IAPP_US_TB_US-Private-Sector-Privacy-3E_1.0

U.S. Private-Sector Privacy

Law and Practice for Information Privacy Professionals
Third Edition

Peter Swire, CIPP/US

DeBrae Kennedy-Mayo, CIPP/US

An IAPP Publication

2020 by the International Association of Privacy Professionals (IAPP)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher, International Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Portsmouth, NH 03801, United States of America.

CIPP, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM and CIPT are registered trademarks of the International Association of Privacy Professionals, Inc. registered in the United States. CIPP, CIPP/E, CIPM and CIPT are also registered in the EU as Community Trademarks (CTM).

Copy editor: Julia Homer
Indexer: Hyde Park Publishing Services

ISBN: 978-1-948771-37-5

Contents

About the IAPP

The International Association of Privacy Professionals (IAPP) is the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data.

The IAPP is a not-for-profit association founded in 2000 with a mission to define, support and improve the privacy profession globally. We are committed to providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals and provide education and guidance on opportunities in the field of information privacy.

The IAPP is responsible for developing and launching the only globally recognized credentialing programs in information privacy: the Certified Information Privacy Professional (CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy Technologist (CIPT). The CIPP, CIPM and CIPT are the leading privacy certifications for thousands of professionals around the world who serve the data protection, information auditing, information security, legal compliance and/or risk management needs of their organizations.

In addition, the IAPP offers a full suite of educational and professional development services and holds annual conferences that are recognized internationally as the leading forums for the discussion and debate of issues related to privacy policy and practice.

Preface

I write this preface in February 2020, just 27 months after the preface for the previous edition of this textbook. We privacy professionals must deal with constant change. Since the last book, the General Data Protection Regulation (GDPR) went into effect in the European Union. Just weeks later, the U.S. privacy world was rocked by passage of the California Consumer Privacy Act (CCPA), the first comprehensive state privacy law. The GDPR created a wave of change in how companies govern the personal data they hold. That wave has now spread to the large portion of U.S. companies that do significant business in California. As a result, this edition of the textbook adds two chapters, because U.S. privacy professionals now must learn the contours of both the GDPR and CCPA.

Along with this legal change, privacy professionals must cope with constant technological change. In recent months, my newsfeed has been flooded with stories about facial recognition and artificial intelligence (AI). I remember privacy debates about facial recognition being used at the Super Bowl in the early 2000s. At that time, facial recognition was plagued by many errors, and privacy advocates successfully objected that we should not rely on such an undependable technology. Today, the problem is the oppositetechnology has advanced to the point where facial recognition is often disturbingly accurate. Our society must now struggle with whether and how to regulate the connection of cameras (ubiquitous in our age of smartphones) to facial recognition databases.

Similar changes now arise in the areas of artificial intelligence and machine learning. Privacy practice, until now, has typically focused on the collection, use, and dissemination of information that is personally identifiable. With AI, we face complex new issues about the algorithms used to analyze sets of data. Experts are debating whether to require algorithmic transparency, to assess whether decisions made from an AI system have good inputs and sound calculations. More broadly, many worry about algorithmic bias, where the AI may have unfair or discriminatory effects based on gender, race, or other characteristics. Proposed provisions to govern algorithmic transparency and bias have now made their way into draft privacy legislation in Congress. In short, technological advances in AI appear to be creating yet another expansion in the work for privacy professionals.

You are holding the fourth version of this textbook. When Sol Bermann and I wrote the first iteration of the book, published in 2007, it was the first official International Association of Privacy Professionals textbook and was created to prepare for the first Certified Information Privacy Professional examination. Kenesa Ahmad and I revamped the text for the next version (and first edition with this name), published in 2012. DeBrae Kennedy-Mayo has been the co-author for both the version published in 2018 and this new edition. Sol, Kenesa, and DeBrae worked tirelessly to create a book that gives you, a new person in the field, a readable introduction to our profession. For this edition, Justin Hemmings also provided valuable assistance, and we have new chapters from DeBrae Kennedy-Mayo and Laura Song (GDPR) and Michael Young (CCPA).

In the IAPP, Nicole Russell was our lead contact for this edition. Under the direction of Trevor Hughes, the IAPP, which was founded in 2001, has grown into a vibrant, global organization with more than 57,000 members. Omer Tene plays a vital role in leading the content and thought leadership from the IAPP, assisted by the great professionals who provide the Daily Dashboard and other publications that so many of us read.

On a personal level, my special thanks to my wife, Annie Antn, for her wisdom and partnership in privacy and more importantly in life.

I believe that we, as privacy professionals, have a profound ethical responsibility to handle personal information in responsible ways. I hope this book fosters the knowledge and awareness to help make that a reality.

Peter Swire, CIPP/US

Atlanta, Georgia, USA

February 2020

I want to express my appreciation to Peter Swire for the opportunity to co-author the 2020 edition of this book. In addition, I want to thank both Peter Swire and Annie Antn for reminding all of us that the conversation about privacy should include both lawyers and technologists.

On a personal note, thank you to my amazing husband Garrett for his unique perspective, his practical advocacy for privacy, and his constant support of me. I want to express my appreciation to my sons Brayden and Austin, who help me to understand privacy and technology from the viewpoint of a younger generation. Thank you to my mother-in-law Gladys for her insight into an older generations perspective on these issues. I also want to express my gratitude to Carol, Joe, Joey, and Annabelle for exemplifying the definition of home and for helping me to remember to focus on protecting privacy related to that concept in an age when technology is a part of almost every aspect of our lives. Finally, I want to express my appreciation to Miss Kitty who reminds me of the unintended consequences of technology every time she sits on a remote control.