Protect Your Data: How Blacklight Can Help You Avoid Mortgage Broker Websites Sharing Your Data with Facebook

How Mortgage Broker Websites Share Your Data

Mortgage broker websites share sensitive user data, such as estimated credit scores, addresses, and veteran status, with Facebook via Meta Pixel. This small software collects information as users fill out applications and browse home-buying pages, transmitting it to Facebook to develop more targeted ads.

Avoid Data Sharing with Blacklight

Users applying for a mortgage can avoid their information being shared with Facebook by using tools like Blacklight. Developed by The Markup, Blacklight is a “real-time privacy inspector” that reveals which mortgage broker websites share users’ information.

How Blacklight Protects Your Privacy

Blacklight helps users identify and avoid websites that track personal information by scanning for various tracking technologies:

  • Ad Trackers and Third-Party Cookies: Blacklight scans for ad trackers and third-party cookies, which profile users based on their internet usage.
  • Canvas Fingerprinting: Blacklight identifies trackers using canvas fingerprinting, which creates a unique image on your computer to track you across different websites.
  • Session Recording: The tool detects websites that record user sessions, capturing clicks and scrolls on a page.
  • Keystroke Logging: Blacklight spots websites that track and record individual keys pressed by users in real time.
  • Facebook Pixel and Google Analytics: Blacklight identifies websites with Facebook Pixel code or tracking permissions granted to Google Analytics.

Take Control of Your Data

Using Blacklight is a proactive step in protecting your personal information. Regularly scan the websites you visit to stay informed and take control of your data.

For more information check out our services or contact us today.

(This is not intended as legal advice. Contact a lawyer for assistance in your particular situation.)

Protecting Your Business’s Various Assets

Businesses today have more types of informational assets than they may initially realize.  These assets include company data, intellectual property, confidential information, and personally identifiable information.  While these categories are related, and in many cases overlap (for example, client lists, know-how, etc.), businesses should consider important distinctions between such assets that require different handling and protections.  These issues are particularly relevant in relationships between your business and a third party, for example:

  • Employee and independent contractor agreements that address access and use of such assets
  • Contracts with vendors (such as creative, technology, and manufacturing providers)
  • Business arrangements such as joint venture, investor, and profit-sharing agreements
  • Policies and agreements addressing privacy and data security

To ensure your assets are properly protected, your business needs written documents that clearly address ownership of each type of asset, and the rights and obligations of each party.  Our goal is to help your business obtain the desired outcome in any given relationship, and we can help you carefully consider how to treat certain types of information/assets and recognize aspects that may require they are handled differently.

Company Data

During the course of business, you may share certain company data with vendors, business partners, etc., that does not necessarily fall under the definition of PII, Confidential Information, or Intellectual Property.  However, it is important that businesses still protect such data, and we can assist by ensuring that language addressing your business’s ownership of company data, the retention and return/deletion of such data, etc., is included in all relevant contracts.  If your company follows a data management policy that mentions security and retention of data, that policy may be something you ask third parties you contract with/that you will be sharing data with to follow as well.  Including an overarching term for your company’s data/assets can help ensure that any information not otherwise defined does not slip through the cracks.

Intellectual Property

Intellectual Property generally refers to a company’s patents, trademarks, copyrights, and trade secrets.  Intellectual Property is a huge value to a business and should be treated by companies as a distinct asset whereby ownership, liability, and indemnity of the same is carefully considered when entering into agreements with third parties.  Businesses may wish to clearly address Intellectual Property in any internal data management and security policies as well.

Confidential Information

The term “Confidential Information” broadly refers to a business’s proprietary information and is commonly defined in agreements.  However, many contractual provisions covering parties’ treatment of Confidential Information are bilateral, meaning that the same obligations are placed on both parties to the agreement.  Thus, companies should be aware of the responsibilities they are agreeing to take on regarding their treatment of the other party’s Confidential Information.  An attorney can also assist you with drafting contractual language that addresses unintended disclosures of Confidential Information.

