PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Dark Patterns Reading List and Resources

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 18, 2021

Dark Patterns List of Resources

Dark patterns are starting to receive increased regulatory attention, which is a welcome development in the evolution of privacy law. Here’s a dark patterns resource and reading list.

What Are “Dark Patterns”?

Harry Brignull coined the term “dark pattern” in 2010, defining it as “a user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills.” He now has a site devoted to dark patterns.

Regulating Dark Patterns

Dark patterns are increasingly becoming a focus of regulation. Regulators have long been reluctant to regulate technological design, but increasingly the reality is becoming clear: To effectively protect privacy, design must be regulated. The term “dark patterns” is catching on, and regulators are increasingly emboldened to regulate. It’s far more palatable to try to stop “dark patterns” than it is to restrict certain “technological designs.”

Under the California Privacy Rights Act (CPRA), the use of dark patterns to obtain consent will render consent invalid. A dark pattern is “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.” The privacy bill pending in the State of Washington seeks to restrict dark patterns. The FTC will be holding a dark patterns workshop later this month.

Dark Patterns Reading List and Resources

Here’s a list of resources about dark patterns that are worth attention:

Continue Reading

Cartoon: Data Ethics

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
April 15, 2021

Cartoon Data Ethics - TeachPrivacy Privacy Training 01 small

This cartoon is about “data ethics,” a term for when companies make an effort to review the ethical ramifications of their activities involving personal data. I generally applaud looking at ethics broadly because it avoids being unduly constrained in its focus by narrow conceptions of privacy.  But there often isn’t sufficient rigor in the analysis of data ethics.

Ultimately, companies are formed to make a profit. We must not forget their true nature. A tiger can snuggle with you like a kitten, but it is still a tiger. Corporations can act ethically, but their nature is to make profits. When profits conflict with ethics, it’s hard for companies to resist the pull of their nature. This is why regulation is a necessity.

We should reward companies for acting ethically. But just as with the snuggly tiger, we shouldn’t ever let our guard down.

Continue Reading

TeachPrivacy Data Privacy Law Fellowship

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 25, 2021

Data Privacy Law Fellowship TeachPrivacy 01

The TeachPrivacy Data Privacy Law Fellowship is a part-time fellowship for recent law school graduates. The Fellowship is virtual, so fellows can work from any location.

Data Privacy Law Fellows help Professor Daniel Solove research, draft, and update scripts for training courses and do research for resources, guides, and other materials. TeachPrivacy has 150+ courses on various federal, state, and international privacy laws (GDPR, HIPAA, FERPA, GLBA, CCPA, TCPA, CAN-SPAM, CASL, LGPD, and many more). Fellows also assist with researching new developments in the law to keep scripts up-to-date. Additionally, fellows help with researching for blog posts and with the company’s social media. Generally, Professor Solove hires recent graduates who have taken a privacy law class or who have otherwise acquired a background in privacy law.

TeachPrivacy is a computer-based training company founded and run by Professor Daniel Solove. TeachPrivacy produces privacy and security compliance training for hundreds of companies, hospitals, health plans, universities, government agencies, and other organizations around the world, including many Fortune 500 multinationals.

Requirements:

  • JD at US law school or foreign law school
  • Strong interest in privacy issues
  • Desire to pursue a career in privacy law

Recommended:

  • Information privacy law coursework
  • Experience in  privacy law (internships, etc.)

The Fellowship has no formal duration, but most fellows work for 6-18 months. Former Data Privacy Fellows now work at large law firms, prominent companies, industry associations, and many other prestigious organizations.

To apply, please send your resume and transcript to inquiry@teachprivacy.com.

Continue Reading

Cartoon: Video Recording

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 24, 2021

Cartoon Video Social Media - TeachPrivacy Privacy Training 02 small

This cartoon focuses on video recording – how people readily whip out their phones to record events involving people in distress. The “bystander effect” is often invoked to describe the phenomenon of why people watch an emergency unfold without trying to help the victim. Perhaps there should be a modern update to the “bystander effect” called the “video recording effect” to describe how people will take videos of people in distress rather than help them.

In an interesting article, Why Do People Film Others in Distress Instead of Helping Them?, Angela Lashbrook discusses research on the bystander effect (it’s not as strong a phenomenon as many accounts say it is) as well as the effects of surveillance and video recording on people’s behavior. The research points in many different directions.

Continue Reading

Cartoon: HIPAA Right to Access

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 9, 2021

Cartoon HIPAA Access - TeachPrivacy HIPAA Training 02

This cartoon is about the HIPAA right to access medical records. Obtaining access to one’s medical records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. There have been several articles (here, here, and here) about healthcare providers clinging desperately to their antiquated fax machines. According to a study in 2019, 90% of healthcare providers still use faxes.

