January 28 is data privacy day, and I thought it an appropriate time to take a step back.  One of my greatest regrets as a practitioner is that we are always under so much crisis pressure – deadlines, both real and imagined – to get to an answer or to a piece of advice or to a deal closing, that we fail to think big. I am jealous of my peers in academia who get to read, write, and think for extended periods of time. For myself, the pandemic has afforded me a little more ability to luxuriate in big thoughts (even losing that LA freeway commute time helps). So, this post is not about the CCPA, the CPRA, cross-border data transfers, the potential for federal legislation, or any of those other strictly legislative or regulatory matters, at least not on the surface. But it is about where we find ourselves today in terms of consumer privacy, where we are going, and what those of us in the private sector should be thinking about as we travel this path.

I found inspiration for this post in an unlikely place. Conceptions of privacy sometimes meet us in unexpected ways. Dilemmas that seem new, or unanticipated, are really very old. They are concerns that have preyed upon our idealized picture of humanity for many years, but are suddenly brought to life by new technologies or new social or political realities. This one came to light for me during story time, and the big thinker in this case was writing in 1961 (or before).

During life in lockdown, I am always home for bedtime. Every other night, my eight year old daughter and I read together from a chapter book. Right now we are completing The Phantom Tollbooth. Somehow I never read it, in school or otherwise. Last night we read Chapter 18, “Castle in the Air.” As I read those words out loud and in real time, I was astonished to imagine that, sixty (60) years ago, Norton Juster had such uncanny insight. Juster saw latent threats to personal privacy and dignity that we now see playing out in our daily lives, with potentially disastrous consequences. I want to talk about the character of the Senses Taker.
Continue Reading Thoughts on Data Privacy Day 2021 – Lessons Learned From a 1961 Children’s Novel

Previously, my colleague Tanya Forsheit wrote a cautionary tale, “A Big Zooming Mess,” about the Zoom video conferencing service whose rise in popularity also brought increased scrutiny of its privacy and data security practices. That scrutiny came not just from media outlets and consumers, but also from government agencies such as the New York Attorney General and New York City Department of Education. The entire FKKS Privacy and Data Security team even had a round-table discussion (over WebEx) to unpack all the issues (recording available here). Now, both the New York Attorney General and the New York City Department of Education announced that they reached coordinated but independent agreements with Zoom to address various privacy and security issues, and paving the way for NYC DOE educators to resume using Zoom for virtual classroom instruction. This post looks at the terms of the NY AG agreement and discusses some of its key takeaways.

Continue Reading Zoom Reaches Agreement with New York Attorney General to Resolve Privacy and Security Issues

On April 29, 2020, Google and Apple released the first version of their COVID-19 contact tracing tools to public health organizations. The tools, first announced by the companies on April 10th, aim to help public health agencies build apps to track and contain the virus. This article discusses how the contact tracing tools work, the planned two-phase implementation for the tools, and some of the privacy questions around the tools.

How Do the Tools Work?

“Contact-tracing” is not a new concept. The concept is that a society can limit the spread of a virus by tracing whom a person who has tested positive with a virus has recently come in contact with, and notifying those individuals to further prevent the spread of the virus. For example, if John tests positive for the virus and visits a grocery store, part of the contact tracing process would be to find and notify those individuals who came close to him in the grocery store. As you can imagine, contact tracing has historically been a laborious and inaccurate process that requires a manual review of an infected person’s interactions.

Google and Apple’s partnership aims to dramatically improve the contact tracing process by using Bluetooth technology within an infected person’s cell phone to determine whom the person has interacted with and notifying those other people. The partnership is particularly notable because it involves the creation of shared standards between two tech giants that rarely allow for any interoperability. Below is an example of how the tools work:
Continue Reading Google and Apple Release First Version of Contact Tracing Tools

The Office of the California Attorney General (AG) made its fourth stop on its statewide California Consumer Privacy Act listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG’s regulation,[1] it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach of CCPA and its compliance obligations.


Continue Reading Attorney General Holds Public Forum on CCPA