I have been following the International Association of Privacy Professionals (IAPP) on social media for years.
Last month, it was time to put faces to names and attend my first conference with them—the IAPP Privacy. Security. Risk. 2019 conference, held in Las Vegas. The days were jam-packed with sessions, often with up to eight—eight(!)—concurrent tracks. Note to self for next year: bring more colleagues with me.
The learning sessions helped me understand how companies are handling the details of implementing major privacy laws. How are they operationalizing the new requirements? What security measures have changed since implementing these laws? How are companies developing their products and services differently to accommodate privacy laws?
Six takeaways:
Considering GDPR, CCPA, Brazil’s LGPD, and new laws debuting nearly every week (have you heard about the new Portuguese Data Protection Act?), it is hard to keep a handle on what laws a company must comply with. Software and service vendors have stepped up to assist.
I made sure to visit every exhibitor at the IAPP Privacy. Security. Risk. 2019 conference. I met with representatives from consulting agencies, software and service providers, and even one hardware company (of encrypted USB drives).
With specific, actionable privacy and security policies becoming codified into law across the globe, technology vendors have stepped up to the plate. Technology buyers need an unbiased way to help them compare these privacy and security products and services more than ever before. That’s where G2 comes in. G2 is a real-time review platform that helps businesses discover, buy, and manage their technology.
At G2, we are dedicated to building software and service categories that reflect the current market. That’s why we’re building new privacy-specific software and service categories where verified users can leave reviews of the software and services they use.
In the next few months, I plan to build out these new privacy categories on our site to reflect the current market. However, in the meantime, to help potential buyers understand which software and service providers are best for their company, read trusted and verified peer reviews on G2’s website for a variety of software.
There’s GDPR and HIPPA, but you’ve already heard of those. There are privacy laws in Nevada that went into effect on 01 Oct 2019 that allow opt-out rights for data sales. There are pending privacy bills in New Jersey, Washington, New York, Connecticut, and Illinois along with Maine’s internet service provider (ISP) privacy bill which forbids ISPs from selling customer data.
There is the Children’s Online Privacy Protection Rule (COPPA) which is enforced by the Federal Trade Commission (FTC). COPPA imposes specific requirements on operators of websites or online services targeted at children under 13-years-old such as the collection of personal information from a child under 13. In Sept. 2019, the FTC found that YouTube violated COPPA which culminated in an unprecedented $170 million settlement. Expect further COPPA enforcement in the near future. Service providers, take note. Consider using identity verification software when you need to confirm an online user’s age.
While at the conference, I learned that the Video Privacy Protection Act (VPPA) of 1998 and its amendments are currently some of the strictest privacy laws in the United States. The law was enacted shortly after Supreme Court nominee Robert Bork’s video rental history was released in a newspaper. The FTC has reaffirmed that consumers’ entertainment consumption habits are “sensitive data,” citing the Cable Privacy Act. Though the VPPA was created for a time when video rentals happened in brick-and-mortar stores, it can limit any service that provides video content. Bottom line, to ensure businesses are covered, assume VPPA applies to your online video platforms and give appropriate disclosures to consumers.
Biometric law in the United States
Now that biometric authentication is used (and often misused) in mainstream society, there have been a flurry of lawsuits--over 300 filed in Illinois in just the last two years--using the Illinois Biometric Information Privacy Act (BIPA) of 2008. The law requires consent before collecting biometric identifiers including fingerprints, voiceprints, and face geometry. Most of the cases regard employers’ timekeeping practices, specifically those who require employees to clock in and clock out using fingerprint scans, but never gave proper notices nor received consent from their employees to collect this biometric information.
What’s at stake? Well, let’s agree on what defines a violation. Is each time an employee clocks in and out considered a violation? That’s an important point to define, since the law allows people to recover $1,000 for each negligent violation and $5,000 for each intentional violation. I can see the dollar signs flashing before your eyes. Business owners: ensure your notices and consent forms are in order.
Other recent and proposed biometric data laws include San Francisco and Oakland, which have banned facial recognition software use by police and other government bodies. Massachusetts has a bill that would put a moratorium on facial recognition and other biometric surveillance systems. At a federal level, Congress is considering a bill to ban commercial face recognition technology from collecting and sharing data for identifying or tracking consumers without their consent. If you currently use visitor behavior intelligence software that utilizes biometrics in your consumer-facing spaces, keep an eye on this kind of regulation.
Word to the wise. Get consent before collecting and storing biometric data.
How do businesses comply with so many privacy laws?
How do businesses manage existing privacy law requirements and prepare for the patchwork of future privacy regulations? This fragmented legal framework has many calling for a comprehensive federal privacy law. With today’s legislative gridlock, we will see if that shapes up.
