
This lecture outlines the practical benefits of taking the course and highlights the instructor’s qualifications. It emphasizes flexible, on-demand learning with no prerequisites or required readings—ideal for auditory and visual learners. Learners can prepare for CIPP/US certification, pursue a privacy career, or broaden professional skills. The instructor, Dr. David, brings extensive teaching experience and industry credentials to deliver efficient, effective training at a fraction of the typical cost.
This lecture introduces the Certified Information Privacy Professional/United States (CIPP/US) certification offered by the IAPP. It outlines the exam’s five domains, including workplace privacy and state laws, and explains the certification process—from registration and preparation to maintenance. Learners also discover related IAPP certifications and understand how the CIPP/US validates expertise in U.S. privacy law, enhancing credibility across sectors.
This lecture provides an overview of the IAPP, the world’s largest organization for privacy and AI governance professionals. It highlights the IAPP’s mission, global resources, training programs, and local KnowledgeNet chapters that support networking and continuing education.
This lecture explores the growing demand for privacy professionals, fueled by state legislation, emerging technologies, and rising consumer concern. It presents data from industry surveys showing increased investment in privacy and emphasizes trust as a competitive advantage. Privacy careers are shown to be resilient and future-focused, particularly in a data-driven landscape dominated by AI, IoT, and big data.
This lecture highlights the value of CIPP/US certification in advancing careers and boosting earnings. Certification demonstrates subject-matter expertise and is increasingly expected in privacy-related roles. Survey data shows higher average salaries and job satisfaction for certified professionals, along with flexible work arrangements. The CIPP/US helps validate skills and open doors in a competitive job market.
This lecture defines privacy as more than “the right to be let alone,” exploring its modern interpretation as control over personal data. It introduces four types of privacy—information, bodily, territorial, and communication—and explains various forms of PII, including sensitive and anonymized data. Context and data combinations are emphasized as critical factors in determining data sensitivity and protection requirements.
This lecture explores the interdisciplinary roles and responsibilities of privacy professionals. Job functions range from legal advising to software engineering, risk management, compliance, and awareness training. Professionals assess legal obligations, manage data flows, mitigate harm, and produce audit-ready artifacts. Training and outreach are essential to building a privacy-conscious culture across organizations.
This lecture introduces the three branches of the U.S. federal government—legislative, executive, and judicial—and explains their roles in making, executing, and interpreting laws. It also compares federal, state, and local governance, emphasizing separation of powers and checks and balances. The structure of state governments is outlined as mirroring the federal model, with each branch ensuring that no single entity has absolute authority.
This lecture examines how the U.S. Constitution affects privacy, even though the word “privacy” isn’t explicitly stated. It explores the concept of “penumbras” from Supreme Court decisions and highlights amendments that protect privacy, such as the 3rd, 4th, 5th, and 14th. It also discusses bodily privacy, state constitutions like California’s, and international privacy frameworks from the UN and EU.
This lecture outlines different sources of law, including constitutions, statutes, regulations, and judicial opinions. It explains torts (intentional, negligent, strict liability), contracts, and privacy torts such as intrusion and false light. The regulatory process is also detailed—from congressional delegation to agency rulemaking—and concludes with a discussion on consent decrees as enforceable, court-approved settlements.
This lecture defines key legal terms relevant to privacy and data protection. It covers administrative enforcement, adjudication, jurisdiction, injunctions, and distinctions between civil and criminal litigation. It also explains what constitutes a “person” in legal terms—natural or legal—and introduces the concept of a private right of action, which allows individuals to initiate lawsuits to enforce privacy rights or remedies.
This lecture explores the five primary sources of privacy protection: law, markets, technology, self-regulation, and co-regulation. It introduces privacy governance models—comprehensive and sectoral—and compares their strengths and weaknesses. Comprehensive models ensure consistency but may be overly broad and expensive, while sectoral models are tailored but can result in a confusing legal patchwork across industries and jurisdictions.
This lecture explains Fair Information Practices (FIPs)—core principles for handling data responsibly. Originating from the 1973 HEW Report, the FIPs are grouped into four buckets: individual rights (e.g., notice and consent), controls on information (e.g., security and accuracy), the information lifecycle (collection through destruction), and management (administration and enforcement). These principles form the foundation of modern privacy laws and practices.
This lecture explores how Fair Information Practices (FIPs) have been adapted worldwide. It examines four major frameworks: the OECD Guidelines (1980, updated 2013), Convention 108 by the Council of Europe (1981), the APEC Privacy Framework (2004), and the Madrid Resolution (2009). These global interpretations share core principles like data quality, purpose specification, security safeguards, and accountability, but reflect regional differences in enforcement and emphasis.
These lectures introduce the ST. PEAR framework for analyzing laws: Scope, Tensions, Penalties & Preemption, Exceptions, Authorities, and Requirements. Using the CCPA as an example, learners evaluate who the law covers, how it conflicts with other laws, enforcement structures, and core obligations. The lectures build confidence in interpreting complex statutes by breaking them into manageable, repeatable steps.
This lecture defines regulatory authorities as entities authorized to enforce laws, such as federal agencies (e.g., FTC, HHS) and state attorneys general. It outlines sector-specific enforcement (e.g., finance, healthcare, education), explains the role of state laws like CCPA, and introduces transnational enforcement bodies like GPEN and the APEC CPEA. Learners explore challenges such as conflicting laws and the need for global cooperation.
This lecture categorizes risk into four types: legal, operational, reputational, and strategic. Risk is defined as the potential for harm, calculated as threat × vulnerability. Through examples ranging from car accidents to PHI breaches, the lecture demonstrates how controls (e.g., training, encryption) can mitigate risk. It encourages privacy professionals to balance business needs with risk management across legal and operational domains.
This lecture introduces foundational internet concepts for privacy professionals. It covers the origins of ARPAnet, explains key components of web addresses (e.g., HTTPS, protocols, encryption), and introduces browser terminology like HTML, XML, and CSS. Learners gain context for how the internet functions and why its design lacked built-in security—an important consideration in privacy engineering and data protection today.
This lecture explains key networking concepts like proxy servers, firewalls, and VPNs. It also introduces static vs. dynamic IP addresses and the differences between IPv4 and IPv6. Learners review the three states of data—at rest, in transit, and in use—and explore terms such as caching, web server logs, ISPs, and protocols like TCP. Common threats like cross-site scripting (XSS) are briefly introduced.
This lecture expands on TCP and TCP/IP, describing how data is broken into packets and transmitted through a three-way handshake. It explains URI, URN, and URL distinctions and introduces concepts like deep linking. It also compares thin and thick clients and distinguishes front-end (user-facing) from back-end (server-side) operations. These terms help learners understand how web architecture influences data protection.
This lecture introduces cloud computing and its three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). It explains the advantages of cloud computing—cost savings, scalability, and ease of management—while emphasizing that the “cloud” is essentially someone else’s computer. Learners gain a high-level understanding of how data and applications are hosted and delivered remotely.
This lecture introduces edge computing, which brings data processing closer to where data is generated, improving speed, privacy, and reliability. It also covers three email protocols: SMTP (sending), IMAP (receiving and storing), and POP/POP3 (receiving and deleting). The text messaging section explains SMS (cellular-based) and OTT (internet-based) protocols, noting features like end-to-end encryption and message length limits.
This lecture covers methods of internet surveillance, including deep packet inspection (DPI), wireless eavesdropping, and network monitoring in schools or workplaces. It explains how packet sniffers capture data and how DPI is used for both security and censorship. The lecture also recommends ways to protect online traffic—like using encrypted Wi-Fi, VPNs, and HTTPS—to minimize interception risks.
This lecture explores how attackers exploit human behavior to gain unauthorized access or data. It explains various attack types—phishing, spear phishing, whaling, smishing, and vishing—as well as malware threats like spyware and keylogging. Prevention strategies include employee training and the use of technical defenses such as firewalls and spam filters to reduce exposure to manipulation and harmful code.
