What a year 2020 has been, for the world at large and for the field of data privacy specifically.  US businesses that previously hadn’t thought too hard about the ways they collect and process data will have found the last 10 months felt somewhere between “whirlwind” and “tornado”. There was the introduction of the California Consumer Privacy Act (CCPA) on January 1st. Then, around mid-March, global lockdown, work from home, and a million little disruptions to data management practices. In summer, EU-US data flows were thrown into chaos.  And finally this morning, Californians and businesses at large wake up to the passage of Proposition 24, the California Privacy Rights Act. It’s a brand new privacy law less than a year …

“The rug.” That’s how privacy activist Max Schrems began a tweet reacting to yesterday’s news that the Irish Data Protection Commission will act to stop Facebook from sending European citizens’ data overseas to the United States. Schrems, the individual most responsible for this development, was accurate to characterize this as a rug being pulled out from under the feet of the world’s biggest social network. But in truth, this is the opening gambit of a new data privacy chapter that could take years to unfold. Why Are EU Regulators Acting Now? Some background context: EU citizens’ data is protected by the provisions of the General Data Protection Regulation (GDPR). It’s a law that affords far greater privacy protections to European …

It’s a wild time in the world of data privacy. With the California Consumer Privacy Act becoming eligible for legal enforcement on July 1, companies all over the US are rushing to get compliant with the country’s first truly far-reaching privacy law. When a marketplace is full of urgency, it can be hard to separate truth from fiction. I’m writing to put paid to one of the more pervasive myths I’ve seen out on the front lines of CCPA compliance: the idea that you can adhere to the CCPA’s “Do Not Sell My Personal Information” requirement using just a cookie consent tool. You can’t. If you could, it wouldn’t be called a cookie consent tool. Here’s what I mean: Data …