Personally Identifiable Information (PII)

Several U.S. states have enacted data privacy laws that place requirements on covered businesses regarding their treatment of consumers’ PII.  Further, all U.S. states have passed some type of legislation that addresses data breaches involving PII.  Because PII is becoming more and more regulated, businesses should ensure that their internal data management/security programs, as well as their contracts with third parties, clearly define PII and set out requirements regarding the treatment of this type of information.  Best practices also require that businesses protect consumers’ PII via reasonable security measures considering the nature of the information.


The different types of data and assets mentioned above all provide unique value, but also present discrete threats to your company if not treated distinctly and properly.  We recommend having an attorney draft or review your business’s contracts with third parties to ensure that your assets are properly considered and protected, and that you have minimized legal risks as much as reasonably possible.

Rina Van Orden, Esq. and Courtney Reigel, Esq.


(This is not intended as legal advice. Contact a lawyer for assistance in your particular situation.)

Virginia Becomes 2nd State to Pass Comprehensive Data Privacy Law

On March 2nd, Governor Ralph Northam signed into law the Consumer Data Protection Act (“CDPA”), making Virginia the second state to enact comprehensive data privacy legislation.  The new law, which will go into effect on January 1, 2023, combines concepts from the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), as well as Europe’s General Data Protection Regulation (“GDPR”).  The CDPA grants numerous rights to residents of the Commonwealth to provide them with greater control over their personal data, and places new obligations upon covered businesses.  Specifically, the law gives Virginia residents (“consumers”) the right to access, correct, delete, and obtain a copy of their personal data, as well as the right to opt out of the sale or processing of their personal data by covered businesses for purposes of “targeted advertising.”[1]  The CDPA broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and excludes de-identified data or publicly available information.  Virginia’s new law also creates a special sub-category for “sensitive data” that includes: “(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (3) the personal data collected from a known child; or (4) precise geolocation data.”

Who is Covered?

The CDPA applies to businesses, whether physically located in Virginia or not, that conduct business in or target residents of the Commonwealth, and that either: (1) control or process the personal data of at least 100,000 consumers, or (2) derive over 50 percent of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.  In addition to excluding small business from its scope, Virginia’s law includes several other exemptions and provisions making it generally more business-friendly than Europe’s and California’s laws.   For example, the CDPA excludes non-profit organizations and institutions of higher education, as well as businesses that meet the above thresholds but are already subject to federal privacy laws such as the Gramm-Leach-Bliley Act and HIPPA.[2]  The law also defines “consumer” as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.”  While California passed temporary business-to-business (“B2B”) and employment-related exemptions to lessen the burden of businesses’ compliance with the CCPA, the Virginia law considers and includes built-in exceptions for these types of personal data.

Requirements for Covered Businesses

Businesses subject to the provisions of the CDPA will need to develop processes to allow consumers to exercise the above-mentioned rights.  Covered businesses should also prepare to comply with the following obligations under the new law:

  1. The requirement that covered businesses provide a reasonably accessible, clear, and meaningful privacy notice (often referred to as a “privacy policy”) that includes specific information as outlined by the law.
  2. The requirement that covered businesses considered “controllers” put contracts in place with third party “processors” of personal data containing specific provisions related to the handling of consumers’ personal data.[3] Thus, businesses subject to the CDPA should adopt standard contractual language to include in any agreements with vendors that will touch personal data.
  3. The requirement that covered businesses limit the collection of personal data to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and that such businesses “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”[4]
  4. The requirement that covered businesses conduct and document a formal “data protection assessment.” The assessment must include specific information related to businesses’ processing of personal data.  The Office of Attorney General may request a copy of a business’s data protection assessment under its investigative authority (which, for example, is likely to occur during its investigation into a covered business’s data breach).
  5. The requirement that covered businesses obtain affirmative consent from consumers before collecting and using “sensitive data.” Because affirmative consent is not currently required under California’s data privacy laws, many covered businesses will likely need to consider how they will obtain such consent and if/why they are processing sensitive data, specifically.