This lecture introduces cookies—small text files placed on user devices to enable personalization, authentication, and activity tracking. It explains different types: session-based, persistent, first-party, second-party, and third-party cookies. Whether cookies are considered personally identifiable information (PII) depends on jurisdiction; under GDPR, they are PII and require consent. Best practices include notice, consent, opt-outs, short expiration periods, and avoiding storage of sensitive data.
This lecture explains how websites and third parties collect data through cookies, user-generated content, and email tracking. It contrasts first-party (direct) data collection with third-party methods (often via data brokers). It also introduces cross-device tracking—both deterministic (login-based) and probabilistic (inferred). With growing regulation and browser restrictions, third-party tracking is becoming less viable, while email and device tracking remain common strategies.
This lecture explores how devices like phones and smart cars reveal location data using GPS, Wi-Fi triangulation, and metadata. It highlights the sensitivity of this data, which can infer home and work addresses, healthcare visits, and social affiliations. It also reviews legal limits, user controls, and risks from surveillance technologies like drones, smart toys, and CCTV. Privacy strategies include limiting permissions and conducting impact assessments.
This lecture focuses on data-altering PETs (Privacy-Enhancing Technologies), such as suppression, generalization, and noise addition. It explains identifiers—strong, weak, quasi, and persistent—and introduces concepts like differential privacy and pseudonymization. Learners explore legal guidance from HIPAA and the FTC on deidentification and the importance of Privacy by Design and engineering to protect data while maintaining utility.
This lecture covers data-shielding PETs like encryption and hashing. It explains symmetric vs. asymmetric encryption, digital certificates, and Public Key Infrastructure (PKI). Hashing is introduced as a one-way function used for data integrity and pseudonym creation, along with risks like rainbow table attacks. Other PETs include homomorphic encryption, secure multi-party computation, and trusted execution environments—all aimed at keeping data secure during use and transmission.
This lecture introduces the CIA Triad: Confidentiality, Integrity, and Availability—the foundational pillars of information security. It contrasts this with the DAD model (Disclosure, Alteration, Destruction). It also explains three types of controls: administrative (e.g., policies), technical (e.g., firewalls), and physical (e.g., locks, cameras). Learners understand how controls mitigate risks and how cybersecurity fits within the broader concept of information security.
This lecture introduces foundational cybersecurity concepts for privacy professionals. It explains the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover, Govern) and stresses an adversarial mindset using threat modeling and the MITRE ATT&CK Framework. Learners explore STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), along with core principles like zero trust, least privilege, and defense in depth. The lecture also contrasts cybersecurity (system owner’s view) with privacy (data subject’s view).
This lecture describes the responsibilities and roles within a privacy program, including CPOs, DPOs, privacy engineers, managers, analysts, and informal privacy champions. It explores cross-functional collaboration and key duties such as policy writing, legal research, training, and risk monitoring. It also introduces stakeholder groups (fundamentalists, unconcerned, pragmatists) and discusses how expectations around privacy evolve over time.
This lecture introduces the DIKW pyramid (Data, Information, Knowledge, Wisdom) and the data life cycle (creation to deletion). It defines essential concepts like data inventory, classification, flow diagrams, and accountability. Using the “Who, What, When, Where, Why, and How” approach, learners are guided through the iterative process of cataloging personal data across departments and systems to meet legal and operational requirements.
This lecture builds on data inventory fundamentals, covering classification levels (e.g., confidential, proprietary, TS/SCI), context-based sensitivity, and visual tools like data flow diagrams. It introduces top-down and bottom-up mapping approaches, including GDPR’s Record of Processing Activities (RoPA). Learners explore data accountability—identifying who is responsible, applicable regulations, data flow paths, and security controls to ensure compliance and mitigate risk.
This lecture guides learners through building a privacy program framework—defining goals, drafting mission and vision statements, and developing policies, procedures, and standards. It emphasizes the importance of data inventories, risk assessments, awareness programs, and incident response. The lecture also covers tracking key metrics (e.g., DSARs, risk indicators, training stats) to assess performance and maturity while ensuring alignment with organizational values.
This lecture outlines the four stages of the privacy operational life cycle: Assess, Protect, Sustain, and Respond. “Assess” establishes baselines and identifies risks; “Protect” focuses on implementing privacy and security controls; “Sustain” involves audits and continuous monitoring; and “Respond” includes managing data subject rights and privacy incidents. The cycle reinforces ongoing improvement and integration of privacy into business functions.
This lecture explains the distinction between privacy policies (internal documents outlining how an organization handles PII) and privacy notices (external communications for consumers). It details key sections of a privacy policy—purpose, scope, responsibilities—and explores best practices for implementation and version control. It also covers notice accessibility, types of online notices (e.g., layered, just-in-time), and challenges like mobile optimization and legal complexity. Recommendations include transparency, privacy by design, and simplified consumer choices.
This lecture introduces types of user preferences—opt-in, opt-out, double opt-in, and no-choice contexts—and when each applies. It examines implementation challenges, including determining applicable laws, providing usable mechanisms (e.g., unsubscribe links), ensuring comprehensive coverage across communication methods, meeting legal timeframes, and enforcing preferences with vendors. It emphasizes that companies must balance legal compliance with user expectations to manage consent and data sharing responsibly.
This lecture explores laws requiring opt-in (COPPA, FCRA, HIPAA) and opt-out (GLBA, VPPA, CAN-SPAM). It discusses industry self-regulation and consumer rights to access and correct data, as supported by frameworks like APEC and laws like the Judicial Redress Act. APEC principles encourage organizations to confirm if data is held, respond reasonably, amend errors, and provide reasons for denials, ensuring transparency and user empowerment.
This lecture explains why organizations share PII with vendors and emphasizes contractual responsibilities. Key contract considerations include confidentiality, breach notification, subcontractor accountability, and security safeguards. It also covers data disposal (FACTA Disposal Rule), outlining methods like shredding and degaussing. Vendor vetting includes checking financial stability, security practices, insurance coverage, and the right to audit. A case study of the SolarWinds breach illustrates real-world risks.
This lecture provides a comprehensive overview of privacy risk management, including identifying, assessing, and mitigating risks through Privacy Impact Assessments (PIAs). It outlines global standards, risk calculation formulas, and examples of privacy harm. It also covers vendor risk assessments, breach readiness evaluations, and global data protection laws. Tools like OneTrust’s ethics code and frameworks like NIST guide practitioners in implementing transparent and accountable practices.
This lecture traces the evolution of U.S.-EU data transfer frameworks from the 1995 Data Protection Directive to the 2023 EU-U.S. Data Privacy Framework. It covers Safe Harbor, the Privacy Shield, and the impacts of Snowden’s revelations and the Schrems decisions. It explains data transfer tools like adequacy decisions, Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs), along with global alternatives like the CBPR Forum and OECD principles.
This lecture introduces the General Data Protection Regulation (GDPR), a privacy law applicable across the EU and EEA. It outlines who must comply—companies with a presence, customers, or data storage in the EU—and defines key terms like personal data, data subject, controller, and processor. The GDPR mandates explicit consent, breach notifications, data subject rights, and appointing a Data Protection Officer (DPO). It emphasizes accountability, transparency, and international data transfer rules.
This lecture explains the GDPR’s seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles guide every aspect of data processing under the GDPR. Controllers must not only comply but be able to demonstrate compliance, making documentation and risk assessments essential for legal and ethical data handling.
This lecture outlines the rights granted to individuals under the GDPR, including the rights to restrict processing, object, access, rectify, erase, and port their data, and avoid automated decision-making. It also covers the requirements for informed consent and the obligations of data controllers to respond to rights requests within 1–3 months. The session stresses that these rights promote user control and transparency.
