I was lucky enough to give the keynote this week at the InfoGov World conference in San Diego.

Between panels and speeches, I came up with these seven hot topics that are burning up the data privacy world.

Please take note!

  1. SchremsII and cross-border transfers: Risk-based, wherefore art thou? With the Google Analytics, Google Fonts, Amazon AWS, Google Workspace and other cases, the SchremsII and DPA guidance is piling up. The risk-based-or-not discussion continues. The German procurement court decision (hard core, no risk whatsoever) got overturned. In many cases, there is nothing to do but cry and pray. But that might change on Monday, when (drumroll please) the Executive Order of Trans-Atlantic Data Privacy Framework is reported to be coming out.
  2. Back to basics: It’s not all about #NSAatemycookies. You need to get back to basics, as Datatilsynet’s Allan Frank says. About 90% of controllers are not on top of their data processing, or their service providers, or their purpose limitation.
  3. Save the ADPPA? The American Data Privacy and Protection Act, the closest thing the United States has right now to a federal privacy law, has stalled following objections, mainly from California, regarding the preemption provisions. However, Cameron Kerry reports that Sen. Maria Cantwell, a key holdout, wants to get something signed… so something should ultimately be signed.
  4. Cookies are a thing, both in the EU and in the US: We are already familiar with noyb.eu and the Commission Nationale de l’Informatique et des Libertés sweeps. But there is also the California Attorney General’s second year enforcement and the $1.2 million Sephora fine, which dealt specifically with cookies and global privacy controls.
  5. Beep beep BIPA: The biometrics lawsuits are blowing up, but these are not your grandmother’s employee biometric time entry BIPA lawsuits. These involve virtual clothes or glasses or makeup try-ons, smart toothbrushes, drive-through voice recognition, face recognition in retail, and emotion analysis in videos. Make sure you have the right notices, consent and retention/destruction policies.
  6. Pixel your battles: Lawsuits surrounding the sharing of personal information through trackers are also blowing up. These are brought both under a wiretapping cause of action (applied to session replay) and under the Video Privacy Protection Act for sharing information regarding the viewing of video clips.
  7. Don’t be so sensitive (information): Sensitive information is a point of emphasis for enforcement both by the Federal Trade Commission (blog posts, statements, notice of rulemaking and the Kochava lawsuits) and under the CPRA (Sephora claim, CPRA regs). This covers both health information (especially in the wake of Dobbs) and precise geolocation. Mind your risk analysis and data minimization on this.