PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

California Privacy Law for the World: An Interview with Lothar Determann

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 17, 2018

For the first half of 2018, all eyes were focused eastward on the EU with the start of GDPR enforcement this May. Now, all eyes are shifting westward based on a bold new law passed by California. By January 1, 2020, companies around the world will have to comply with additional regulations related to the processing of personal data of California residents. Pursuant to the California Consumer Privacy Act of 2018, companies must observe restrictions on data monetization business models, accommodate rights to access, deletion, and porting of personal data, update their privacy policies and brace for additional penalties and statutory damages. The California Legislature adopted and the Governor signed the bill on June 28, 2018 after an unusually rushed process in exchange for the proposed initiative measure No. 17-0039 regarding the Consumer Right to Privacy Act of 2018 (the “Initiative”) being withdrawn from the ballot the same day, the deadline for such withdrawals prior to the November 6, 2018 election.

Below is an interview with Lothar Determann, a leading expert on California privacy law. He has a treatise on the topic: California Privacy Law (3rd Edition, IAPP 2018).

Continue Reading

Cartoon: GDPR Data Portability

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 9, 2018

Cartoon GDPR Data Portability Santa - TeachPrivacy GDPR Training 02 medium

This cartoon is about the GDPR’s right to data portability under Article 20.  This right allows data subjects to take their data from one organization and transfer it easily to other organizations. Pursuant to the GDPR Article 20:

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Continue Reading

Carpenter v. United States, Cell Phone Location Records, and the Third Party Doctrine

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
July 1, 2018

Carpenter v US - cell-site location information 02

The U.S. Supreme Court recently issued a decision in Carpenter v. United Statesan important Fourth Amendment case that was eagerly awaited by many. The decision was widely cheered as a breakthrough in Fourth Amendment jurisprudence — hailed as a “landmark privacy case” and a “major victory for digital privacy [link no longer available].”  In the NY Times, Adam Liptak referred to Carpenter as a “major statement on privacy in the digital age.”

Although I agree with the outcome of the decision, I ultimately find it to be disappointing.  True, the Supreme Court finally took a step forward to bring the Fourth Amendment more in line with the digital age.  But this was only a step in the year 2018, when the Court should have walked more than a mile.

Despite the fact that the various opinions in Carpenter total 119 pages, Carpenter only resolves a narrow issue and leaves many open questions.  When something is the length of a Tolstoy novel, the plot should advance quite a lot more.  The basic holding of the case is that the Fourth Amendment applies when the government “accesses historical cell phone records that provide a comprehensive chronicle of the user’s past movements.”  But a lot more was at stake in the case.  This was the prime opportunity of the Court to overrule the Third Party Doctrine, under which the Court has held that that there is no reasonable expectation in privacy for information known or exposed to third parties. The Third Party Doctrine was forged in the 1970s in cases involving bank and phone records. In United States v. Miller, 425 U.S. 435 (1976), the Court held that  there is no reasonable expectation of privacy in financial records maintained by one’s bank because “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.”  In Smith v. Maryland, 442 U.S. 735 (1979), the Court concluded that there was no reasonable expectation of privacy when the government obtained a list of phone numbers a person dialed from the phone company because people “know that they must convey numerical information to the phone company” and cannot “harbor any general expectation that the numbers they dial will remain secret.”

As I argued in an earlier post about Carpenter, the Third Party Doctrine is deeply flawed and eviscerates Fourth Amendment protection in today’s digital age where so much of our information is in the hands of third parties.  Carpenter would have been the ideal case to get rid of the Third Party Doctrine.  Instead, the Supreme Court did what it has often done in recent years — tiptoe weakly like a mouse, nibbling around the edges of issues rather than directly resolving them.  Rather than overrule Smith and Miller, the Carpenter Court just stated that these cases don’t apply to cell-site location records: We decline to extend Smith and Miller to cover these novel circumstances. Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection. ”  This is a partial victory, as the Third Party Doctrine finally has a stopping point, but there are an endless series of situations involving the Third Party Doctrine, and the Court has provided scant guidance about when the Third Party Doctrine will apply.

Continue Reading

The California Consumer Privacy Act of 2018

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 29, 2018

California Consumer Privacy Act of 2018

In the period of just a week, California passed a bold new privacy law — the California Consumer Privacy Act of 2018.  This law was hurried through the legislative process to avoid a proposed ballot initiative with the same name.  The ballot initiative was the creation of Alastair Mactaggart, a real estate developer who spent millions to bring the initiative to the ballot.  Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law, and this is what prompted the rush to pass the new Act, as the deadline to withdraw the initiative was looming.

The text of the California Consumer Privacy Act is here.  The law becomes effective on January 1, 2020.

California palm treesThere are others who summarize the law extensively, so I will avoid duplicating those efforts.  Instead, I will highlight a few aspects of the law that I find to be notable:

(1) The Act creates greater transparency about the personal information businesses collect, use, and share.

(2) The Act provides consumers with a right to opt out of the sale of personal information to third parties and it attempts to restrict penalizing people who exercise this right.  Businesses can’t deny goods or services or charge different prices by discounting those who don’t opt out or provide a “different level or quality of goods or services to the consumer.”  However, businesses can do these things if they are “reasonably related to the value provided to the consumer by the consumer’s data.”  This is a potentially large exception depending upon how it is interpreted. 