This lecture details how GDPR is enforced through data protection authorities (DPAs), complaint procedures, and fines of up to 4% of global revenue. It defines what qualifies as a data breach and outlines reporting duties: controllers must notify DPAs within 72 hours, while processors must notify controllers “without undue delay.” It also covers when data subjects must be notified and the legal liabilities of controllers and processors.
This lecture explores the role of state-level Departments of Insurance (DOIs) in regulating the insurance industry and enforcing data protection standards. It introduces the National Association of Insurance Commissioners (NAIC), a standard-setting body that helps harmonize state regulations through model laws. A key focus is the NAIC’s Data Security Model Law (#668), which mandates insurers to implement information security programs, manage third-party risks, and report breaches within 72 hours. The lecture emphasizes how DOIs intersect with privacy enforcement and license compliance in the insurance sector.
This lecture introduces the concept of fiduciary duty, emphasizing the obligations of loyalty and care owed by a fiduciary to a beneficiary. It explores how fiduciary responsibilities apply to professionals and organizations handling personal data, particularly when there’s an imbalance of power or information. The lecture examines legal frameworks in various jurisdictions and the growing call for data fiduciaries—entities that must act in the best interests of individuals. Key examples and evolving regulatory discussions are included to illustrate how fiduciary principles intersect with modern data protection and privacy law.
This lecture outlines the key updates to Switzerland’s revised Federal Act on Data Protection (FADP), which came into force in 2023. It highlights the law’s alignment with the GDPR, while noting important differences such as the narrower scope of applicability and the lack of a public register of processing activities. The lecture covers key definitions (e.g., personal data, profiling), rights of data subjects, obligations of data controllers and processors, and enforcement mechanisms. The revised FADP strengthens data protection in Switzerland and ensures continued adequacy with EU standards for cross-border data transfers.
This lecture defines a data leak as the unintentional exposure of personal data—often due to human error, poor configuration, or third-party vulnerabilities—without malicious intent. It contrasts this with a data breach, which involves unauthorized access typically driven by malicious actors aiming to steal or exploit data. The lecture emphasizes the importance of prevention strategies, including employee training, data loss prevention tools, strong security policies, and continuous monitoring and risk assessment.
Domain 1 lecture notes in 3 formats: color, black and white (for printing), and review slides only.
This lecture introduces the Federal Trade Commission (FTC), its mission, and authority to regulate “unfair or deceptive acts or practices” (UDAP). It explains how the FTC enforces privacy through rules like COPPA and shared jurisdiction laws such as FCRA and CAN-SPAM. Learners explore definitions of “unfair” (substantial, unavoidable harm) and “deceptive” (misleading omissions/statements) and the FTC’s broad enforcement power under Section 5 of the FTC Act.
This lecture explores how the FTC enforces laws through investigations, administrative trials, and penalties. It introduces consent decrees—settlements where companies agree to change practices without admitting guilt—and explains their benefits to both the FTC and organizations. The FTC can issue significant civil penalties ($43,280 per violation/day) and injunctions. The lecture also notes the role of state-level organizations and industry self-regulation in UDAP enforcement.
This lecture details how the FTC creates rules under the Magnuson-Moss Act, not the typical Administrative Procedure Act (APA). Rulemaking requires evidence of UDAP prevalence and consideration of economic impact. Topics the FTC is considering include surveillance, dark patterns, data minimization, and harms to minors. The lecture also discusses the “major questions doctrine” from West Virginia v. EPA, which could limit the FTC’s regulatory power.
This lecture reviews major FTC privacy and security cases, including:
Wyndham – FTC authority to regulate cybersecurity
LabMD – limits on FTC enforcement scope
Facebook (2019) – $5B fine for consent decree violations
Everalbum – misleading claims led to algorithmic disgorgement
Equifax – $300M penalty for breach affecting 147M users
Uber – executive criminally charged for concealing breach
This lecture highlights the FTC’s priorities, especially through its new Office of Technology. Key initiatives include workshops and rulemaking efforts on data portability, commercial surveillance, health app guidance, and dark patterns. The FTC is increasingly using Section 5 to address unfair practices that affect competition, innovation, and user control. Privacy professionals are encouraged to monitor agency reports, proposals, and blog posts for updates.
This lecture outlines how state attorneys general (AGs) enforce UDAP laws alongside federal regulators. State UDAP laws often mirror the FTC Act but can also cover “unconscionable” conduct and offer a private right of action. Five states—CA, CO, CT, UT, VA—have comprehensive privacy laws, each with specific treatment of HIPAA, GLBA, FCRA, and DPPA-covered data. The lecture also details federal protections for Social Security Numbers and state-level privacy enforcement dynamics.
This lecture covers the Children’s Online Privacy Protection Act (COPPA), which applies to websites and services targeting children under 13 in the U.S. It requires parental consent before collecting personal data and mandates privacy policies on every data-collecting page. The FTC and state attorneys general enforce COPPA. It also introduces the concept of co-regulation through approved seal programs and compares COPPA with DOPPA and CCPA, which apply to older minors in Delaware and California, respectively.
This lecture explores Moore’s Law and Asimov’s Laws of Robotics in the context of emerging technologies. Moore’s Law predicts exponential growth in computing power, while Asimov’s laws advocate for ethical robotics. The lecture includes enhancements to Asimov’s framework by EPIC (transparency and audibility) and Microsoft CEO Satya Nadella (human-centered, private, transparent, and accountable AI). These frameworks help frame policy discussions about the future of AI and robotics.
This lecture introduces big data and its implications for privacy. It defines big data using the “3 V’s”—volume, velocity, and variety—and discusses data minimization and de-identification as critical privacy strategies. It explains types of identifiers, de-identification techniques (e.g., blurring, masking, differential privacy), and the role of data brokers. The lecture also reviews two major FTC reports recommending stronger transparency, consumer control, and limits on discriminatory uses.
This lecture defines the Internet of Things (IoT) as internet-connected devices that collect data without human interaction. Examples include wearables, connected cars, smart homes, and smart cities. It reviews FTC and BITAG reports recommending strong security, user control, and privacy by design. Key risks include surveillance, consent issues, and data aggregation. The lecture also introduces concepts like the Internet of Robotic Things (IoRT) and major industry initiatives for device interoperability.
This lecture emphasizes the ethical foundations of medical privacy, beginning with the Hippocratic Oath’s call for confidentiality. It explains how medical privacy protects individual identity, promotes openness with healthcare providers, and reduces workplace discrimination. It also highlights how medical records are used by insurers, providers, and researchers, reinforcing the need for responsible access and use of personal health data.
This lecture explains the Health Insurance Portability and Accountability Act (HIPAA), its definitions (e.g., PHI, ePHI, covered entity, business associate), and its goals to improve healthcare efficiency while protecting privacy. HIPAA applies to healthcare entities that process electronic transactions and imposes strict rules on data use, access, and breach response. It does not preempt stricter state laws and expands accountability through the HITECH Act and associated enforcement bodies.
This lecture details how the HIPAA Privacy Rule implements Fair Information Practices (FIPs) through notice, minimum necessary use, access rights, safeguards, and accountability. It defines permissible use and disclosure for treatment, payment, and operations (TPO), and explains de-identification, research exceptions, and public health disclosures. Enforcement is carried out by HHS OCR, DOJ, FTC, and state attorneys general, with civil and criminal penalties possible.
This lecture explores privacy developments in telemedicine during the COVID-19 pandemic. It details temporary regulatory relaxations by HHS OCR, CMS, and the DEA, which allowed broader use of videoconferencing and remote prescribing. It also introduces California’s Reader Privacy Act, which restricts government and litigant access to records of individuals who purchase or borrow books—especially sensitive medical titles—without demonstrating a compelling interest.
