With the proliferation of comprehensive U.S. state privacy laws in recent years, there’s been an understandable focus by privacy professionals on this growing patchwork. But privacy litigation is also on the rise and the plaintiff’s bar has explored some novel theories, particularly around the use of onlin tracking technologies. Greenberg Traurig Shareholder Darren Abernethy advises clients in the ad tech, data privacy and cybersecurity space and is familiar with these recent litigation trends involving theories related to pen registers, chatbots, session replay, Meta pixels, software development kits and the Video Privacy Protection Act. Here’s what he had to say about these growing litigation trends.

For many of us following along with the EU AI Act negotiations, the road to a final agreement took many twists and turns, some unexpected. For Laura Caroli, this long, complicated road has been a lived experience. As the lead technical negotiator and policy advisor to AI Act co-rapporteur Brando Benefei, Caroli was immersed in high stakes negotiations for the world’s first major AI legislation. IAPP Editorial Director Jedidiah Bracy spoke with Caroli in a candid conversation about her experience and policy philosophy, including the approach EU policy makers took in crafting the AI Act, the obstacles negotiators faced, and how it fundamentally differs from the EU General Data Protection Regulation. She addresses criticisms of the act, highlights the AI-specific rights for individuals, discusses the approach to future proofing a law that regulates such a rapidly developing technology, and looks ahead to what a successful AI law will look like in practice.

In tandem with privacy, cybersecurity law is rapidly evolving to meet the needs of an increasingly digitized and complex economy. To help practitioners keep up with this ever-changing space, the IAPP published the first edition of Cybersecurity Law Fundamentals in 2021. But there have been a lot of developments since then. Cybersecurity Law Fundamentals author Jim Dempsey, lecturer at UC Berkeley Law School and senior policy advisor at Stanford Cyber Policy Center, brought on a co-author, John Carlin, partner at Paul Weiss and former Assistant Attorney General, to help with the new edition. IAPP Editorial Director Jedidiah Bracy recently spoke with both Dempsey and Carlin about the latest trends in cybersecurity, including best practices in dealing with ransomware, the significance of the new SEC disclosure rule, cybersecurity provisions in state privacy laws, trends in FTC enforcement, the recent Biden Executive Order on preventing access to bulk sensitive personal data to countries of concern, and much more. We even hear about the time Carlin briefed the U.S. president on the Sony Pictures hack.

For those following the regulation of artificial intelligence, there is no doubt passage of the AI Act in the EU is likely top of mind. But proposed policies, laws and regulatory developments are taking shape in many corners of the world, including in Australia, Brazil, Canada, China, India, Singapore and the U.S. Not to be left behind, the U.K. held a highly touted AI Safety Summit late last year, producing the Bletchley Declaration, and the government has been quite active in what the IAPP Research and Insights team describes as a “context-based, proportionate approach to regulation.” In the upper chamber of the U.K. Parliament, Lord Holmes, a member of the influential House of Lords Select Committee on Science and Technology, introduced a private members’ bill late in 2023 that proposes the regulation of AI. The bill also just received a second reading in the House of Lords 22 March. Lord Holmes spoke of AI’s power at a recent IAPP conference in London. While there, I had the opportunity to catch up with him to learn more about his Artificial Intelligence (Regulation) Bill and what he sees as the right approach to guiding the powers of this burgeoning technology.

Hard to believe we’re at the twilight of 2023. For those following data protection and privacy developments, each year seems to bring with it a torrent of news and developments. This past year was no different. The EU General Data Protection Regulation turned five, and the Snowden revelations turned 10. From a finalized EU-US Data Privacy Framework, to major enforcement actions on Big Tech companies, to a panoply of new data protection laws in India and at least 7 US states, to the dramatic rise of AI governance, 2023 was as robust as ever. To help flesh out some of the big takeaways from 2023, IAPP Editorial Director Jedidiah Bracy caught up with IAPP Research & Insights Director Joe Jones, who joined the IAPP at the outset of the year. 

After a gruelling trilogue process that featured two marathon negotiating sessions, the European Union finally came to a political agreement 8 December on what will be the world’s first comprehensive regulation of artificial intelligence. The EU AI Act will be a risk-based, horizontal regulation with far-reaching provisions for companies and organizations using, designing or deploying AI systems. Though the so-called trilogue process is a fairly opaque one, where the European Parliament, European Commision and Council of the EU negotiate behind closed doors, journalist Luca Bertuzzi has acted as a window into the process through his persistent reporting for Euractiv. IAPP Editorial Director Jedidiah Bracy caught up with Bertuzzi to discuss the negotiations and what comes next in the process.

Martin Abrams knows a little something about information privacy and consumer policy. Over the course of the last 40-plus years, Abrams has had his hands in a number of initiatives, including as co-founder and president of the Center for Information Policy Leadership and founder of the Information Accountability Foundation. He took part in the development of the APEC Cross Border Privacy Rules and the OECD’s Working Party on Information Security and Privacy. Abram's work on transparency and accountability has been influential on policy makers around the world. At the latest Global Privacy Assembly in Bermuda, Abrams announced he was retiring from his full-time position at IAF and taking more time to be with his family. IAPP Editorial Director Jedidiah Bracy caught up with Abrams to take a look back at his career, the changes he’s seen in information policy and where he thinks data policy and regulation are heading.

The EU AI Act negotiations recently hit a major roadblock after EU Council Member States France and Germany unexpectedly pushed back on the European Parliament's draft position on regulating foundation models. The obstacle was so sudden, it appeared the negotiations were in a stalemate. Though the issue has not yet been fully resolved, the Spanish presidency of the EU Council is reportedly working with Member States to find a position that is workable for the European Parliament.  This comes as the IAPP hosts its sold out Data Protection Congress 2023 in Brussels, Belgium. To be sure, the foundation model issue is not the only sticking point remaining in the trilogue negotiations. There are others.  To get the inside scoop, I had the chance to catch up with EU AI Act co-rapportuer Dragoș Tudorache and Kai Zenner, head of staff for German MEP Axel Voss about the negotiations, the obstacles and whether there will be an agreement before next year's parliamentary elections. 

As automated systems rapidly develop and embed themselves into modern life, policy makers around the world are taking note and, in some cases, stepping in. Earlier this year, the Biden-Harris administration took an early step by releasing a Blue Print for an AI Bill of Rights. Comprising five main principles, as well as what should be expected of automated systems, while offering a slate of real-world examples of the potential harms and benefits of artificial intelligence, the Blueprint is a must-read for AI governance and privacy professionals working in the space. Suresh Venkatasubramanian is a Professor of Computer Science and Data Science at Brown University. He also co-authored the Blueprint while serving as Assistant Director for Science and Justice in the White House Office of Technology and Policy. IAPP Editorial Director Jedidiah Bracy recently caught up with Suresh to learn more about his work on the Blueprint, how it fits into the broader spectrum of existing AI guidelines and frameworks, and what professionals should know about this rights-based document.

In June 2013, a series of high-profile U.S. government surveillance disclosures to major media outlets rippled throughout the world and changed the calculus for the privacy profession.  Hard to believe it's now been 10 years since an unknown U.S. government contractor leaked to the world massive amounts of information about top secret U.S. intelligence programs. Within weeks, Edward Snowden became a household, if not, controversial name — not only in the privacy profession — but to consumers and citizens far and wide. A lot has transpired since the summer of Snowden in 2013. The U.S. has altered some of its surveillance laws, and the trans-Atlantic relationship between the U.S. and EU has grown complicated after a series of data transfer agreements were struck down by the EU's highest court. The third such agreement is pending.    Though the privacy world is constantly changing, it seems fitting to stop and take stock of this last decade to see how much, if anything, has changed. To help measure the ripple effect, IAPP Editorial Director Jedidiah Bracy chatted with IAPP Senior Research Fellow Muge Fazlioglu and Research and Insights Director Joe Jones to uncover what's changed in the U.S. and abroad, as well as how consumer attitudes have evolved since then. 

We often focus on consumer policy when discussing privacy laws and obligations, but companies must protect their employee data, as well. Navigating complex employee privacy and labor laws in the U.S., for example, can be challenging, and new state laws, like the California Privacy Rights Act, apply more pressure on privacy pros charged with ensuring employee data is protected and handled appropriately. Littler Mendelson Privacy and Data Security Practice Group Co-Chair Zoe Argento knows the workplace privacy field well and advises clients on a wide range of issues. IAPP Editorial Director Jedidiah Bracy recently caught up with Argento to discuss some of the pressing trends in the workplace privacy space, including CPRA obligations, workplace surveillance and artificial intelligence issues, international data transfers and data security best practices.  

