Apple is days away from releasing the public version of iOS14.5, which will bring a seismic shift in the way the operating system functions with respect to privacy. In particular, the operating system introduces two major changes.

The first change is a requirement that all apps must include a privacy nutrition label within the App Store that helps users better understand the app developer’s privacy practices prior to download (this feature is actually already live). The second change is a requirement that all apps that use information for tracking purposes must obtain opt-in consent from the user prior to engaging in such tracking.

As a privacy lawyer in the ad tech space, I’ve been closely watching the dialogue around iOS14 since these changes were unveiled at WWDC last June, and I thought it would be helpful to provide my thoughts on these changes. This post reflects my own opinion, and not those of the firm or anyone else.


Continue Reading iOS 14.5: An Imperfect Step Forward for Privacy

Today, Virginia Governor Ralph Northam signed the Consumer Data Protection Act (SB 1392) into law, making Virginia the second state after California to enact major privacy legislation.  Like the recently approved California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, the Virginia Consumer Data Protection Act (“CDPA”) also becomes effective January 1, 2023.  But the similarities to California law don’t end there.  There is considerable overlap between the CDPA and the CCPA and CPRA, on the one hand, and between the CDPA and the European General Data Protection Regulation (“GDPR”), on the other hand.  However, there are also important distinctions between the CDPA and those laws that make it unique.  This blog post tracks some of the CDPA’s key features, and notes where they align with or depart from existing law.
Continue Reading Virginia is for Privacy, Apparently

On January 14, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification (“Guidelines”).  The Guidelines complement prior guidelines issued by the Article 29 Working Party in October 2017; namely, the Guidelines on Personal Data Breach Notification under Regulation 2016/679, (“GDPR”), WP 250.  The Guidelines are not yet final, pending a public comment period that concludes on March 7, 2021. While the final version of these Guidelines informed by public comments may vary slightly, they are not likely to change drastically from the current version as it draws on the experiences of European national supervisory authorities in responding to data breach notifications since the GDPR became effective.


Continue Reading European Data Protection Board Issues Guidelines on Data Breaches

Last month, the Global Advertising Lawyers Alliance (GALA), in collaboration with the International Advertising Association (IAA), released the first-ever book on how privacy laws affect marketing and advertising around the world. The book, entitled “Privacy Law: A Global Legal Perspective on Data Protection Relating to Advertising & Marketing,” is over 700 pages and covers privacy laws in more than 70 countries – from Argentina to Zimbabwe.

Continue Reading GALA and IAA Release First-Ever Global Guide to Privacy Laws Related to Advertising & Marketing

The start of 2020 did not just bring us the effective date of the California Consumer Privacy Act (CCPA). It also lead to several state legislators introducing their own versions of potentially ground-breaking privacy and data security laws. Each law has nuances that will likely result in a compliance nightmare, particularly if all or most of the states and territories enact their own law. However, each also appears on its face to riff on either the EU’s General Data Protection Regulation (GDPR) or the CCPA.

The chart below provides a list (current as of April 14, 2020) of proposed state privacy legislation that could still be enacted this session. The purpose of the chart is to provide the broad strokes of each proposed law, show their similarities, and highlight key differences. The question is whether the GDPR and/or CCPA actually provide the most appropriate models to emulate? The CCPA is perceived and touted by many as the first and most comprehensive privacy and data security law of its kind in the US, but we can’t help but wonder: does first necessarily mean best?

States that considered but ultimately chose not to pass proposed privacy legislation in 2020 include: Florida, Maryland, Virginia, Washington, and Wisconsin.
Continue Reading What’s the Deal with the Other State Privacy Bills?

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

This afternoon, Governor Brown signed into law California Assembly Bill 375, the California Consumer Privacy Act of 2018. The law is unprecedented in the United States that it applies European-level compliance obligations akin to the now infamous General Data Protection Regulation (GDPR), which took effect only a month ago. How did this happen? California legislators rushed a bill through to avoid a ballot initiative proposed by Alastair Mactaggart. Mactaggart agreed to withdraw the initiative if a law was signed by the Governor by today. The law takes effect on January 1, 2020. (And if you think that’s a long time, then you did not just live through the last 18 months working on GDPR preparedness.)   What does AB 375 mean for organizations doing business in California? It includes new disclosure requirements, consumer rights, training obligations, and potential penalties for noncompliance, among other things.

Below are some of the key provisions:


Continue Reading California, Privacy, and the New Normal – CA AB 375 Signed Into Law