I had the chance to give the keynote address this week at the InfoGov World conference in San Diego.
Between panels and keynotes, I’ve come up with these seven hot topics that are setting the world of data privacy on fire.
Take notes, please!
- Schrems II and cross-border transfers: risk-based, why are you? Between the Google Analytics, Google Fonts, Amazon AWS and Google Workspace cases, Schrems II decisions and DPA guidelines keep accumulating. The debate over whether the assessment can be risk-based or not continues. The decision of the German Public Procurement Court (hard-line, with no room for risk) has been overturned. In many cases, there is nothing to do but cry and pray. But that could change on Monday, when (drum roll please) the Executive Order on the Transatlantic Data Privacy Framework is expected to be released.
- Back to basics: It’s not just about #NSAatemycookies. You have to go back to basics, as Allan Frank of Datatilsynet says. About 90% of data controllers do not control their data processing, service providers or purpose limitation.
- Save the ADPPA? The American Data Privacy and Protection Act, the closest thing in the US to a federal privacy law, has stalled following objections, mostly from California, regarding pre-emption provisions. However, Cameron Kerry reports that Sen. Maria Cantwell, a key figure, wants to get something signed... so something should eventually be signed.
- Cookies are a thing, both in the EU and in the US: We already know about noyb.eu and the sweeps by the Commission Nationale de l’Informatique et des Libertés. But there’s also the California Attorney General’s second year of enforcement and Sephora’s $1.2 million fine, which specifically addressed cookies and global privacy controls.
- Beep beep BIPA: Biometric lawsuits are exploding, but these are not your grandmother’s BIPA lawsuits over employee biometric time clocks. These involve virtual try-ons for clothing, eyewear or makeup, smart toothbrushes, voice recognition while driving, facial recognition in retail, and emotion analysis in videos. Make sure you have the right notices, consent, and retention/destruction policies.
- Pixelate your battles: Lawsuits surrounding the sharing of personal information via trackers are also exploding. These are brought both under a cause of action for wiretapping (applied to session replay) and under the Video Privacy Act, for sharing information about the viewing of video clips.
- Don’t be so sensitive (information): Sensitive information is a focus of enforcement both by the Federal Trade Commission (blog posts, statements, rule-making notices, and Kochava lawsuits) and under the CPRA (Sephora claim, CPRA regs). This covers health information (especially in the wake of Dobbs), but also precise geolocation. Pay attention to your risk analysis and data minimization for this data.