Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation.  Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023.  But the similarities to California law don’t end there.  There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand.  However, there are also important distinctions between the CDPA and those laws that make it unique.  This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.
Continue Reading Virginia is for Privacy, Apparently

January 28 is data privacy day, and I thought it an appropriate time to take a step back.  One of my greatest regrets as a practitioner is that we are always under so much crisis pressure – deadlines, both real and imagined – to get to an answer or to a piece of advice or to a deal closing, that we fail to think big. I am jealous of my peers in academia who get to read, write, and think for extended periods of time. For myself, the pandemic has afforded me a little more ability to luxuriate in big thoughts (even losing that LA freeway commute time helps). So, this post is not about the CCPA, the CPRA, cross-border data transfers, the potential for federal legislation, or any of those other strictly legislative or regulatory matters, at least not on the surface. But it is about where we find ourselves today in terms of consumer privacy, where we are going, and what those of us in the private sector should be thinking about as we travel this path.

I found inspiration for this post in an unlikely place. Conceptions of privacy sometimes meet us in unexpected ways. Dilemmas that seem new, or unanticipated, are really very old. They are concerns that have preyed upon our idealized picture of humanity for many years, but are suddenly brought to life by new technologies or new social or political realities. This one came to light for me during story time, and the big thinker in this case was writing in 1961 (or before).

During life in lockdown, I am always home for bedtime. Every other night, my eight-year-old daughter and I read together from a chapter book. Right now we are completing The Phantom Tollbooth. Somehow I never read it, in school or otherwise. Last night we read Chapter 18, “Castle in the Air.” As I read those words out loud and in real time, I was astonished to imagine that, sixty (60) years ago, Norton Juster had such uncanny insight. Juster saw latent threats to personal privacy and dignity that we now see playing out in our daily lives, with potentially disastrous consequences. I want to talk about the character of the Senses Taker.
Continue Reading Thoughts on Data Privacy Day 2021 – Lessons Learned From a 1961 Children’s Novel

Last month, the Global Advertising Lawyers Alliance (GALA), in collaboration with the International Advertising Association (IAA), released the first-ever book on how privacy laws affect marketing and advertising around the world. The book, entitled “Privacy Law: A Global Legal Perspective on Data Protection Relating to Advertising & Marketing,” is over 700 pages and covers privacy laws in more than 70 countries – from Argentina to Zimbabwe.

Continue Reading GALA and IAA Release First-Ever Global Guide to Privacy Laws Related to Advertising & Marketing

Over the last few months, we’ve witnessed some major developments around SDKs and privacy. In February, the SDK defendants named in the consolidated McDonald/Rushing putative COPPA class action settled with plaintiffs. In late March, Zoom experienced a PR nightmare due, in part, to its inclusion of the Facebook SDK in its platform (discussed further in our Zoom blog). In mid-April, the Ninth Circuit reinstated a lawsuit against Facebook for alleged privacy violations in connection with its use of tracking technologies on third-party websites. And this past Wednesday, the US District Court for New Mexico granted a motion to dismiss the privacy claims against ad networks providing SDKs in child-directed apps.

In this blog, we’ll break down the New Mexico District Court order, and provide some observations from the decision. We are also using this blog as a springboard for a follow-up webinar that will discuss the state of affairs for SDKs and privacy. More to follow on the webinar soon.

  • Background on the New Mexico District Court Case


Continue Reading SDKs and COPPA: An Overview of the Recent Court Order in the New Mexico Attorney General COPPA Lawsuit

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

California’s Senate voted on Thursday to hold SB-561, effectively killing the bill for 2019. The CCPA gives consumers the right to sue a business for data breaches, and SB-561 would have expanded the right to sue for any violation of the CCPA, even technical privacy violations. The death of the bill means that the private right of action will remain limited to data breaches, and the California legislature will not revisit expansion until 2020 at the earliest.
Continue Reading CCPA Amendment Update: Bill to Expand Private Right of Action is Dead (for Now)

Many organizations are committing considerable resources to preparing for compliance with the California Consumer Privacy Act (CCPA), a process that is complicated by the large number of pending proposed legislative amendments. We won’t rehash the history here. As you know, the Act has an effective date of January 1, 2020, and the Attorney General can enforce the Act on July 1, 2020 (or six months after issuing regulations). This post is meant to bring you up to speed on some of the key proposed amendments to the CCPA (there are many more not addressed here) and where they are in the California legislative process. This process is constantly in flux, so keep a close eye on the text and history of these bills (some of which are linked below).

Continue Reading The CCPA Amendments – What’s the Deal?

Vermont’s new Data Broker Regulation (“Regulation”) takes effect on January 1, 2019. The Regulation requires, among other things, that data brokers register with the Vermont Secretary of State and protect personally identifiable information of Vermont residents. This week, the Vermont Attorney General issued guidance on the Regulation, which helps address questions on process and scope. Below are some of the key takeaways from the Regulation and guidance.

Continue Reading Vermont AG Issues Guidance on New Data Broker Regulation

This week, the New York State Attorney General announced a $4.95 million settlement with Oath Inc., the result of an investigation into violations of the Children’s Online Privacy Protection Act (“COPPA”).

The NYAG found that Oath’s ad exchanges transferred persistent identifiers and geolocation from website users to DSP bidders in its automated auction process.  While that may be fine for websites directed to grown-up audiences, COPPA includes persistent identifiers and geolocation in its definition of “personal information.”  And under the law, companies must obtain verifiable parental consent before collecting or using children’s personal information.

But instead of seeking verifiable parental consent, Oath treated all websites (and therefore all user information) the same, despite knowledge that some website inventory on its exchange was directed to children under 13 and subject to COPPA.  And instead of using available technology to avoid the use of children’s information altogether, Oath’s ad exchanges allowed advertisers to collect information on children and display ads on sites targeting children.  The “flagrant” violations of the law led to the largest-ever penalty under COPPA and a settlement agreement that provided some remarkable takeaways:


Continue Reading AdTech Provider Hit with Record COPPA Fine

Shortly after FTC staff published the results of their study on cross-device tracking (described in this prior blog post), the FTC issued its own comprehensive report on the topic.  In addition to highlighting many of the same benefits and privacy concerns raised by cross-device tracking, the FTC report provides an update on industry self-regulatory efforts in this area, along with practical recommendations for those involved in cross-device tracking, based on learnings from past FTC enforcement actions.
Continue Reading Don’t Get Your Wires Crossed When Cross-Device Tracking