The prospect of day-to-day life with artificial intelligence is no longer a future endeavor. AI systems comprise countless applications across public and private organizations, and through open-sourced systems, such as ChatGPT, AI is now consumer-facing and usable. The U.S. National Institute of Standards and Technology was directed by the National Artificial Intelligence Initiative Act of 2020 to create a voluntary resource for organizations designing, developing, deploying or using AI systems to help manage risk and to promote trustworthy and responsible development of AI systems. As a result, NIST released the AI Risk Management Framework 1.0 along with supplementary documents to help organizations. To learn more about the newly released framework and how organizations should approach it, IAPP Editorial Director Jedidiah Bracy caught up with NIST Research Scientist and Principle Investigator for AI Bias Reva Schwartz.

In early February, the U.S. Federal Trade Commission published a proposed order that fines telehealth and discount prescription provider GoodRX $1.5 milllion. Though part of the case involves deception – one of two prongs under the FTC Act – the case also raises the first-of-its-kind use of the Health Breach Notification Rule. To help better understand the novel and complex issues that are embedded in the case, IAPP Editorial Director Jedidiah Bracy caught up with Wilmer Hale Partner Kirk Nahra to discuss some of the takeaways privacy pros in any industry vertical should consider. 

Without a doubt, 2022 was a packed year for privacy-related news and developments. But according to Goodwin Partner and IAPP Westin Emeritus Senior Fellow Omer Tene, 2023 is set to call and raise the stakes. To be sure, 2023 didn’t hesitate. On Jan. 4, just a few days before we sat down for our interview, the Irish Data Protection Commission levied a massive 390 million euro fine on Meta social networks Facebook and Instagram. Yet, that’s only the tip of the iceberg. In this episode of The Privacy Advisor Podcast, which was recorded January 10, IAPP Editorial Director Jedidiah Bracy sat down with Tene to discuss what he thinks will be some of the biggest developments in privacy in 2023, including why he believes a federal U.S. privacy law still has a chance in the new U.S. Congress. 

California has long led the way on many privacy-related laws, going back to at least 2002 when it passed the first data breach notification law in the U.S. More recently, passage of the California Consumer Privacy Act and the California Privacy Rights Act has prompted other states to follow suit. Baker McKenzie Partner Lothar Determann has long practiced and taught international data privacy law, and beginning in 2013, published the book, “California Privacy Law.” Now in its fifth edition and published by the IAPP for the last three editions, the new edition comes as the CPRA goes into effect, with implementing regulations on the way. IAPP Editorial Director Jedidiah Bracy caught up with Determann to talk about the California’s privacy regime, what companies should be doing to comply, what’s new in the updated book, and what’s on the horizon for federal and state privacy law in the U.S. and beyond.

With the rise of data subject rights in privacy law, privacy practitioners are often challenged with operationalizing what can be a complex and risky endeavor. California, through the CCPA and CPRA, has emerged as a leader on this in the United States. Advocacy organization Consumer Reports has not only been working on policy with states like California on data subject rights but also with industry on standardizing consumer data rights. With a number of companies in the privacy tech vendor space, CR is announcing the open standard called the Data Rights Protocol. It’s also in the early stages of acting as an authorized agent on behalf of consumers, with a service its calling Permission Slip. IAPP Editorial Director Jedidiah Bracy talks with Ginny Fahs, associate director of product R&D for Consumer Reports Digital Lab, and Technology Policy Director Justin Brookman, to learn about their open-sourced protocol and what they’re doing to help both consumers and organizations operationalize data subject rights.

Nearly five years after the implementation of the EU General Data Protection Regulation, Europe is immersed in a digital market strategy that is giving rise to a host of new, interconnected regulation. Among this complexity resides the proposed Artificial Intelligence Act. Originally presented by the European Commission April 2021, the AI Act is now in the hands of the Council of the European Union and European Parliament. If passed, this would be the world’s first comprehensive, horizontal regulation of AI. On my visit to Brussels for the IAPP Data Protection Congress, I had the opportunity to meet with AI Act Co-rapportuer and Romanian Member of Parliament Dragoș Tudorache in his office. During our extended conversation, we discussed the risk-framework for the proposal, how the legislation will intersect with existing regulations, like the GDPR, current sticking points with stakeholders and what this means for privacy and data protection professionals.

The highly anticipated mid-term elections in the U.S. so far have provided surprising results. Many political pundits expected a “red wave” of Republican candidates to take over both chambers of U.S. Congress. Though control of Congress is still up in the air, Democrats fared better than most expected. With some of the dust now settled, what do the 2022 midterm results mean for potential passage of the American Data Privacy and Protection Act, both in the lame duck session and the 118th Congress? Will House and Senate committee assignments change? What do the mid-term results mean for enforcement by federal agencies, like the Federal Trade Commission? And how will the results affect state privacy legislation in 2023 and beyond? To help shed light on these issues, I caught up with R Street Resident Senior Fellow for Cybersecurity and Emerging Threats Brandon Pugh and Public Knowledge Senior Policy Counsel Sara Collins.

As we round out 2022, digital technology is further embedding itself into our daily lives. Beyond the smartphone’s ubiquity, wearable sensors proliferate and are found everywhere from the gym to the bedroom. Intimate relationships are formed through dating apps more than ever before. We’re tracked in our cars, in retail establishments and online. At no time in history has data collection been as prevalent as it is now, and it’s only increasing. But what does that mean for the development of our identities and relationships, particularly for those who are most vulnerable? University of Virginia School of Law Prof. Danielle Citron has long explored these issues, which she’s presented in her new book, “The Fight for Privacy: Protecting Dignity, Identity and Love in the Digital Age.” I recently caught up with Prof. Citron to discuss her work, and how law – particularly civil rights law – society and privacy pros can all play a role in protecting what makes us human.

Since becoming U.K. Information Commissioner, John Edwards has been busy. Officially taking the reigns January 4, Edwards embarked on a listening tour to learn the ins and outs of the U.K. The former New Zealand Privacy Commissioner gave his first major public speech since heading up the ICO at the IAPP Data Protection Intensive in London last month and joined German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber for a “commissioner’s chat” at the IAPP Global Privacy Summit in Washington, DC. While there, The Privacy Advisor Podcast host Jedidiah Bracy caught up with Edwards in person to discuss his priorities, how he foresees working with other data protection authorities, his thoughts on transborder data flows and the U.K.’s potential changes to it data protection law, and, most importantly, what he’s currently listening to for music.

In 1998, the U.S. was the first nation to enact a privacy law specifically tailored to protect children’s data. Nearly 25 years later, COPPA – the Children’s Online Privacy Protection Act – is one of several children’s privacy and data protection laws around the world. LinkedIn Vice President and Chief Privacy Officer Kalinda Raina first encountered the draft COPPA bill while interning at the Center for Democracy & Technology. In the years since, she has helped lead the privacy efforts at Nintendo and Apple. With three children of her own, Kalinda has an in-depth knowledge of children’s privacy issues, both as a parent and privacy pro. Her passion for the issue led her to start a YouTube channel to help educate parents and kids about privacy and safety issues and to shepherd a new book called “Children’s Privacy and Safety,” published by the IAPP. The Privacy Advisor Podcast host Jedidiah Bracy recently caught up with Kalinda to discuss children’s privacy, her work, and the new book.

The concept of privacy and data protection by design is not new in the privacy world. We know that privacy should be integrated in the foundational design of a product or service; that is should be baked in, not bolted on. But what that means in practice is often elusive. In 2018, Enterprivacy Consulting Group founder Jason Cronk wrote the book Strategic Privacy by Design, which was published by the IAPP. In it, Cronk offered insights for building processes, products and services that consider an individual’s privacy interests as a requirement. In the four years since, law and technology have continued to evolve, prompting Jason to write a second edition of the book. The IAPP's Jedidiah Bracy recently caught up with Cronk to discuss his work in designing for privacy and what’s new in his second edition.

It’s difficult to remember a time when people didn’t extoll cliches like “privacy is dead” or “data is the new oil.” No doubt, privacy is constantly challenged by ever advancing technology, and data is mined ubiquitously for its value, but privacy is far from dead. Washington University in St. Louis School of Law Prof. Neil Richards agrees, but notes that though privacy is very much alive, it is up for grabs. These are some of the initial thoughts that helped inform his new book, “Why Privacy Matters.” IAPP Editorial Director Jedidiah Bracy recently caught up with Richards to discuss his new book and why there’s plenty of food for thought in there for privacy pros.

Though many privacy pros are still grappling with the EU General Data Protection Regulation, the EU is now busy leading a new generation of data regulations. As part of its Digital Single Market strategy, the EU is looking to not only protect data but also to create frameworks that allow for data flows, while aiming to mitigate hate speech and misinformation. Through an ambitious line of of proposed laws – including the Data Act, Data Governance Act, Digital Markets Act, Digital Services Act and the AI Act – the EU is poised to place a slew of new requirements for companies doing business in the region. Though not all privacy-related, privacy pros should be paying attention to this space. To catch up on this flurry of activity, IAPP Editorial Director recently chatted with journalist Luca Bertuzzi.  

