Even without a state privacy law - New York is coming after your website tracking (and so can other states).

Key points from a new advisory by the Office of the New York State Attorney General based on an investigation of websites:

As we've been telling clients - Even without a state privacy law, businesses’ privacy-related practices and statements are subject to a state's consumer protection laws that prohibit businesses from engaging in deceptive acts and practices.

Mistakes to avoid:
🔹 Make sure that your cookie management tool does not leave uncategorized or miscategorized tags/cookies.
🔹 Make sure your cookie management tool works well with your tag management tool (disabling tracking in one disables the other too).
🔹 Make sure your marketing or advertising tags work as described and DO NOT remain active even after visitors try to disable them using the sites’ privacy controls.
🔹 Ensure even tags that are hardcoded to the website get deactivated by the cookie management tool.
🔹 Do not rely on contract-based restrictions like limited data use (LDU - Meta) or Restricted data processing (RDP - Google) in states where they don't actually work.
🔹 Before deploying a new tag, understand what data the tag collects and how the data may be used or shared.
🔹 Address NON cookie based sharing

Things to do:

Configuration of trackers:
🔹 Designate a qualified individual (or individuals) with appropriate training to be responsible for implementing and managing website-tracking technologies.
🔹 Before deploying a new tag or tool, or changing how an existing tag or tool is used, take appropriate steps (including active due diligence) to identify the types of data collected and how the data will be used and shared.
🔹 When deploying a new tag or tool, or changing use, ensure that it is appropriately categorized and configured.
🔹 Conduct appropriate testing (regularly and following a change) to ensure that tags and tools are operating as intended.
🔹 Conduct reviews on a regular basis to ensure tags and tools are properly configured.

Disclosure and interface:
🔹 Make sure that your representations on the website about privacy controls (whether express or implied through privacy controls configuration) are accurate.
🔹 Avoid language that creates a misleading impression of how your website handles tracking and choice [Don't say "by clicking accept cookies" you accept - if the cookies deploy by default].
🔹 Ensure the user interface is not misleading - beware of dark patterns (e.g., a faded gray color, and without any visual indication that the words could be clicked); ambiguous buttons.
🔹 If you can agree with a single click you should be able to opt out with a single click.
🔹 Make the interface accessible (e.g., allow navigation of privacy controls with a keyboard to tab).
🔹 Don't use large blocks of text or complicated language.

#dataprivacy #dataprotection #privacyFOMO https://rb.gy/bei7cu

Avoiding Common Data Privacy Mistakes In Tech Firms
Summary
Protecting customer data is critical for tech companies to maintain trust and avoid legal repercussions. This involves identifying and addressing common pitfalls in data privacy practices, ensuring compliance with regulations, and implementing secure systems to safeguard sensitive information.
- Ensure proper data management: Consolidate customer data into secure locations, regularly audit stored information, and delete outdated data that is no longer necessary.
- Prioritize user transparency: Clearly communicate how data is collected, stored, and used. Avoid misleading language or confusing consent options in privacy policies.
- Strengthen security protocols: Limit access to sensitive information, enforce individual logins with strong passwords, and use advanced measures like two-factor authentication to secure accounts.

Your brand is likely misusing first-party data and violating customer trust. It's not your intention, but it's probably happening.

Here are some common issues I've seen:

1.) Scattering customer data in too many locations
- email vendors/CRMs
- data warehouses
- spreadsheets (eek)

2.) Ignoring permission
...or defaulting to "allow everything"

3.) Not rolling off/expiring data no longer necessary
- long-gone churned customers
- legacy systems
- inactive contact lists

4.) Lack of transparency in how the customer data will be used
...vague or complex privacy/consent policies

5.) Giving too many employees access to sensitive data
...not everyone needs access to PII/PHI info

6.) Low-security storage
- employees accessing cust data on personal devices
- lack of roles/permissions
- lack of logging

7.) Sharing passwords
- bypassing MFA/2FA w/ shared logins
- passwords in shared Google Docs
- sent via email (ugh)

Get caught, and you could face:
- significant fines (we're talking millions)
- a damaged reputation
- loss of customer trust

But you can fix this. Here's what to do:
- Ask customers what data they're okay sharing
- Keep customer data in one secure place (CDP/warehouse)
- Only collect what you need (data minimization)
- Set clear rules for handling data (who/what)
- Offer something in return for data (value trade)
- Only let employees access what they need for their job
- Use strong protection for all sensitive info
- Give each person their own login

Your customers will trust you more. Your legal team will be happy. ...and bonus, your marketing will work better.

What other data mistakes have you seen? Drop a comment.

#dataprivacy #security #consent #dataminimization


On a near weekly basis, I read about breaches where much of the exfiltrated data was old data that the organization had no real reason to retain. See, e.g., https://lnkd.in/eaX53AWQ and https://lnkd.in/e4pVA6bT.

According to IBM's 2023 Cost of a Data Breach Report, breaches cost organizations an average of $165 per record breached. Report at 2. That means that purging 100,000 records of unnecessary data could save you $16.5M in the event of a breach.

Here are five tips:

1. PRACTICE DATA MINIMIZATION: Organizations should practice "data minimization." This means only collecting data that you have a good business reason for collecting and purging unneeded data when it is no longer needed.

2. ARCHIVE DATA OFFLINE: In one recent example, the breached company apparently "ceased operations in December 2022 but, to comply with legal obligations, . . . maintained an archived copy of data previously stored on its computer systems." See https://lnkd.in/e4pVA6bT. To the extent you are only retaining old data to satisfy regulatory requirements or just "in an abundance of caution," consider storing the data completely offline, so it is less likely to be breached.

3. CONDUCT A DATA MAPPING: These days it is common for data records to be duplicated in many places across an organization. Thus, consider conducting a regular "data mapping" to ensure that you know where all of your sensitive data is located, that you are adequately protecting it, and that you are purging it when appropriate.

4. IMPLEMENT A WRITTEN POLICY: Be sure to document your data retention and destruction policy in a written policy, and train your employees on the policy regularly. Remember to update the policy to reflect the changing realities in your organization.

5. OVERSEE THE DESTRUCTION OF DATA: Finally, when you destroy data, take reasonable steps to ensure that the data is actually being destroyed. One bank was recently fined $60M for failing to properly oversee a vendor responsible for purging personal data from digital devices. See https://lnkd.in/eutKzpU7.