(3) The Act allows businesses to “offer financial incentives, including payments to consumers as compensation,” for collecting and selling their personal information.  Financial incentive practices cannot be “unjust, unreasonable, coercive, or usurious in nature.”   I wonder whether this provision will undercut the restriction on offering different pricing or levels of service in exchange for people allowing for the collection and sale of their information.  Through some clever adjustments, businesses that were enticing consumers to allow the collection and sale of their personal data through different prices or discounts can now restructure these into “financial incentives.”

Continue Reading

Cartoon on HIPAA Training

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 15, 2018

HIPAA Training Cartoon - Train without the pain

This cartoon depicts the way many people perceive HIPAA training.  But it doesn’t have to be this way. When most people hear HIPAA training they prepare themselves to slog through a boring lecture filled with tedious legalese.   Many have been subjected to hours of training that is overly technical, not useful for their jobs and not even close to being memorable.  I designed my HIPAA training to be different.  I believe that training should be fun and engaging.  It should have personality.  I avoid the wordy and needless filler material and focus on the key concrete things that people must know and do.

Continue Reading

Cartoon: Data Localization

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 9, 2018

Cartoon Data Localization - TeachPrivacy Privacy Awareness Training 02 medium

This cartoon is based on a fairly recent trend – countries that are requiring data localization.  Data localization involves requirements that personal data collected in a certain country reside on servers within that country’s borders.

Here are some articles on data localization worth looking at:

• Bret Cohen, Britanie Hall, and Charlie Wood, Data Localization Laws and their Impact on Privacy, Data Security, and the Global Economy (ABA Antitrust)

• Manuel Maisog, Making the Case Against Data Localization in China (IAPP)

• Jyoti Panday, Rising Demands for Data Localization a Response to Weak Data Protection Mechanisms (EFF)

Continue Reading

Did the LabMD Case Weaken the FTC’s Approach to Data Security?

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 8, 2018

Federal Trade Commission - Washington, DC

Co-Authored by Prof. Woodrow Hartzog

On Wednesday, the U.S. Court of Appeals for the 11th Circuit issued its long-awaited decision in LabMD’s challenge to an FTC enforcement action: LabMD, Inc. v. Federal Trade Commission (11th Cir. June 6, 2018). While there is some concern that the opinion will undermine the FTC’s power to enforce Section 5 for privacy and security issues, the opinion actually is quite narrow and is far from crippling.

While the LabMD opinion likely does have important implications for how the FTC will go about enforcing reasonable data security requirements, we think the opinion still allows the FTC to continue to build upon a coherent body of privacy and security complaints in an incremental way similar to how the common law develops. See Solove and Hartzog, The FTC and the New Common Law of Privacy, 114 Columbia Law Review 584 (2014).

Continue Reading

Cartoon: GDPR Superhero

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
June 3, 2018

Cartoon GDPR Superhero - TeachPrivacy GDPR Training 02 medium

For global organizations as well as organizations in the EU, the GDPR has brought significant attention and resources to privacy.  Finally, many executives are beginning to take privacy seriously.  As I recently wrote in my article, Prime Time for Privacy, at Bloomberg Law:

The GDPR has taken privacy to the next level. Before the GDPR, nothing had fully gelled around what protecting privacy actually entailed. The consequences of poor privacy were also rather vague in many cases. There was no clear blueprint for protecting privacy. Organizations would do just one or two things, such as provide a notice of privacy practices and keep data secure, and then claim they were protecting privacy. But they were only doing a fraction of what was truly needed to protect privacy.

The GDPR has changed all that. It provides a blueprint for protecting data that is more thorough and complete than nearly any other privacy law. The GDPR contains provisions that require governance measures, data mapping, assessment, data protection by design, and vendor management, among other things. It provides for individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability. The GDPR has a broad definition of personal data, and it applies across different industries, so it provides a comprehensive baseline of privacy protection.

Now, privacy professionals can point to a definitive source of the various norms, best practices, standards, and rules that have long existed in fragmentary form. The GDPR has penalties that will keep the CEO awake at night. Privacy professionals can point to it and say, “This is what we need to do, and this is why.”

Continue Reading

Cartoon: GDPR Change in Privacy Notices

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 27, 2018

Cartoon GDPR Privacy Notice Change - TeachPrivacy GDPR Training 02 medium

In the past few weeks, with enforcement of the General Data Protection Regulation (GDPR) beginning on May 25, countless organizations launched emails and pop up notices about changes in their privacy notices in light of GDPR.  This cartoon pokes a little fun at the blizzard of changed privacy notice notices.

Continue Reading

Cartoon: The Post-GDPR World

Daniel Solove     @daniel-solove.bsky.social
Founder of TeachPrivacy
May 23, 2018

Cartoon Post-GDPR World - TeachPrivacy GDPR Training 02 meidum

This is a momentous week.  On Friday, May 25, 2018, the General Data Protection Regulation (GDPR) will begin being enforced. Organizations are racing against the clock to be prepared.  What will the day look like when the sun rises on May 25?

Continue Reading