Cybersecurity is inextricably connected to privacy in countless ways. Like privacy law and regulation in the U.S., cybersecurity stands on a patchwork quilt of rules, laws, regulations and court cases. Stanford Cyber Policy Center Senior Policy Advisor Jim Dempsey has been teaching cybersecurity law since 2015 and worked in the area for decades, whether as an academic, a government representative on the U.S. Privacy and Civil Liberties Oversight Board, or an advocate at the Center for Democracy & Technology. He’s long thought about the cybersecurity space and how it matches up to privacy and data protection. In fact, he’s thought so hard on this subject that he published a new book with the IAPP called “Cybersecurity Law Fundamentals.” IAPP Editorial Director Jedidiah Bracy recently caught up with Dempsey to discuss cybersecurity’s current state of play, the biggest issues companies face from a world burgeoning with adversaries and what to look for in his new book.

Data protection and competition enforcement have been on a collision course in recent years. The Big Tech platforms have amassed powerful market share with vast amounts of user data. This inevitable convergence is shaping up on both sides of the Atlantic. U.S. President Joe Biden has appointed notable antitrust proponents to powerful government positions in recent months. And in Brussels, the European Commission has released a slew of draft legislation to help bolster its Digital Single Market efforts, curtail Big Tech hegemony, and promote competition. Journalist Samuel Stolton has been following these developments with an ear to the ground in Brussels. Host Jedidiah Bracy recently caught up with Stolton right as news emerged that Amazon faces a record $888 million fine related to GDPR violations.

On July 13, Ohio Lt. Governor Jon Husted announced the introduction of the Ohio Personal Privacy Act. The law applies to organizations doing business in Ohio or whose products or services target consumers in the state. Businesses with annual gross revenues exceeding $25 million, or process personal data of 100,000 or more Ohio consumers, or derive 50% of gross annual revenues from the sale of personal data would be covered. Like other laws, it does offer some consumer rights, including correction, deletion and portability, as well as an opt-out right for the sale of personal data. Most notably, the OPPA includes a carve out for businesses that reasonably conform with the U.S. National Institution of Standards and Technology’s Privacy Framework. Host Jedidiah Bracy recently caught up with Husted to discuss the bill, the NIST provision, and what the OPPA could mean for the future of privacy law at the state, federal and international levels. 

Voice-activated products and services are proliferating, while voice-recognition technology is on the rise. In addition to popular voice-activated assistants, call centers are beginning to use advanced voice-intelligence technology in novels ways. The technology could lead to plenty of innovation, but the potential privacy, safety and fairness issues will need some thinking. In his new book "The Voice Catchers: How Marketers Listen In to Exploit Your Feelings, Your Privacy, and Your Wallet," Joseph Turow describes the rise of what he calls the “voice intelligence industry” and how artificial intelligence is enabling personalized marketing and profiling through voice analysis. IAPP Editorial Director Jedidiah Bracy caught up with Turow to discuss the potential privacy issues and what privacy pros and policy makers should be thinking about with this nascent industry.

Notice and consent have been foundational principles in privacy and data protection for decades. But do they provide individuals with the ability to make informed decisions as they navigate products and services? Will laws like the California Privacy Rights Act help change how companies design their privacy notices? For Jennifer King, the Privacy and Data Policy Fellow at Stanford's Institute for Human-Centered Artificial Intelligence, the notice-and-consent paradigm as it currently stands is a “farce” that needs an overhaul, not just from a legal standpoint, but also from a human-technology interaction perspective. IAPP Editorial Director Jedidiah Bracy chats with King about what's needed for an effective paradigm shift in this space. 

Prospects for a federal privacy law in the U.S. ramped up in recent years, but even though data protection is a bipartisan issue, nothing has come close to passing. At the same time, U.S. state activity is swarming, and many countries around the world are developing and implementing their own national privacy laws. So what’s it going to take for the U.S. to pass a federal law? Rep. Suzan DelBene, D-Wash., was the first congressional lawmaker to propose federal privacy legislation in 2021. Her bill received praise from the U.S. Chamber of Commerce and other industry groups for its approach, but does the bill have what it takes to cross the finish line? The Privacy Advisor Podcast host Jedidiah Bracy recently caught up with DelBene to talk about her proposed bill, the state of play on Capitol Hill, and what it will take for the U.S. to pass federal privacy legislation.

Artificial intelligence and machine learning technologies are rapidly developing across virtually all sectors of the global economy. One nascent field is empathic technology, which, for better or worse, includes emotion detection. It is estimated that the emotion detection industry could be worth $56 billion by 2024. However, judging a person's emotional state is subjective and raises a host of privacy, fairness, and ethical questions. Ben Bland has worked in the empathic technology space in recent years and now chairs the IEEE's P7014 Working Group to develop a global standard for the ethics of empathic technology. We recently caught up to discuss the pros and cons of the technology and his work with IEEE. 

U.S. government surveillance bubbled back up in headlines in recent weeks. Portugal's data protection authority halted transfers of data to the U.S. after complaints that census data were being sent back to the U.S. The same week, a U.S. Foreign Intelligence Surveillance Court decision was published, in which it renewed a U.S. surveillance program even though it found some Federal Bureau of Investigation employees illegally accessed email data. This comes as the U.S. and EU try to hammer out a renewed data transfer agreement in the wake of the "Schrems II" decision that invalidated Privacy Shield. April Falcon Doss worked at the U.S. National Security Agency for 13 years. In 2017, Doss joined the U.S. Senate Select Committee on Intelligence for the Russia investigation. She also wrote a book, "Cyber Privacy: Who Has Your Data and Why You Should Care," and took a new job at Georgetown University Law Center. Host Jedidiah Bracy recently caught up with Doss to discuss the state of play of U.S. surveillance law, her new book, what she found out while investigating the 2016 presidential election, and what’s on the horizon with her new gig at Georgetown.

The Norwegian Consumer Council made waves in early 2021 after its complaint to Norway's data protection authority, Datatilsynet, against Grindr resulted in an intention to fine the company $12 million, the highest fine ever levied by the nation’s DPA. Grindr responded to the proposed enforcement action, arguing it has refined its consent mechanism, but the case isn't over. The NCC has long worked with other advocacy organizations to bring protections and awareness for consumers around privacy issues in the marketplace. In 2018, they released an in-depth report on “dark patterns” to demonstrate how companies nudge users into making decisions that may not always be in their best interest. IAPP Editorial Director Jedidiah Bracy, CIPP, recently caught up with the NCC’s Finn Myrstad to discuss the NCC's case against Grindr and, more broadly, what companies can do to avoid using dark patterns at the expense of their users.

In the wake of "Schrems II," the future of data transfers is on shaky ground. True, the Biden administration has demonstrated that it’s taking trans-Atlantic data flows seriously after appointing Christopher Hoff in January, not long after Biden was inaugurated. And though both the U.S. Department of Commerce and European Commission are working together in earnest, short of changing its national security laws, what else can be done to prevent another legal challenge and potential invalidation to a future agreement? Baker MacKenzie Global Data Privacy and Security Group Chair Brian Hengesbaugh has an idea. Using his background in international policy and data protection, Hengesbaugh thinks now is the time for the Biden administration to “go big” and initiate an international treaty among democratic nations and their shared values around both human rights and national security. He explains in this latest episode of The Privacy Advisor Podcast. 

Virginia joined rarified air March 2 after its governor signed the Consumer Data Protection Act into law. Though California was the first state to pass baseline privacy legislation, Virginia was the first to do so absent a ballot initiative. So, what is in Virginia’s CDPA? Where does it overlap with provisions in the California Consumer Privacy Act, California Privacy Rights Act or EU General Data Protection Regulation? What are some early steps businesses should consider as they make preparations? And, what effect will the CDPA — if at all — have on other state privacy laws, and ultimately, on potential federal privacy legislation? These are a few of the issues IAPP Editorial Director Jedidiah Bracy, CIPP, discussed with Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP.

Concepts like “privacy engineering” and “privacy by design” have been in the privacy lexicon for several years, but do we all know or agree about what they mean? What is a privacy engineer? Sure, when we discuss privacy by design, we’re talking about baking privacy considerations in from the start and not just bolting them on after a product or service has been designed, but what is privacy by design in practice? How do you ensure your tech and legal teams can understand each other, and how can you get senior leadership to buy into privacy as a business advantage instead of an obstacle? These are a couple of issues IAPP Editorial Director Jedidiah Bracy, CIPP, recently discussed with Nishant Bhajaria, head of technical privacy and governance at Uber.

