PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Cartoon: The Travails of CCPA Compliance

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 12, 2019

Cartoon CCPA Sisyphus 04

This cartoon depicts the travails of complying with the CCPA as it rapidly evolves.  The CCPA originated when a referendum regarding consumer privacy rights was scheduled to be on the ballot in November 2018.  Alastair Mactaggart, the referendum’s sponsor, offered to withdraw it if California passed a law.  So, in the summer of 2018, the California legislature passed the CCPA in an all-out dash to beat the deadline for the referendum’s withdrawal

Businesses scrambled to get ready to comply for the CCPA’s effective date – January 2020.  Being ready to comply with the CCPA requires quite a lot of work.  Further complicating compliance, the CCPA is riddled with ambiguities and difficult tradeoffs between privacy and data security.

Continue Reading

Cartoon: Social Media

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
November 4, 2019

Cartoon Social Media - TeachPrivacy Privacy Training 02 small

It is hard to imagine a world without social media. People are increasingly relying on social media to maintain friendships, share photos and happenings with family, and keep current with the news.  But there’s a dark side – more superficial relationships, cyberbullying, harassment, hate speech, and manipulation. Social media has become a cesspool of lies and misinformation campaigns, a place where radicalized hate groups can spread their venom, recruit more members, and rally their followers to attack.

Several prominent social media sites are struggling to figure out what to do. In the early days of the commercial Internet (mid 1990s through early 2000s), idealists pushed a vision of the Internet as a free speech zone. Bad speech would be countered and beaten by good speech, lies would be defeated by truth, and freedom and happiness would reign.  Platforms could just remain neutral and rarely intervene.  They could mainly let the battles be fought, with the faith that eventually the forces of good would win out over the forces of evil.

But this view is naive. We have seen in the past 10-15 years that lies, hate, harassment, defamation, invasion of privacy, and many other social ills are festering online. Social media platforms must wake up and realize that the earlier idealism isn’t the direction reality is taking us. A position of neutrality isn’t appropriate. Platforms must intervene more; they must govern.

Social media platforms currently lack much experience and skill with governance. They don’t have enough personnel who have the background to formulate wise rules, procedures, and due process.  But the call for platforms to govern is increasing in volume, and they can’t keep avoiding it. This is why social media companies should start hiring more people in the humanities, who often have a background in thinking about complicated moral and philosophical issues.

Continue Reading

Cartoon: Data Use and Transparency

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 31, 2019

Cartoon Data Use and Transparency - TeachPrivacy Privacy Training 02 small

Wouldn’t it be nice if companies were completely transparent in their privacy notices?  Typically, privacy notices are filled with long clunky prose that manages to say hardly anything meaningful to consumers.  These notices are written by lawyers who carefully craft every sentence so that they won’t pin down a company.  The drafters of privacy notices do this because it is difficult to anticipate all the uses of personal data that might be fruitful in the future.  Companies want to avoid making promises that are too limiting of how they might use personal data.  This could tie their hands in the future, making them less nimble in the dynamic and fast-paced world of business in the digital age.

From a business standpoint, having greater room to use personal data in different ways is a great benefit.  From a consumer standpoint, consumers are not adequately informed about how their data is being used.

Additionally, companies often have many different things going on with personal data, and there frequently isn’t a strong enough central command structure to oversee everything that’s happening.  Companies aren’t evil in all of this, but the interests of companies and those of consumers are often not fully aligned.

Continue Reading

Cartoon: Algorithmic Transparency

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 20, 2019

Cartoon Algorithmic Transparency - TeachPrivacy Privacy Training 02

This cartoon is about algorithmic transparency. Today, more and more decisions are being made by algorithms.  The logic and functioning of these algorithms is increasingly complex and opaque to people. Today, the new buzzwords are “artificial intelligence” and “machine learning.”  AI and machine learning represent a number of different but related things, but what they generally share in common are algorithms.  As algorithms become more complex and rely on being fed massive quantities of data, it becomes harder and harder to explain their reasoning.  This is a big problem because algorithms play a significant role in our lives by making some very important decisions.

Continue Reading

Cartoon: Multi-Jurisdictional Privacy Law Compliance

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 9, 2019

Cartoon Multi-Jurisdictional Privacy Law Compliance Poodle - TeachPrivacy CCPA Training 02 small

This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR.  In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA).  And, there will be a new referendum on privacy law in California next year — CCPA 2.0.  There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on.  And, each year, more and more countries are passing new comprehensive privacy laws.

We are witnessing the growing pains of privacy law.  Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed.  A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.

For more on the issue, I recently interviewed K Royal on this topic – see here for the interview.

Continue Reading

Developing a Multi-Jurisdictional Approach to Privacy Laws — An Interview with K Royal

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 6, 2019

Global Privacy Law

I’m thrilled to interview K Royal, Senior Director, Western Region, Privacy, at TrustArc. K has had a long career in privacy law, having served as privacy counsel for several companies. She’s also an adjunct professor at Arizona State University.

Prof Solove: What is the need for a multi-jurisdictional approach to privacy laws?

K RoyalK Royal: With the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA),  and other laws such as the Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), businesses must be prepared to comply with a variety of laws around the world.

Privacy is a complex, multi-level, comprehensive concept which is now being regulated in more than 130 countries with more than 500 privacy laws. To be successful in complying with so many laws, businesses must develop a multi-jurisdictional approach to privacy laws that is consistent and predictable yet also not one-size-fits-all.