Many healthcare providers cite to HIPAA as a reason to deny patient’s requests to be emailed their records.  But ironically, HIPAA says the opposite – providers must email patients their records if patients request them via email.

We’re well into the 21st Century now, and access to our health data should be much easier. HIPAA should do more than provide a right to access. It should encourage access and improve the ease of access.

Continue Reading

Covid-19 and Data Breach Litigation: An Interview of Daniel Raymond

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
March 3, 2021

The global pandemic has affected everything. COVID-19 is not just grinding trials to a halt and foreclosing live, in-person judicial proceedings, it has changed the class action litigation landscape, including data breach class actions. I recently had the opportunity to discuss the pandemic’s impact on data breach class actions with Daniel Raymond, a cyber & tech claims manager based in Beazley’s Chicago office.

Continue Reading

Privacy at the Margins: An Interview with Scott Skinner-Thompson on Privacy and Marginalized Groups

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 24, 2021

Privacy at the Margins 01

Recently, Professor Scott Skinner-Thompson (Colorado Law) published an excellent thought-provoking book, Privacy at the Margins (Cambridge University Press, 2020), which explores the important role that privacy plays for marginalized groups. The book is superb, and it is receiving the highest praise from leading scholars. For example, Dean Erwin Chemerinksy (Berkeley Law) proclaims that the book is “stunning in its originality, its clarity, and its insightful proposals for change.”

I am delighted to have the opportunity to interview Scott about the ideas and arguments in his book.

Continue Reading

Standing in Data Breach Cases: Why Harm Is Not “Manufactured”

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 15, 2021

Data Breach Standing - 11th Circuit

In a recent case, the U.S. Court of Appeals for the 11th Circuit weighed in on an issue that has continued to confound courts: Is there an injury caused by a data breach when victims don’t immediately suffer financial fraud?  I wrote on this issue in an article with Professor Danielle Citron in 2018, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018).  (Danielle and I have just completed a new piece on Privacy Harms ).  In the article, Danielle and I examined the inconsistent and messy cases and attempted to set forth a coherent approach.

PDQ Data BreachThe most recent case to weigh in on the issue is Tan Tsao v. Captiva MVP Restaurant Partners, LLC, No. 18-14959 (11th Cir. Feb 4., 2021). PDQ, a fast food chicken restaurant chain, had a data breach where hackers accessed customer credit card data for a period of nearly a year.  When the breach was announced, the plaintiff cancelled the credit cards he used at PDQ.  In doing so, the plaintiff lost access to his preferred accounts, lost points and rewards, and expended time and effort.  The Tsao court concluded that because the plaintiff couldn’t demonstrate that he suffered any credit card fraud, he lacked standing to sue.

In federal court, plaintiffs must demonstrate they they suffered a harm (actual or imminent injury) in order to sue. The plaintiff argued that he lost out on benefits when he cancelled his cards, but the court held that this was “manufactured” harm. The Tsao court relied on Clapper v. Amnesty International, 568 U.S. 398 (2013), where the U.S. Supreme Court held that plaintiffs can’t “manufacture” harm by spending money, time, and effort to protect themselves against surveillance that they couldn’t prove was occurring.  Clapper‘s view on “manufactured” harm striking me as manufactured itself — a rather poorly-reasoned cooked-up excuse to deny standing.  But the case is there, and it must be navigated around.

Continue Reading

Privacy Harms

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 9, 2021

Privacy Harms

Professor Danielle Keats Citron (University of Virginia School of Law) and I have just posted a draft of our new article, Privacy Harms, on SSRN (free download). Here’s the abstract:

Privacy harms have become one of the largest impediments in privacy law enforcement. In most tort and contract cases, plaintiffs must establish that they have been harmed. Even when legislation does not require it, courts have taken it upon themselves to add a harm element. Harm is also a requirement to establish standing in federal court. In Spokeo v. Robins, the U.S. Supreme Court has held that courts can override Congress’s judgments about what harm should be cognizable and dismiss cases brought for privacy statute violations.

The caselaw is an inconsistent, incoherent jumble, with no guiding principles. Countless privacy violations are not remedied or addressed on the grounds that there has been no cognizable harm. Courts conclude that many privacy violations, such as thwarted expectations, improper uses of data, and the wrongful transfer of data to other organizations, lack cognizable harm.Continue Reading

The M.D. Anderson Case and the Future of HIPAA Enforcement

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
February 7, 2021

HIPAA Enforcement MD Anderson Case 02

The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2021), the 5th Circuit struck down a fine and enforcement action by HHS as arbitrary and capricious.  This case has significant implications for HHS enforcement — and for agency enforcement more generally.

My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.

HIPAA USBThe case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.

Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2).  There are several parts of the court’s decision that are worth discussing.

Continue Reading