This lecture focuses on HHS OCR guidance following the Dobbs decision, which overturned Roe v. Wade. It outlines when HIPAA permits but does not require disclosures of reproductive health data, including under law enforcement requests or threats to safety. The lecture emphasizes that HIPAA does not protect health-related data stored on personal mobile devices and offers best practices for safeguarding digital privacy.
This lecture introduces the HIPAA Security Rule, which mandates that covered entities implement administrative, technical, and physical safeguards to protect ePHI. It defines required and addressable implementation specifications and calls for risk assessments, security officials, and workforce training. The rule considers organizational size, resources, and threat landscape, and must be followed alongside stricter state-level privacy laws where applicable.
This lecture explains the HITECH Act, which strengthened HIPAA by extending its privacy and security requirements to business associates and creating breach notification rules. It clarifies when an event qualifies as a breach, outlines penalties, and highlights incentives for adopting electronic health records (EHRs). HITECH requires reporting significant breaches to HHS, media, and affected individuals and emphasizes “limited data sets” for non-consensual sharing.
This lecture examines the federal regulation that protects the confidentiality of substance use disorder (SUD) patient records. It limits the disclosure of “patient-identifying” information and generally requires explicit consent, with exceptions for emergencies, research, audits, or court orders. The rule applies to federally assisted programs and includes criminal penalties for violations. As of February 2024, it aligns with HIPAA but does not override stricter state laws.
This lecture explores GINA’s protections against discrimination based on genetic information. It prohibits health insurers and employers from using genetic data for underwriting or employment decisions and classifies genetic data as protected health information (PHI). GINA amended several laws including HIPAA and the Civil Rights Act, and it allows exceptions such as voluntary disclosures or legally mandated genetic monitoring. It sets a federal baseline but does not preempt stricter state laws like California’s CalGINA.
This lecture outlines the CURES Act’s push for medical innovation and data sharing, focusing on interoperability and information blocking. It empowers HHS and the ONC to penalize health IT developers for obstructing data exchange and outlines certification criteria. Privacy provisions include exemptions from FOIA for certain research, certificates of confidentiality, and HHS guidance on compassionate disclosures of mental health data. The law supports electronic health record access while balancing privacy and system integrity.
This lecture defines medtech as technologies like imaging machines, wearables, and at-home DNA kits. It explains that medtech may fall under FTC or FDA jurisdiction depending on its use and risk level. The FDA regulates Software as a Medical Device (SaMD) and considers cybersecurity protections in device approval. Privacy risks arise when HIPAA does not apply, leading states like California and Utah to mandate transparency and consent for data use.
This lecture details the FCRA, which regulates how consumer reporting agencies collect, use, and disclose personal financial data. It mandates accurate data, notice of adverse actions, and limited use of reports for permissible purposes. Enforcement comes from the FTC, CFPB, and state attorneys general. The FCRA also includes amendments such as FACTA and the Red Flags Rule, and it grants consumers rights to access, correct, and dispute their credit information.
This lecture explains FCRA requirements for notices and disclosures. Users of consumer reports must certify permissible purposes—legal, credit-related, or other. If an adverse action is taken, consumers must be notified and provided their rights, including free access to their report. The lecture also covers risk-based pricing notices and disclosures tied to residential loan credit decisions. Affiliate and third-party data use comes with additional notice obligations.
This lecture covers FCRA’s employment-related requirements. Employers must provide notice, obtain authorization, and send pre-adverse action notices if using consumer reports. Investigative consumer reports, which detail character and reputation, require specific disclosures. The FCRA also limits use of medical data—typically allowing only coded information unless consumer consent is given. Data used for employment must be relevant and not shared beyond its intended purpose.
This lecture explores the Fair and Accurate Credit Transactions Act (FACTA), including consumer protections and two key rules. The Disposal Rule mandates “reasonable” disposal of consumer report information to prevent unauthorized access. The Red Flags Rule requires financial institutions and creditors to detect, prevent, and mitigate identity theft through written programs. FACTA preempts most state laws, with exceptions for identity theft and credit score issues. Enforcement comes from the FTC, CFPB, and federal banking regulators.
This lecture introduces the Gramm-Leach-Bliley Act (GLBA), which governs how financial institutions handle nonpublic personal information. It mandates data protection, privacy notices, and opt-out rights for consumers. Enforcement is shared by agencies like the CFPB, SEC, and CFTC. GLBA allows stricter state laws and penalizes violations with fines up to $1.1 million. It originated from financial industry consolidation in the 1990s and aims to ensure consumer privacy and data security.
This lecture details GLBA’s privacy notice requirements and the Safeguards Rule. Notices must explain data collection, sharing, and opt-out options, and must be provided initially and annually. Institutions may not share account numbers with nonaffiliates for marketing. The Safeguards Rule mandates an information security program with administrative, technical, and physical protections. Institutions must manage risks, monitor vendors, and secure consumer data—especially in online and mobile banking environments.
This lecture covers the E-Sign Act, which allows consumers to opt into electronic banking by consenting to receive notices and disclosures electronically. It differentiates between online banking (internet access to accounts) and mobile banking (interacting with services via mobile devices). The act facilitates digital commerce by giving electronic signatures the same legal status as handwritten ones.
This lecture compares how California and New York have expanded GLBA. California’s Financial Information Privacy Act (CFIPA) requires opt-in for sharing with nonaffiliates and opt-out for affiliate sharing. New York’s Department of Financial Services mandates cybersecurity programs for financial institutions, aligned with NIST standards. These expansions include risk assessments, CISO designation, and retention limits. NY also regulates virtual currencies through the BitLicense program.
This lecture covers the Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted after the 2008 financial crisis. It created the Consumer Financial Protection Bureau (CFPB), which regulates financial products and enforces consumer protection laws like FCRA and GLBA. The CFPB can investigate, subpoena, and fine entities for unfair, deceptive, or abusive practices. Civil penalties range from $5,526/day to over $1 million for knowing violations.
This lecture explains Regulation E, which implements the Electronic Fund Transfer Act (EFTA) of 1978. It defines electronic fund transfers (EFTs) and outlines consumer protections and financial institution responsibilities. Covered transactions include ATM use, direct deposits, and mobile app payments. Under 2021 CFPB guidance, liability for unauthorized person-to-person payments (e.g., Venmo, Zelle) falls on financial institutions—not consumers—provided the transfers qualify as unauthorized.
This lecture introduces the Family Educational Rights and Privacy Act (FERPA), which governs education records in federally funded institutions. It grants students rights to access, amend, and control the disclosure of their education records, and defines personally identifiable and directory information. FERPA requires annual notification of rights, includes exceptions for emergencies, and permits complaints to the U.S. Department of Education. It does not preempt stricter state laws.
This lecture expands on FERPA by detailing who holds rights (parents or students, depending on age and tax dependency) and when disclosure of education records is permitted. It covers consent requirements, statutory exceptions (e.g., health emergencies, subpoenas), and students’ rights to access and correct their records. Enforcement occurs through the Department of Education, and violations can lead to loss of federal funding.
This lecture examines how FERPA interacts with other laws. It identifies gaps in FERPA that allowed directory information sales, later addressed by the Protection of Pupil Rights Amendment (PPRA) and the No Child Left Behind Act. It also compares FERPA with HIPAA and introduces laws like California’s SOPIPA and the IDEA, which offer additional protections for student data, especially for students with disabilities.
This lecture discusses privacy challenges in educational technology, using Google’s data practices as a case study. It covers self-regulation via the Student Privacy Pledge, the FTC’s enforcement of COPPA, and cybersecurity expectations like adopting the NIST Cybersecurity Framework. While FERPA does not mandate breach notification, the Department of Education may investigate data breaches. State laws like SOPIPA and NY’s Education Law 2-D add further requirements.
This lecture explores privacy concerns and legal frameworks surrounding telemarketing. It distinguishes between FCC’s TCPA and FTC’s Telemarketing Sales Rule (TSR), which impose restrictions on phone calls, robocalls, texts, and emails. Covered organizations must follow rules on disclosures, call times, do-not-call lists, and suppression requests. The TSR does not preempt stricter state laws, reinforcing consumer control over intrusive marketing practices.
