Categories
ccpa Data and Security data privacy data protection privacy regulations

What Prop 24 Means for Your Data Privacy Strategy

data security

California recently passed Proposition 24, a landmark data privacy referendum that expands privacy protections in the world’s fifth-largest economy. Starting in 2023, the nation’s most comprehensive privacy regulations will protect nearly 40 million people and govern $3.2 trillion in economic output.

Prop 24 will ripple across America, which still lacks a national privacy law. Most companies will choose to extend these privacy protections to all users — rather than address the privacy patchwork with state-specific solutions. That solution is easier and more economical.

So what does this mean for those of us working in technology and connected devices? We have a whole new set of rules to learn. Prop 24 replaces the CCPA with the CPRA, which stands for the California Privacy Rights Act. Here are a few action items to guide you as you reorient around the latest data privacy regulations.

#1: Prepare for data privacy enforcement

The passage of Prop 24 creates the Privacy Protection Agency, America’s first government watchdog for privacy and data protection. The statewide agency will have a budget of at least $10 million annually, finally putting enforcement muscle behind privacy protections, something that the previous privacy law (the CCPA) lacked.

Businesses that leak data (either knowingly, by sharing without permission, or unknowingly via a data breach) will pay $2,500 per violation. The per-violation fine triples fines for violating the privacy of minors, which means that each violation can cost your business $7,500! You’ll want to be very careful if any of your connected devices capture or otherwise interact with data from those under 15.

Also, know this: the threat of fines is blood in the water for hackers. In Europe, bad actors are forcing businesses to pay up using ransomware and the threat of GDPR fines. These attacks will likely shift to the US now that there’s a privacy enforcer. Now is the time to shore up your cybersecurity defenses and prepare staff!

TL; DR: Voluntary compliance is over. Get ready for America’s first privacy enforcer. Make a plan to verify your data tracking, collection and storage methods so that you have clear documentation and strong internal controls.

#2: Evolve for the end of cookies

Cookies — the small files used to track users across the internet — are on their way out. Good riddance! Cookies were intended to improve the user experience by remembering details about users between sessions. Instead, they became invasive trackers that enabled a massive industry to invade privacy, often without permission.

It’s long past time to rebalance the dynamic. Consumers have a right to privacy and the industry must catch up. We need to prepare for our cookieless future and create solutions that offer insights and anonymity simultaneously. We can no longer expect to know everything about consumers in a permissionless environment; rather, the marketing industry must evolve with innovations that aggregate data in useful ways while preserving privacy.

Most people are ok with this type of anonymized aggregation, also called “differential privacy.� It’s a data collection framework that collects data in aggregate without ever revealing the identity of individuals. It can even be used to automatically ensure that data sharing across borders conforms to local privacy laws.

TL; DR: Future-proof your data discipline. Preserve anonymity, avoid collecting unnecessary personal information and use pattern matching to build segments that give aggregated, actionable insights without compromising individual identity.

#3: Put AI to work for data privacy management

Artificial intelligence is at work in other areas of your business — why not put it to work for privacy too?

AI can detangle the complexities of privacy management by rapidly sorting and segmenting user data to conform to privacy regulations while still offering the benefits of personalization to both consumers and companies. AI can also make sure that you are only storing necessary information and thus minimize your data collection footprint — and privacy compliance exposure.

By using its capabilities to process massive data sets, you can both increase precision and reduce human intervention when it comes to privacy compliance. These two factors — precision and human intervention — are going to be key when the sheer volume of data that will soon be governed by Proposition 24 will accelerate investment and innovation. Companies will need to maintain data privacy while still preserving the reach, quality and precision that their advertising-based business models depend on.

TL; DR: When implemented strategically, AI can help you sort, segment and store data in ways that both preserve privacy and comply with CPRA. Use it!