The CDPA will be enforced by Virginia’s Office of the Attorney General, which will have investigative authority and may seek injunctions and/or impose civil penalties of up to $7,500 per infraction for covered businesses that violate the law.  Any penalties and fees collected will go into a “Consumer Privacy Fund” used to support the work of the Office of the Attorney General to enforce the provisions of the CDPA.  Like the CCPA, Virginia’s new law also provides for a 30-day cure period for violations.  However, quite notably and unlike the CCPA, the CDPA does not include any private right of action.  Further, while the Virginia law does not contain language regarding rulemaking authority or procedures, it creates a “work group” to review the CDPA and issues related to its implementation.[5]  The work group’s findings, best practices, and recommendations regarding the implementation of the CDPA shall be submitted to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.

Generally, the CDPA avoids several areas of uncertainty that lawmakers and California’s Attorney General, as well as covered businesses seeking to comply, encountered during the rollout of the CCPA.  Thus, Virginia’s law may provide a clearer model for consumers and businesses to follow, as well as for other states and possibly the federal government when developing their own data privacy legislation.  Gavin Law Offices, PLC will continue to monitor updates regarding the CDPA and other U.S. data privacy laws.

(This blog post is not intended as legal advice.  Please contact us for more information and assistance regarding your particular situation.)

[1] “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.  “Targeted advertising” does not include: (1) Advertisements based on activities within a controller’s own websites or online applications; (2) Advertisements based on the context of a consumer’s current search query, visit to a website, or online application; (3) Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or (4) Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.

[2] This language is considerably more favorable for businesses than a similar exception under the CCPA, which applies to only “personal information” collected, processed, sold, or disclosed pursuant to a specified federal law such as GLBA or HIPPA, and does not exclude the entity as a whole like the new Virginia law.

[3] Under the CDPA, “controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.  Meanwhile, “processor” means a natural or legal entity that processes personal data on behalf of a controller.  Both terms will be familiar to those acquainted with data privacy legislation, as they are borrowed from the GDPR.

[4] This “reasonable” safeguard standard is also included in the CCPA/CPRA and the GDPR.  The CDPA also includes language that “such data security practices shall be appropriate to the volume and nature of the personal data at issue.”  Thus, like existing data privacy law, Virginia’s will allow businesses to determine their own “reasonable” security practices and does not obligate covered businesses to put in place any specific data security measures.

[5] Specifically, the “Chairman of the Joint Commission on Technology and Science shall create a work group composed of the Secretary of Commerce and Trade, the Secretary of Administration, the Attorney General, the Chairman of the Senate Committee on Transportation, representatives of businesses who control or process personal data of at least 100,000 persons, and consumer rights advocates.”  Interestingly, this does not include representatives of businesses who derive over 50 percent of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.


–  Courtney Reigel, Esq.

2021 JOLT Symposium: Emerging Technology in Law

Rina Van Orden recently attended the University of Richmond’s Journal of Law & Technology Spring Symposium. The event focused on “Emerging Technology in Lawand included topics such as artificial intelligence, blockchain, and bridging the access gap.

One panel covered “The Future of Law Post-Pandemic” presented by Sharon Nelson and John Simek. Nelson and Simek covered the many ways that the past year has changed the ways we work. Legal considerations for modifying operations represent their own opportunities for creative solutions. Web-based solutions like electronic signature and document services have helped maintain integral professional processes. Similarly, telecommunicating services provide safe ways to consult with coworkers and clients.

The event concluded with an engaging panel focused on Women in Technology Law. A highlight of the event, this topic was particularly relevant to our firm. The panel included attorneys, educators, and other professionals who were able to give perspective on what it’s like to be a woman in this field and ways to increase future technology law opportunities.

We want to thank the Journal of Law & Technology for a wonderful program. As the legal industry grows and adapts, we continue to stay informed of the ways to better serve you.

U.S. Data Privacy Law – 2020 Update 

By now, many of you have likely heard of the California Consumer Privacy Act (the “CCPA”).  The law, passed by California’s State Legislature in 2018, became effective on January 1, 2020.  The CCPA gives California residents more control over the personal information that businesses collect about themgranting residents the right to know how businesses use/share their personal information, the right to request that a business delete their collected personal information, and the right to opt-out of the sale of their personal information.  The CCPA borrows many of its provisions from the European Union’s General Data Protection Regulation (“GDPR”) While many believed that the GDPR (adopted by the EU in 2016) would serve as a catalyst for the United States to enact similar data privacy law, the U.S. has yet to pass, or even seriously consider, any comparably comprehensive data privacy legislation at the national level.  

