PRIVACY + SECURITY BLOG

News, Developments, and Insights

Talking to Kids About Privacy Event

I will be speaking at an event organized by the Future of Privacy Forum (FPF) and Common Sense Media about talking to kids about privacy. There is a great lineup of speakers.

Talking to Kids About Privacy
May 13 from 12:00-1:00 Eastern

The event site is here. You can register here.

Speakers

  • Rob Girling, Co-Founder, Artefact Group
  • Sonia Livingstone, Professor of Social Psychology, London School of Economics and Political Science (LSE)
  • Kelly Mendoza, Vice President, Education Programs, Common Sense Media
  • Anna Morgan, Head of Legal, Deputy Commissioner, Irish Data Protection Commission (DPC)
  • Daniel Solove, Professor of Law, George Washington University Law School; Founder, TeachPrivacy

Moderator

  • Amelia Vance, Director, Youth and Education Privacy, Future of Privacy Forum (FPF)

If you’re interested in children’s privacy, I created a page of resources about children’s privacy for educators and parents here.

Continue Reading

Upcoming Book Reading of The Eyemonger at World Bank Event

I will be speaking on May 19th at 4:30pm EST at a virtual book reading of my children’s book, THE EYEMONGER.

The event is hosted by the World Bank Data Privacy Office and the World Bank Group Family Network.

How to Be a Privacy Superhero: Defeating Spooky Eyes and Internet Spies
Virtual Book Reading of The Eyemonger
Wed, May 19, 2021, from 4:30 PM to 5:30 PM EST

To attend, RSVP here. After you RSVP, a Zoom link will be sent to you.

If you’re interested in children’s privacy, I created a page of resources about children’s privacy for educators and parents here.

Continue Reading

Dark Patterns Reading List and Resources

Dark patterns are starting to receive increased regulatory attention, which is a welcome development in the evolution of privacy law. Here’s a dark patterns resource and reading list.

What Are “Dark Patterns”?

Harry Brignull coined the term “dark pattern” in 2010, defining it as “a user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills.” He now has a site devoted to dark patterns.

Regulating Dark Patterns

Dark patterns are increasingly becoming a focus of regulation. Regulators have long been reluctant to regulate technological design, but increasingly the reality is becoming clear: To effectively protect privacy, design must be regulated. The term “dark patterns” is catching on, and regulators are increasingly emboldened to regulate. It’s far more palatable to try to stop “dark patterns” than it is to restrict certain “technological designs.”

Under the California Privacy Rights Act (CPRA), the use of dark patterns to obtain consent will render consent invalid. A dark pattern is “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.” The privacy bill pending in the State of Washington seeks to restrict dark patterns. The FTC will be holding a dark patterns workshop later this month.

Dark Patterns Reading List and Resources

Here’s a list of resources about dark patterns that are worth attention:

Continue Reading

Cartoon: Data Ethics

This cartoon is about “data ethics,” a term for when companies make an effort to review the ethical ramifications of their activities involving personal data. I generally applaud looking at ethics broadly because it avoids being unduly constrained in its focus by narrow conceptions of privacy. But there often isn’t sufficient rigor in the analysis of data ethics.

Ultimately, companies are formed to make a profit. We must not forget their true nature. A tiger can snuggle with you like a kitten, but it is still a tiger. Corporations can act ethically, but their nature is to make profits. When profits conflict with ethics, it’s hard for companies to resist the pull of their nature. This is why regulation is a necessity.

We should reward companies for acting ethically. But just as with the snuggly tiger, we shouldn’t ever let our guard down.

Continue Reading

TeachPrivacy Data Privacy Law Fellowship

The TeachPrivacy Data Privacy Law Fellowship is a part-time fellowship for recent law school graduates. The Fellowship is virtual, so fellows can work from any location.

Data Privacy Law Fellows help Professor Daniel Solove research, draft, and update scripts for training courses and do research for resources, guides, and other materials. TeachPrivacy has 150+ courses on various federal, state, and international privacy laws (GDPR, HIPAA, FERPA, GLBA, CCPA, TCPA, CAN-SPAM, CASL, LGPD, and many more). Fellows also assist with researching new developments in the law to keep scripts up-to-date. Additionally, fellows help with researching for blog posts and with the company’s social media. Generally, Professor Solove hires recent graduates who have taken a privacy law class or who have otherwise acquired a background in privacy law.

TeachPrivacy is a computer-based training company founded and run by Professor Daniel Solove. TeachPrivacy produces privacy and security compliance training for hundreds of companies, hospitals, health plans, universities, government agencies, and other organizations around the world, including many Fortune 500 multinationals.

