Data Privacy Highlights


This week is Data Privacy Week! I am so excited to share this issue of Data Privacy Highlights with you to celebrate! This week, we've got a lot on our plate, so get your Data Privacy Cake and buckle up.

We also want to take this time to remind you: if you haven't had the chance to purchase the book I co-authored with Justin Daniels, "Data Reimagined: Building Trust One Byte at a Time", it is NOW on sale on Kindle for $.99 to celebrate! "Data Reimagined" is a number four Wall Street Journal best seller, USA Today top 100 best seller, and number one Amazon best seller about data privacy. It is all about leveraging your company's data privacy and security practices to establish a trusting relationship with your consumers.

Even if you're not a business leader, it is an eye-opening look at privacy and security for consumers!

I'm also excited to share a recent article I appeared in for Martechvibe alongside Debbie Reynolds and Blake Brannon about whether trust can lead to revenue!

Check it out in this week's Data Privacy Highlights!

Happy Data Privacy Day! Prepare for 2023 with our Data Privacy Compliance Checklist

With the following steps—and the help of an experienced privacy consultant—you can be well on your way to data privacy compliance in 2023.

Establish privacy governance

Maintaining compliance continues to be a complex undertaking. To meet compliance requirements, organizations should enhance their privacy governance activities by implementing governance processes and activities that support:

  1. Accountability
  2. Authority
  3. Risk management
  4. Assurance

Confirm that your organization has appropriate resources, policies, and standards to maintain compliance amidst evolving privacy laws.

Maintain a data inventory

To ensure the accuracy, completeness, and timeliness of personal data information inventories, establish and maintain a detailed personal data inventory. This will ensure that your organization fully understands the sources of personal data collected and how it is used.

Identify sensitive personal data

Depending on the data privacy law, sensitive personal data may be subject to different treatment compared to other types of personal data. Be sure to implement procedures to limit the use of sensitive personal data, along with obtaining and tracking consent for use.

Conduct PIAs or DPIAs

Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) should be conducted any time:

  1. Your organization begins a new project that could put personal data at risk
  2. There are significant changes to existing programs or activities that involve personal data

Implement consistent processes for your PIAs and DPIAs, and train staff accordingly.

Obtain consent for processing the personal data of minors

When selling, sharing, or processing the personal data of minors, you must obtain appropriate consent. Make sure your privacy notices are written in clear, age-appropriate language, and that you have heightened security measures in place to protect minors’ sensitive data.

Disclose the sharing of data to third parties

If you sell or share data to third parties for the purpose of targeted advertising, certain jurisdictions may require your organization to disclose this information. Allow individuals to opt-in/opt-out to the collection, processing, selling, or sharing of personal data, and give a clear notice that the information is not being sold.

Update your privacy notices

Any and all of your privacy notices must be:

  1. Easy to read
  2. Available in the languages in which your organization conducts business
  3. Accessible to those with disabilities according to general industry standards
  4. Compliant with applicable data privacy laws

Every so often, review your privacy notices to ensure that they’re readable, accessible, and up-to-date—and inform your employees of the updates, too.

Ensure your data minimization and retention policy passes muster

How much data do you really need? According to privacy best practices, the answer is simple: only what is necessary. All US privacy regulations, along with GDPR, require that you limit the amount of data you collect to what is “reasonably necessary” to achieve the stated purposes of collection.

Thoroughly assess vendors

Your business relies on vendors to do its work, but in the process of building those relationships, you may be providing access to consumer information. It’s vital to ensure that any and all contracts with vendors establish a clear understanding of how that information may be used so you can maintain compliance with privacy laws.

Manage individual rights requests (DSARs)

Are your customers aware of the rights they are entitled to with regard to their personal information? This information, including potential actions they may take, should be clearly detailed in your privacy notice. You should also:

  1. Establish appropriate internal procedures to handle Individual Rights Requests, including timelines and appeals processes
  2. Obtain and maintain consents according to applicable regulations
  3. Record and track DSAR records
  4. And more

Get your cookie banners and Do Not Sell links in place

Cookie banners—they’re more complicated than you might expect. Cookie banner requirements vary by region, so it’s vital to deploy yours accordingly. And as far as Do Not Sell links? Make sure yours complies with changes brought about by CPRA.

Train your team on privacy awareness

You can have the best privacy policies and procedures on the planet, but if your team doesn’t know how to use them or why they’re important, they won’t be much use. In 2023, implement robust (and ongoing) privacy training for all staff. Ensure that training is specific to departments and different levels of responsibility for managing personal information.

Validate security practices

Security and privacy programs benefit when they work closely together towards organizational goals. Make it a priority to implement and document comprehensive security processes, procedures, and policies to support safeguarding personal information.

Make compliance sustainable

Privacy compliance isn’t a one-and-done activity. To truly achieve an effective privacy program that can weather a changing landscape, you need to identify strategies to make it sustainable. This should involve steps such as:

  1. Aligning privacy with your organization’s mission
  2. Establishing a clear privacy framework
  3. Dedicating appropriate resources to privacy
  4. And more

More information on the privacy boxes to check for 2023 here: https://redcloveradvisors.com/2023/01/24/2023-data-privacy-compliance-checklist/

Can Trust Drive Tangible Revenue?