While several other states have passed data privacy and protection laws since 2018, arguably none have enacted laws as extensive as the CCPA.  However, due to revisions California’s legislature made to the original text of the CCPA, as well as certain language included in the Final CCPA Regulations published by California’s Office of the Attorney General (OAG) earlier this year, many Californians and consumer advocacy groups do not believe the CCPA goes far enough to protect consumers’ personal information.  Thus, on election day this year, California voters approved ballot initiative “Proposition 24”  the California Privacy Rights Act of 2020 (the “CPRA”).  The CPRA gives additional rights to California residents and further limits businesses ability to use/sell/share personal informationamending and expanding upon the CCPA.   

Most of the CPRA’s substantive provisions will not become effective until January 1, 2023.  However, businesses may begin preparing for compliance with the CPRA by familiarizing themselves with the following highlights of the new law: 
  1. Applicability Just because the CCPA was or was not applicable to your business does not mean the same for the CPRA.  For example, the CPRA will cover businesses that buy, sell, or share over 100,000 consumers personal information (up from 50,000 under the CCPA), reducing the applicability of the law to small and midsize businesses. 
  1. Enforcement – The CCPA is currently enforced by California’s Office of the Attorney General (OAG) However, the CPRA establishes the California Privacy Protection Agency, which will have investigative, enforcement, and rulemaking powers instead of the OAG.  The CPRA also removes the 30-day cure period businesses have under the CCPA and increases maximum penalties for violations concerning minors. 
  1. New category of “sensitive personal information – The CPRA will keep the existing categories of personal information defined in the CCPA, but will add a new category for “sensitive personal information.”  Californians will have increased rights when their sensitive personal information is involved.  
  1. Expanded contractual requirements – The CPRA limits the use of personal information by service providers and contractors and adds contractual requirements regarding relationships between businesses and such third parties.   
  1. Modifying/adding new consumer rights – New rights include the CPRA’s expansion of an individuals’ private right of action for certain types of data breaches and requires that covered businesses provide consumers with two or more methods for submitting requests to correct inaccurate personal information 
  1. Regulates “sharing” in addition to “selling” personal information, to include cross-context behavioral advertising – The CPRA expands upon the CCPA’s limitations on businesses “sale” of consumers’ personal information to cover the “sharing” of consumers’ personal information even if such information is not being sold for monetary value.  Specifically, this will regulate cross-context behavioral advertising,” defined by the CPRA as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”  Businesses that share personal information, including in the cross-context behavioral advertising context, will need to provide an opt-out choice for consumers, such as “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”    

The above highlights, as well as the other provisions of the CPRA, bring California’s data privacy laws closer to resembling the GDPR.  It will be interesting to see whether other states follow suit in 2021.  While Virginia established a task force to study data privacy issues last General Assembly session, it has not yet passed any data privacy law as comprehensive as the CCPA/CPRA.  The Commonwealth, as well as numerous other states, will likely consider data privacy legislation next year. 

In the meantime, while the effective date of the CPRA may seem far away, California’s OAG continues to publish updates to the CCPA Regulations and to enforce existing law.  For example, while the Final Text of the CCPA Regulations was published in August, the OAG released fourth set of modifications to the Regulations on December 10, 2020.  The latest modifications include further clarifications on the CCPA, including much-awaited guidance on the “Do Not Sell My Personal Information ‘Button.’”  Thus, businesses still need to regularly review their CCPA compliance while they prepare for the CPRA.  You can find more information on the CCPA, including updates, here:  Gavin Law Offices will continue to track data privacy-related issues in California, Virginia, and across the U.S. and abroad, and are here to help you navigate this complex field of law. 

– Courtney Reigel, Esq.


For more information on our data privacy experience and services, click here