Prof Solove: Can a company just set one high bar and just treat all personal data the same?

Continue Reading

Cartoon: Cookies and the GDPR

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 3, 2019

Cartoon Cookies and the GDPR

This cartoon depicts how, after the GDPR, countless websites have cookie notices and require agreeing to accept cookies.  I find these cookie notices to be form over substance.  These notices are virtually meaningless and don’t help consumers. They are a nuisance.  They give privacy a bad name because people start to think that privacy is just about a bunch of silly notices and needless extra clicks.

Because cookies are so ubiquitous and commonly-known, being notified about them isn’t very informative. At this point, a notice that says “this site uses cookies” is akin to a notice that says “this computer uses electricity.” What matters is how personal information is being used, not whether there are cookies. Additionally, there are no meaningful choices for consumers. Often, there’s no choice but to accept the cookies. Even when there is a choice, consumers aren’t informed enough about the benefits and costs to make a meaningful decision.

Formalistic “protections” of privacy such as these cookie notices are a big fail.  These cookie notices create the illusion of doing something about privacy, but nothing really meaningful is happening here.

Continue Reading

Entering the New Age of Privacy in the US: Learning from GDPR — An Interview with Daniel Barber

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
October 1, 2019

I had the chance to interview Daniel Barber, CEO and Co-founder of DataGrail. DataGrail is a purpose-built privacy management platform that ensures sustained compliance with the GDPR, CCPA, and forthcoming regulations. Their customers span a variety of industries and include Databricks, Plexus Worldwide, TRI Pointe Homes, Outreach, Intercom, and SaaStr. Daniel and I spoke about the lessons we’ve learned one year on from GDPR and how companies can apply those lessons as they think about CCPA and laws like Nevada’s SB 220.

Continue Reading

ALI Data Privacy: Overview and Black Letter Text — Available for Download

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
September 26, 2019

American Law Institute (ALI) Data Privacy 01

Professor Paul Schwartz and I have posted the black letter text of the American Law Institute (ALI), Principles of the Law, Data Privacy. Professor Paul Schwartz and I were co-reporters on the project.  Earlier this year, I wrote a post about our completion of the project.  According to the ALI press release: “The Principles seek to provide a set of best practices for entities that collect and control data concerning individuals and guidance for a variety of parties at the federal, state, and local levels, including legislators, attorneys general, and administrative agency officials.”

The project is an attempt to create a comprehensive approach to data privacy for the United States.  The project was 7 years in the making, and we’re thrilled finally to share the text.  We also wrote a short introduction to explain what various provisions are attempting to accomplish.  You can download it from SSRN for free.  Our piece is called ALI Data Privacy: Overview and Black Letter Text.

Here’s the abstract.

In this Essay, the Reporters for the American Law Institute Principles of Law, Data Privacy provide an overview of the project as well as the text of its black letter. The Principles aim to provide a blueprint for policymakers to regulate privacy comprehensively and effectively.

The United States has long remained an outlier in privacy law. While numerous nations have enacted comprehensive privacy laws, the U.S. has clung stubbornly to a fragmented, inconsistent patchwork of laws. Moreover, there long has been a vast divide between the approaches of the U.S. and European Union (EU) to regulating privacy – a divide that many consider to be unbridgeable.

The Principles propose comprehensive privacy principles for legislation that are consistent with certain key foundations in the U.S. approach to privacy, yet that also align the U.S. with the EU. Additionally, the Principles attempt to breathe new life into the moribund and oft-criticized U.S. notice-and-choice approach, which has remained firmly rooted in U.S. law. Drawing from a vast array of privacy laws and frameworks, and with a balance of innovation, practicality, and compromise, the Principles aim to guide policymakers in advancing U.S. privacy law.

The essay above consists of our short introduction and the black letter text.  The full document is 100+ pages long and is available at the ALI.  Right now, final proofreading and formatting are being done on the document, but you can obtain from ALI the near-final version.

Continue Reading

Establishing a Robust Law School Educational Program for Privacy Law

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
September 24, 2019

Privacy Law Educational Progaram

Recently, the International Association of Privacy Professionals (IAPP) released a ranking of law schools based on their educational programs in privacy law.  Although I applaud the effort to focus more attention on the issue of teaching privacy law in law schools, there are many aspects of the project that I would do differently.  In this post, I will discuss the elements of what I believe would constitute a robust privacy law educational program at law schools.

First, a bit of background about IAPP’s rankings.  IAPP ranks schools into three tiers.  Tier 1 is for schools offering a “certification or formal concentration in privacy law.”  Tier 2 is for schools that “offer at least one three-credit course in privacy annually.”  Tier 3 is for schools that “have a privacy offering, such as a one-credit seminar” rather than a three-credit offering or that have offered privacy courses but not on a “consistent basis.”

Unfortunately, the data that IAPP has assembled thus far is incomplete and needs quite a number of corrections.  For example, many schools listed in Tier 3 have a 3-credit annual offering.

Additionally, I don’t agree with the set of criteria used to rank the schools.  Having a certificate doesn’t put a school’s program in the top tier.  There are many other factors to consider.  Presenting the data in a rankings format is counterproductive because the data needs a lot of correcting plus the criteria are incomplete and not properly weighted.  I think a more useful endeavor would be to improve the data, gather data on some other criteria, and just present the data rather than try to rank.  IAPP’s project is just a starting point, and I hope that my suggestions here are constructive and will help shape the project.

Continue Reading