There is always a concern about revenue in business, of course! But a big question is whether or not trust between the consumer and the company is going to lead to physical, tangible gains. After all, building trust is an investment.

I recently spoke with Martechvibe, alongside Debbie Reynolds and Blake Brannon, about just how important it is to build trust and maturity within organizations. By expressing a mature concern for privacy, organizations can retain consumer attention... or lose the value generated by consumers.

For more about the correlation between privacy and consumer trust, check out the full article here: https://martechvibe.com/martech/can-trust-drive-tangible-revenue/

What Changes in Privacy Laws are Coming in 2023

There are a number of significant changes to privacy laws coming up this year, including:

  1. changes and additions to U.S.-based legislation
  2. new directives from the European Union (EU)
  3. and a new privacy regulation in China

With new laws on the horizon, many organizations do not have the infrastructure in place to meet privacy or information security requirements.

Implementing and operationalizing privacy is a significant endeavor, and it doesn’t happen overnight.

Regardless of the maturity of your organization’s data governance or privacy programs, you should review the changes coming in 2023 to ensure that you can meet new or evolving requirements and maintain compliance.


For more on all you need to know about what's coming in 2023: https://redcloveradvisors.com/2023/01/24/2023-data-privacy-compliance-checklist/

Proposed State Privacy Law Update: January 23, 2023 by HuschBlackwell

It's been a busy start to the year for lawmakers! Four states introduced consumer privacy bills – Massachusetts, Hawaii, Indiana, and New York.

In Massachusetts, lawmakers introduced two sets of competing bills.

  1. The Massachusetts Data Privacy Protection Act (MDPPA): a bill based on the federal American Data Privacy Protection Act with additional provisions relating to workplace surveillance.
  2. The Massachusetts Information Privacy and Security Act (MIPSA)

In New York, lawmakers refiled two bills that were being discussed in 2022, the Online Consumer Protection Act and the Digital Fairness Act. They also introduced two biometric privacy bills:

  1. The New York Biometric Privacy Act, which would create a private right of action around the collection of biometric information.
  2. S2390, which would prohibit private entities from using biometric data for any advertising, marketing or other identified activities.

For more on the newly proposed laws and happenings in the privacy law space: https://www.bytebacklaw.com/2023/01/proposed-state-privacy-law-update-january-23-2023/

Chicken Fried Data: Chick-Fil-A Hit With Class-Action Privacy Lawsuit Over Video Data Collection

According to a new lawsuit filed Sunday, January 22, Chick-Fil-A (CFA) has been sending data to Facebook’s parent company Meta in a way that violated one of the only federal privacy laws in the United States.

Every Christmas season, CFA releases a holiday-themed animated video titled “The Stories of Evergreen Hills.” The videos are housed on YouTube and on Chick-fil-A’s dedicated website, evergreenhills.com. That website caught privacy lawyers’ attention due to the way it tracks and shares data.

Like many other websites, evergreenhills.com has an embedded Meta pixel, a tracker that sends data to Meta about who’s visiting the site. The plaintiffs in the case allege that Chick-fil-A broke a law called the Video Privacy Protection Act (VPPA), which states that “video tape service providers” (or anyone who offers similar services) can’t disclose personally identifiable information about what videos you watch without your informed, written consent.

Over the last year there has been an uptick in class-action lawsuits filed for VPPA violations. Bloomberg Law identified 47 different lawsuits filing claims against companies including NBA, GameStop, CNN, BuzzFeed, and Dotdash Meredith, owner of People Magazine.

For more on this story: https://gizmodo.com/chick-fil-a-lawsuit-fried-chicken-privacy-class-action-1850020692

Online pharmacies share sensitive data with third parties

ProPublica reports some online pharmacies selling abortion pills are using tracking technology that shares sensitive data with third parties, which could potentially lead to prosecution from law enforcement.

ProPublica found web trackers, including a Google Analytics tool, on 9 of the 11 websites it investigated. Data shared through the trackers includes web addresses visited, items clicked on, search terms, and location and device information, as well as a unique identifier linked to a user's browser.

While many people may assume their health information is legally protected, U.S. privacy law does little to constrain the kind or amount of data that companies such as Google and Facebook can collect from individuals.

Google pledged last year that it would delete location history data related to people’s visits to abortion and fertility clinics, but the company has not announced any changes since then related to data involving abortion pill providers or how it handles government requests for data.

“This is problematic and dangerous — both the potential access that law enforcement has to figure out who is violating our new state bans and that we’ve let tech companies know so much about our private lives,” said Anya Prince, a law professor at the University of Iowa who focuses on health privacy. “It shows us how powerful this data is in scary ways.”

https://www.propublica.org/article/websites-selling-abortion-pills-share-sensitive-data-with-google

Thanks for the best practices checklist and latest on four states introducing privacy bills (Massachusetts, Hawaii, Indiana, and New York)

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

1 year ago

Jodi Daniels congratulations and thank you so much for your support as always.