With 2020 finally in the rearview mirror, 2021 looks like it will be filled with potential data privacy legislation in the U.S. Of course, front and center right now resides the Washington Privacy Act, but the Pacific Northwest state isn't the only one in play. So far, legislation has been proposed in Connecticut, Minnesota, New York, Oklahoma and Virginia, among others. This all comes while a new presidential administration takes hold in Washington, D.C., along with a Congress controlled — though by a slim margin — by the Democrats. What should privacy pros make of all this state activity, and what are the prospects for federal privacy legislation? Host Jedidiah Bracy, CIPP, discusses these pressing issues with Husch Blackwell Partner David Strauss. 

It goes without saying 2020 has been a challenging and difficult year. COVID-19 has affected the world in inalterable ways. And though the pandemic is a sea change for how we live, work and educate our children, it did not lessen the impact of privacy and the privacy profession. In fact, privacy has become an even more front-and-center issue for businesses, governments and individuals. From the “Schrems II” decision in the EU to Proposition 24 in California to new and proposed laws in Brazil, Canada, China and India, there was no shortage of developments in the privacy space. To help assess what just happened in 2020 and what’s ahead in 2021, IAPP Editorial Director Jedidiah Bracy, CIPP, spoke with IAPP VP and Chief Knowledge Officer Omer Tene and Research Director Caitlin Fennessy, CIPP.

Artificial intelligence, big data and personalization are driving a new era of products and services, but this paradigm shift brings with it a slate of thorny privacy and data protection issues. Ubiquitous data collection, social networks, personalized ads and biometric systems engender massive societal effects that alter individual self-determination, fracture shared reality and even sway democratic elections. As an associate professor at the University of Oxford's Faculty of Philosophy and the Institute for Ethics in AI, Carissa Véliz has immersed herself in these issues and recently wrote a book, "Privacy Is Power: Why and How You Should Take Back Control of Your Data." In this latest Privacy Advisor Podcast, host Jedidiah Bracy, CIPP, caught up with Véliz to discuss her book and the importance privacy plays in society. 

Hard to believe it, but we’re only days away from a fateful vote in California on what’s called Proposition 24. If approved by the residents of California, Prop 24 will put the California Privacy Rights Act on the books. The law will add an additional layer of privacy protections for California residents and a new privacy compliance regime for businesses. Prop 24 has been hotly debated, especially in recent weeks. And the traditional fault lines between consumer advocacy and industry are not what you might suspect. Behind much of Prop 24, and the CCPA before it, is Alastair Mactaggart. With a background in real estate, Mactaggart has quickly become one of the most influential individuals in the U.S. privacy landscape. I recently had a chance to catch up with Alastair to discuss the ins and outs of Prop 24. 

As a consumer, it can be really difficult to figure out who's tracking your data online. Many companies hide behind algorithms claiming they're the "secret sauce" to their business model, which sometimes frustrates regulators and laymen alike. That's why award-winning journalist Julia Angwin and investigative journalist Surya Mattu, both of the non-profit news organization The Markup, recently developed and released Blacklight, a web site that allows users to scan any site for potential privacy violations, including what's being tracked and who's sharing your personal data. In this episode of The Privacy Advisor Podcast, Angwin and Mattu talk about the tool and why the team is passionate about user empowerment. 

There have been no shortage of hearings in the last couple of years on potential federal privacy legislation in the U.S. This week was no exception, as the U.S. Senate Committee on Commerce, Science and Transportation held another. But this hearing was under different circumstances, namely, it was held in the middle of the COVID-19 global pandemic. That garnered some conversation about the need for a comprehensive law more than ever, as did the release this week of the SAFE Data Act, which consolidates previously released legislation into one bill, with some nuance. In this episode of the podcast, IAPP Senior Research Fellow Muge Fazlioglu discusses the bill's provisions, and Sara Collins of Public Knowledge discusses how that featured into this week's hearing. 

As children around the globe either head back to school or continue their school year, depending on geolocation, many new privacy and data protection concerns present themselves. Whether it be heightened data collection on student health to prevent the spread of COVID-19 at school or new technologies implemented to facilitate virtual learning, there are all sorts of new unprecedented risks. In this episode of The Privacy Advisor Podcast, former White House Senior Advisor for Privacy Marc Groman and the Future of Privacy Forum's Director of the Education Privacy Project Amelia Vance discuss how we can help protect children's privacy — and whose job that is. 

If Brazil gave birth to its data protection law this week, it was a really fast labor.  Privacy professionals awoke to the news Thursday that overnight, in an unprecedented move, the Brazilian Senate approved an amendment allowing the General Personal Data Protection Law to go into effect (almost) immediately. The decision reverses a vote Tuesday to delay the implementation of the LGPD to Dec. 31, 2020. How could this have happened? What does it mean for those covered by the law? In this episode of The Privacy Advisor Podcast, Dirceu Santa Rosa talks to Angelique Carson, CIPP/US, about why there's some fear surrounding the news. 

In a highly anticipated decision, Europe's highest court decided July 16 that the EU-U.S. Privacy Shield agreement is invalid. The ruling will impact thousands of companies who'd used Privacy Shield to transfer data from the EU to the U.S. Additionally, the court decided to uphold another data transfer mechanism, standard contractual clauses, but with conditions. The news is a game-changer and casts much uncertainty upon the stability of cross-border agreements. In this episode of The Privacy Advisor Podcast, IAPP Research Director Caitlin Fennessy, Hintze Law's Susan Lyon-Hintze and Future of Privacy Forum's Gabriela Zanfir-Fortuna discuss the decision and what privacy pros should be thinking about in the coming days and weeks.   

There's no shortage of tech companies and apps aiming to help thwart the spread of COVID-19, in addition to government efforts. But with so many different apps being deployed and so much sensitive data being swept up, is this one of those moments in time that we're putting safety ahead of privacy in ways that can't be undone? In this episode of The Privacy Advisor Podcast, the Future of Privacy Forum's Polly Sanderson and the International Digital Accountability Council's Quentin Palfrey discuss both the apps themselves as well as the greater ecosystem surrounding contact tracing. 

Recently, Jay Edelson and his team at Edelson PC have filed three different class-action lawsuits related to unwanted surveillance: One against security company ADT, one against a Chicago hospital and another against biometric start-up Clearview AI. In this episode of The Privacy Advisor Podcast, Edelson talks about why he chose to file the suits and why he thinks they're important cases for privacy rights generally. He also talks about the status of his firm's historic settlement with Facebook over violations of Illinois biometric privacy law. 

When the world was turned upside down with the COVID-19 pandemic and then the murder of George Floyd in the U.S., any momentum we’d started to see on passing a federal privacy bill was lost — at least temporarily. But Cam Kerry is aiming to change that by re-igniting bi-partisan conversations with a report proposing how we might overcome the impasse we've found ourselves at in two crucial areas: federal pre-emption and a private right of action. In this episode of The Privacy Advisor Podcast, Kerry discusses how to bridge the divide. 

There is so much privacy news related to the pandemic lately that it sometimes feels like that's the only news. But the world continues to spin, if more quietly, as most of its population works from the comfort of their homes. In this episode of The Privacy Advisor Podcast, Angelique Carson chats with Brussels-based freelance journalist Jennifer Baker about two government data breaches, the latest on activist Max Schrems and his complaints, as well as recent criticisms on the level of DPA enforcement now that the GDPR has turned two.

Especially now, while most of us are stuck indoors hiding from the invisible monster that is the COVID-19 disease, it's not difficult to imagine better days — days when we can safely travel again to faraway islands with blue-glass waters and sandy beaches. Or, you could do what Alex White did and move there. The former deputy chief privacy officer of South Carolina didn't move to the island for a vacation, though. He took the job as the country's first-ever privacy commissioner, a position created with the passage of Bermuda's privacy law in 2016. In this episode of The Privacy Advisor Podcast, White talks to host Angelique Carson, CIPP/US, about the challenges of starting up a new office — especially in the midst of a global pandemic — and why he thinks privacy professionals should think of themselves as, of all things, GPS devices. 

The EU General Data Protection Regulation ushered in an enhanced private right of action for violations of the law, both for material and non-material damages. Attorneys say there's now a significant uptick in cases brought alleging such a grievance has occurred, and that they're often brought as a "follow-on" to data protection authorities' own investigations. In this episode of The Privacy Advisor Podcast, Orrick attorneys Keily Blair and James Lloyd, both based in the U.K., describe the uptick in civil litigation claims they're seeing and the ways that's changing things — including how companies interact with data protection authorities. 

