An Essential Text for Privacy Practitioners with Insights from Leading Experts in the Field of U.S. Privacy
Privacy practitioners seeking guidance on a constantly evolving U.S. privacy landscape can look to this third edition of U.S. Private-Sector Privacy: Law and Practice for Information Privacy Professionals as their indispensable guidepost.
Government and privacy law specialists Peter Swire and DeBrae Kennedy-Mayo provide crucial analysis of U.S. laws, regulations and the current technological and societal developments that influence them. Together, they have written a comprehensive resource encompassing the essentials of privacy practice in the medical, financial, educational, telecommunications and marketing sectors, as well as enforcement, data breach and incident management, online activities, and privacy issues in investigations and litigation.
Reorganized, expanded and updated to reflect current issues in privacy law, this edition addresses key topics including:
- Limits on private-sector collection and data use
- Common principles and approaches to information privacy and data protection
- Critical components of the California Consumer Privacy Act (CCPA)
- Key elements of the European Union’s General Data Protection Regulation (GDPR)
- New information on federal and state best practices involving emerging technologies and privacy expectations
Listen, is it the most engaging read in the world? No, it's a textbook. But for a textbook it is well-structured, utilizes interesting case studies, and is accessibly written. I used this in conjunction with the IAPP's CIPP/US certification online training, and I wish that training had been set up such that modules were in the same order as the textbook chapters (or at least such that relevant textbook chapters were highlighted in each module), but that's more a training program issue than an issue with the book itself. The textbook can feel a little repetitive, but that's not necessarily a bad thing as far as reinforcing terminology definitions, concepts etc.
This book is a comprehensive guide to US privacy law and information management related to privacy. It's an essential book for the shelf of anyone who has to deal with privacy regulations at work. You will learn not only about general ideas around privacy, but critical information concerning privacy rules around healthcare (HIPAA), children (COPPA), finance (GLBA), and the new California laws (CCPA), and those in the Euro zone (GDPR).
But . . . there is a lot that could be improved. Mary Berry, the Training Director for the IAPP (Internal Association of Privacy Professionals) notes on p. xvi that the book should be a "valuable resource in preparing for your CIPP/US certification as well as a practical reference to your daily professional lives." I'm going to address these two goals -- exam prep and work guide -- briefly here. But owing to the vast scope of the book I'm going to have to write a longer review on my blog.
How does the book satisfy as exam prep? I haven't taken the exam yet myself, but there are some major problems. Just skimming through the opening chapters, one needs to know about the OECD, APEC, HIPAA, HITECH, COPPA, GLBA, CAN-SPAM. Generally the book is organized conceptually by different interests of the law, then dipping into the various laws (APEC, HIPAA, etc.). The book desperately needs an appendix or link to a resource at IAPP ( :-) see above for this acronym) that provides expansions of all of these acronyms but also the related laws, their dates of inception, and some indication of their interplay. Perhaps this book is taking a page from the way law books are organized where the burden falls onto the student to define one's own study guide: But given the broadness of the audience of this book, that's not good enough. A chapter that is really weak on this count is Chapter 7, on State Privacy -- this is a bewildering mess (not only legally but in terms of what the book is trying to do), and the book really would be better if it directed the reader to an online guide on the various State-level rules. Indeed, one has to wonder if the whole pedagogical purpose would be better served by a sequence that goes law by law in chronological order, addressing scope as it goes along.
As a day-to-day guide, the book is awkward. Every one of these chapters should conclude with a concrete emphasis of key points: In particular, what is major and what is minor. Owing to the density of information here, it can't be all major: But the book is not good in helping the professional reader know what is truly critical, today. (On the bright side, all of the gritty detail is footnoted, so the interested reader can figure out where the discussion comes from.)
The last thing I want to note here is that this book is definitely a contemporary lawyer's idea of privacy -- so the account here is driven by competing business and governmental interests and the navigation of rules. But that's not the whole story. There is an anthropological dimension that is lacking. Our legal institutions are very invested in information privacy insofar as it is about documents and courtroom claims. But when we think about the world as a whole, we should wonder about how the experience of privacy works in, say, non-literate communities -- Or that we might have concerns about the ramifications of merely looking at or observing people in "private" situations; sometimes these are not reported or recorded but still we feel uneasy that they happen. Because the law is so invested in documents, there's something peculiarly missing here. Another thing that is a little weird here is that the book is really more narrowly about technology and privacy. I.e., I'm really not seeing much in this particular book that is not governed by that presumption. Can there be "privacy" without a consideration of "technology"? I'm thinking "yes" in the sense that you want to talk about that before going into whatever "technology" means. How do people feel "embarrassed" by a reveal of knowledge? The book has the usual allusions and citation of Justice Brandeis but I think it might kick off the very idea of privacy in a broader frame.
I wanted to give 5 stars - this is a really excellent resource, and it gives a really good framework on which to hang the hot mess that is the US data privacy landscape. I had to dock a star, though, because of the typos! Some typos aren't a big deal, but there are several that are material. A chapter ends on an incomplete sentence that's promising to tell us what we should be sure to remember - and there the sentence ends. In another spot, the wrong law is referenced. I know this really densely information-packed book had to be updated for this new edition very quickly, but these are problems! Largely, though, this is a really excellent resource. I recommend it highly to anyone wanting to get a good high level understanding of the US data privacy landscape.
Well, the book's purpose is to help you pass the CIPP/US exam, and it's written by the people who provide that exam and associated certification (IAPP). So it's got to be solid, right? All in all, no major complaints. I do have complaints about the IAPP, but they're not regarding this book. It's a solid summary of US privacy laws. And make no mistake about it -- this is to help you pass the CIPP/US, not necessarily to help you be a better practitioner of privacy law. Because it won't move the needle much on the latter. Most of the laws wouldn't be applicable to your job, and it provides almost no guidance regarding how to put any of this theory into practice. But again, that's not the point of the book.