In 2011, the International Organization for Standards technical committee on Information Security, Cybersecurity and Privacy Protection developed a privacy framework that was intended to propose common privacy terminology, define the roles of different organizations with respect to privacy, and establish core privacy principles.1  The result was the publication on December 15, 2011, of the

There are few published statistics regarding the adoption rate of privacy frameworks. The statistics that do exist have questionable reliability, primarily owing to sampling bias and self-reporting bias. For example, studies that ask clients of an organization that creates a privacy framework whether they adopted the privacy framework are likely to overreport adoption rates, as

There are numerous privacy frameworks. Some are established by independent organizations such as the International Organization for Standardization (ISO), which established the ISO 29100 privacy framework. Others are established by standard-setting bodies related to specific countries or governments. For example, the United States National Institute of Standards and Technology (NIST) established a NIST Privacy Framework.

A privacy framework describes a set of standards or concepts around which a company bases its privacy program. Typically, a privacy framework does not attempt to include all privacy-related requirements imposed by law or account for the privacy requirements of any particular legal system or regime.  Instead, the framework attempts to establish a privacy program

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys. Most American dictionaries do not recognize either term.1 While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his

Deidentified information is defined within the CCPA to refer to information that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” provided that a business that uses deidentified information takes four operational and organizational steps to ensure that such information is not

The CCPA includes a non-exhaustive list of data types that may fall under the definition of personal information. One of those data types is “biometric information.”1

While the CCPA provides a definition of “biometric information,” it is worth noting that the CCPA’s definition differs from the definition of the term in other statutes and

After more than four years of negotiations, the Regulation on Privacy and Electronic Communications (ePrivacy Regulation), which will replace the ePrivacy Directive (2002/58/EC), appears to be at a turning point. On Feb. 10, 2021, the Council of the European Union announced it has adopted a consolidated version (the “Council’s Position”) which will be the basis


“Hashing” refers to the process of using an algorithm to transform data of any size into a unique fixed-sized output (e.g., combination of numbers and letters). To put it in layman’s terms, some piece of information (e.g., a name) is run through an equation that creates a unique string of characters. Anytime the exact

Kate Black, a shareholder in Greenberg Traurig’s Data Privacy & Cybersecurity and Emerging Technology practices, will participate in a panel discussion on Wednesday, April 7 from 10:00 – 11:00 a.m. PDT as part of the International Association of Privacy Professionals (IAPP) Global Privacy Summit Online 2021. The summit is designed to provide critical