rooted in U.S. law. Drawing from a vast array of privacy laws and frameworks, and with a balance of innovation, practicality, and compromise, the Principles aim to guide policymakers in advancing U.S. privacy law.

The essay above consists of our short introduction and the black letter text.  The full document is 100+ pages long and is available at the ALI.  Right now, final proofreading and formatting are being done on the document, but you can obtain from ALI the near-final version.

Continue Reading

Establishing a Robust Law School Educational Program for Privacy Law

Privacy Law Educational Progaram

Recently, the International Association of Privacy Professionals (IAPP) released a ranking of law schools based on their educational programs in privacy law.  Although I applaud the effort to focus more attention on the issue of teaching privacy law in law schools, there are many aspects of the project that I would do differently.  In this post, I will discuss the elements of what I believe would constitute a robust privacy law educational program at law schools.

First, a bit of background about IAPP’s rankings.  IAPP ranks schools into three tiers.  Tier 1 is for schools offering a “certification or formal concentration in privacy law.”  Tier 2 is for schools that “offer at least one three-credit course in privacy annually.”  Tier 3 is for schools that “have a privacy offering, such as a one-credit seminar” rather than a three-credit offering or that have offered privacy courses but not on a “consistent basis.”

Unfortunately, the data that IAPP has assembled thus far is incomplete and needs quite a number of corrections.  For example, many schools listed in Tier 3 have a 3-credit annual offering.

Additionally, I don’t agree with the set of criteria used to rank the schools.  Having a certificate doesn’t put a school’s program in the top tier.  There are many other factors to consider.  Presenting the data in a rankings format is counterproductive because the data needs a lot of correcting plus the criteria are incomplete and not properly weighted.  I think a more useful endeavor would be to improve the data, gather data on some other criteria, and just present the data rather than try to rank.  IAPP’s project is just a starting point, and I hope that my suggestions here are constructive and will help shape the project.

Continue Reading