I have been following the International Association of Privacy Professionals (IAPP) on social media for years.
Last month, it was time to put faces to names and attend my first conference with them—the IAPP Privacy. Security. Risk. 2019 conference, held in Las Vegas. The days were jam-packed with sessions, often with up to eight—eight(!)—concurrent tracks. Note to self for next year: bring more colleagues with me.
The learning sessions helped me understand how companies are handling the details of implementing major privacy laws. How are they operationalizing the new requirements? What security measures have changed since implementing these laws? How are companies developing their products and services differently to accommodate privacy laws?
My top six takeawaysPrivacy and security software vendors are here to help
Considering GDPR, CCPA, Brazil’s LGPD, and new laws debuting nearly every week (have you heard about the new Portuguese Data Protection Act?), it is hard to keep a handle on what laws a company must comply with. Software and service vendors have stepped up to assist.
I made sure to visit every exhibitor at the IAPP Privacy. Security. Risk. 2019 conference. I met with representatives from consulting agencies, software and service providers, and even one hardware company (of encrypted USB drives).
These providers help customers with:
privacy and risk assessments
consent and cookie management
privacy regulation information platforms
data subject access requests (DSAR)
vendor and third-party management
data breach stakeholder response
employee privacy learning
secure collaboration and communication
With specific, actionable privacy and security policies becoming codified into law across the globe, technology vendors have stepped up to the plate. Technology buyers need an unbiased way to help them compare these privacy and security products and services more than ever before. That’s where G2 comes in. G2 is a real-time review platform that helps businesses discover, buy, and manage their technology.
At G2, we are dedicated to building software and service categories that reflect the current market. That’s why we’re building new privacy-specific software and service categories where verified users can leave reviews of the software and services they use.
In the next few months, I plan to build out these new privacy categories on our site to reflect the current market. However, in the meantime, to help potential buyers understand which software and service providers are best for their company, read trusted and verified peer reviews on G2’s website for a variety of software.
What about other laws and regulations?
There’s GDPR and HIPPA, but you’ve already heard of those. There are privacy laws in Nevada that went into effect on 01 Oct 2019 that allow opt-out rights for data sales. There are pending privacy bills in New Jersey, Washington, New York, Connecticut, and Illinois along with Maine’s internet service provider (ISP) privacy bill which forbids ISPs from selling customer data.
There is the Children’s Online Privacy Protection Rule (COPPA) which is enforced by the Federal Trade Commission (FTC). COPPA imposes specific requirements on operators of websites or online services targeted at children under 13-years-old such as the collection of personal information from a child under 13. In Sept. 2019, the FTC found that YouTube violated COPPA which culminated in an unprecedented $170 million settlement. Expect further COPPA enforcement in the near future. Service providers, take note. Consider using identity verification software when you need to confirm an online user’s age.
While at the conference, I learned that the Video Privacy Protection Act (VPPA) of 1998 and its amendments are currently some of the strictest privacy laws in the United States. The law was enacted shortly after Supreme Court nominee Robert Bork’s video rental history was released in a newspaper. The FTC has reaffirmed that consumers’ entertainment consumption habits are “sensitive data,” citing the Cable Privacy Act. Though the VPPA was created for a time when video rentals happened in brick-and-mortar stores, it can limit any service that provides video content. Bottom line, to ensure businesses are covered, assume VPPA applies to your online video platforms and give appropriate disclosures to consumers.
Biometric law in the United States
Now that biometric authentication is used (and often misused) in mainstream society, there have been a flurry of lawsuits--over 300 filed in Illinois in just the last two years--using the Illinois Biometric Information Privacy Act (BIPA) of 2008. The law requires consent before collecting biometric identifiers including fingerprints, voiceprints, and face geometry. Most of the cases regard employers’ timekeeping practices, specifically those who require employees to clock in and clock out using fingerprint scans, but never gave proper notices nor received consent from their employees to collect this biometric information.
What’s at stake? Well, let’s agree on what defines a violation. Is each time an employee clocks in and out considered a violation? That’s an important point to define, since the law allows people to recover $1,000 for each negligent violation and $5,000 for each intentional violation. I can see the dollar signs flashing before your eyes. Business owners: ensure your notices and consent forms are in order.
Other recent and proposed biometric data laws include San Francisco and Oakland, which have banned facial recognition software use by police and other government bodies. Massachusetts has a bill that would put a moratorium on facial recognition and other biometric surveillance systems. At a federal level, Congress is considering a bill to ban commercial face recognition technology from collecting and sharing data for identifying or tracking consumers without their consent. If you currently use visitor behavior intelligence software that utilizes biometrics in your consumer-facing spaces, keep an eye on this kind of regulation.
