Jordan Francis
@jordfran.bsky.social
1.3K followers 180 following 180 posts
Senior Policy Counsel @futureofprivacy.bsky.social | Nonresident Fellow cordellinstitute.wustl.edu | JD, UMN Law | CIPP/US, CIPP/E, CIPM | Views expressed here are my own. Likes and reposts are not endorsements.
Posts Media Videos Starter Packs
jordfran.bsky.social
This is a season for sipping tea, enjoying cooler temperatures, and writing as many reports as I can crank out before January rolls around
jordfran.bsky.social
Even in the "off-season" for legislative tracking, California is keeping me busy. Governor Newsom signed several privacy bills today, including AB 566, requiring businesses that develop a browser to include a user-enabled setting to send an opt-out preference signal ⬇️
www.gov.ca.gov/2025/10/08/g...
Governor Newsom signs data privacy bills to protect tech users | Governor of California
www.gov.ca.gov
jordfran.bsky.social
According to Macko, there are “hundreds” of open investigations, many of which concern businesses who have not yet been alerted by the agency.

⏩ Read the announcement here: cppa.ca.gov/announcement...

⏩ Read about the agency's enforcement update here: www.jdsupra.com/legalnews/ca...
jordfran.bsky.social
One of the consortium's purposes is to "coordinate efforts to investigate potential violations of applicable laws." This is especially interesting to me in light of CalPrivacy's September board meeting, at which Deputy Director of Enforcement Michael Macko provided an update on enforcement efforts
jordfran.bsky.social
Minnesota and New Hampshire joined the "Consortium of Privacy Regulators," according to CalPrivacy. The consortium now includes California, Colorado, Connecticut, Delaware, Indiana, New Hampshire, New Jersey, Minnesota, and Oregon.
jordfran.bsky.social
Yes. Not actually necessary for the job, but in most interviews I was told that they would only hire someone who could also do patent prosecution.
jordfran.bsky.social
This is my experience. During law school I wanted to be a patent lawyer and being patent bar ineligible was disqualifying for most jobs (even litigation).
jordfran.bsky.social
It's an important day in state privacy law as both the Maryland Online Data Privacy Act and youth privacy amendments to the Colorado Privacy Act go into effect.

⏩ Looking to stay on top of all these state laws? See FPF's effective dates chart at fpf.org/statelaws.
Key Dates for State Privacy Laws – Future of Privacy Forum
A significant new chapter for data privacy protections in the United States has commenced as more than twenty recently enacted significant state privacy laws have taken effect by July 1, 2025. To assi...
fpf.org
jordfran.bsky.social
Excited to share that I have been promoted to Senior Policy Counsel! Much like the state privacy law landscape, I've grown and evolved during my two years at FPF, and I'm excited to take on new responsibilities. As always, I'm grateful to my colleagues for their support and confidence in me.
jordfran.bsky.social
The Massachusetts Data Privacy Act (S.2608) passed the Senate 40-0 today, with several adopted amendments.
jordfran.bsky.social
The 2025 state legislative session is winding down but not over yet. Last week the Massachusetts Senate Committee on Ways & Means favorably reported a new comprehensive privacy bill, S.2608, as a substitute for S.2516. Read it here: malegislature.gov/Bills/194/S2...
What changed between drafts?
Bill S.2608
malegislature.gov
jordfran.bsky.social
Poetic considering how all of this started. The escalator giveth, the escalator taketh away.
jordfran.bsky.social
This is one bill worth keeping an eye on as we close out the year!
jordfran.bsky.social
• This bill would ban the sale of sensitive data (“sensitive data” is defined broadly and includes some uncommon categories such as government-issued identifiers and neural data); and
• The Attorney General would have rulemaking authority.
jordfran.bsky.social
• This bill would require affirmative consent to "transfer" a consumer's sensitive data to a third party, in addition to a MODPA-style restriction on transferring sensitive data unless doing so is "strictly necessary" to provide a requested product or service;
jordfran.bsky.social
• This bill includes a broad definition of "decisions that produce legal or similarly significant effects concerning the consumer," including decisions that result in "access to" the listed goods and services, not just the provision or denial of them;
jordfran.bsky.social
3. Some outlier provisions: This bill includes a few provisions that would either be novel or are found in only a minority of existing state comprehensive privacy laws. To name a few—
jordfran.bsky.social
2. Narrowed focus: This new bill is slimmed down and now only includes comprehensive consumer privacy legislation. The prior draft, in contrast, included sections concerning data broker registration, an accessible deletion mechanism for data brokers, and the Location Shield Act.
jordfran.bsky.social
For example, the substantive data minimization requirements are changed but still tie to what's necessary to provide a requested product or service. For background on Maryland-style substantive data minimization, see my report from earlier this year: fpf.org/wp-content/u...
fpf.org
jordfran.bsky.social
1. New model: The prior draft was modeled on the American Data Privacy & Protection Act (ADPPA), a 2022 federal bill. This new draft is based on the Maryland Online Data Privacy Act (MODPA). MODPA was heavily inspired by ADPPA, so many of the key aspects of the bill remain similar to before.
jordfran.bsky.social
The 2025 state legislative session is winding down but not over yet. Last week the Massachusetts Senate Committee on Ways & Means favorably reported a new comprehensive privacy bill, S.2608, as a substitute for S.2516. Read it here: malegislature.gov/Bills/194/S2...
What changed between drafts?
Bill S.2608
malegislature.gov
jordfran.bsky.social
Some personal news: I wanted to share that I recently relocated from Washington, DC back to Madison, WI, a city near-and-dear to my heart. I am extremely grateful to be continuing my role with FPF remotely, and I look forward to connecting with privacy and tech policy folks in Wisconsin!
jordfran.bsky.social
I couldn't remember if they had amended it to remove "browser engines" yet 😅
jordfran.bsky.social
Yes, I believe it has been amended to address concerns about the technology's suitability to mobile
jordfran.bsky.social
One of many important privacy bills to follow in California this week as they approach the end of the legislative session:
tomkemp00.bsky.social
Great to see #CALeg #AB566 pass the Senate, now back to the Assembly. This is the California Opt Me Out Act, that requires browsers to support Global Privacy Control (GPC) aka Opt-Out Preferences Signals (OOPS)