What’s Exciting in Privacy
Law?

What’s Exciting in Privacy Law?
First, let’s re-define the word
“exciting”

I: What is “Privacy”?
“The good news about privacy is that
eighty-four percent of us are concerned
about privacy. The bad news is that none
of us know what we mean.”
-Anne Branscomb

I: What is “Privacy”?
Are we referring to:
• The Need for Privacy?
• The Right of Privacy?
• The Invasion of Privacy?
• The Functions of Privacy?
• The Legal Protection of Privacy?

I: What is “Privacy”?
The Four Functions of Privacy (“Privacy and
Freedom”)
1. Personal Autonomy
2. Emotional Release
3. Self-Evaluation & Decision Making
4. Limited & Protected Communications

II: How Did We Get Here?

1791-1867 1910s 1940s 1960s
4th, 5th and
14th
Amendmen
ts
Federal Trade
Commission Act
UN Declaration on
Human Rights
London Installs CCTV
Surveillance in Train
Station
Griswold v.
Connecticut
Video Tape
Recorder

1970s 1980s 1990s
Fair Credit
Reporting
Act
Electronic
Communications
Privacy Act;
Telephone
Consumer
Protection Act;
Nat’l Do Not Call
Registry
Privacy Act,
Family
Educational
Rights &
Privacy Act
EU Data
Protection
Directive
HIPAA
Gramm-
Leach-
Bliley Act
Video
Privacy
Protection
Act
COPPA

2000s 2010s
E-
Governmen
t Act
1st Facial
Recognition
Database Available
to Law Enforcement
1st Data
Breach
Notification
Law
(California)
Consumer
Financial
Protection Act
EU Right to
be
Forgotten
CCPA
FTC Report
on Data
Brokers

II: Where Are We Now
1.Proposed U.S. federal privacy law
2.State-level privacy laws
3.GDPR and new EU Data Laws

II: Where Are We Now – U.S.
Federal
The American Data Privacy and Protection Act
• Applies to Businesses Subject to FTC, Common
Carriers & Non-Profits that “collects, processes, or
transfers covered data.”
• “Covered Data” includes data that can be linked to
a person or to a device that is then linkable to a
person
• Does NOT include “De-Identified Data”
• Creates Category for “Large Data Holders,” a.k.a.
Data Brokers
• Imposes stricter standards on data considered to

II: Where Are We Now – U.S.
Federal
The American Data Privacy and Protection Act
• Imposes various privacy and security
requirements
• Creates Consumer Data Rights similar to the
CCPA and GDPR
• Enforcement through the FTC/State Attorneys
General
• Limited and convoluted Private Right of Action
• Preemption of Numerous State-Level Laws

II: Where Are We Now – U.S.
States

II: Where Are We Now –
European Union
•GDPR
•Digital Markets Act
•Digital Services Act

IV: Is Anyone Getting This
Right?
It Depends

IV: Is Anyone Getting This
Right?
1. Sectoral Model vs. Comprehensive Model
2. Consumer-Focused vs. Business Friendly
3. Privacy Advocates vs. Big Tech vs.
Governments

IV: Is Anyone Getting This
Right?
3. Privacy Advocates vs. Big Tech vs.
Governments

V: Where Everyone is Getting it
Wrong
The Lie of “De-Identified” or “Anonymized”
Data

V: Where Everyone is Getting it
Wrong
The Lie of “De-Identified” or “Anonymized”
Data
Privacy Law is a Balancing Act
Legitimate
Business
Interest
Personal
Privacy

V: Where Everyone is Getting it
Wrong
The Lie of “De-Identified” or “Anonymized”
Data
Privacy Laws Assume:
1. Actual “De-Identification” is Possible
2. The Authors understand what Data Brokers
do

V: Where Everyone is Getting it
Wrong
It is STAGGERINGLY easy to “re-
Identify” data
•15 Data Points = 99.98% re-
identification accuracy
•Gender + DOB + Zip Code + Marital
Status = 95%

V: Where Everyone is Getting it
Wrong

V: Where Everyone is Getting it
Wrong
Data Brokers
•What Are They?
•Where/How Do They Get Their
(Your) Data?

The Case of Company 2

The Case of Company 2
• Only gets primary data from
commercial sources…

The Case of Company 2
• Only gets primary data from
commercial sources…
• But also buys data from Companies 5
and 9…

The Case of Company 2
• Only gets primary data from
commercial sources…
• But also buys data from Companies 5
and 9…
• Who also get primary data from public
and government sources…

The Case of Company 2
• Only gets primary data from
commercial sources…
• But also buys data from Companies 5
and 9…
• Who also get primary data from public
and government sources…
• And also buy data from Companies 1
and 8…

The Case of Company 2
• Only gets primary data from
commercial sources…
• But also buys data from Companies 5
and 9…
• Who also get primary data from public
and government sources…
• And also buy data from Companies 1
and 8…
• Who also get primary data from public
and government sources…

The Case of Company 2
• Only gets primary data from
commercial sources…
• But also buys data from Companies 5
and 9…
• Who also get primary data from public
and government sources…
• And also buy data from Companies 1
and 8…
• Who also get primary data from public
and government sources…
• And also buy data from Company 6…

V: Where Everyone is Getting it
Wrong
Data Brokers
•What Are They?
•Where/How Do They Get Their
(Your) Data?
•What Do They Do With Their (Your)
Data?

VI. Today’s Hot Topics
1. The Dobbs Decision – Privacy of people
seeking advice/information re: abortion
services
2. Consumer-Protection vs. Business Interests
3. Inferences and Algorithms
4. Phantom Collection – The Facebook Cookie

VII. The Future
1. Amount of data collected and analyzed by
businesses and government increases
exponentially
2. Erosion of Constitutional Privacy Protections
3. Biometric Policy Debate(s)
4. Quantum Computing (and all that stored data)
5. AI and Machine Learning Bias
6. Workplace/Productivity Monitoring
7. Any of about 50,000 other things…

What’s Exciting in Privacy Law?
Thank You
Brian Focht