It's a troubling and weird time to be alive. The headline are dominated by reports of mass death and despair globally, and we're all trapped at home trying to cope with a very new and very difficult reality. In a time like this, it can feel hard to find meaning in the day-to-day work of being a privacy professional. In this fireside-chat style podcast, IAPP Editor Angelique Carson, CIPP/US, talks with three DC-based privacy professionals -- who happen to also be three of her best friends -- about how they're coping and staying focused on their individual missions. 

Telecommunications companies across the world, including in Germany, Brazil and China have granted their governments access to customers' cellphone data in an effort to help track the COVID-19. Other countries are more cautious; the Dutch DPA called for emergency legislation before sharing occurs, and Canadian Prime Minister Justin Trudeau has said a flat no, for now. In this episode of The Privacy Advisor Podcast, Heather Federman, vice president of privacy and policy at BigID, discusses the potential longterm implications of location data agreements and the role privacy officers should play in board room discussions on sharing customer data. 

It's a scary time by any standard. There's news every day about the latest number of those infected by an invisible danger that'll make some sick and kill others and to stay safe we have to stay away from each other in a time when we most need each other for support. And when we're scared, sometimes we make decisions based on fear. In this episode of The Privacy Advisor Podcast, Michelle De Mooy of DeMOOY Consulting and former director of privacy and data at the Center for Democracy and Technology, talks about the data privacy concerns related to private-public entities partnering up to address the health crises COVID-19 has presented. 

If there's anyone we could call an expert on data protection in the EU, it's Christian D'Cunha. Years back, he was charged with leading the review of the EU Data Retention Directive — no easy task — before he moved to a role at the European Data Protection Supervisor's office as a policy assistant under former EDPS Peter Hustinx and then, his successor, the late Giovanni Buttarelli. Now, D'Cunha has taken a role at the European Commission at DG Connect, a segment of the Cybersecurity and Digital Privacy Unit. In this episode of The Privacy Advisor Podcast, D'Cunha discusses what he learned about the art of negotiation during his leadership role on the Directive, the future of ethics in the privacy profession and whether we're ever going to see that ePrivacy Regulation come to fruition.

February 19, the European Commission released its EU data strategy. As the IAPP's Riyan Chiavetta reported, the document outlines the commission’s five-year plan for “policy measures and investments to enable the data economy.” The commission based its strategy on four pillars, one of which is a cross-sectoral governance framework for data access and use. In conjunction with the release data strategy, the commission also published a white paper on AI. In this episode of The Privacy Advisor Podcast, the Future of Privacy Forum's Gabriela Zanfir-Fortuna, who's expertise on moves by the European government is exceptionally informed, discusses the new releases and whether they'll have a meaningful impact or if they're lofty, abstract goals.

In January, the U.K. Information Commissioner's Office released its proposed "Age Appropriate Design Code" aimed at protecting children's privacy online. The code, which will require parliamentary approval, outlines 15 standards online services should follow. It also provides guidance on data protection safeguards aimed at ensuring online services are appropriate for children's use. In this episode of The Privacy Advisor Podcast, Playwell's Linnette Attai talks to host, Angelique Carson, CIPP/US, about what the code means for companies who cater to children, and even more importantly, those who traditionally haven't but may be covered under the new rules. 

It would've been hard to miss the big news this week, news privacy advocates are heralding as a major win: Facebook has agreed to settle for $550 million in a class-action lawsuit alleging the company violated Illinois' biometric privacy law when it used facial recognition software to suggest users "tag" faces in photos they'd uploaded to the site. In this episode of the podcast, Jay Edelson, one of the plaintiff's attorneys who argued the case, talks about why he's "enormously proud" of what is " easily the largest cash privacy settlement in our nation's history" and why this is a good settlement for members of the class. 

Jan. 15, Washington State Legislature's Senate Environment, Energy & Technology Committee held its first public hearing on a reintroduced version of the Washington Privacy Act. Those who've been following developments on the state's privacy legislation will recall that last year, despite gaining some significant momentum, the bill failed. The new version of the bill has gained praise from many privacy advocates, and lawmakers in Washington have said the bill has significant bi-partisan support. But Jevan Hutson and Jennifer Lee, who both testified at Wednesday's hearing, have concerns that the bill fails to protect consumers in a number of ways. In this episode of the podcast, Hutson and Lee discuss what happened at the hearing and why they're not convinced this bill represents comprehensive privacy reform. Full Story

Anyone who's been in the privacy game for a minute will likely tell you 2019 was one of the most exciting — and stressful — years on the books. Regulatory and enforcement action, the mad dash to comply with the California Consumer Privacy Act and continuing efforts to operationalize GDPR-compliant programs were just a fraction of the news privacy professionals had to track this year in order to do their jobs well. The good news? That made for plenty of fodder for The Privacy Advisor Podcast. In this last episode of the 2019 season, five of the year's best-rated guests, according to you, talk about the pitfalls of 2019 and — more importantly — the essential developments they're tracking as 2020 approaches.

Last week, on the keynote stage at the IAPP's Data Protection Congress, data protection authorities from three different countries took the stage to address a sold-out crowd of privacy professionals eager to hear straight from the proverbial horses mouths' what to expect from the leaders charged with enforcing Europe's sweeping data privacy law. When are the fines finally coming? Is the GDPR even working at all? And what kinds of emerging technologies and data uses scare the regulators most given the risk of misuse? In this episode of The Privacy Advisor Podcast, the Future of Privacy Forum's Gabriela Zanfir-Fortuna, who moderated the on-stage discussion, talks to host Angelique Carson about what the regulators had to say. 

In this episode of The Privacy Advisor Podcast, host Angelique Carson chcats with Robert Robbert van Eijk, who's recently joined the Future of Privacy Forum as its managing director for Europe. Prior to serving in this position, Eijk worked at the Dutch Data Protection Authority (DPA) for nearly 10 years and has since become an authority in the field of online privacy and data protection. He represented the Dutch DPA in international meetings and as a technical expert in court, and he also represented the European Data Protection Authorities in negotiations of the World Wide Web Consortium on Do Not Track. Van Eijk discusses the future of online advertising and what it’s like working within the walls of a data protection authority.

It wasn't long ago that the number of journalists covering the privacy and data protection beat was very small. Most mainstream newspapers didn't have a journalist dedicated to what were once considered very niche topics. Now, every major newspaper has one or more journalists dedicated to the onslaught of daily news made by tech companies' missteps or the policymakers reacting to them. In this episode of The Privacy Advisor Podcast, host Angelique Carson chats with Brussels-based Politico journalist Laura Kayali on the ePrivacy Regulation, covering the Max Schrems hearing and emerging EU trends in facial recognition. 

There are so many privacy headlines in the U.S. right now that it almost seems to overshadow developments in the EU. While the privacy profession was, for years, seemingly laser-focused on the General Data Protection Regulation -- deservedly -- the California Consumer Protection Act set a firestorm in 2017 and then later in 2018 when it was passed. But that doesn't mean things are quiet in the EU. In this episode of The Privacy Advisor Podcast, host Angelique Carson chats with FieldFisher's Phil Lee, CIPP/E, about everything from the future of cross-border data transfers to that yet-to-be-passed ePrivacy Regulation. 

At the IAPP's Privacy. Security. Risk. conference, it would be hard to argue that the California Consumer Privacy Act wasn't the general topic of conversation everywhere from the keynote stage to breakout sessions to happy hour. From a dressing room offstage at The Cosmopolitan Hotel's Chelsea Theater in Las Vegas, Nevada, Angelique Carson, CIPP/US, sat down with Tanya Forsheit of Frankfurt Kurnit Klein & Selz to talk about the latest. Forsheit counsels all sorts of companies, big and small and in-between, to help them comply with CCPA. In this episode of The Privacy Advisor Podcast, Forsheit talks about industry's perspective on the latest CCPA amendments, the most difficult part of compliance to date and what she thinks about the bombshell Alastair Mactaggart dropped during this week's conference that he's introducing a CCPA 2.0. 

A surefire way to take the social temperature of a time period is to sample its art. For those who’ve been working in privacy for some time, it’s perhaps slightly surreal to now see aspects of the profession reflected in popular culture. In October, “The Right to Be Forgotten,” by playwright Sharyn Rothstein, will debut at the Arena Stage in Washington, D.C. It follows the story of a 17-year-old boy seeking to have his past misdeeds forgotten online and the obstacles he faces in doing that. Host Angelique Carson recently got a preview of the play and afterward interviewed director Seema Sueko in this episode of The Privacy Advisor Podcast.

Friday, Sept 6, was the final day for any amendments to the California Consumer Privacy Act to be introduced, per California Assembly rules. Lawmakers have since voted on those amendments and we now know what the final version of the CCPA looks like, subject to the signature of California Gov. Gavin Newsom. In this episode of The Privacy Advisor Podcast, Mary Stone Ross, who worked alongside Alastair Mactaggart to craft what we now know as the CCPA, discusses the last amendments to be introduced to the law before the California legislature adjourns today, Sept. 13. 