This lecture details key restrictions under the Telemarketing Sales Rule (TSR), including prohibitions on misrepresentations, call abandonment, and unauthorized billing. It covers express consent requirements, safe harbor rules, recordkeeping mandates, and how TSR aligns with TCPA updates on robocalls and autodialers. The FTC, state attorneys general, and individuals may enforce violations, with penalties reaching over $50,000 per call. Strict compliance documentation is required.
This lecture explains the National Do Not Call (DNC) Registry, allowing consumers to opt out of telemarketing calls. It outlines exceptions for nonprofits and existing business relationships, and details the consent exemption process. Telemarketers must maintain updated call lists and comply with DNC Safe Harbor standards. The lecture also discusses “neighbor spoofing,” robocall enforcement, and how state laws supplement federal protections.
This lecture reviews the Junk Fax Prevention Act (JFPA), which permits unsolicited commercial faxing with an existing business relationship (EBR) and opt-out. It also outlines CAN-SPAM’s rules for unsolicited emails, including labeling, opt-out mechanisms, and truthfulness in messaging. 2008 regulations clarify definitions and sender responsibilities. Penalties can reach $2 million, and while there is no federal private right of action, some states may allow lawsuits.
This lecture explains how CAN-SPAM applies to Mobile Service Commercial Messages (MSCMs). It defines MSCMs as marketing messages sent directly to wireless devices and emphasizes the need for express prior authorization. The FCC requires specific, affirmative consent, with clear opt-out mechanisms. A Wireless Domain Registry helps senders identify covered domains. The rules do not apply to standard phone-to-phone texts.
This lecture outlines CPNI protections under the Telecommunications Act of 1996. CPNI includes billing, service, and call data—but not personal identifiers like name or address. Carriers need consent to share CPNI, with opt-out and opt-in options depending on the use. VoIP and ISPs are covered, but streaming services are not. Breach notification, compliance certifications, and password protection are required.
This lecture discusses the Cable Communications Policy Act (the Cable Act, not to be confused with California’s CCPA) and the Video Privacy Protection Act (VPPA). The Cable Act governs cable service providers’ handling of subscriber data, with rules on notice, retention, and disclosure. The VPPA, prompted by the leak of Supreme Court nominee Robert Bork’s video rental history, limits sharing of video rental data and mandates prompt deletion. Both laws provide private rights of action and statutory damages.
This lecture explores how digital advertising is regulated through industry self-regulation and limited legislation. It covers the roles of the Digital Advertising Alliance (DAA) and Network Advertising Initiative (NAI), each promoting transparency, user choice, and limitations on data use. Enforcement is supported by industry bodies and the FTC under UDAP principles. The lecture also examines the now-rescinded FCC Broadband Privacy Rule and California’s CalOPPA “Do Not Track” amendment, which requires websites that collect personal information to disclose in their privacy policy how they respond to Do Not Track signals.
This lecture introduces ethical principles in digital advertising, emphasizing the need to balance legal compliance with responsible behavior. It defines ethics and data ethics, referencing the Institute of Advertising Ethics (IAE) principles: honesty, fairness, and protecting privacy. It highlights concerns like online behavioral advertising, dark patterns that manipulate users, and the targeting of children, whose cognitive development limits informed decision-making. The lecture underscores the importance of transparent, consumer-respecting advertising practices.
This lecture covers the Driver’s Privacy Protection Act (DPPA) of 1994, which restricts the release, use, or sale of personal information collected by Departments of Motor Vehicles. It safeguards data such as names, addresses, and driver IDs, and requires express consent unless a legally permissible use exists—such as law enforcement, court orders, or insurance underwriting. Violations can result in civil lawsuits, reinforcing the law’s role in protecting motor vehicle record privacy.
This lecture examines the legality of web scraping—automated data extraction from websites—under U.S. and EU law. It discusses relevant rulings (e.g., Van Buren v. U.S., LinkedIn v. hiQ), noting that scraping public data may not violate the CFAA. Under CCPA, scrapers may not need to notify users unless they sell or share the data. Under GDPR, scraping PII requires a lawful basis. The lecture outlines where and when web scraping practices are legally and ethically constrained.
This lecture introduces key terminology related to corporate restructuring—mergers, acquisitions, and divestitures—and explores associated privacy implications. Students are taught how to conduct a privacy-focused gap analysis to assess risks related to new data processes, compliance requirements, contracts, and technical infrastructure. The lecture also emphasizes data transfer considerations, including the need for due diligence, understanding data origin and purpose, adhering to data processing principles, and ensuring safeguards like accuracy, integrity, and security during organizational transitions.
This lecture explains how the Fourth Amendment protects against unreasonable searches and seizures by requiring warrants based on probable cause. It explores the amendment’s historical origins, the process of obtaining a warrant, and the exclusionary rule, which bars unlawfully obtained evidence from being used in court. The amendment ensures that law enforcement must demonstrate specific, justified need before conducting a search, safeguarding individual privacy against government intrusion.
This lecture introduces federal laws that provide privacy protections beyond the Fourth Amendment, including the Right to Financial Privacy Act (RFPA), the Electronic Communications Privacy Act (ECPA), and HIPAA. These laws allow government access to personal data under lower thresholds than probable cause, such as subpoenas or written requests, while still offering consumer rights like notice and the ability to challenge disclosures.
This lecture outlines the Bank Secrecy Act (BSA), which mandates recordkeeping and reporting by financial institutions to combat money laundering and financial crimes. Institutions must report transactions over $10,000, retain specific customer records, and file Suspicious Activity Reports (SARs) when certain thresholds or red flags are met. Violations may result in significant civil and criminal penalties. BSA applies to banks, brokers, casinos, and more.
This lecture reviews expansions to the Bank Secrecy Act through the International Money-Laundering Abatement and Anti-Terrorist Financing Act (as part of the USA PATRIOT Act) and the Foreign Account Tax Compliance Act (FATCA). These laws introduce Know Your Customer (KYC) obligations, encourage inter-agency information sharing, and increase scrutiny on foreign account holders to deter tax evasion and financial crimes.
This lecture explains how cryptocurrency businesses are treated under the BSA. Companies offering hosted wallets, anonymizing services, and peer-to-peer exchanges are classified as “money service businesses,” subjecting them to recordkeeping and reporting obligations. However, decentralized exchanges and mining pools may be exempt, highlighting regulatory gray areas in emerging financial technologies.
This lecture examines how court decisions have shaped wiretap laws in the U.S. It reviews Olmstead v. U.S. (1928), Katz v. U.S. (1967), and the “reasonable expectation of privacy” standard. It also discusses the third-party doctrine and cases like U.S. v. Jones, Riley v. California, and Carpenter v. U.S., which clarified warrant requirements for GPS tracking, smartphone data, and location records.
This lecture outlines laws governing various forms of surveillance. Title III prohibits wiretaps unless exceptions apply, such as consent or the ordinary course of business. The Stored Communications Act (SCA) restricts access to stored electronic communications, while preservation orders require service providers to retain data. Pen registers and trap-and-trace devices capture call metadata under a lower legal standard than a probable-cause warrant. Changes under the USA PATRIOT and FREEDOM Acts affect how bulk data is collected, emphasizing specific selectors over mass surveillance.
This lecture explains the Communications Assistance for Law Enforcement Act (CALEA), also known as the “Digital Telephony Bill.” Passed in 1994, CALEA requires telecommunications providers to design systems that allow lawful government access to communications. Initially limited to telecom services, CALEA was expanded in 2005 to cover broadband and VoIP. The Federal Communications Commission (FCC) oversees its implementation, ensuring alignment with national security and law enforcement needs.