Word to the wise. Get consent before collecting and storing biometric data.
How do businesses comply with so many privacy laws?
How do businesses manage existing privacy law requirements and prepare for the patchwork of future privacy regulations? This fragmented legal framework has many calling for a comprehensive federal privacy law. With today’s legislative gridlock, we will see if that shapes up.
In the meantime, consider using privacy law information software to understand what laws apply to your company based on where you do business. These tools offer comprehensive and current legal definitions for research, comparison charts based on location, advice on how to comply with the regulations, and templates to help model your company’s policies.
Ad tech: an uncertain future
Until recently, the ad tech industry was self-regulated; GDPR and CCPA are changing that. There are currently two self-regulatory bodies for ad tech--Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA). Founded in 2000, the Network Advertising Initiative (NAI) has voluntary membership and self-regulation guidelines. Founded in 2010, the Digital Advertising Alliance (DAA) has non-voluntary self-regulation policies. Enforcement is conducted by the Better Business Bureau (BBB).
Considering various new privacy regulations, the ad tech industry is bracing for change to their data flows. This June, the Information Commissioner’s Office in the United Kingdom issued a report with concerns about the ad tech industry’s real-time bidding processes since they do not meet GDPR privacy law compliance. Alice Lincoln of MediaMath said that compliance with GDPR laws has already reduced ad tech revenues. For the CCPA law, the ad tech industry must prepare to handle costly requests for access and deletion.
Costs of holding and handling data
A recurrent theme at the conference was understanding data risks. There are now greater costs to holding sensitive consumer data than ever before. Not only does a company risk fines in the case of leaked or hacked data, but there are real costs associated with processing consumer requests for their personal data.
Before keeping or collecting new data, companies must assess the value and risk of that data to their business. For example, is it necessary for a company to keep middle names on file to process retail orders? If not, get rid of that data.
Companies should be able to answer certain questions when determining their risk. Some of these questions include:
Where their consumer data is obtained and stored, and if it should it be secured?
If the consumer data is meeting CCPA and other requirements when collected?
What kind of consumer data is it and what business purposes is it used for?
What third parties have access to the data and how do they categorize it?
Does the data needs to be encrypted, redacted, anonymized, or disposed?
Bottom line: companies must understand why their business needs this data and the risks associated with collecting it.
Responding to data subject access requests (DSAR)
Responding to consumer requests to access or delete their information, also known as data subject access requests (DSAR), is a time consuming and costly undertaking. Many organizations are using data privacy platforms to reduce some of the burden. Many of these platforms offer data inventory and data mapping tools to uncover where consumer data is stored and who within or outside of the organization has access to that data. When a consumer DSAR request comes in, the organization knows from where to access or remove the data. Many data privacy platforms offer workflows to ensure employees across the organization reply to the DSAR in a timely fashion and ensure management can enforce the process. The platforms document that a company verified the consumer’s identity prior to processing the request and that the company successfully fulfilled its DSAR obligations. These functions are critical for showing compliance with the law.
IoT privacy and security
Internet of Things (IoT) devices have caused a stir in privacy and security now that there are so many commercially available devices for the home. While it’s tempting for manufacturers to build cheap hardware, they must acknowledge privacy and security regulations.
Something IoT manufacturers must keep in mind is using as little data as possible when building products. Why? To cut down on the expense of responding to data access or data deletion requests, as allowed in GDPR and CCPA legislation. If a manufacturer must collect data, build the product with privacy by design. Conduct a privacy impact assessment and identify your security requirements during the product design phase. In the product development phase, understand threat models, review code, and conduct penetration testing. Once the product has been released, the vendor must manage vulnerability and security updates.
There’s a myth that IoT devices are unregulated; it’s not true. Existing negligence and privacy laws apply, as well as Section 5 of the Federal Trade Commission Act, which prohibits businesses from conducting unfair methods of competition. In California, SB-327 passed in 2018, which beginning on Jan. 1, 2020, will “require a manufacturer of a connected device to equip the device with a reasonable security features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
Outside of legal issues, what do consumers want? Generally, consumers want an easily digestible “privacy nutrition label” on their devices. They want to quickly assess what data the device collects and for what purpose.
Would I go to the IAPP conference again?
Yes, I will definitely attend IAPP conferences in the future.
Meeting with the vendors in the exhibit hall was worth the cost of the conference ticket alone. Imagine the amount of time I saved by seeing live demos at the conference, versus scheduling multiple one-on-one demos back at my office. One of the most helpful parts of this conference was the ability to ask vendors comparative questions and get quick answers .
In case you missed the exhibit hall, here’s a list of the vendors who sponsored or exhibited at the IAPP Privacy. Security. Risk. 2019 conference.
Merry Marwig is a senior research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.