All Posts

A "global" privacy program that was built around U.S. state law usually isn't a global privacy program. Here's where the seams show. A common pattern: a U.S. company expands operations into Latin America — opens a Mexico City office, signs a Brazilian distributor, hires a customer success team in Colombia. The legal team is asked whether the company's privacy program covers the new operations. Someone looks at the CCPA program, decides it's a strong base, and tells the execut

Nineteen states. Three new ones this year. None of them agree. And the $12.75 million floor just got set. In late 2025, California regulators announced a $12.75 million settlement with General Motors for allegedly selling driver data — including precise geolocation and driving behavior — to consumer reporting agencies without adequate disclosure. As of this writing, it is the largest enforcement action under the California Consumer Privacy Act to date. The number is striking.

Most AI governance content assumes you're building a program before you launch AI. Almost nobody is. Walk into any U.S. company with more than fifty employees today and you'll find something interesting: there's already AI in production. A copilot in customer support. An agent that triages incoming tickets. A model summarizing legal documents. A vendor whose product quietly added an LLM to a feature you thought was rules-based. Most of it got there without a privacy review, w

🧑🏽‍💻 The United Nations (UN) report A/77/196, published on July 20th, ‘22 discusses the principles delineating the right to privacy...