This lecture reviews the FISA framework, created in 1978 to govern foreign intelligence collection. It introduced court-authorized surveillance, later expanded by the USA PATRIOT Act and reformed by the USA FREEDOM Act. FISA authorizes wiretaps, pen registers, and trap-and-trace orders for foreign intelligence purposes. Section 702 permits surveillance of non-U.S. persons outside the U.S., using programs like PRISM and Upstream, under approval from the FISC and oversight mechanisms.
This lecture explores how national security laws have evolved, including the USA PATRIOT Act, FISA Amendments, and the use of National Security Letters (NSLs). It covers the Snowden disclosures and subsequent reforms like the USA FREEDOM Act and the Judicial Redress Act. The lecture discusses the tension between national security and civil liberties, highlighting surveillance powers, court oversight, and unresolved issues like encryption and lawful access debates.
This lecture explains the 2015 Cybersecurity Information Sharing Act, which encourages companies to share cyber threat data with the government. It provides legal protections for companies that monitor networks and report indicators of cyber threats, such as liability limitations and FOIA exemptions. CISA promotes public-private collaboration while safeguarding sensitive data and privileges like attorney-client confidentiality.
This lecture addresses how personal information is handled in public court records. It contrasts pre- and post-internet access, introduces protective orders, qualified protective orders (QPOs), and redaction under Rule 5.2 of the Federal Rules of Civil Procedure. The lecture emphasizes balancing transparency with privacy, especially for sensitive data like Social Security numbers, financial accounts, and personal identifiers in civil litigation.
This lecture covers when disclosures of personal information are required, permitted, or prohibited by law. It reviews disclosure obligations under laws like the Bank Secrecy Act, HIPAA, and OSHA, and discusses subpoenas and court orders. It also explains permitted disclosures under HIPAA and the USA PATRIOT Act, and outlines prohibited disclosures protected by evidentiary privileges (e.g., attorney-client, doctor-patient). The session concludes by distinguishing legal standards that govern when courts compel disclosures.
This lecture introduces the Privacy Protection Act (PPA) of 1980, enacted to protect media organizations from government searches. Passed in response to Zurcher v. Stanford Daily, the PPA requires law enforcement to use subpoenas—not search warrants—when seeking materials intended for public dissemination. It includes limited exceptions and allows for damages and attorney’s fees. The law applies broadly to traditional and potentially digital media involved in First Amendment activities.
This lecture explores electronic discovery (e-discovery), which involves turning over electronically stored information (ESI) during litigation. It highlights data sources, employee device policies, and the importance of retention procedures. Standards from the Federal Rules of Civil Procedure and the Sedona Conference guide best practices. The lecture addresses the tension between privacy laws like HIPAA and GLBA and discovery obligations, especially when court and corporate policies conflict.
This lecture explains the CLOUD Act (Clarifying Lawful Overseas Use of Data), passed in 2018 to address access to data stored abroad. Part I authorizes U.S. law enforcement to obtain data from U.S. companies, even if stored overseas. Part II enables qualifying foreign governments to request data directly from U.S. providers under executive agreements. The law resolves jurisdictional challenges exposed in United States v. Microsoft and modernizes global data access procedures.
This lecture reviews the 2022 Second Additional Protocol to the Budapest Convention on Cybercrime. The Protocol facilitates cross-border cooperation in obtaining digital evidence. It allows law enforcement to directly request subscriber and traffic data from service providers and expedite emergency requests. It also provides data protection through domestic laws and bilateral agreements—both binding and non-binding—between requesting and receiving countries.
This lecture provides an overview of workplace privacy in the U.S., highlighting the absence of a comprehensive federal law. It explores how constitutional protections (like the Fourth Amendment), contract law, and torts apply in employment contexts. Employees may have limited privacy based on negotiated contracts or union agreements. Common torts include intrusion on seclusion and defamation. State laws add fragmented protections, covering issues like social media account access and discrimination based on marital status.
This lecture surveys major federal laws that protect employee privacy. It includes health and benefits laws (HIPAA, COBRA, ERISA, FMLA, GINA), anti-discrimination statutes, and data management regulations (FCRA, OSHA, NLRA). These laws govern what information employers can collect, how it must be protected, and under what conditions it can be disclosed. It also covers employment eligibility (IRCA) and financial disclosures (Securities Exchange Act of 1934).
This lecture introduces key government agencies involved in safeguarding employee privacy. The Department of Labor oversees working conditions and benefits through FLSA, OSHA, and ERISA. The EEOC enforces anti-discrimination laws such as Title VII and the ADA. Other agencies, like the FTC, CFPB, and NLRB, regulate unfair practices and labor rights. State Departments of Labor handle wage laws, safety, and unemployment services.
This lecture focuses on the human resources department’s responsibility for managing sensitive employee data, including medical, pay, and performance records. HR must ensure data is protected, especially during and after employment, such as in wrongful termination cases. It also discusses the risks of defamation from reference letters and how “qualified privilege” offers limited legal protection to employers who provide honest evaluations.
This lecture addresses privacy considerations throughout the employment lifecycle. Before hiring, background and credit checks may raise privacy issues. During employment, polygraphs, drug testing, digital monitoring, and BYOD policies are common. Post-employment concerns include termination of access and data retention. The lecture emphasizes employer obligations to respect privacy while managing operational risk across all employment stages.
This lecture examines the use of background checks before employment and the privacy and anti-discrimination laws that govern them. It outlines legal justifications for screening—such as national security or working with vulnerable populations—and identifies roles legally required to undergo checks. It also reviews federal laws that limit screening based on race, age, disability, and more. The lecture emphasizes balancing due diligence with legal protections under Title VII, ADA, GINA, and others.
This lecture explores how the Americans with Disabilities Act (ADA) governs pre-employment medical screening. Employers with 15+ employees may not require medical exams unless they are job-related and consistent with business necessity. After a conditional offer, exams may be required, but results must remain confidential. The lecture also addresses reasonable accommodations and expanded ADA coverage under the 2008 Amendments Act, which broadened definitions of disability following Supreme Court rulings.
This lecture covers the Fair Credit Reporting Act (FCRA) and its role in pre-employment background and credit checks. Employers must obtain written notice and consent, use a qualified consumer reporting agency (CRA), and notify applicants before taking adverse action. It contrasts FCRA with California’s stricter Investigative Consumer Reporting Agencies Act (ICRAA) and discusses state-level restrictions on the use of credit information. The lecture also highlights emerging screening tools like social media reviews and AI analysis.
This lecture introduces the Fair Chance to Compete for Jobs Act (FCA), a “Ban the Box” law that bars federal employers from inquiring about criminal history until after a conditional job offer. It also discusses technological tools used in screening, including social media monitoring and artificial intelligence-based behavioral assessments. These tools raise ethical and legal questions about transparency, discrimination, and accuracy in hiring decisions.
This lecture explores workplace testing practices, focusing on polygraphs and substance use tests. The Employee Polygraph Protection Act (EPPA) generally prohibits private employers from using lie detectors, with exceptions for government and certain sensitive jobs. Drug testing is not governed by federal law, but is supported by court rulings and mandated in some safety-sensitive roles. It also addresses tensions between legal marijuana use and workplace policies, and ADA protections for alcoholism but not illegal drug use.
This lecture explores legal and ethical considerations surrounding employee monitoring. It covers reasons for monitoring—such as safety, productivity, and liability reduction—and details the legal framework, including the Wiretap Act, ECPA, and SCA. It also addresses video surveillance, biometric data collection (e.g., under Illinois’ BIPA), postal mail monitoring, and union considerations. While employers generally have broad authority to monitor their own property, excessive or intrusive surveillance may be limited by state laws or collective bargaining agreements.
This lecture reviews modern monitoring tools and the privacy concerns they raise. Topics include location-based services (LBS), data loss prevention (DLP), the consumerization of IT (COIT), bring your own device (BYOD) policies, and teleworking security. It emphasizes the importance of balancing privacy with security by implementing safeguards like access controls, patch management, and employee training on phishing and malware when remote work or personal devices are involved.
