Data Privacy 101
Deborah Shinbein Howitt
Lewis Bess Williams & Weese
Comparing Privacy and Security
Privacy
• Concerned with collection and use of data
– What type of data is being collected?
– Why is the data being collected?
– Are you collecting more than needed?
– How may the data be used?
– Are there harms from collecting or using it?
– Who should be permitted to access the data?
Security
• Concerned with the protection of data from unwanted access or loss
• Measures taken to prevent:
– Unwanted intruders
– Loss of data
– Violations of data integrity
Privacy is a Fundamental Right
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
- Universal Declaration of Human Rights – Art. 12
Categories of Information
• “Personally identifiable information” (PII): can be linked to a specific individual
o Name, e-mail, full postal address, birth date, social security number, driver’s license number, account numbers, username, biometric data
• “Non-personally identifiable information” (non-PII) cannot, by itself, be used to identify a specific individual
o Aggregate data, zip code, area code, city, state, gender, age
• Gray area: may potentially be PII
o Anonymized, de-identified or pseudonymized data
o Non-PII may become identifiable when linked with other data such as persistent identifiers
› Geolocation data
› Site history and viewing patterns
Privacy Legal Framework
• U.S. has a patchwork of laws and regulations governing the collection, use, and security of personally identifiable information
• Challenges: which laws apply to which data
• How to comply with multiple laws (often inconsistent)
• FTC
• State laws
• Federal sectoral laws (HIPAA, GLBA, FERPA, etc.)
• Email laws: CAN-SPAM, CASL
• Children’s data (COPPA)
• Telephone Consumer Protection Act
• Various laws applicable if using “big data”
• Self regulatory regimes
• Laws of other countries
Federal Trade Commission
Authority from Sec. 5 of FTC Act: “unfair and deceptive practices in or affecting commerce”
• Deceptive: “material representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment”
› Use/dissemination of PII in violation of a privacy policy
› Insufficient notice re: data collection/use practices (downloading spyware onto computer without consent)
› Poor security practices if promised otherwise
• Unfair: likely to cause substantial injury to consumers without countervailing benefit to consumers or competition, and is not reasonably avoidable
› Retroactive changes, deceitful collection, improper use, unfair design/default settings, “unfair” data security practices, more
Federal Trade Commission (cont.)
Fair Information Practice Principles (FTC in 1998, but concepts around much earlier)
• Notice: provide appropriate notice re: collection, use, other practices
• Choice: provide choice re: actions with data
• Access: individuals should be able to know what is being done with their data
• Security: data should be adequately protected
• Enforcement: sanctions for noncompliance
Privacy policy disclosures (web and mobile):
- Follow FIPPs and disclose accordingly
- Obtain consent as appropriate based upon nature of the data/uses
- Say what you do/do what you say
- Examples of enforcement:
- Misrepresentation re: privacy of information (Facebook)
- Failure to notify re: unexpected data collection practices (Brightest Flashlight Free)
- Insufficient disclosure of location advertising/tracking (Nomi)
FTC: CAN-SPAM
FTC enforcement: up to $16,000 per email
Applies to commercial emails, the “primary purpose of which is commercial advertisement or promotion”
– Compare with transactional/relationship messages
Prohibits knowingly sending commercial messages with intent to deceive or mislead recipients
If one company is sending on behalf of another, both can be liable for violations
FTC: CAN-SPAM (cont.)
Basic requirements:
– Opt-out – must include unsubscribe link in every email, must process in 10 business days
› Opt-out means must be functional for 30 days
– No false or misleading header info (sender of message, etc.)
– No deceptive subject lines
– Identify message as an ad
– Include physical address
– Additional requirements for sexually explicit content
FTC: COPPA
Children’s Online Privacy Protection Act
• Applies to sites/apps collecting information (or enabling its collection) if:
– Directed at kids, or
– Actual knowledge that they are collecting information from users under age 13 (Yelp)
• Broad definition of covered information (geolocation, photos, voice, etc.)
• Primary requirements:
– Obtain verifiable parental consent for the collection, use, or disclosure of personal information from children before it is collected
– Post notice on site re: what information is collected from children, how it is used, and disclosure practices for such information
– Maintain confidentiality & security of information collected from kids
– Do not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary
State Data Privacy/Security Laws
Applicable based on location of the individual
PII covered varies
• Typically first & last name + SSN, driver’s license, credit/debit card, or financial acct. number w/ password
• Broader in some states (any online acct/pswd, biometric data, etc.)
Variations – some to watch include
• MA is the most stringent re: security
– Requires written policies with specific elements, and includes computer security requirements, encryption requirements, and much more
– Must oversee service providers (+ contracts)
• NV incorporates PCI and has encryption requirements
State Data Privacy/Security Laws (cont.)
California – leader in data privacy
• Online privacy policies
– Policy must be conspicuous
– Websites must disclose
› how they respond to Do Not Track (DNT) signals from browsers and other mechanisms
› whether third parties use or may use the site to track (i.e., collect personally identifiable information about) individual California residents “over time and across third party websites.”
State Data Privacy/Security Laws (cont.)
California (continued)
• “Online eraser” law for minors
– Sites and apps “directed” to minors, or that have actual knowledge that a user is a minor, must allow registered users under 18 to remove (or ask the provider to remove or anonymize) publicly posted content
• Must disclose information shared for direct marketing purposes (upon request)
• Restricts online advertising of certain categories to under 18
State Data Privacy/Security Laws (cont.)
Illinois Biometric Information Privacy Act
• “Biometrics” is the measurement and analysis of an individual’s physical and behavioral characteristics
– May include fingerprints, voice prints, vein patterns in a palm, retinal scan, etc.
• Requires
– informed consent prior to collection – a “written release”
– disclosure of the specific purpose and length of term for which information is collected, stored and used
• Recent class actions (Facebook, Shutterfly, employees re: time tracking tools)
State Data Breach Notification Laws
• 48 states currently have data breach notification laws
• Based on location of the data subject
• Notification requirements vary among states/countries/provinces:
– Different definitions of personal information
– Triggers for notification obligations (access, risk of harm)
– Encryption safe harbor (unless key accessed)
– Content of notification
– Timing of notification
– Parties to be notified (state AG, credit bureaus, others)
– Whether credit monitoring is required
– Notification to media if can’t contact the data subjects
“Little FTC Acts” – State Laws
Focus on unfair/deceptive trade practices
State law elements vary
– Typically private right of action
– Some include punitive damages
CO Consumer Protection Act:
• Private citizen must prove five elements:
(1) unfair or deceptive trade practice;
(2) in the course of the defendant’s business;
(3) significantly impacted actual or potential customers;
(4) the plaintiff suffered an injury to a legally protected interest;
(5) the deceptive trade practice caused the plaintiff’s injury
Telephone Consumer Protection Act - TCPA
FCC enforcement
• Prior express consent required for autodialed calls/pre-recorded messages (includes texting)
– Burden on company to show proof of the consent (track in CRM)
› Best practice: maintain each consumer’s written consent for at least four (4) years (federal statute of limitations)
– Limited exceptions for established business relationships, nonprofits
– Consent may not be a condition of purchase
• Do not call list – must check against this before making calls
• $11,000 per incident (e.g. per text message)
• Many class actions!
Federal Sectoral Laws
Several federal sectoral privacy laws have provisions limiting sharing and/or use of data (in addition to marketing)
• Gramm-Leach-Bliley Act – disclosure notices, sharing provisions, opt-out
• HIPAA – limitations on use of protected health information for marketing
• Family Educational Rights & Privacy Act – limits use/disclosure of student records
• Video Privacy Protection Act – limitations on certain disclosures (including for marketing)
• Many others
Location Based Advertising
• Advertisers can identify the real-world location of a cell phone and serve targeted ads based on location (GPS, RFID)
• Enables targeting consumers when they are most likely to make a purchase
– Near the shoe store = coupon on phone
• “Geofencing” – create virtual perimeters to facilitate delivery of content based on position of mobile device
• “Beacons” – transmitter using Bluetooth technology to transmit signals to mobile device
• ALWAYS obtain user consent before collecting precise location data
Self Regulation – Online Behavioral Advertising
• Leading marketing and advertising industry associations collaborated to form the Digital Advertising Alliance (DAA)
• Initiated a self-regulatory effort and standards for online behavioral advertising (OBA)
• Goal of answering the FTC’s calls to foster transparency, knowledge and choice for consumers re: OBA
• Guidance re: ads on websites, mobile, cross device
• Use DAA icon or otherwise notify that OBA is taking place
• Will refer to FTC for enforcement
International Privacy Laws - Canada
PIPEDA - Personal Information Protection and Electronic Documents Act
• Applies to all personal data - information ‘about’ identifiable individuals
The Canada Anti Spam Law (CASL) – “Commercial Electronic Messages”
– Messages that encourage commercial activity
– Not messages re: existing business (e.g. invoice)
– Includes SMS
Must ID sender
Consent required (burden on entity to prove this)
– Must opt-in (e.g. checkbox)
– Must allow opt-out
– Can transfer consent, but complex
– Implied consent if inquiry (6 mo. ONLY)
International Laws – EU/UK
• EU Data Protection Directive and GDPR (other speaker covering this)
• Extremely broad definition of covered personal data (relating to identified or identifiable person)
• EU Cookie Consent Banner/Policy
– Advance notice/consent for non-essential cookies
• Opt-in required for marketing in EU (double opt-in for Germany)
• May only transfer EU personal data to countries w/ “adequate” protections (U.S. not adequate)
– Privacy Shield
– Model Clause Agreements
– Binding Corporate Rules
Big Data
• Where does it come from?
• Purchases/other transactions
• Social media
• US Census
• Technology
• Use of websites/applications
• Cookies (track across sites even unrelated)
• Wi-fi, beacons, sensors
• Emails
• Advanced algorithms are used to interpret data, develop profiles and make predictions about individuals
• Profiles validated and enhanced from data brokers and other sources
Potential for Big Data to do good or harm
• Ethical issues will arise… having a framework to consider and mitigate them is a best practice and an emerging legal requirement.
• Weigh benefits and risks of harm, as well as other factors.
• Ensure no disparate treatment/impact (violates equal protection laws)
Ethical issues include:
• Privacy concerns – using data in a way your employees or customers would not have expected
• Discrimination concerns – using data in a way that adversely impacts a segment of stakeholders
Best Practices – Do a Privacy Audit
- Determine sources of data
- Do consumers understand how/why it is collected?
- Is the collection “creepy” in any way? More than needed?
- How is data being used?
- Would consumers expect this type of use?
- Has consent been received for the use?
- How long do you need to keep data? (also security issue)
- Which vendors have access to PII
- Limitations on use? Handling of breach? Indemnification?
- Agreements with third party “partners” – data license
Best Practices –Privacy Policies
- Needed if collecting any PII online/mobile apps
- Sources of collection
- How data will be used
- If/when it will be shared, and with whom
- Third parties obtaining data through the site/links
- How to opt out of stated practices
- How to contact the company to delete/modify data
- How to obtain a copy of data in the company’s possession
- CA requirements re: tracking
- Notice when privacy practices change
- Legal requirements re: kids, cookies, transfers, etc.
- Don’t make promises you can’t keep!
Best Practices – Data Governance
- Determine “data owners” in your company within departments or for different types of data:
- HR
- Sales
- Marketing
- Finance
- Legal
- IT
- Establish who grants permission for data sharing/uses
- Describe which data actions require permission
Questions?
Please contact me any time!
dhowitt@lewisbess.com
303-228-2502
Lewis Bess Williams & Weese
1801 California St. #3400
Denver, CO 80202
23 of 33

Weitere ähnliche Inhalte

Was ist angesagt?

MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)
Huub de Jong
 

Was ist angesagt? (20)

GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role Everything you Need to Know about The Data Protection Officer Role
Everything you Need to Know about The Data Protection Officer Role
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
GDPR for dummies
GDPR for dummies  GDPR for dummies
GDPR for dummies
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
 
GDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your businessGDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your business
 
GDPR changes affect direct marketing
GDPR changes affect direct marketingGDPR changes affect direct marketing
GDPR changes affect direct marketing
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 
Privacy & Data Protection
Privacy & Data ProtectionPrivacy & Data Protection
Privacy & Data Protection
 
Data protection
Data protectionData protection
Data protection
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
Csa privacy by design & gdpr austin chambers 11-4-17
Csa   privacy by design & gdpr austin chambers 11-4-17Csa   privacy by design & gdpr austin chambers 11-4-17
Csa privacy by design & gdpr austin chambers 11-4-17
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 

Ähnlich wie Privacy 101

CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
Dmcenter
 
Behavioraltargeting
BehavioraltargetingBehavioraltargeting
Behavioraltargeting
jegayer
 

Ähnlich wie Privacy 101 (20)

Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)Crash Course on Data Privacy (December 2012)
Crash Course on Data Privacy (December 2012)
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
ethcpp04-Unit 3.ppt
ethcpp04-Unit 3.pptethcpp04-Unit 3.ppt
ethcpp04-Unit 3.ppt
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Unit 6 Privacy and Data Protection 8 hr
Unit 6  Privacy and Data Protection 8 hrUnit 6  Privacy and Data Protection 8 hr
Unit 6 Privacy and Data Protection 8 hr
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to know
 
IT risk discusion qustion.pdf
IT risk discusion qustion.pdfIT risk discusion qustion.pdf
IT risk discusion qustion.pdf
 
CSR PII White Paper
CSR PII White PaperCSR PII White Paper
CSR PII White Paper
 
Privacy and Civil Liberties
Privacy and Civil LibertiesPrivacy and Civil Liberties
Privacy and Civil Liberties
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 
Privacy - USC 2005
Privacy - USC 2005Privacy - USC 2005
Privacy - USC 2005
 
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know Abo...
 
Privacy Needs to be Personal
Privacy Needs to be PersonalPrivacy Needs to be Personal
Privacy Needs to be Personal
 
Behavioraltargeting
BehavioraltargetingBehavioraltargeting
Behavioraltargeting
 
Managing Privacy Maximizing Data In Affiliate Marketing Gary Kibel
Managing Privacy Maximizing Data In Affiliate Marketing Gary KibelManaging Privacy Maximizing Data In Affiliate Marketing Gary Kibel
Managing Privacy Maximizing Data In Affiliate Marketing Gary Kibel
 
Data Security Law and Management.pdf
Data Security Law and Management.pdfData Security Law and Management.pdf
Data Security Law and Management.pdf
 
Gagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago PresentationGagnier's Portion of TechWeek Chicago Presentation
Gagnier's Portion of TechWeek Chicago Presentation
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
POPI Seminar FINAL
POPI Seminar FINALPOPI Seminar FINAL
POPI Seminar FINAL
 

Mehr von Trish McGinity, CCSK

Mehr von Trish McGinity, CCSK (14)

Cloud Seeding
Cloud SeedingCloud Seeding
Cloud Seeding
 
Token Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure WebToken Binding as the Foundation for a More Secure Web
Token Binding as the Foundation for a More Secure Web
 
Security and Automation: Can they work together? Can we survive if they don't?
Security and Automation: Can they work together?  Can we survive if they don't?Security and Automation: Can they work together?  Can we survive if they don't?
Security and Automation: Can they work together? Can we survive if they don't?
 
Practical AWS Security - Scott Hogg
Practical AWS Security - Scott HoggPractical AWS Security - Scott Hogg
Practical AWS Security - Scott Hogg
 
CSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassageCSA colorado 2016 presentation CloudPassage
CSA colorado 2016 presentation CloudPassage
 
Csa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghxCsa presentation november 2016 sloane ghx
Csa presentation november 2016 sloane ghx
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA Technologies
 
Andrew Useckas Csa presentation hacking custom webapps 4 3
Andrew Useckas Csa presentation   hacking custom webapps 4 3Andrew Useckas Csa presentation   hacking custom webapps 4 3
Andrew Useckas Csa presentation hacking custom webapps 4 3
 
Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities Steve Kosten - Exploiting common web application vulnerabilities
Steve Kosten - Exploiting common web application vulnerabilities
 
Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2Shawn Harris - CCSP SAH v2
Shawn Harris - CCSP SAH v2
 
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa versionLarry Whiteside - Optiv Cloud ready or steam rolled csa version
Larry Whiteside - Optiv Cloud ready or steam rolled csa version
 
Ed Rios - New ncc brief
Ed Rios - New ncc briefEd Rios - New ncc brief
Ed Rios - New ncc brief
 
Scott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certsScott Hogg - Gtri cloud security knowledge and certs
Scott Hogg - Gtri cloud security knowledge and certs
 
Davitt Potter - CSA Arrow
Davitt Potter - CSA ArrowDavitt Potter - CSA Arrow
Davitt Potter - CSA Arrow
 

Kürzlich hochgeladen

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Privacy 101

  • 1. Data Privacy 101 Deborah Shinbein Howitt Lewis Bess Williams & Weese
  • 2. Comparing Privacy and Security Privacy • Concerned with collection and use of data – What type of data is being collected? – Why is the data being collected? – Are you collecting more than needed? – How may the data be used? – Are there harms from collecting or using it? – Who should be permitted to access the data? Security • Concerned with the protection of data from unwanted access or loss • Measures taken to prevent: – Unwanted intruders – Loss of data – Violations of data integrity
  • 3. Privacy is a Fundamental Right No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks. - Universal Declaration of Human Rights – Art. 12 2 of 33
  • 4. Categories of Information • “Personally identifiable information” (PII) • Can be linked to a specific individual o Name, e-mail, full postal address, birth date, social security number, driver’s license number, account numbers, username, biometric data • “Non-personally identifiable information” (non-PII) cannot, by itself, be used to identify a specific individual › Aggregate data, zip code, area code, city, state, gender, age • Gray Area: may potentially be PII › Anonymized, de-identified or pseudonymized data › Non-PII may become identifiable when linked with other data such as persistent identifiers o Geolocation data o Site history and viewing patterns 2 of 33
  • 5. Privacy Legal Framework • U.S. has a patchwork of laws and regulations governing the collection, use, and security of personally identifiable information • Challenges: which laws apply to which data • How to comply with multiple laws (often inconsistent) • FTC • State laws • Federal sectoral laws (HIPAA, GLBA, FERPA, etc.) • Email laws: CAN-SPAM, CASL • Children’s data (COPPA) • Telephone Consumer Protection Act • Various laws applicable if using “big data” • Self regulatory regimes • Laws of other countries 2 of 33
  • 6. Federal Trade Commission Authority from Sec. 5 of FTC Act “unfair and deceptive practices in or affecting commerce” • Deceptive: “material representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment” › Use/dissemination of PII in violation of a privacy policy › Insufficient notice re: data collection/use practices (downloading spyware onto computer without consent) › Poor security practices if promised otherwise • Unfair: likely to cause substantial injury to consumers without countervailing benefit to consumers or competition, and is not reasonably avoidable › Retroactive changes, deceitful collection, improper use, unfair design/default settings, “unfair” data security practices, more 3 of 33
• 7. Federal Trade Commission (cont.)
  Fair Information Practice Principles (FTC in 1998, but concepts around much earlier)
  • Notice: provide appropriate notice re: collection, use, other practices
  • Choice: provide choice re: actions with data
  • Access: individuals should be able to know what is being done with their data
  • Security: data should be adequately protected
  • Enforcement: sanctions for noncompliance
  Privacy policy disclosures (web and mobile):
  - Follow FIPPs and disclose accordingly
  - Obtain consent as appropriate based upon nature of the data/uses
  - Say what you do/do what you say
  - Examples of enforcement:
    - Misrepresentation re: privacy of information (Facebook)
    - Failure to notify re: unexpected data collection practices (Brightest Flashlight Free)
    - Insufficient disclosure of location advertising/tracking (Nomi)
• 8. FTC: CAN-SPAM
  FTC enforcement: up to $16,000 per email
  Applies to commercial emails, the “primary purpose of which is commercial advertisement or promotion”
  – Compare with transactional/relationship messages
  Prohibits knowingly sending commercial messages with intent to deceive or mislead recipients
  If one company is sending on behalf of another, both can be liable for violations
• 9. FTC: CAN-SPAM (cont.)
  Basic requirements:
  – Opt-out – must include an unsubscribe link in every email; must process within 10 business days
    › Opt-out mechanism must be functional for 30 days
  – No false or misleading header info (sender of message, etc.)
  – No deceptive subject lines
  – Identify message as an ad
  – Include physical address
  – Additional requirements for sexually explicit content
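The two opt-out deadlines on this slide (process within 10 business days, keep the unsubscribe mechanism working for 30 days) are the parts of CAN-SPAM that a mailing system has to enforce mechanically. As an added example that is not from the deck, here is a small suppression-list model: it records each request with its business-day processing deadline, blocks sends to anyone on the list immediately, reports requests that have passed their deadline, and checks whether an unsubscribe click arrived inside the 30-day window. Dates are handled as ISO strings or `date` objects; the business-day calculation ignores holidays, which is a simplification.

```python
from datetime import date, timedelta

OPT_OUT_PROCESSING_BUSINESS_DAYS = 10   # slide: process opt-outs within 10 business days
OPT_OUT_LINK_VALID_DAYS = 30            # slide: opt-out mechanism must work for 30 days


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_business_days(start, n):
    """Date n business days (Mon-Fri) after start. Holidays are ignored
    (simplification); a production system would subtract them as well."""
    d = _as_date(start)
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def _normalize(email):
    return email.strip().lower()


class SuppressionList:
    """Opt-out requests keyed by normalized address."""

    def __init__(self):
        self._entries = {}

    def record_request(self, email, requested_on):
        """Log the request once; the deadline is fixed from the first request."""
        key = _normalize(email)
        requested_on = _as_date(requested_on)
        if key not in self._entries:
            self._entries[key] = {
                "requested": requested_on,
                "deadline": add_business_days(requested_on, OPT_OUT_PROCESSING_BUSINESS_DAYS),
                "processed": None,
            }
        return self._entries[key]

    def mark_processed(self, email, processed_on):
        self._entries[_normalize(email)]["processed"] = _as_date(processed_on)

    def may_send(self, email):
        """Block commercial mail as soon as a request is on file, not only once
        the 10-day deadline arrives: the deadline is an outer bound, not a grace period."""
        return _normalize(email) not in self._entries

    def overdue(self, today):
        """Addresses whose request is unprocessed and past its deadline."""
        today = _as_date(today)
        return sorted(e for e, v in self._entries.items()
                      if v["processed"] is None and today > v["deadline"])


def unsubscribe_link_valid(sent_on, clicked_on):
    """True if the click falls within the 30-day window after the message was sent."""
    sent_on, clicked_on = _as_date(sent_on), _as_date(clicked_on)
    return sent_on <= clicked_on <= sent_on + timedelta(days=OPT_OUT_LINK_VALID_DAYS)


if __name__ == "__main__":
    sl = SuppressionList()
    sl.record_request("Alice@Example.com ", "2024-03-01")   # constructed address
    print("deadline:", sl._entries["alice@example.com"]["deadline"])
    print("overdue on 2024-03-18:", sl.overdue("2024-03-18"))
```

Address normalization matters here: a request logged as `Alice@Example.com` has to suppress a later send to `alice@example.com`, and a list that keys on the raw string will miss it. The `overdue` report is the hook for the monitoring that the 10-day requirement implies.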
• 10. FTC: COPPA
  Children’s Online Privacy Protection Act
  • Applies to sites/apps collecting (or enabling collection of) information if:
    • Directed at kids, or
    • Actual knowledge that collecting information from users under age 13 (Yelp)
  • Broad definition of information applicable (geolocation, photos, voice, etc.)
  • Primary requirements:
    – Obtain verifiable parental consent for the collection, use, or disclosure of personal information from children before it is collected
    – Post notice on site re: what information is collected from children, how it is used, and disclosure practices for such information
    – Maintain confidentiality & security of information collected from kids
    – Prohibit conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary
• 11. State Data Privacy/Security Laws
  Applicable based on location of the individual
  PII covered varies
  • Typically first & last name + SSN, driver’s license, credit/debit card, financial acct. number w/ password
  • Broader in some states (any online acct/pswd, biometric data, etc.)
  Variations – some to watch include
  – MA is the most stringent re: security
    • Requires written policies with specific elements, and includes computer security requirements, encryption requirements, and much more
    • Must oversee service providers (+ contracts)
  – NV incorporates PCI and has encryption requirements
• 12. State Data Privacy/Security Laws (cont.)
  California – leader in data privacy
  • Online privacy policies
    • Policy must be conspicuous
    • Websites must disclose
      • how they respond to Do Not Track (DNT) signals from browsers and other mechanisms
      • whether third parties use or may use the site to track (i.e., collect personally identifiable information about) individual California residents “over time and across third party websites.”
• 13. State Data Privacy/Security Laws (cont.)
  California (continued)
  • “Online eraser” law for minors
    • Sites and apps “directed” to minors, or that have actual knowledge that a user is a minor, must allow registered users under 18 to remove (or ask the provider to remove or anonymize) publicly posted content
  • Must disclose information shared for direct marketing purposes (upon request)
  • Restricts online advertising of certain categories to under 18
• 14. State Data Privacy/Security Laws (cont.)
  Illinois Biometric Information Privacy Act
  • “Biometrics” is the measurement and analysis of an individual’s physical and behavioral characteristics
    • May include fingerprints, voice prints, vein patterns in a palm, retinal scan, etc.
  • Requires
    • Informed consent prior to collection - “written release”
    • Disclosure of the specific purpose and length of term for which information is collected, stored and used
  • Recent class actions (Facebook, Shutterfly, employees re: time tracking tools)
• 15. State Data Breach Notification Laws
  • 48 states currently have data breach notification laws
  • Based on location of the data subject
  • Notification requirements vary among states/countries/provinces
    • Different definitions of personal information
    • Triggers for notification obligations (access, risk of harm)
    • Encryption safe harbor (unless key accessed)
    • Content of notification
    • Timing of notification
    • Parties to be notified (state AG, credit bureaus, others)
    • Credit monitoring required
    • Notification to media if can’t contact the data subjects
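Incident-response playbooks usually encode the first cut of the question this slide raises, "does this breach trigger notification, and for whom?", so the decision is repeatable at 2 a.m. The following is an added example, not part of the deck, that combines the "typical" PII definition from slide 11 (first and last name plus SSN, driver’s license, card number, or financial account with password) with the encryption safe harbor from this slide, and then counts affected data subjects by state because obligations follow the subject’s location. It is a deliberate simplification: the element list, the field names and the affected records are constructed, and real definitions and deadlines differ by state, so its output is a triage starting point for counsel, not the legal answer.

```python
from collections import Counter

# Simplified model of the "typical" trigger definition from slide 11.
# Real statutes differ by state; treat this as a first-pass filter only.
NAME_ELEMENTS = {"first_name", "last_name"}
TRIGGER_ELEMENTS = {
    "ssn",
    "drivers_license",
    "payment_card_number",
    "financial_account_with_password",
}

# Constructed affected records: only the subject's state is needed for the count.
AFFECTED = [
    {"subject_id": "s1", "state": "CO"},
    {"subject_id": "s2", "state": "CO"},
    {"subject_id": "s3", "state": "MA"},
]


def notification_required(exposed_fields, encrypted=False, key_compromised=False):
    """Return (required, reason) for the simplified trigger test.

    encrypted:        the exposed data was encrypted at rest/in transit
    key_compromised:  the attacker also obtained the key (safe harbor lost)
    """
    fields = set(exposed_fields)
    if not NAME_ELEMENTS <= fields:
        return False, "no first + last name exposed"
    hits = sorted(fields & TRIGGER_ELEMENTS)
    if not hits:
        return False, "no triggering data element exposed"
    if encrypted and not key_compromised:
        return False, "encryption safe harbor: data encrypted and key not accessed"
    reason = "name plus " + ", ".join(hits)
    if encrypted:
        reason += " (encryption key accessed)"
    return True, reason


def subjects_to_notify(records, exposed_fields, encrypted=False, key_compromised=False):
    """Count data subjects per state when notification is required, since the
    applicable law follows the subject's location (slide 15), else an empty dict."""
    required, _ = notification_required(exposed_fields, encrypted, key_compromised)
    if not required:
        return {}
    return dict(Counter(r["state"] for r in records))


if __name__ == "__main__":
    exposed = {"first_name", "last_name", "drivers_license", "email"}
    print(notification_required(exposed))
    print(notification_required(exposed, encrypted=True))
    print(subjects_to_notify(AFFECTED, exposed))
```

The safe-harbor branch is the one that gets argued most: it only applies when the key was not also taken, which is why the function takes `key_compromised` as a separate input rather than inferring it. The per-state count is what drives the "which AGs, which timelines" step that follows.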
• 16. “Little FTC Acts” – State Laws
  Focus on unfair/deceptive trade practices
  State law elements vary
  – Typically private right of action
  – Some include punitive damages
  CO Consumer Protection Act:
  • Private citizen must prove five elements: (1) unfair or deceptive trade practice; (2) in the course of the defendant’s business; (3) significantly impacted actual or potential customers; (4) the plaintiff suffered an injury to a legally protected interest; (5) the deceptive trade practice caused the plaintiff’s injury
• 17. Telephone Consumer Protection Act - TCPA
  FCC enforcement
  • Prior express consent required for autodialed calls/pre-recorded messages (includes texting)
    – Burden on company to show proof of the consent (track in CRM)
      › Best practice: maintain each consumer’s written consent for at least four (4) years (federal statute of limitations)
    – Limited exceptions for established business relationship, nonprofits
    – Consent may not be a condition of purchase
  • Do not call list – must check against this before making calls
  • $11,000 per incident (e.g. per text message)
  • Many class actions!
• 18. Federal Sectoral Laws
  Several federal sectoral privacy laws have provisions limiting sharing and/or use of data (in addition to marketing)
  • Gramm-Leach-Bliley Act – disclosure notices, sharing provisions, opt-out
  • HIPAA - limitations on use of protected health information for marketing
  • Family Educational Rights & Privacy Act – limits use/disclosure of student records
  • Video Privacy Protection Act – limitations on certain disclosures (including for marketing)
  • Many others
• 19. Location Based Advertising
  • Advertisers can identify the real-world location of a cell phone and serve targeted ads based on location (GPS, RFID)
  • Enables targeting consumers when they are most likely to make a purchase
    • Near the shoe store = coupon on phone
  • “Geofencing” – create virtual perimeters to facilitate delivery of content based on position of mobile device
  • “Beacons” – transmitter using Bluetooth technology to transmit signals to mobile device
  • ALWAYS obtain user consent before collecting precise location data
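Geofencing as described on this slide is a distance test against a virtual perimeter, and the slide's last bullet is a gate that belongs in front of that test, not behind it. As an added example that is not from the deck, the code below computes great-circle distance from a device position to a fence center, lists the fences a position falls inside, and drops the location event entirely unless the user has a recorded consent for precise location, so coordinates of non-consenting users never reach the matching or storage step. The fence ("shoe_store"), its coordinates and radius, and the consent records are constructed for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000

# Constructed geofence: center and radius in meters.
GEOFENCES = {
    "shoe_store": {"lat": 39.7500, "lon": -104.9900, "radius_m": 200},
}

# Constructed consent records; in a real system these come from the consent store
# and are keyed by the same user identifier the location events carry.
CONSENTS = {
    "user-1": {"precise_location": True},
    "user-2": {"precise_location": False},
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_geofence(lat, lon, fence):
    """True if the position lies within the fence's radius of its center."""
    return haversine_m(lat, lon, fence["lat"], fence["lon"]) <= fence["radius_m"]


def matching_fences(lat, lon, fences=GEOFENCES):
    """Names of all fences containing the position, sorted for stable output."""
    return sorted(name for name, f in fences.items() if in_geofence(lat, lon, f))


def handle_location_event(user_id, lat, lon, consents=CONSENTS, fences=GEOFENCES):
    """Consent gate in front of any use of precise coordinates.

    Returns None (event dropped, nothing stored) unless the user has an explicit
    precise_location consent on file; an unknown user is treated as no consent.
    """
    if not consents.get(user_id, {}).get("precise_location"):
        return None
    return {"user_id": user_id, "fences": matching_fences(lat, lon, fences)}


if __name__ == "__main__":
    print(handle_location_event("user-1", 39.7510, -104.9900))  # inside the fence
    print(handle_location_event("user-1", 39.7600, -104.9900))  # outside
    print(handle_location_event("user-2", 39.7510, -104.9900))  # no consent: dropped
```

The default-deny shape (missing consent record means no processing) is the design choice worth copying: it makes the consent store the single place that decides whether precise location is handled at all, which is also what an auditor asks to see.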
• 20. Self Regulation – Online Behavioral Advertising
  • Leading marketing and advertising industry associations collaborated to form the Digital Advertising Alliance (DAA)
  • Initiated a self-regulatory effort and standards for online behavioral advertising (OBA)
  • Goal of answering the FTC’s calls to foster transparency, knowledge and choice for consumers re: OBA
  • Guidance re: ads on websites, mobile, cross device
  • Use DAA icon or otherwise notify that OBA is taking place
  • Will refer to FTC for enforcement
• 21. International Privacy Laws - Canada
  PIPEDA - Personal Information Protection and Electronic Documents Act
  • Applies to all personal data - information ‘about’ identifiable individuals
  The Canada Anti-Spam Law (CASL)
  – “Commercial Electronic Messages”
    – Messages that encourage commercial activity
    – Not messages re: existing business (e.g. invoice)
    – Includes SMS
  – Must ID sender
  – Consent required (burden on entity to prove this)
    – Must opt-in (e.g. checkbox)
    – Must allow opt-out
    – Can transfer consent, but complex
    – Implied consent if inquiry (6 mo. ONLY)
• 22. International Laws – EU/UK
  • EU Data Protection Directive and GDPR (other speaker covering this)
  • Extremely broad definition of covered personal data (relating to identified or identifiable person)
  • EU Cookie Consent Banner/Policy
    • Advance notice/consent for non-essential cookies
  • Opt-in required for marketing in EU (double opt-in for Germany)
  • May only transfer EU personal data to countries w/ “adequate” protections (U.S. not adequate)
    • Privacy Shield
    • Model Clause Agreements
    • Binding Corporate Rules
• 23. Big Data
  • Where does it come from?
    • Purchases/other transactions
    • Social media
    • US Census
    • Technology
      • Use of websites/applications
      • Cookies (track across sites, even unrelated)
      • Wi-fi, beacons, sensors
      • Emails
  • Advanced algorithms are used to interpret data, develop profiles and make predictions about individuals
  • Profiles validated and enhanced from data brokers and other sources
• 24. Potential for Big Data to do good or harm
  • Ethical issues will arise… having a framework to consider and mitigate them is a best practice and an emerging legal requirement.
  • Weigh benefits and risks of harm, as well as other factors.
  • Ensure no disparate treatment/impact (violates equal protection laws)
  Ethical issues include:
  • Privacy concerns: using data in a way your employees or customers would not have expected
  • Discrimination concerns: using data in a way that adversely impacts a segment of stakeholders
• 25. Best Practices – Do a Privacy Audit
  - Determine sources of data
    - Do consumers understand how/why it is collected?
    - Is the collection “creepy” in any way? More than needed?
  - How is data being used?
    - Would consumers expect this type of use?
    - Has consent been received for the use?
  - How long do you need to keep data? (also a security issue)
  - Which vendors have access to PII?
    - Limitations on use? Handling of breach? Indemnification?
  - Agreements with third party “partners” – data license
• 26. Best Practices – Privacy Policies
  - Needed if collecting any PII online/mobile apps
  - Sources of collection
  - How data will be used
  - If/when it will be shared, and with whom
  - Third parties obtaining data through the site/links
  - How to opt out of stated practices
  - How to contact the company to delete/modify data
  - How to obtain a copy of data in the company’s possession
  - CA requirements re: tracking
  - Notice when privacy practices change
  - Legal requirements re: kids, cookies, transfers, etc.
  - Don’t make promises you can’t keep!
• 27. Best Practices – Data Governance
  - Determine “data owners” in your company within departments or for different types of data:
    - HR
    - Sales
    - Marketing
    - Finance
    - Legal
    - IT
  - Establish who grants permission for data sharing/uses
  - Describe which data actions require permission
• 28. Questions? Please contact me any time!
  dhowitt@lewisbess.com
  303-228-2502
  Lewis Bess Williams & Weese
  1801 California St. #3400
  Denver, CO 80202