Apple is days away from releasing the public version of iOS14.5, which will bring a seismic shift in the way the operating system functions with respect to privacy. In particular, the operating system introduces two major changes.

The first change is a requirement that all apps must include a privacy nutrition label within the App Store that helps users better understand the app developer’s privacy practices prior to download (this feature is actually already live). The second change is a requirement that all apps that use information for tracking purposes must obtain opt-in consent from the user prior to engaging in such tracking.

As a privacy lawyer in the ad tech space, I’ve been closely watching the dialogue around iOS14 since these changes were unveiled at WWDC last June, and I thought it would be helpful to provide my thoughts on these changes. This post reflects my own opinion, and not those of the firm or anyone else.


Continue Reading iOS 14.5: An Imperfect Step Forward for Privacy

Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation.  Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023.  But the similarities to California law don’t end there.  There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand.  However, there are also important distinctions between the CDPA and those laws that make it unique.  This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.
Continue Reading Virginia is for Privacy, Apparently

January 28 is data privacy day, and I thought it an appropriate time to take a step back.  One of my greatest regrets as a practitioner is that we are always under so much crisis pressure – deadlines, both real and imagined – to get to an answer or to a piece of advice or to a deal closing, that we fail to think big. I am jealous of my peers in academia who get to read, write, and think for extended periods of time. For myself, the pandemic has afforded me a little more ability to luxuriate in big thoughts (even losing that LA freeway commute time helps). So, this post is not about the CCPA, the CPRA, cross-border data transfers, the potential for federal legislation, or any of those other strictly legislative or regulatory matters, at least not on the surface. But it is about where we find ourselves today in terms of consumer privacy, where we are going, and what those of us in the private sector should be thinking about as we travel this path.

I found inspiration for this post in an unlikely place. Conceptions of privacy sometimes meet us in unexpected ways. Dilemmas that seem new, or unanticipated, are really very old. They are concerns that have preyed upon our idealized picture of humanity for many years, but are suddenly brought to life by new technologies or new social or political realities. This one came to light for me during story time, and the big thinker in this case was writing in 1961 (or before).

During life in lockdown, I am always home for bedtime. Every other night, my eight year old daughter and I read together from a chapter book. Right now we are completing The Phantom Tollbooth. Somehow I never read it, in school or otherwise. Last night we read Chapter 18, “Castle in the Air.” As I read those words out loud and in real time, I was astonished to imagine that, sixty (60) years ago, Norton Juster had such uncanny insight. Juster saw latent threats to personal privacy and dignity that we now see playing out in our daily lives, with potentially disastrous consequences. I want to talk about the character of the Senses Taker.
Continue Reading Thoughts on Data Privacy Day 2021 – Lessons Learned From a 1961 Children’s Novel

Last week, the LA City Attorney announced that it has agreed to settle its lawsuit against The Weather Channel over alleged improper location data practices. The settlement serves as reminder about the increasing scrutiny over location data, and the need to revisit policies and practices in preparation for the launch of iOS 14.

Continue Reading Takeaways from The Weather Channel Settlement over Location Data Practices

Last month, the Global Advertising Lawyers Alliance (GALA), in collaboration with the International Advertising Association (IAA), released the first-ever book on how privacy laws affect marketing and advertising around the world. The book, entitled “Privacy Law: A Global Legal Perspective on Data Protection Relating to Advertising & Marketing,” is over 700 pages and covers privacy laws in more than 70 countries – from Argentina to Zimbabwe.

Continue Reading GALA and IAA Release First-Ever Global Guide to Privacy Laws Related to Advertising & Marketing

The start of 2020 did not just bring us the effective date of the California Consumer Privacy Act (CCPA). It also lead to several state legislators introducing their own versions of potentially ground-breaking privacy and data security laws. Each law has nuances that will likely result in a compliance nightmare, particularly if all or most of the states and territories enact their own law. However, each also appears on its face to riff on either the EU’s General Data Protection Regulation (GDPR) or the CCPA.

The chart below provides a list (current as of April 14, 2020) of proposed state privacy legislation that could still be enacted this session. The purpose of the chart is to provide the broad strokes of each proposed law, show their similarities, and highlight key differences. The question is whether the GDPR and/or CCPA actually provide the most appropriate models to emulate? The CCPA is perceived and touted by many as the first and most comprehensive privacy and data security law of its kind in the US, but we can’t help but wonder: does first necessarily mean best?

States that considered but ultimately chose not to pass proposed privacy legislation in 2020 include: Florida, Maryland, Virginia, Washington, and Wisconsin.
Continue Reading What’s the Deal with the Other State Privacy Bills?

Over the last several weeks, while Americans have grown accustomed to working from home, home schooling, and life in lockdown during the COVID-19 pandemic, the Zoom videoconferencing service has surged in popularity for every imaginable form of gathering, professional and personal. Zoom has become the service of choice – from team meetings to kids’ story times; from religious services to happy hours; from corporate onboarding to every manner of more “intimate” get-togethers for individuals who are following government-mandated social distancing guidelines.

The media and then, in quick succession, regulators, plaintiffs’ lawyers, and even Congress, began to scrutinize, publicize, and take legal action with respect to what were perceived as privacy or data security flaws from the latest technology darling. The result is a still-evolving case study in the classic reactionary American response to privacy and data security concerns, a phenomenon we have seen again and again in this practice space.

What sins has Zoom actually committed? Are they really so “shocking” from a privacy and data security perspective? In violation of law? Just not best practice? Creepy? And has Zoom’s iterative response served as a wet blanket or fuel for the inferno?

In this post, I explore the who, what, why, when, and how of this, at least as much as we can say as we sit here today. And because I am a hopeless nerd, I have chosen the format required by California’s data breach notification law, California Civil Code § 1798.82(d)(1), as the very best way to tell this story. We are going to use this blog post as a jumping off point for a free live and recorded roundtable discussion webinar (using WebEx [insert winking emoji here]) on April 14, 2020, at 12:30 pm Eastern/9:30 am Pacific. You can register here.
Continue Reading A Big Zooming Mess: A Cautionary Tale

Welcome to 2020. The California Consumer Privacy Act (“CCPA”) is now in effect, and your business has probably spent significant time and expense preparing for the law. With so much focus on CCPA preparations, it’s important to recall that the CCPA isn’t the only California privacy law to become effective this year. California will now also require any business that meets the definition of a data broker during a given year to register as a data broker with the California Attorney General’s Office on or before January 31st of the following year. Although the law is not clear whether it retroactively applies to business practices in 2019, the California Office of the Attorney General has issued a press statement on data broker registration and posted a registration page, which strongly indicates that the AG expects qualifying businesses to register by January 31, 2020.

Continue Reading Data Broker Registration for California is Live

Last week, British Airways (BA) became one of the first public relations victims of the General Data Protection Regulation (GDPR). Per reports from TechCrunch, BA requested that individuals who had tweeted BA regarding flight delay complaints respond on Twitter—to the public—with personal information, purportedly in order to comply with the GDPR. The personal information that BA representatives requested included full names, billing addresses, dates of birth, the last 4 digits of payment cards, and even passport numbers. Eventually, BA clarified that it did not mean that users should respond with the requested information in the public feed, but rather that they should do so via direct message (DM).

Continue Reading GDPR Woes Take Flight: British Airways Asks Customers to Tweet Their Personal Information in Misguided Attempt to “Comply” with GDPR