This lecture outlines legal and procedural best practices for investigating employee misconduct. It emphasizes fairness, documentation, and adherence to policies. The “Vail Letter” case is discussed, which led to FACTA’s amendment of the FCRA to allow covert investigations. Under current law, employers are exempt from giving notice or obtaining consent when investigating misconduct, as long as the matter is unrelated to creditworthiness and the report is kept internal.
This lecture presents best practices for protecting company data and assets when employees leave. It recommends promptly revoking physical and technical access, collecting equipment (like keys and devices), and disabling or deleting credentials—including those linked to BYOD policies. These procedures help minimize the risk of unauthorized access and ensure smooth offboarding from both a security and compliance perspective.
This lecture introduces the California Privacy Protection Agency (CPPA), established by the California Privacy Rights Act (CPRA) to enforce and implement the California Consumer Privacy Act (CCPA). Governed by a five-member board, the CPPA promotes public awareness, issues privacy regulations, investigates potential violations, and collaborates with other enforcement bodies across jurisdictions to ensure consistent privacy protection standards.
This lecture covers state and federal laws aimed at protecting Social Security Numbers (SSNs). It highlights state-level restrictions like California’s ban on printing SSNs on mail or ID cards and transmitting them unencrypted. It also reviews the federal Social Security Number Fraud Prevention Act of 2017, which limits mailing full SSNs and restricts their visibility from envelopes.
This lecture examines how states regulate the destruction of personal data to prevent unauthorized access. It defines data destruction methods for paper and electronic media and compares state laws, using North Carolina as a model. The lecture also reviews the FTC Disposal Rule, which mandates “reasonable” disposal practices for consumer reports based on sensitivity, cost, and technology.
This lecture revisits foundational concepts in information security, focusing on the CIA triad—Confidentiality, Integrity, and Availability. It contrasts the CIA model with the DAD triad (Disclosure, Alteration, Destruction) and defines administrative, technical, and physical controls used to mitigate risks. It also clarifies the distinction between privacy (how personal data is used) and cybersecurity (how it is protected).
This lecture introduces California Assembly Bill 1950 (AB 1950), which requires businesses that own or license Californians’ personal information to implement “reasonable security” practices. It outlines the types of personal data covered, exemptions for businesses already under stricter regulations (e.g., HIPAA, GLBA), and references the Center for Internet Security’s Critical Security Controls as a baseline standard.
This lecture explores data security laws in Massachusetts and Washington. Massachusetts’ 201 CMR 17 is one of the strictest, requiring designated security officers, documented policies, third-party contract obligations, and technical safeguards like encryption and access controls. Washington’s HB 1149 allows financial institutions to recover costs from data breaches if processors were negligent, unless the data was encrypted and the processor was PCI-DSS certified. The lecture also notes several states adopting PCI-DSS as a security baseline.
This lecture reviews Illinois’ Biometric Information Privacy Act (BIPA), a pioneering law regulating the collection and use of biometric identifiers. It requires written consent, prohibits profiting from biometric data, and mandates publicly available retention and destruction policies. BIPA provides a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Notable cases include Clearview AI’s vast facial recognition database and the 23andMe breach, highlighting public concerns over biometric data misuse.
This lecture focuses on biometric privacy laws in Washington and Texas. Both states define biometric identifiers as unique biological traits (e.g., fingerprints, iris scans, voiceprints) and require consent for collection. They prohibit disclosure or sale without consent and enforce data security and retention policies. These laws reflect growing legislative efforts to protect sensitive personal data in the absence of a federal biometric privacy standard.
This lecture outlines the scope of the California Consumer Privacy Act (CCPA). It applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue over $25 million, processing the personal information of 50,000 or more consumers, households, or devices, or deriving 50% or more of annual revenue from selling personal information. The CCPA does not cover nonprofits or entities that do not determine the purposes and means of processing. It also restricts third-party sales of personal information without proper consumer notice and an opt-out option.
This lecture defines key terms in the CCPA, including “consumer” (a California resident) and “personal information” (any data linked to a person or household). It distinguishes between personal and de-identified data and explains what constitutes a “sale” under the law. The lecture also details notice requirements—initial, website, and opt-out notices—and emphasizes the role of service providers in lawful data sharing.
This lecture explains the five key consumer rights under the California Consumer Privacy Act (CCPA): the right to know what data is collected and shared, to access specific data elements, to request deletion (with exceptions), to opt out of the sale of personal data, and to be free from discrimination when exercising these rights. It emphasizes businesses’ responsibilities to disclose categories of data collected, sources, purposes, and recipients, and to provide consumer-friendly access and opt-out options.
This lecture outlines the CCPA’s enforcement mechanisms and remedies for data breaches. Consumers may bring private actions when nonencrypted and nonredacted personal information is breached as a result of a business’s failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages if greater. Regulatory enforcement is handled by the California Attorney General and the California Privacy Protection Agency (CPPA), with civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation. As originally enacted, the CCPA required that businesses be notified and given a 30-day cure period before an enforcement action.
This lecture defines what constitutes a “business” under various state privacy laws. Definitions vary but typically include thresholds based on revenue and the number of consumers’ data processed. It also covers two types of exemptions: entity-level (e.g., nonprofits, government) and data-based (e.g., HIPAA-covered data). A comparison across five states highlights differing criteria for regulation and details excluded organizations.
This lecture examines how state privacy laws define “consumer” and “personal information.” A consumer is generally any state resident, regardless of commercial relationship. Personal information includes any data linked or linkable to an individual or household. California’s definition is the broadest, including employment data. The lecture also outlines exclusions (e.g., deidentified or publicly available data) and details categories of sensitive personal information across states.
This lecture explores how comprehensive state privacy laws define the “sale” of personal information. In Utah and Virginia, a sale requires monetary compensation. In California, Colorado, and Connecticut, it includes exchanges for anything of value. The lecture clarifies what is not considered a sale (e.g., service fulfillment or mergers) and explains California’s unique treatment of “sharing,” which includes non-monetary disclosures for cross-context behavioral advertising.
This lecture outlines consumer rights under five U.S. state privacy laws. Core rights include access, data portability, opt-out of data sales, and non-discrimination. Deletion rights vary: some states allow deletion of all personal data the business holds, others only data collected directly from the consumer. Additional rights in some states include correction, opting out of profiling and automated decision-making, and control over sensitive personal data. Consumers submit requests to businesses, which must respond within 45 days (15 business days for opt-out requests in CA). Appeal rights exist in CO, CT, and VA, but not in CA or UT.
This lecture details business requirements under state privacy laws. All five states mandate privacy notices and opt-out options, with California requiring extra notices and links. Opt-in consent is required for children’s data in varying ways, with California and Connecticut applying stricter standards. Businesses must collect data only for specific, necessary purposes and conduct risk assessments when handling sensitive data or engaging in high-risk activities. All states require reasonable administrative, physical, and technical security controls, except Utah, which omits certain requirements.
This lecture reviews how state privacy laws are enforced. Civil penalties vary: up to $7,500 in CA, UT, and VA; $20,000 in CO; and $5,000 in CT. Enforcement authority is split among attorneys general, privacy agencies, and local entities depending on the state. Cure periods to fix violations are allowed in UT and VA, expire in 2024 in CO and CT, and are not offered in CA. Only California provides a limited private right of action for data breaches.
This lecture introduces California’s Age-Appropriate Design Code Act of 2022. The law requires online platforms to prioritize the “best interests” of child users by default. It prohibits using children’s personal data in harmful ways and blocks the collection, sharing, or sale of children’s location data by default. Platforms must implement child-friendly safety and privacy settings from the outset, making the digital environment more protective for users under 18.
