The Office of the Australian Information Commissioner has published the "Privacy Foundations Self-Assessment Tool" to help businesses evaluate and strengthen their privacy practices. This tool is designed for organizations that may not have in-house privacy expertise but want to establish or improve how they handle personal information. The tool is structured as a questionnaire and an action planning section that can be used to create a Privacy Management Plan. It covers key #privacy principles and offers actionable recommendations across core areas of privacy management, including:
- Accountability and assigning responsibility for privacy oversight.
- Transparency through clear external-facing privacy notices and policies.
- Privacy and #cybersecurity training for staff.
- Processes for identifying and managing privacy risks in new projects.
- Assessing third-party service providers handling personal data.
- Data minimization practices and consent management for sensitive information.
- Tracking and managing use and disclosure of personal data.
- Ensuring opt-out options are provided and honored in direct marketing.
- Maintaining an up-to-date inventory of personal data holdings.
- Cybersecurity and data breach response.
- Secure disposal or de-identification of data when no longer needed.
- Responding to privacy complaints and individual rights requests.
This self-assessment provides a maturity score based on the responses to the questionnaire and tailored recommendations to support next steps.
Creating A Data Privacy Strategy For Your Business
Summary
Creating a data privacy strategy for your business involves developing a comprehensive approach to protect sensitive information, ensuring compliance with privacy laws, and building trust with customers. This process includes identifying and addressing risks, implementing safeguards, and maintaining transparency about how data is collected, stored, and used.
- Start with a data inventory: Identify the personal data your business collects, its sources, storage locations, and usage to fully understand your data landscape.
- Implement clear policies: Develop privacy notices, user consent mechanisms, and data minimization processes to align with legal and ethical data-handling practices.
- Regularly review and train: Conduct routine assessments and provide staff with training on cybersecurity and privacy responsibilities to maintain compliance and awareness.
Even without a state privacy law - New York is coming after your website tracking (and so can other states). Key points from a new advisory by the Office of the New York State Attorney General based on an investigation of websites: As we've been telling clients - even without a state privacy law, businesses' privacy-related practices and statements are subject to a state's consumer protection laws that prohibit businesses from engaging in deceptive acts and practices.
Mistakes to avoid:
🔹 Make sure that your cookie management tool does not leave uncategorized or miscategorized tags/cookies.
🔹 Make sure your cookie management tool works well with your tag management tool (disabling tracking in one disables the other too).
🔹 Make sure your marketing or advertising tags work as described and DO NOT remain active even after visitors try to disable them using the site's privacy controls.
🔹 Ensure even tags that are hardcoded to the website get deactivated by the cookie management tool.
🔹 Do not rely on contract-based restrictions like limited data use (LDU - Meta) or Restricted data processing (RDP - Google) in states where they don't actually work.
🔹 Before deploying a new tag, understand what data the tag collects and how the data may be used or shared.
🔹 Address NON cookie-based sharing.
Things to do:
Configuration of trackers:
🔹 Designate a qualified individual (or individuals) with appropriate training to be responsible for implementing and managing website-tracking technologies.
🔹 Before deploying a new tag or tool, or changing how an existing tag or tool is used, take appropriate steps (including active due diligence) to identify the types of data collected and how the data will be used and shared.
🔹 When deploying a new tag or tool, or changing use, ensure that it is appropriately categorized and configured.
🔹 Conduct appropriate testing (regularly and following a change) to ensure that tags and tools are operating as intended.
🔹 Conduct reviews on a regular basis to ensure tags and tools are properly configured.
Disclosure and interface:
🔹 Make sure that your representations on the website about privacy controls (whether express or implied through privacy controls configuration) are accurate.
🔹 Avoid language that creates a misleading impression of how your website handles tracking and choice. [Don't say "by clicking accept cookies" you accept, if the cookies deploy by default.]
🔹 Ensure the user interface is not misleading - beware of dark patterns (e.g. a faded gray color without any visual indication that the words could be clicked; ambiguous buttons).
🔹 If you can agree with a single click, you should be able to opt out with a single click.
🔹 Make the interface accessible (e.g. allow navigating privacy controls with the keyboard's tab key).
🔹 Don't use large blocks of text or complicated language.
#dataprivacy #dataprotection #privacyFOMO https://rb.gy/bei7cu
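The advisory's testing points (uncategorized tags, hardcoded tags that the consent tool never reaches, tags that keep firing after an opt-out) can be checked mechanically against a tag inventory. The following is an added example, not code from the post or from any consent-management product: it models a consent-gated tag registry and an audit that compares the inventory with the set of tags observed firing after a visitor declined optional tracking. The tag names, categories and the "observed firing" set are constructed sample data; `mayFire`, `auditTags` and `runSampleAudit` are hypothetical helper names.

```javascript
// Added example (not from the original post): a minimal consent-gated tag
// registry plus an audit for the misconfigurations the NY advisory lists.
// All tag names, categories and observations below are constructed.

// Categories the consent tool knows how to gate. Anything else is treated
// as uncategorized, which is itself a finding.
const CATEGORIES = new Set(["necessary", "analytics", "marketing"]);

// Constructed tag inventory. `hardcoded` marks a tag placed directly in the
// page template instead of through the tag manager.
const SAMPLE_TAGS = [
  { id: "site-session",       category: "necessary",   hardcoded: true  },
  { id: "analytics-pageview", category: "analytics",   hardcoded: false },
  { id: "ad-pixel",           category: "marketing",   hardcoded: true  },
  { id: "chat-widget",        category: undefined,     hardcoded: false },
  { id: "ab-test",            category: "experiments", hardcoded: false },
];

// Consent state after the visitor declined everything optional.
const OPT_OUT_CONSENT = { analytics: false, marketing: false };

// Constructed observation: tag ids seen issuing requests after the opt-out
// click (what a network capture during the advisory's "testing" step would
// produce).
const OBSERVED_AFTER_OPT_OUT = new Set(["site-session", "ad-pixel", "chat-widget"]);

// Whether one tag may fire under a consent state. Necessary tags always
// run; unknown or missing categories fail closed rather than open.
function mayFire(tag, consent) {
  if (tag.category === "necessary") return true;
  if (!CATEGORIES.has(tag.category)) return false;
  return consent[tag.category] === true;
}

// Compare the inventory with the consent state and the observed firings.
// Returns a list of { id, issue } findings for the configuration reviewer.
function auditTags(tags, consent, observedFiring) {
  const findings = [];
  for (const tag of tags) {
    if (!CATEGORIES.has(tag.category)) {
      findings.push({ id: tag.id, issue: "uncategorized" });
    }
    // Seen firing although consent does not permit it: either the consent
    // tool and the tag manager are out of sync, or the tag is hardcoded
    // and never wired to the consent tool at all.
    if (observedFiring.has(tag.id) && !mayFire(tag, consent)) {
      findings.push({
        id: tag.id,
        issue: tag.hardcoded ? "hardcoded-tag-bypasses-consent" : "fires-despite-opt-out",
      });
    }
  }
  return findings;
}

// Run the audit on the constructed sample and return the findings.
function runSampleAudit() {
  return auditTags(SAMPLE_TAGS, OPT_OUT_CONSENT, OBSERVED_AFTER_OPT_OUT);
}

// Stand-alone use: print the findings for the sample inventory.
for (const f of runSampleAudit()) {
  console.log(`${f.id}: ${f.issue}`);
}
```

On the sample inventory the audit reports four findings: `ad-pixel` as a hardcoded marketing tag that bypassed the opt-out, `chat-widget` as both uncategorized and firing despite the opt-out, and `ab-test` as uncategorized because its category is not one the consent tool gates. The fail-closed rule in `mayFire` is the design choice worth keeping in a real implementation: a tag nobody categorized should be blocked until someone does the due-diligence step the advisory calls for, not silently allowed.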
A court recently let a California CCPA class action lawsuit proceed against a company for its website's use of Google Analytics. Here's what to know and do ⬇️
A federal district court in California allowed a CCPA #ClassAction to survive a motion to dismiss. The defendant offers a website-based service for connecting people to mental health therapists, and allegedly allowed #GoogleAnalytics to collect information like mental health conditions entered into its website. Google offered an IP address anonymization feature that defendant allegedly didn't use. The court ruled that the CCPA claim under its limited private right of action (Cal Civ Code § 1798.150) could proceed even though there was no data breach. It reasoned that a data breach isn't required--a claim could proceed if personal information is subject to unauthorized disclosure as a result of the business's failure to maintain reasonable security procedures (presumably the use of the Google IP address anonymization feature). While this isn't a ruling on the merits, the fact that the CCPA allows statutory damages of $100-$750 per consumer/incident (or actual damages if greater) could lead to claims against other companies on this theory for using cookies, pixels, and other tracking technologies for common business practices like #TargetedAdvertising and #website #analytics.
What should your company do? Here are four steps to consider:
1️⃣ Don't panic. This case isn't a ruling on the merits, and it's not clear this theory will ultimately prevail.
2️⃣ Assessments. Validate that your privacy or tracking technology assessment processes:
🔹 Identify what data is passed by each tracking technology;
🔹 Determine whether all data need to be passed & remove any that don't; and
🔹 Use privacy-protective tracking technology provider tools and settings. (Know what team at your company identifies what options are available, and determine whether they have the privacy knowledge to know what to look for and use. Reviews of providers' documentation and settings are often needed.)
3️⃣ Governance. Establish or validate an approach to governing the use of tracking technologies on your company's website and mobile #apps, including:
🔹 Keeping an up-to-date understanding of the technologies used and the business purposes they serve;
🔹 Knowing what specific data types are passed;
🔹 Triggering reviews or re-assessments when there are changes to the data passed or the business purposes the technologies are used for; and
🔹 Getting buy-in and alignment on roles and responsibilities with stakeholders that can place, use, or configure the technologies.
4️⃣ Consider Consent. Especially when website/app events or other data types passed could reveal something sensitive, obtain opt-in consent before allowing the data to be transmitted. This is viewed as required by the FTC, and is required under some of the state comprehensive #privacy laws.
You’re the new Privacy Analyst at a U.S. retail company. Your manager just asked you to ensure the company is compliant with the California Consumer Privacy Act (CCPA), but you quickly realize there’s no data inventory or record of what personal data is being collected, where it’s stored, or who it’s shared with. How would you even begin? First, you’d start by building a data inventory — that means identifying what personal data the company collects (names, emails, browsing history, etc.), how it’s collected (forms, cookies, third-party platforms), and where it lives (CRM, marketing tools, cloud storage, etc.). You’d likely send out a questionnaire or meet with key teams (marketing, IT, sales) to gather this info. Then, you’d map the data flows — what systems touch this data, who has access, and whether it gets sent to vendors or service providers. This is essential for understanding risk and creating compliant privacy notices. Finally, you’d document it all and check it against the CCPA requirements — can users request access to their data? Can they delete it? Is there a way to opt out of data selling? This is GRC work in action: breaking down compliance into trackable steps and helping the business stay accountable.