This week, the U.S. Federal Trade Commission announced its settlement with Google and its subsidiary YouTube as a historic moment and a "game changer" for enforcement under the Children's Online Privacy Protection Act. Google will pay $170 million and YouTube must implement various changes to the way it manages content creators on its site and the way they treat content geared toward children. It's the largest COPPA settlement ever obtained, but there's been criticism, including from FTC commissioners themselves. In this episode of The Privacy Advisor Podcast, Linnette Attai discusses COPPA enforcement to date and whether this settlement is in fact, as the FTC has touted, a "game changer." 

Remember when the GDPR was about to be signed into law and there was all sorts of chatter that the ePrivacy Regulation would soon be passed as well? That was years ago now. So what's happening within the EU government that we still don't have one. In this episode of The Privacy Advisor Podcast, Gabriela Zanfir-Fortuna, senior privacy counsel at the Future of Privacy Forum, takes us through the latest. She also discusses what went down in the European Court of Justice earlier this month when it heard the Schrems II case and how that might impact both the Privacy Shield and standard contractual clauses as viable methods for global data transfers. 

There's no question that the California Consumer Privacy Act has captured the attention of not only the U.S. but its global counterparts as well. What's perhaps even more concerning to companies aiming to comply with the law before it becomes effective in 2020 is the uncertainty surrounding the seemingly endless number of amendments being considered by California's legislature. How do you prepare to comply with a law that's not fully baked? In this episode, co-author of the CCPA ballot initiative, Mary Stone Ross, discusses how the law might differ, in the end, from its initial aims, and the impact industry's lobbying efforts is having on the end result. 

Recently, The New York Times announced it had hired journalist Kashmir Hill to its Business beat. Hill, most recently of Gizmodo, has long covered privacy in a distinct and unique first-person style, often through experimentation of her own with technology products and services. There was the time she tried to quit using the top five technology companies to see what her life would become, or the time she connected her entire home to the Internet of Things. In this episode of The Privacy Advisor Podcast, Hill talks to host Angelique Carson, CIPP/US, about covering the privacy beat and what she hopes to do with it at her new gig. 

It's been three years since journalist Angelique Carson, CIPP/US, was directed by her boss to start something called a podcast that could help serve the IAPP membership, allowing them in-depth insights from their peers on how to thrive in the privacy profession and detailed looks at some of the industry's most important news. Since then, The Privacy Advisor Podcast has grown by the thousands in downloads and listeners. To celebrate, in this fun-loving, 100th-episode special anniversary edition, Jay Edelson, a plaintiff's attorney and founder of Edelson PC, aims to give listeners some insight to the woman behind the microphone, grilling Carson on how she approaches interviews on the podcast, the massive shift in the privacy landscape since she started reporting in the space, and why she's so darn out-of-the-loop on pop culture. 

In this special edition of The Privacy Advisor Podcast, two of the people completely immersed in EU General Data Protection compliance discuss the last year of their lives. Irish Data Protection Commissioner Helen Dixon describes the last year as "a washing machine stuck on the spin cycle; it’s been an incredible year of change for us as a data protection authority.” And Hogan Lovells’ Eduardo Ustaran calls the year “unprecedented.” The two talk about the ongoing struggles as companies and regulators sort things out, and opine as to whether individuals are genuinely better off as a result of the regulation.

While it's true privacy and data protection laws are undergoing shifts in many parts of the world, this is especially true for Latin America where there is no shortage of legislative action. Brazil approved its general data protection law last year, and it will come into effect in early 2020. Just as the U.S. is seeing with the California Consumer Privacy Act, Brazil's law is now being amended in all kinds of ways ahead of implementation. Amendments to the LGPD, the acronym used for its formal name in Portuguese, will also establish a new national DPA, and those approvals are expected to reach the country's Senate within weeks. In this episode of the podcast, Rosa Maria Franco, the IAPP's managing director for Latin America and based in Mexico, and Dino Santa Rosa of Brazil discuss the legal landscape in both Mexico and Brazil and what that means for the privacy profession in each jurisdiction.

There's been no shortage of press about the California Consumer Privacy Act. Sessions on the topic were among the most attended at the IAPP's Global Privacy Summit in Washington, D.C., last week. But what's difficult is keeping pace with all of the amendments being voted up or down on any given week. In this episode of The Privacy Advisor Podcast, host Angelique Carson, CIPP/US, chats with Frankfurt Kurit's Tanya Forsheit, who's on the front-lines of the issue in both advising clients and testifying at hearings on the CCPA in Sacramento. Forsheit offers tips on how to start compliance efforts given the law is in flux, the status of the AG's attempts to expand the CCPA's private right of action, and what we can read into, if anything, about stalled efforts for a privacy bill in Washington State. 

On May 1, the U.S. Senate Committee on Commerce, Science and Transportation held its third hearing on how to craft a potential federal privacy bill. Witnesses included repesentatives from the American Civil Liberties Union, the Future of Privacy Forum, Common Sense Media and the Irish Office of the Data Protection Commissioner. In this episode of The Privacy Advisor Podcast, host Angelique Carson welcomes back frequent guest Joseph Jerome, of the Center for Democracy and Technology, to discuss the highlights and lowlights of this most recent hearing and whether we're finally pushing proverbial the ball forward on how to do things right in the U.S. 

In this episode of The Privacy Advisor Podcast, New Zealand Privacy Commissioner John Edwards discusses the privacy landscape in New Zealand and ongoing updates to the country's privacy law of 1993. Th regulator is unique in that he does not have fining powers, but he says that's working just fine. Edwards also discusses what he says are necessary reforms to the way social media platforms respond to modern-day terrorist attacks. Specifically, he's frustrated with Facebook's response to the attacks on two of the country's mosques, after the terrorist live-streamed the act and the company took nearly 30 minutes to remove it.

History was made Friday night, April 12, when the largest ever privacy class-action verdict was announced. A federal jury in Oregon decided it would tell health supplement marketer ViSalus to pay $925 million in damages after it was charged by a certified class of 800,000 people with making 2 million illegal robocalls. It’s unusual not only in that it’s the highest amount ever awarded, but also in that privacy class—action cases often don’t ever go to trial. In this episode of The Privacy Advisor Podcast, Jay Edelson, whose firm argued the class-action for the plaintiffs' bar, talks us through the legal victory, the significance of the ruling and what it could mean for the future of privacy litigation in the U.S. 

Eduardo Ustaran is global co-head of the Hogan Lovells Privacy and Cybersecurity practice, and he's widely recognized as one of the world's leading privacy and data protection lawyers. In this episode of the podcast, host Angelique Carson talks to Ustaran about what's happening in the U.K. on Brexit and what that might mean for data protection in the region. He also gives us a download on progress related to the ePrivacy Regulation. With Romania at the helm, fulfilling residency of the Council of the European Union, the ball seems to be inching even closer towards the line. 

On Capitol Hill this week, Congress held two back-to-back hearings on a potential U.S. federal privacy bill. The aim was to gain insights from expert witnesses on what such a bill should contain. At the first hearing, at the House Committee on Energy and Commerce, industry and advocates debated how prescriptive a federal law should be. At the Senate Committee on Commerce, Science, and Transportation on Wednesday, lawmakers asked witnesses whether a U.S. law should model itself on the EU's General Data Protection Regulation, or perhaps California's Consumer Privacy Act. While industry didn't like that idea, witnesses did agree that the CCPA should be the floor upon which a federal law is built.

It's clear at this point that the momentum has shifted in favor of federal privacy bill in the U.S. The question is: What will that bill look like, who will sponsor something both the tech community and advocates can live with, and will it actually happen this year? Joseph Jerome, policy counsel at the Center for Democracy and Technology in Washington, D.C., has been dead center on the federal privacy bill debate for some time now and took a leading role at the CDT in drafting their own bill. In this episode of the podcast, Jerome discusses the difficulties inherent in trying to pass a bill that pleases everybody. Or at least one that all stakeholders can live with. 

In this episode of the podcast, Mike Shapiro,  chief privacy officer of Santa Clara County talks about whether he thinks this is the year for a federal privacy bill, nudged perhaps by the California Consumer Privacy Act of 2018. He also discusses building a privacy program from the ground up for an entire county, one that comprises so many different government entities (hospitals, police departments, social services) and with them so many laws and regulations to comply with. Then there's the tension between, as a public servant, spending your time on compliance efforts and delegating some time to data-use for the public good. 