In the meantime, consider using privacy law information software to understand what laws apply to your company based on where you do business. These tools offer comprehensive and current legal definitions for research, comparison charts based on location, advice on how to comply with the regulations, and templates to help model your company’s policies.
Until recently, the ad tech industry was self-regulated; GDPR and CCPA are changing that. There are currently two self-regulatory bodies for ad tech--Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA). Founded in 2000, the Network Advertising Initiative (NAI) has voluntary membership and self-regulation guidelines. Founded in 2010, the Digital Advertising Alliance (DAA) has non-voluntary self-regulation policies. Enforcement is conducted by the Better Business Bureau (BBB).
Considering various new privacy regulations, the ad tech industry is bracing for change to their data flows. This June, the Information Commissioner’s Office in the United Kingdom issued a report with concerns about the ad tech industry’s real-time bidding processes since they do not meet GDPR privacy law compliance. Alice Lincoln of MediaMath said that compliance with GDPR laws has already reduced ad tech revenues. For the CCPA law, the ad tech industry must prepare to handle costly requests for access and deletion.
A recurrent theme at the conference was understanding data risks. There are now greater costs to holding sensitive consumer data than ever before. Not only does a company risk fines in the case of leaked or hacked data, but there are real costs associated with processing consumer requests for their personal data.
Before keeping or collecting new data, companies must assess the value and risk of that data to their business. For example, is it necessary for a company to keep middle names on file to process retail orders? If not, get rid of that data.
Companies should be able to answer certain questions when determining their risk. Some of these questions include:
Bottom line: companies must understand why their business needs this data and the risks associated with collecting it.
Responding to data subject access requests (DSAR) Responding to consumer requests to access or delete their information, also known as data subject access requests (DSAR), is a time consuming and costly undertaking. Many organizations are using data privacy platforms to reduce some of the burden. Many of these platforms offer data inventory and data mapping tools to uncover where consumer data is stored and who within or outside of the organization has access to that data. When a consumer DSAR request comes in, the organization knows from where to access or remove the data. Many data privacy platforms offer workflows to ensure employees across the organization reply to the DSAR in a timely fashion and ensure management can enforce the process. The platforms document that a company verified the consumer’s identity prior to processing the request and that the company successfully fulfilled its DSAR obligations. These functions are critical for showing compliance with the law.
Internet of Things (IoT) devices have caused a stir in privacy and security now that there are so many commercially available devices for the home. While it’s tempting for manufacturers to build cheap hardware, they must acknowledge privacy and security regulations.
Something IoT manufacturers must keep in mind is using as little data as possible when building products. Why? To cut down on the expense of responding to data access or data deletion requests, as allowed in GDPR and CCPA legislation. If a manufacturer must collect data, build the product with privacy by design. Conduct a privacy impact assessment and identify your security requirements during the product design phase. In the product development phase, understand threat models, review code, and conduct penetration testing. Once the product has been released, the vendor must manage vulnerability and security updates.
There’s a myth that IoT devices are unregulated; it’s not true. Existing negligence and privacy laws apply, as well as Section 5 of the Federal Trade Commission Act, which prohibits businesses from conducting unfair methods of competition. In California, SB-327 passed in 2018, which beginning on Jan. 1, 2020, will “require a manufacturer of a connected device to equip the device with a reasonable security features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”
Outside of legal issues, what do consumers want? Generally, consumers want an easily digestible “privacy nutrition label” on their devices. They want to quickly assess what data the device collects and for what purpose.
Yes, I will definitely attend IAPP conferences in the future.
Meeting with the vendors in the exhibit hall was worth the cost of the conference ticket alone. Imagine the amount of time I saved by seeing live demos at the conference, versus scheduling multiple one-on-one demos back at my office. One of the most helpful parts of this conference was the ability to ask vendors comparative questions and get quick answers .
In case you missed the exhibit hall, here’s a list of the vendors who sponsored or exhibited at the IAPP Privacy. Security. Risk. 2019 conference.
If you’re looking to meet industry peers and learn more about current and emerging trends in privacy and security space, the IAPP Privacy. Security. Risk. conference is an excellent resource.
*Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.*
OneTrust, a data privacy platform vendor, announced in a press release on Nov. 20, 2019, its...
by Merry Marwig, CIPP/US
One of the hottest topics in data privacy management in 2020 is automation—specifically,...
by Merry Marwig, CIPP/US
G2’s 2022 Fall Reports for software categories are out. Let’s get an update on the state of...
by Merry Marwig, CIPP/US