“The rug.” That’s how privacy activist Max Schrems began a tweet reacting to yesterday’s news that the Irish Data Protection Commission will act to stop Facebook from sending European citizens’ data overseas to the United States. Schrems, the individual most responsible for this development, was accurate to characterize this as a rug being pulled out from under the feet of the world’s biggest social network. But in truth, this is the opening gambit of a new data privacy chapter that could take years to unfold. Why Are EU Regulators Acting Now? Some background context: EU citizens’ data is protected by the provisions of the General Data Protection Regulation (GDPR). It’s a law that affords far greater privacy protections to European …

It’s a wild time in the world of data privacy. With the California Consumer Privacy Act becoming eligible for legal enforcement on July 1, companies all over the US are rushing to get compliant with the country’s first truly far-reaching privacy law. When a marketplace is full of urgency, it can be hard to separate truth from fiction. I’m writing to put paid to one of the more pervasive myths I’ve seen out on the front lines of CCPA compliance: the idea that you can adhere to the CCPA’s “Do Not Sell My Personal Information” requirement using just a cookie consent tool. You can’t. If you could, it wouldn’t be called a cookie consent tool. Here’s what I mean: Data …

There are two things businesses everywhere like: certainty and harmonization. The Schrems II ruling in the Court of Justice of the European Union (CJEU) strikes a blow on both of these counts with respect to the vast (and hugely valuable) transfer of user data from the EU to the United States.  By ruling that one of the two main legal protections for user data transferred to the US – the so called “Privacy Shield” – doesn’t sufficiently guarantee respect for fundamental data rights, the CJEU’s decision poses a clear and immediate threat to businesses that rely on Privacy Shield to facilitate data flows. That’s 5,378, including some of the biggest tech companies in the world.  It’s notable that while Privacy …

It’s been a long time since Facebook was on the receiving end of good press – heavy is the head that wears the social media crown. A quick win, in my view, would be to openly and proactively assist its many advertisers trying to comply with the California Consumer Privacy Act (CCPA).  The CCPA is the first major data privacy regulation in the US and a GDPR-lite for residents of California. But it’s quickly become a de facto standard for the entire United States, and many of tech’s leading lights have gone ahead and rolled out CCPA-level privacy protection for consumers all over the country.  So how does this relate to Facebook? The rollout of its Limited Data Use (LDU) …

I confess that the California Secretary of State’s announcement today, which affirmed the CPRA (or “CCPA 2.0”) will be put to public vote this coming November, and take effect as soon as next year, caught me by surprise.  When debate over its eligibility for inclusion arose, I expected legislators might angle to slow the tide of regulatory advance for California, and, in effect, for businesses across the country.  And I would understand that aim. I’ve seen very clearly the colossal strain that CCPA compliance efforts have placed on teams of all sizes. Ethyca’s technology can certainly alleviate large parts of it, but even key stakeholders among our clients have had to work hard to achieve the organizational buy-in and culture …