Six months into his new role as commissioner at the U.S. Federal Trade Commission, Rohit Chopra is still settling into his role, but he knows he has at least two priorities going forward: First, is to bring “more enforcement teeth to everything that we do.” Second, though, follows on from the first: “We have to prove to the public that we’re up to the task. Otherwise that’s a recipe for disaster.” In episode of The Privacy Advisor Podcast, recorded live at Privacy. Security. Risk 2018, Chopra talks to host Angelique Carson, CIPP/US, about his concerns regarding American isolationism and keeping pace with the rest of the world on data protection and digital rights. “We’re increasingly feeling that other countries, particularly Europe, are in the lead," he said.

When Angelique Carson, CIPP/US, started reporting on privacy in 2010, she was digging for enterprise stories that might matter to a nascent field of privacy professionals. Now, there's so much privacy reporting to do that mainstream media have established "privacy beats" and hired reporters to cover them. Here at the IAPP, we're constantly having to prioritize and reprioritize what to report based on a massive influx of news every day of the week. There's so much news, in fact, we've decided it’s time to launch a second podcast to help all of us digest it. So to launch, “The Privacy Reporters" will cover the biggest privacy stories of the week, discussed by the reporters who are covering them. Carson, joined by the IAPP's Sam Pfeifle as co-host, will chat with reporters based globally to discuss not only the big stories but how they're reported. In this episode of The Privacy Advisor Podcast, Carson and Pfeifle offer a sneak-peek. 

A few years back, Zackary Plotkin was grabbing a coffee, as one does. When he went to swipe his credit card, a chief privacy officer who happened to be standing nearby asked him, "Hey, do you know where that data goes?" Thinking about it for a moment, Plotkin realized: No, he didn't. That began Plotkin's early education into privacy and data protection. An manager at Infinity Consulting Solutions, Plotkin decided he wanted to start helping staff companies working in the privacy space. That was before the General Data Protection Regulation come into play. It took a bit, but business has since picked up. In this episode of the podcast, Plotkin talks about what companies are hiring for and offers tips for pros on the market and looking to get their next gig. 

Ask anyone who frequents Defcon, known as a sort of summer camp for hackers, and they'll tell you the attendee roster at the wildly popular white hat event is overwhelmingly male. Rachel Tobac, chair of the board at Women in Security and Privacy, has been going to Defcon to compete in Social Engineering Capture the Flag for the last three years, and winning. She's gained some notoriety for it, including appearing on this podcast twice before. But noticing she was very much in the minority, she decided she didn't just want to go to Defcon this year, she wanted to bring women in privacy and security with her. An effort that initially saw two women winning sponsorships to attend ended in 57 actually boarding a flight to Vegas. In this episode of The Privacy Advisor Podcast, Tobac tells us how it happened and why it matters. 

Woodrow Hartzog is law professor at Northeastern University in Boston, and his research focuses on quote “the complex problems that arise when personal information is collected by powerful new technologies, stored and disclosed online.” In this episode of The Privacy Advisor Podcast, Hartzog discusses discusses the ways that technologies are designed, at the engineering level, to undermine our privacy. Social media companies, for example, which make money on user data via advertisers, "have every incentive to use the power they have with designers to engineer your almost near-constant disclosure of information," Hartzog says, adding our modern privacy frameworks, which emphasize informed consent, are broken models. "We will be worn down by design, our consent is pre-ordained," he says. 

What we know about attorney Jay Edelson to date: He loves beach volleyball so much that he had a court installed at his Chicago law firm so he and his crew could blow off steam. The New York Times refers to him as Silicon Valley's "baby faced boogeyman" for his aggressive court takedowns of tech behemoths. And he's got a very firm grasp on the global privacy and data protection legislative landscape. In this episode of The Privacy Advisor Podcast, Edelson talks about his latest legal pursuits, including a class-action lawsuit against Facebook for alleged violation of biometric privacy law, and another against Kanye West over alleged consumer privacy violations via his music streaming service, Tidal. Edelson also discusses why he thinks the new California Consumer Protection Act is no good. 

The U.S. Supreme Court ruled in June that the government generally must have a warrant to gather location data from cellphones. The case followed an appeal filed by Timothy Carpenter after he was convicted for a series of armed robberies with help from cellphone data obtained by law enforcement without a warrant. Lawyers representing Carpenter asserted that his Fourth Amendment rights were violated, as the lack of a warrant constitutes as an unreasonable search and seizure. The case incited much reaction from both privacy and law enforcement advocates. But now that the dust has settled a bit, what can we take away from the case and how might this change the trajectory of digital surveillance policy in the U.S.? Prof. Orin Kerr of the University of Southern California School of Law and Jennifer Granick of the American Civil Liberties Union, discuss why the case is so significant and what it could mean for the future of digital surveillance, the third-party doctrine and how the Fourth Amendment applies. Kerr also weighs in on how this the nomination of Brett Kavanaugh to the Supreme Court might impact Fourth Amendment cases in the future. 

Anyone using the Internet today is surely aware of the viral hate that displays itself everywhere from social media platforms to newspaper comment sections to group chat forums. It's in such forums that marginalized groups face the kind of cyberbullying that surely exists on our streets but seemingly not to the extremes we see when users can hide behind a screen. In this live event, hosted by Hogan Lovells in Washington, D.C. to commemorate PRIDE month, Chris Wolf talks to host Angelique Carson, CIPP/US, about strategies to combat viral hate online in the name of protecting those who are especially targeted, including the LGBTQ community. 

In this episode of The Privacy Advisor Podcast's series on robocalls, FTC Attorney Ian Barlow, who's in charge of running the federal do not call list program and bringing cases against illegal robocallers, discusses the FTC's approach to thwarting fraudulent calls. 

If there's one way to describe Alvaro Bedoya besides hard working, it's that he's passionate. Nowhere is that more evident than in his work on the surveillance of minority populations, a passion fueled by Bedoya's time as chief counsel to the Senate Judiciary Subcommittee on Privacy, Technology and the Law. It was during that time that the Snowden revelations hit, and Bedoya was baffled by the ways in which minority populations were being surveilled and the lack of voices speaking up against that. Three years ago, Bedoya, who's now executive director of the Center on Privacy and Technology at Georgetown Law, launched a daylong conference called The Color of Surveillance, which brought to the stage activists, scholars and artists from impacted minority populations to discuss the widespread impact government surveillance has had on their communities and what they're doing to combat it. This year's conference, July 19, will focus government surveillance on religious minorities. It's free and open to the public. 

The big day has finally arrived. Years of blood (well, maybe not blood), sweat and tears have culminated in this momentous occasion. So how will things change now? In this episode of the podcast, privacy pros who've been working hard to help companies achieve compliance discuss what their lives will look like on May 26: Will they kick off their shoes? Head to the beach? Is there even time for that, or do we go straight into tucking away and stray hairs and working toward ongoing compliance? Here's what a few of them had to say. 

In parts one and two of this miniseries for The Privacy Advisor Podcast on the plague that is robocalls, host Angelique Carson examined the problem from the U.S. and U.K. perspectives. In short, the U.S. continues to fight an uphill battle, despite levying heavy fines against offenders, while the U.K. has seen a decline in complaints since it started issuing fines. In Hong Kong, a loophole exists in which it is difficult for the Privacy Commissioner for Personal data to enforce. In this part three, PCPD Stephen Wong discusses his approach to helping consumers. 

 So, here we are. We’re in that final push to May 25 when the GDPR comes into force. I have to admit to you that I actually, at this point, would love to never use the acronym GDPR ever again. I feel like we’ve written so many stories here at the IAPP and done so many podcasts on the topic that, like you, I’m a little GDPR burned out. But I first interviewed Chris Zoladz, of Navigate, a consulting firm, in February of 2017, to get a feel for the kinds of questions privacy pros were coming to him with in their GDPR prep and to hopefully give you guys a feel for whether your progress on it was tracking with your peers. It’s our highest rated podcast to date in terms of listens, so, it was clearly something that resonated. Given that, I interviewed him again in August 2017 for an update on how things were going, so it only felt right that, given we’re in this final stretch before deadline, I should interview him again to get a sense for the finish. Obviously May 25 isn’t Y2k, and compliance is an ongoing process, as Zoladz will talk about in this episode. But nonetheless, it’s a big date in our profession. So here, Zoladz and I will talk about what folks should be focusing on if they’re scrambling now, and what things look like from a compliance standpoint moving past this historic date. 

In episode two of The Privacy Advisor Podcast's miniseries on robocalls, Andy Curry, the Information Commissioner's Office's enforcement group manager, discusses how the U.K has worked to thwart illegal robocalls. The UK ICO regulates under the Data Protection Act and the Privacy and Electronic Communications Regulations. It has the Telephone Preference Service, akin to the do-not-call list in the U.S., which it can fine callers for violating. The office got the power to fine in 2011 because it recognized an increasingly rapid problem. In fact, the ICO just yesterday announced a fine with two companies, IAG Nationwide Limited — which will pay 100,000 pounds, and a company called Costelloe and Kelly Limited — which will pay 19,000 pounds for nuisance calls. While in the U.S., the FTC and FCC struggle to shrink the number of complaints streaming into their agencies, the U.K. has found numbers declining. Editor Angelique Carson reports. 