Requirements:

  • JD at US law school or foreign law school
  • Strong interest in privacy issues
  • Desire to pursue a career in privacy law

Recommended:

  • Information privacy law coursework
  • Experience in privacy law (internships, etc.)

The Fellowship has no formal duration, but most fellows work for 6-18 months. Former Data Privacy Fellows now work at large law firms, prominent companies, industry associations, and many other prestigious organizations.

To apply, please send your resume and transcript to inquiry@teachprivacy.com.

Continue Reading

Cartoon: Video Recording

This cartoon focuses on video recording – how people readily whip out their phones to record events involving people in distress. The “bystander effect” is often invoked to describe the phenomenon of why people watch an emergency unfold without trying to help the victim. Perhaps there should be a modern update to the “bystander effect” called the “video recording effect” to describe how people will take videos of people in distress rather than help them.

In an interesting article, Why Do People Film Others in Distress Instead of Helping Them?, Angela Lashbrook discusses research on the bystander effect (it’s not as strong a phenomenon as many accounts say it is) as well as the effects of surveillance and video recording on people’s behavior. The research points in many different directions.

Continue Reading

Cartoon: HIPAA Right to Access

This cartoon is about the HIPAA right to access medical records. Obtaining access to one’s medical records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. There have been several articles (here, here, and here) about healthcare providers clinging desperately to their antiquated fax machines. According to a study in 2019, 90% of healthcare providers still use faxes.

Many healthcare providers cite to HIPAA as a reason to deny patients’ requests to be emailed their records. But ironically, HIPAA says the opposite – providers must email patients their records if patients request them via email.

We’re well into the 21st Century now, and access to our health data should be much easier. HIPAA should do more than provide a right to access. It should encourage access and improve the ease of access.

Continue Reading

Covid-19 and Data Breach Litigation: An Interview of Daniel Raymond

The global pandemic has affected everything. COVID-19 is not just grinding trials to a halt and foreclosing live, in-person judicial proceedings, it has changed the class action litigation landscape, including data breach class actions. I recently had the opportunity to discuss the pandemic’s impact on data breach class actions with Daniel Raymond, a cyber & tech claims manager based in Beazley’s Chicago office.

Continue Reading

Privacy at the Margins: An Interview with Scott Skinner-Thompson on Privacy and Marginalized Groups

Recently, Professor Scott Skinner-Thompson (Colorado Law) published an excellent, thought-provoking book, Privacy at the Margins (Cambridge University Press, 2020), which explores the important role that privacy plays for marginalized groups. The book is superb, and it is receiving the highest praise from leading scholars. For example, Dean Erwin Chemerinsky (Berkeley Law) proclaims that the book is “stunning in its originality, its clarity, and its insightful proposals for change.”

I am delighted to have the opportunity to interview Scott about the ideas and arguments in his book.

Continue Reading

Standing in Data Breach Cases: Why Harm Is Not “Manufactured”

In a recent case, the U.S. Court of Appeals for the 11th Circuit weighed in on an issue that has continued to confound courts: Is there an injury caused by a data breach when victims don’t immediately suffer financial fraud? I wrote on this issue in an article with Professor Danielle Citron in 2018, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). (Danielle and I have just completed a new piece on Privacy Harms.) In the article, Danielle and I examined the inconsistent and messy cases and attempted to set forth a coherent approach.

The most recent case to weigh in on the issue is Tan Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959 (11th Cir. Feb. 4, 2021). PDQ, a fast food chicken restaurant chain, had a data breach where hackers accessed customer credit card data for a period of nearly a year. When the breach was announced, the plaintiff cancelled the credit cards he used at PDQ. In doing so, the plaintiff lost access to his preferred accounts, lost points and rewards, and expended time and effort. The Tsao court concluded that because the plaintiff couldn’t demonstrate that he suffered any credit card fraud, he lacked standing to sue.

In federal court, plaintiffs must demonstrate that they suffered a harm (actual or imminent injury) in order to sue. The plaintiff argued that he lost out on benefits when he cancelled his cards, but the court held that this was “manufactured” harm. The Tsao court relied on Clapper v. Amnesty International, 568 U.S. 398 (2013), where the U.S. Supreme Court held that plaintiffs can’t “manufacture” harm by spending money, time, and effort to protect themselves against surveillance that they couldn’t prove was occurring. Clapper’s view on “manufactured” harm strikes me as manufactured itself — a rather poorly-reasoned cooked-up excuse to deny standing. But the case is there, and it must be navigated around.

Continue Reading