All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners. Most modern privacy statutes recognize, however, that privacy risks are reduced when the third party is related to the organization from which the data originates. As the following chart

The terms “deidentified” and “deidentification” are commonly used in modern privacy statutes and are functionally exempt from most privacy and security-related requirements. As indicated in the chart below, differences exist between how the term was defined in the California Consumer Privacy Act (CCPA) and how it was defined in later state privacy statutes that are

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion

The terms “pseudonymize” and “pseudonymization” are commonly referenced in the data privacy community, but their origins and meaning are not widely understood among American attorneys.  Most American dictionaries do not recognize either term.[1] While they derive from the root word “pseudonym” – which is defined as a “name that someone uses instead of his

The term “sale” is defined slightly differently between and among modern U.S. data privacy statutes with some statutes defining the term as including exchanges of personal information in return for valuable consideration, and others defining the terms as including only exchanges of personal information in return for monetary consideration. As the following chart indicates, state

Modern data privacy statutes create special rules for activities that involve “selling.” Among other things, most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information sold. As the following chart indicates, the term “sale” is defined slightly different between and among state statutes, with some

It depends on the purpose for which a transfer impact assessment (TIA) is created. It is unlikely that the attorney-client privilege would apply to a TIA that is created, and used, to satisfy the requirements of the Standard Contractual Clauses (SCCs).

The attorney-client privilege in the United States refers to a judicially recognized ability for

Russia’s attack on Ukraine has resulted in historic and escalating U.S. sanctions, impacting companies who do business with Russia or Russian-affiliates and creating risks even for companies who do not. Since 2020, the number and sophistication of ransomware attacks has spiked, largely perpetuated by organized criminal groups in Russia and Eastern Europe. In light of

The term “Transfer Impact Assessment” or “TIA” is relatively new to the world of data privacy. Indeed, according to one widely used legal database the term was not referenced within any academic journals or secondary sources until 2021.[1] The term has come to refer to a written analysis, conducted by a controller or a