David Reitman is a board-certified adolescent medicine specialist. Marc Groman served as the Senior Advisor for Privacy in the Obama White House. Based on their personal experiences and unique professional expertise, Reitman -- who's a specialist in adolescent medicine, and Groman discuss the challenges of raising children in today's rapidly-evolving digital world, where the pressures to be online are real. The prevalence of smartphones, social media, inter-active gaming, the potential for 24/7 online access, and data that's "forever" all present difficult issues for kids, parents, and policymakers. In this live taping of The Privacy Advisor Podcast, recorded recently live recently at the IAPP Global Privacy Summit, host Angelique Carson questions Groman and Reitman on privacy, security, responsible online behavior, mental health concerns, and the potential pitfalls today's teens face when navigating the online world. And yeah, there were a few laughs along the way.

Robocalls. We've all gotten them. In fact, an estimated 90 billion robocalls are placed in the U.S. alone each day. Approximately 2.5 billion a month. It's the number one complaint the Federal Communications Commission hears, and it's their number one enforcement priority right now. Sometimes, the calls are even scary, claiming you'll be arrested or taken to court if you don't respond immediately. But who are these people making robocalls? Why is it an on-the-rise crime? And if regulatory agencies are struggling to find a fix to the problem, who will? This podcast is the first in a series on robocalls, in which we look at the problem in the U.S. and abroad and examine what's being done to stop them. 

The ad tech industry is facing a crises of sorts, depending on who you ask. The big deal is that the GDPR, and the ePrivacy Regulation to follow, place importance on transparency and user consent. And to date, those are two things the ad tech industry has been sort of lucky enough to be able to run on without a whole lot of. We’re being tracked by so many parties online. And none of us are really aware of by whom, and how these entities have our data in order to track us. There are a lot of deals made between first parties and third parties on access to our data and the ability to then serve us targeted ads. It's one of those things like health insurance, that feels too overwhelming t try to understand. But really, this is the backbone of online commerce, so it is super important for us to understand.  In this episode of The Privacy Advisor Podcast, Matthias Mattheison, who heads the Interactive Advertising Bureau in Brussels, describes the problems at hand and IAB's proposed solutions. Solutions not everyone agrees with. 

Jennifer Baker makes a career out of knowing the nuances of data protection and data privacy. But she's she's not advising clients or writing privacy policies. Rather, as a freelance journalist, reporting on the developments that often guide the decision making of those who do. Baker has spent years developing sources inside European institutions and businesses, and in this episode of The Privacy Advisor, host Angelique Carson talks with Baker about reporting on the privacy beat from Brussels. 

You may have heard Johnny Ryan on this podcast before. Last year, he came on to talk about the ad tech industry and what needs to happen within it for it to thrive under the General Data Protection Regulation. Ryan says, while there's some movement in the direction he thinks will best serve the industry -- namely, advertising without collecting any personal data online at all, there isn't enough. He's worried that if ad tech companies don't transition, and fast, the economic impact will be something akin to the financial meltdown the U.S. faced a few years back. In this episode, Ryan discusses what he believes needs to change, and how, for the industry to save itself.

If you were to look at a heat map of where the IAPP has seen a particular frenzy of activity in the last year or so, the EU would undoubtedly be glowing red. Unsurprisingly, that's largely due to the changing legal landscape thanks to the forthcoming General Data Protection Regulation. Because of that, IAPP Content Director Sam Pfeifle decided it was a good time to head from company headquarters in the U.S. to visit with some of our members standing firmly at the forefront of such a sweeping change. It may be surprising to some that Pfeifle has found privacy pros, while perhaps slightly panicked, embracing the GDPR as an empowering tool, one that's elevated their role and significance within the company; it's "given them the pulpit." In this episode of The Privacy Advisor Podcast, Pfeifle discusses what he's seeing on the ground. 

It's rare to find someone who exudes passion for what they do. But you'll find it in Whitney Merrill, who’s privacy, e-commerce and consumer protection council at Electronic Arts. Merrill was named one the 2017 Top Women in Security, she did a stint at the Federal Trade Commission as part of a National Science Foundation program and she runs the Crypto and Privacy Village each year at DEFCON, for which she's working hard to up the number of women represented there. In this episode of the podcast, Merrill talks about her path to finding what she loves, and how early experiences with cyber bullying pushed her in that direction. 

Gabe Maldoff is a young guy. He graduated law school in 2015, got himself a fellowship at the IAPP's Westin Center, and then immediately went to work at London's Bird & Bird. And just as he was adjusting to life in the real world, the world itself was adjusting to what would be expected of it under Europe's new privacy regime via the GDPR. In this episode of The Privacy Advisor Podcast, Maldoff talks to host Angelique Carson about how his early experiences in Tanzania shaped his future career, establishing himself at this unprecedented time in privacy and data protection, and his predictions for U.K. data protection policies post-Brexit. 

As we reported in the Daily Dashboard yesterday, The U.S. House of Representatives voted Thursday morning to renew Section 702 of the Foreign Intelligence Surveillance Amendments Act for six years. An alternative bill put forth by Reps. Justin Amash, R-Mich., and Zoe Lofgren, D-Calif., was voted down. The alternative bill, which garnered support from liberal and conservative civil liberties lawmakers, would have required that the government get a warrant prior to searching through the data of American citizens. Prior to the vote Thursday morning, President Donald Trump tweeted out two conflicting posts about Section 702, prompting House Democrats to ask for a delay in the House vote. In this episode, IAPP Westin Fellow Lee Matheson talks to Angelique Carson about what privacy pros should know about yesterday's vote and what it means for coming days. 

By any measure, 2017 was a banner year for privacy. Here at the IAPP, we saw an incredible surge of activity, from attendance at IAPP KnowledgeNets and Privacy After Hours, to certifications, to podcast listens. The most obvious push behind that surge was that four-letter word, the "GDPR." But interpreting the text of the EU's new data protection regime wasn't the only news that mattered in 2017. In this episode of The Privacy Advisor Podcast, the IAPP Publications Team sits around the microphone on a cold December day to discuss the highlights of the year in privacy and what to expect from the IAPP in 2018.

Under the 2008 FISA Amendments Act, Section 702 allows U.S. intelligence agencies to conduct surveillance on persons overseas it believes to be a potential threat. But the government is forbidden from collecting intelligence via Section 702 on persons “reasonably believed” to be within the U.S. or even a U.S. person outside of U.S. borders. But critics say there’s reason to believe U.S. persons are often incidentally the target of investigations, despite the rules stating otherwise, and that the secrecy surrounding intelligence operations allows it to happen en masse. Section 702 is set to expire on Dec. 31, and intelligence officials have argued it should be renewed wholesale. But critics of the program say it should be renewed only with amendments that increase privacy protections for innocent Americans whose data may be swept up in the data collected. And what happens with 702 may have a broader impact on international agreements like the Privacy Shield, for example, which is already on shaky ground, in part, because of concerns over U.S. intelligence agencies use of the data it collects. In this episode of The Privacy Advisor Podcast, Angelique Carson, CIPP/US, travels to American University to talk to law professor Jennifer Daskal to talk about what she thinks might happen on or before Dec. 31.

Odia Kagan knew she wanted to be an attorney at age three. As the story goes, she was found crafting a list of the harms she suffered at the hands of her then-one-month-old younger sister. Though that might have been child’s play, Kagan never deviated from her dream of becoming a lawyer. Though she spent her youth in Israel, she moved to the U.S. nine years ago, and she's now a transactional attorney in the U.S. In this episode of The Privacy Advisor Podcast, Kagan discusses the differences she perceived practicing in both jurisdictions, many of them cultural, and how she stays ahead of the curve advising clients in the face of emerging technologies.

In this episode of the podcast, PageFair's Johnny Ryan talks to host Angelique Carson about why ad tech is in trouble. Essentially, the industry faces a consumer revolt of sorts given the strict consent requirements under the pending GDPR and ePrivacy Regulation. Consumers indicate they're likely to opt-out en masse, and advertisers are faced with a new world from the Wild Wild West they'd been operating under previously.

This special edition of The Privacy Advisor Podcast features a recap of the highlights from the IAPP's Privacy. Security. Risk. conference recently in San Diego. In this episode, the IAPP's Jed Bracy, Emily Leach, Angelique Carson and Sam Pfeifle gather around the mic, slightly sleep deprived and delusional, to discuss the highlights from PSR's key themes, including blockchain, the tension between needing a "tribe" and needing autonomy, and whether any of us could spend 20 years alone in the woods.