US state comprehensive privacy law comparison

(Apr 18, 2019) State-level momentum for comprehensive privacy bills is at an all-time high. After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center compiled the below list of proposed comprehensive privacy bills from across the country to aid our members' efforts to stay abreast of the changing state-privacy landscape. Although many of the bills included in the table will fail to become law, co... Read More

IAPP FAQs: Are GDPR-compliant companies prepared for CCPA?

(Apr 17, 2019) The California Consumer Privacy Act is top of mind for many privacy professionals across the U.S., who are working to leverage their GDPR preparation to build CCPA-compliance programs. They are learning that while their recent GDPR preparation is helpful, the CCPA has nuanced requirements that go beyond the GDPR. Emphasis is often placed on the novel “Do Not Sell My Personal Information” link. After listening to two useful web conferences comparing the CCPA and GDPR (available here and here, in... Read More

The state Senate version of the Washington Privacy Act: A summary

(Mar 26, 2019) Senate bill passed; House bill in committee Washington is increasingly looking like it will become the second state in the U.S. to pass a comprehensive privacy statute, following California’s Consumer Privacy Act. Drafting the statute was a two-plus-year process, during which the CCPA was passed and the EU General Data Protection Regulation went into effect. Washington’s proposed privacy statute shares many foundational principles with these two privacy regimes, but it has notable distinctions.... Read More

Meta-analysis: Timelines and budgets for GDPR compliance

(Mar 6, 2019) Perhaps no other law has received the attention that the EU General Data Protection Regulation has in recent years. Moreover, the GDPR has been the subject of a significant number of surveys on how well organizations are prepared for it, as well as how much of their budgets they are allocating to compliance efforts. Indeed, given the importance of the roll-out of the GDPR, organizations have been conducting surveys on GDPR compliance for several years. This abundance of survey data allows for a ... Read More

Washington state’s consumer privacy act takes next step toward passage

(Feb 28, 2019) On Wednesday, the Washington Senate Ways & Means Committee held a public hearing on the Washington Privacy Act (SB 5376). This was the second time the bill had come before a committee for a public hearing, after previously enjoying support from Microsoft General Counsel Julie Brill, during a public hearing in front of the Senate Environment, Energy & Technology Committee. Comments from the speakers at the Ways & Means Committee hearing varied from proposals for clarifying amendments... Read More

FTC issues its largest-ever COPPA fine

(Feb 28, 2019) The U.S. Federal Trade Commission announced a $5.7 million agreement with video social networking app (now TikTok) to settle alleged violations of the Children’s Online Privacy Protection Act. The settlement surpasses a December 2018 agreement between the New York Attorney General’s office and Oath as the largest fine for COPPA violations by any enforcement agency. Noteworthy is a joint statement from Commissioners Rohit Chopra and Rebecca Kelly Slaughter — published with the stipulat... Read More

Creating meaningful data protection out of US privacy proposals

(Feb 14, 2019) The IAPP recently reviewed a set of proposals from U.S. lawmakers for a new piece of federal privacy legislation, as well as comments submitted to the National Telecommunications and Information Administration in response to their proposed framework to protect data privacy. We did this to identify areas of consensus, as well as controversy, regarding what a U.S. federal privacy law would look like. In particular, we assessed levels of support for and opposition to various provisions that may be ... Read More

Comparison of Mobile Application Guidelines

(Jan 22, 2019) The IAPP has worked through a number of the leading privacy guides and standards created for mobile app developers and the parties who host those apps and pulled out the salient points for all of the stakeholders in the mobile app community who are looking to do everything from collect data from children to provide adequate notice and choice previous to data collection. ... Read More

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

(Jan 17, 2019) The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t... Read More

US Supreme Court case may have far-reaching privacy implications

(Jan 16, 2019) A case currently making its way through the Supreme Court’s docket may have far-reaching implications for the future of privacy litigation. The case, Frank v. Gaos, concerns cy pres class action settlements, and the core issue (for which the Court granted certiorari) regards the appropriateness of the cy pres arrangement in the case. During oral arguments, however, another issue captured the Court’s attention: Article III standing, and, specifically, whether any of the plaintiffs in the case pl... Read More