Photo of Chiara Portner

Chiara holds the certificate for CIPP/US for U.S. private-sector privacy from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.

The new decade started off with a flurry of emails informing us of updated privacy notices being posted on websites in response to the California Consumer Privacy Protection Act (“CCPA”). While most people began their new year resolutions or happily watching football on January 1, 2020, some of us were busy peeling through these updated privacy notices. What our review reveals is that companies are handling the CCPA in many different ways. Some take a strict approach to the letter of the law and proposed regulations, while others outright challenge the CCPA’s broad definitions and sweeping requirements by flouting language suggesting that their original privacy policy already disclosed everything it needed to, but, paraphrasing, “we now also have to disclose the same thing this way just because of CCPA.”
Continue Reading CCPA Is Here: What Does It Look Like So Far?

The California Consumer Privacy Act (CCPA) goes live in six weeks. While many companies have been working on mapping their data for some time, others are just getting started. Some of the issues left open by the language of the CCPA and the proposed regulations have yet to be resolved, but there is no question

As part of our blog series, we share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the second FAQ in our series.


Even though the California Consumer Privacy Act (“CCPA”) will be effective January 1, 2020, the time to plan for compliance is now.  It may seem as though you have plenty of time to prepare but it is a mistake to not start preparing. Indeed with the twelve-month lookback provisions, companies must have proper records of personal information that they collected as of January 1, 2019.

Under the CCPA, individuals have various new rights that must be detailed in a company’s just in time privacy notice (a new requirement under the Attorney General’s proposed regulations) and a company’s privacy policy, including the right to access their information, to request deletion of their information, to be informed of certain transfers of their information, to opt-out (if over 16) of or opt-in (if under 16) to sales of their information, and receive equal service and price even if they exercise their rights.

There are many nuanced questions to consider that may not be apparent on a cursory read of the CCPA or the proposed Attorney General regulations. Some basic common questions arise when companies first hear about the CCPA, as follows.
Continue Reading Privacy FAQ #2 – CCPA

Similar to the months before the GDPR went into effect at the end of May 2018, companies are now actively preparing for compliance with the California Consumer Privacy Act (CCPA).  As California leads the pack of states in terms of privacy and technology laws, other states have followed suit, including Nevada.

The Nevada statute (SB 220) is an amendment to Nevada’s existing law, which requires website operators to have a privacy policy with certain disclosures.
Continue Reading From the Golden State to the Silver State – Privacy Law in Nevada

With schools starting this fall, one invariably will think about the safety of their children – both online and in the real world. There are numerous security programs and apps now that tout data security technology and online measures to keep students safer in the real world classroom. The technology generally markets itself as having the ability to predict the propensity of students to conduct acts of violence in schools. In order to do so, the software offered by these companies reads our kids’ emails and social media posts insofar as they are publicly available or sent through school networks. The technology contains certain key words and phrases that trigger alerts, which are then sent to the provider’s customer, typically schools. It sounds promising and is definitely optimistic given today’s climate, which I like. But are they really getting the full picture? If a message is privately sent between students on social media as opposed to a school’s network email, it seems that the software would not have access important information indicating a kid’s nefarious plans or potential harmful activities if it were included in private interaction. It is also questionable if the limited scope of the protection services offered by these companies is worth what we give up in terms of privacy. 
Continue Reading School and Student Privacy vs. Security – How to Balance