Creating meaningful data protection out of US privacy proposals

(Feb 14, 2019) The IAPP recently reviewed a set of proposals from U.S. lawmakers for a new piece of federal privacy legislation, as well as comments submitted to the National Telecommunications and Information Administration in response to their proposed framework to protect data privacy. We did this to identify areas of consensus, as well as controversy, regarding what a U.S. federal privacy law would look like. In particular, we assessed levels of support for and opposition to various provisions that may be ...

CCPA offers minimal advantages for deidentification, pseudonymization, and aggregation

(Jan 17, 2019) The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization, and aggregation. It's helpful to take a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and point out of t...

US Supreme Court case may have far-reaching privacy implications

(Jan 16, 2019) A case currently making its way through the Supreme Court’s docket may have far-reaching implications for the future of privacy litigation. The case, Frank v. Gaos, concerns cy pres class action settlements, and the core issue (for which the Court granted certiorari) regards the appropriateness of the cy pres arrangement in the case. During oral arguments, however, another issue captured the Court’s attention: Article III standing, and, specifically, whether any of the plaintiffs in the case pl...

New IAPP guide to US privacy law proposals

(Jan 15, 2019) You've seen the news: Numerous lawmakers and organizations have offered proposals or recommendations regarding a new U.S. federal data privacy law. But where is there consensus? What will be the biggest points of contention as a potential final text emerges? To shine more light on specific provisions being debated and their likelihood of coming to fruition, IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, undertook a study of the most recent bills introduced in Congress, as we...

Lawsuit against weather app sign of things to come?

(Jan 11, 2019) Recently, the office of the Los Angeles City Attorney, Mike Feuer, filed a complaint against The Weather Channel Product and Technology, LLC (TWC)—the company owned by IBM and behind the popular Weather Channel mobile application. Feuer stated: “[W]e allege TWC elevates corporate profits over users’ privacy, misleading them into allowing their movements to be tracked, 24/7. We’re acting to stop this alleged deceit.” This action may encourage state attorneys general across the country to conside...

New e-book: 'Top 5 Operational Impacts of the CCPA'

(Jan 2, 2019) Tuesday marked one year until the California Consumer Privacy Act of 2018 comes into effect. Are you ready to go? Probably not. Don't worry, the IAPP Resource Center has you covered. We released the brand-new "Top 5 Operational Impacts of the California Consumer Privacy Act of 2018" e-book, which rolls up and updates a series of pieces written this past fall, while also providing a handy copy of the updated law, itself, for easy reference. While there may yet be amendments, and indeed there has ...

Worse than negligent: Takeaways from Oath's COPPA settlement with the NY AG

(Dec 10, 2018) On Tuesday, the New York Attorney General’s office announced a $4.95 million settlement with Oath (formerly AOL) to settle violations of the Children’s Online Privacy Protection Act. The settlement represents the largest ever enforcement penalty for a COPPA violation from any enforcement agency. The company’s violations rise beyond the conduct underlying previous COPPA violations — which often involve a company utilizing third-party tracking software and inadvertently tracking children on a webs...

DPO liability and potential insurance coverage

(Jun 19, 2018) The data protection officer role is a new feature for many organizations now subject to the EU General Data Protection Regulation, which specifies the criteria for designating a DPO, describes the position, and enumerates its responsibilities. Critically, for many companies, designating a DPO is not optional. In any case, the Article 29 Working Party’s guidance makes it clear that, once chosen, both mandatorily and voluntarily designated DPOs have the same responsibilities. The Working Party (no...

What FTC Enforcement Actions Teach Us About the Makings of Reasonable Privacy and Data Security Practices: A Follow-Up Study

(Jun 11, 2018) In this report, we update our September 2014 study, “What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices,” originally written by IAPP Westin Fellow Patricia Bailin, CIPP/US, CIPM, CIPT, now head of privacy at Datavant. The initial study analyzed organizational failures on issues of privacy, security, software/product review, service providers, risk assessments, unauthorized access/disclosure, and employee training. Moreover, the study descri...

What’s new in WP29's final guidelines on transparency?

(Apr 18, 2018) The Article 29 Data Protection Working Party has published its “last revised” guidelines on transparency under the General Data Protection Regulation. When the WP29 released its proposed guidelines last December offering “practical guidance and interpretive assistance” regarding transparency obligations, IAPP analyzed the key issues. In addition to a brief summary of the transparency requirements, IAPP’s analysis of the proposed guidelines focused on the meaning of phrases such as “concise, tran...