Apple is days away from releasing the public version of iOS14.5, which will bring a seismic shift in the way the operating system functions with respect to privacy. In particular, the operating system introduces two major changes.

The first change is a requirement that all apps must include a privacy nutrition label within the App Store that helps users better understand the app developer’s privacy practices prior to download (this feature is actually already live). The second change is a requirement that all apps that use information for tracking purposes must obtain opt-in consent from the user prior to engaging in such tracking.

As a privacy lawyer in the ad tech space, I’ve been closely watching the dialogue around iOS14 since these changes were unveiled at WWDC last June, and I thought it would be helpful to provide my thoughts on these changes. This post reflects my own opinion, and not those of the firm or anyone else.


Continue Reading iOS 14.5: An Imperfect Step Forward for Privacy

Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation.  Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023.  But the similarities to California law don’t end there.  There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand.  However, there are also important distinctions between the CDPA and those laws that make it unique.  This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.
Continue Reading Virginia is for Privacy, Apparently

January 28 is data privacy day, and I thought it an appropriate time to take a step back.  One of my greatest regrets as a practitioner is that we are always under so much crisis pressure – deadlines, both real and imagined – to get to an answer or to a piece of advice or to a deal closing, that we fail to think big. I am jealous of my peers in academia who get to read, write, and think for extended periods of time. For myself, the pandemic has afforded me a little more ability to luxuriate in big thoughts (even losing that LA freeway commute time helps). So, this post is not about the CCPA, the CPRA, cross-border data transfers, the potential for federal legislation, or any of those other strictly legislative or regulatory matters, at least not on the surface. But it is about where we find ourselves today in terms of consumer privacy, where we are going, and what those of us in the private sector should be thinking about as we travel this path.

I found inspiration for this post in an unlikely place. Conceptions of privacy sometimes meet us in unexpected ways. Dilemmas that seem new, or unanticipated, are really very old. They are concerns that have preyed upon our idealized picture of humanity for many years, but are suddenly brought to life by new technologies or new social or political realities. This one came to light for me during story time, and the big thinker in this case was writing in 1961 (or before).

During life in lockdown, I am always home for bedtime. Every other night, my eight year old daughter and I read together from a chapter book. Right now we are completing The Phantom Tollbooth. Somehow I never read it, in school or otherwise. Last night we read Chapter 18, “Castle in the Air.” As I read those words out loud and in real time, I was astonished to imagine that, sixty (60) years ago, Norton Juster had such uncanny insight. Juster saw latent threats to personal privacy and dignity that we now see playing out in our daily lives, with potentially disastrous consequences. I want to talk about the character of the Senses Taker.
Continue Reading Thoughts on Data Privacy Day 2021 – Lessons Learned From a 1961 Children’s Novel

As anticipated, on September 29, 2020, Governor Newsom signed into law Assembly Bill 1281 incorporating an extension of time for the sunset of the employee and business to business exemptions of the California Consumer Privacy Act of 2018 (“CCPA”) to January 1, 2022.
Continue Reading Don’t Let the Sun Go Down – Governor Newsom Signs Off on the Extension of Key CCPA Exemptions for Employee and B2B Data

Last week, the LA City Attorney announced that it has agreed to settle its lawsuit against The Weather Channel over alleged improper location data practices. The settlement serves as reminder about the increasing scrutiny over location data, and the need to revisit policies and practices in preparation for the launch of iOS 14.

Continue Reading Takeaways from The Weather Channel Settlement over Location Data Practices