This lecture outlines a four-step framework for responding to data breaches: Confirm, Contain, Notify, and Follow Up. It explains the types of breaches—including hacking, insider threats, and physical loss—and highlights real-world statistics. The lecture emphasizes documenting containment steps, tailoring notifications based on state laws, and conducting internal reviews post-incident. Recommendations include implementing Data Loss Prevention tools, performing simulated exercises, and enhancing training to prevent future incidents.
This lecture presents the U.S. federal government’s framework for handling data breaches involving personally identifiable information (PII), as outlined in OMB Memorandum M-17-12. It emphasizes forming a Privacy Incident Response Team (PIRT), documenting compliance, collaborating across functions, assessing breach scope, and notifying affected individuals. It also covers vendor responsibilities such as training, encryption, notification protocols, and staff participation in investigations, reinforcing the importance of preparation and cross-functional coordination in breach response.
This lecture explains how state-level breach notification laws fill the gap left by the absence of a federal standard. It outlines common elements across all states, including definitions for personal information, covered entities, and security breaches. It highlights variations in data types considered “personal,” such as biometrics or medical records, and emphasizes that reporting thresholds, exemptions, and private rights of action vary by state.
This lecture explores the logistical details of state breach notification laws. It outlines who must be notified (individuals, attorneys general, consumer reporting agencies), how quickly (usually within 30–45 days), and by what methods. It details notification contents and exceptions, such as encryption. It also explains penalties and enforcement mechanisms, including AG actions and private lawsuits. It notes the high variability in requirements across states and stresses prompt, transparent reporting.
This lecture highlights recent developments in breach laws. It covers the FCC’s expanded breach notification rules for telecom providers, which require notifying the FCC and federal law enforcement no later than seven business days after a reasonable determination that a breach occurred. Utah’s SB 127 adds new state reporting requirements for breaches affecting more than 500 residents. Pennsylvania’s SB 696 broadens the definition of personal information and shifts the notification trigger from discovery of a breach to determination that one occurred. Texas shortens its Attorney General notification window to 30 days and requires the Attorney General to publicly post reported breaches.
This lecture details Washington’s 2023 My Health, My Data Act, which regulates the collection, sharing, and sale of consumer health data. It applies to businesses targeting WA residents and has no size threshold. It defines consumer health data broadly, mandates clear consent for data practices, and grants consumers rights to access, delete, and withdraw consent. The act bans geofencing near health services and allows private lawsuits. Transparency, access controls, and strong purpose limitations are central to compliance.
This lecture outlines Nevada’s SB 370, which governs how organizations handle consumer health data. It defines regulated entities and includes a broad scope of health-related information. The law mandates detailed privacy policies, affirmative consent, and robust safeguards. It grants consumers rights to access, delete, and halt data sharing, and restricts geofencing near medical facilities. Unlike Washington’s similar law, it does not offer a private right of action.
This lecture explores Illinois’ Genetic Information Privacy Act (GIPA) and its rising role in class actions. Originally focused on direct genetic data like DNA tests, recent lawsuits now include pre-employment physicals and family history inquiries. The Melvin v. Sequencing, LLC case sparked a wave of litigation, with over 50 actions filed. Employers and insurers are being scrutinized for potentially violating GIPA by requiring or misusing genetic information.
This lecture reviews how several U.S. states regulate automated decision-making (ADM). Laws in CA, CO, CT, VA, and NYC address profiling and high-risk ADM activities like hiring, lending, and insurance. Requirements include opt-outs, algorithmic impact assessments, and transparency. The lecture also defines “profiling” and “high-risk activities” and compares legal obligations across jurisdictions, showing how ADM regulation is evolving at the state level.
This lecture explains New York City’s Local Law 144, which regulates the use of automated employment decision tools (AEDTs). It mandates annual bias audits, public disclosure of results, and advance notice to candidates. The law covers any employment decisions linked to NYC-based roles and aims to reduce bias and increase transparency in algorithmic hiring. Enforcement falls under the Department of Consumer and Worker Protection.
This lecture explores Colorado’s SB21-169, which restricts insurers from using algorithms and external consumer data (ECDIS) in ways that result in unfair discrimination. It defines ECDIS and outlines prohibited practices tied to protected characteristics. Insurers must create governance frameworks, maintain detailed documentation, and submit oversight reports to the Division of Insurance. The law is a pioneering step in algorithmic accountability within the insurance industry.
This lecture covers California’s Delete Act (SB 362), which allows consumers to delete personal data held by all registered data brokers through a centralized online portal. Data brokers must process requests every 45 days, undergo audits every three years, and maintain transparency about data practices. Enforcement is handled by the California Privacy Protection Agency, with penalties for non-compliance. The law aims to shift the burden of data management from consumers to data brokers.
This lecture highlights unique aspects of recent state privacy laws. Examples include Delaware’s teen protections, Florida’s narrow scope, Indiana’s “representative summary” of personal data, Oregon’s sensitive data definitions, and Tennessee’s NIST-aligned safe harbor. Despite differences, most laws grant core consumer rights and impose data protection duties on businesses. These developments show growing diversity and innovation in U.S. state privacy legislation.
This lecture explains the legal requirement for organizations to obtain verifiable parental consent (VPC) before collecting personal data from children under 13 in the U.S. Key methods include requiring signed consent forms, using payment methods, or verifying government-issued IDs. The lecture emphasizes the importance of clear privacy notices and outlines the conditions under which consent can be revoked.
This lecture provides an overview of the NAIC’s (National Association of Insurance Commissioners) Artificial Intelligence Systems Governance Guidelines, which outline principles for responsible AI use by insurance companies. The guidelines focus on fairness, accountability, transparency, and ethics. Core recommendations include documenting AI model development and deployment processes, conducting impact assessments, ensuring proper data governance, and providing oversight mechanisms for high-risk applications. The lecture stresses that insurers must tailor AI governance to their size and complexity while remaining compliant with existing regulatory expectations.
This lecture reviews eight U.S. state privacy laws taking effect in 2025 and 2026: Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island. Key distinctions include Maryland’s strong protections—such as limits on sensitive data processing, bans on geofencing, and prohibitions on advertising to teens—and Minnesota’s special rights related to automated decision-making. States like Iowa and Kentucky are more business-friendly, offering generous cure periods or omitting universal opt-out requirements. Applicability thresholds and rulemaking authority vary, with New Hampshire and Nebraska adopting population- or business-based exemptions, and New Jersey and Rhode Island emphasizing transparency and regulatory oversight.
* Fully updated and comprehensive coverage of version 2.6.1 of the CIPP/US Body of Knowledge (May 2026). *
Welcome to the CIPP/US Certification Masterclass. My name is Dr. Kyle David. I'm here to help you pass your CIPP/US certification exam.
Getting your CIPP/US certification is an excellent career move.
The CIPP/US certification is the gold standard for data privacy and data protection.
Demand for qualified privacy professionals worldwide is BOOMING.
The average salary for privacy professionals is US$146,000.
This CIPP/US course covers all 5 domains in comprehensive detail. The 5 domains are:
Introduction to the U.S. Privacy Environment
Limits on Private-sector Collection and Use of Data
Government and Court Access to Private-sector Information
Workplace Privacy
State Privacy Laws
This course includes:
22+ hours of CIPP/US video lectures: Comprehensive coverage of all 5 domains.
400 scenario-based practice questions. Test your comprehension as you progress through the course.
Free downloadable CIPP/US study guides: Made from my lecture slides.
Access to Dr. David's Discord channel: To get live support from me and others as you prepare for the CIPP/US exam.
CIPP/US Mnemonics: To help you remember key details for the exam.
An automatic certificate of completion: To flex on your friends, family, and colleagues.
30-day no questions asked, money-back guarantee.
Offline video viewing on the Udemy mobile app.
Start your CIPP/US certification journey today and let me help YOU get certified!