#4: Monitor your thresholds

The CPRA changes the compliance thresholds in two key ways. First, sharing is now the same as selling. If your business shares data with third parties for commercial purposes (without necessarily selling that data), you’ll be on the hook for compliance.

Second, the CPRA doesn’t apply to businesses that bought, sold or shared data from fewer than 100,000 customers/households annually. That’s up from 50,000 customers/households, which is a good thing for startups seeking traction. But, in the trenches of startup life, it can be easy to cross this threshold and not even realize it.

However, you’re still on the hook if your company made more than $25 million in gross revenue in the previous calendar year. And, if you use sister brands, these thresholds still apply if it’s clear to consumers that your sister brands share common ownership. So don’t think about circumventing these rules by making subsidiaries — unless they truly are standalone brands.

TL; DR: If you buy, sell or share data from more than 100,000 customers or households, you must comply with CPRA. Monitor this threshold closely.

#5: Innovate now to leap ahead later

In a nod to increased control, Prop 24 adds a new right to limit data sharing, which isn’t covered by California’s prior law, the CCPA. This is a step in the right direction. However, consumers want more than just the right to limit how companies collect, use and share their data. The onus shouldn’t be on the consumer to navigate these complexities; brands should implement user-centric privacy tools that empower consumers, not companies.

First and foremost, they want more transparency. In one survey, four out of five consumers will share more data if brands are transparent about how it’s used. They also want more control. In the National Privacy Survey, which my company did in anticipation of Prop 24’s passage, we found that not only did the majority of Americans want a national privacy law, but they also want new tools: 83% of Americans want the right to set an expiration date for their personal data.

These types of privacy innovations may be complex to deliver at scale, but it is the true benchmark for control. Data expiration controls empower consumers to determine the ideal privacy parameters for their unique needs, all on a case-by-case basis. That’s true transparency and control — and a way to earn customer loyalty.

TL; DR: Now’s the time to consider privacy innovations that help you not just comply but also leap ahead. Data portability, transparency and control, can earn you the trust (and loyalty) of your customers.

Future proof your business against a national privacy law

Absent a national law, California’s robust privacy regulations will likely shape the conversation around federal privacy regulations. It remains to be seen whether politicians will react by prioritizing a national law or if California will set the pace for everyone else.

One thing’s for certain: It’s a new dawn for data privacy in America. And it’s about time! Everyone deserves privacy — and our digitally-connected ecosystem must evolve to accommodate both privacy and profit. This isn’t an idealistic pipe dream; rather, it’s the most exciting business challenge of the coming decade.

I see the new privacy framework as an accelerant to a more responsible and user-centric approach across the digital ecosystem. Ultimately, our business models will strengthen, as will our bonds with customers. It’s a win-win; we just have to put in the work now to be ready for our inevitable privacy-first future.

Image Credit: fernando arcos; pexels

The post What Prop 24 Means for Your Data Privacy Strategy appeared first on ReadWrite.

Categories
Data and Security data privacy data protection Personal Data Store

A New Way to Enhance Consumer Privacy

privacy

Personal data is the raw material that fuels a significant proportion of business operations. A few examples include credit card scoring based on collated personal data from various sources, calculation of premiums based on past driving habits, or the use of online tracking to build complete profiles of individuals and then targeting them with personalized ads based on those profiles. While personal data is highly essential to these business operations, individuals have little to no control and oversight on the collection and usage of their personal data.

There is anger towards the data economy and frequent privacy violations; there are still ways to restore control to the people and rebuild a trust-based and transparent relationship.

This lack of control is due to a few practices common to the current data collection and usage practices:

  • Personal data is scattered across so many different companies that it is nearly impossible to keep track of who accesses it, how they use it or who they share it with. For example, data brokers’ business model depends on the collecting, collating, selling and licensing personal data on a mass scale. It is next to impossible to track data across systems and determine whether the data was obtained lawfully or object to the processing of data.
  • The reproducible nature of data exacerbates the risks even further, contributing to a growing fear over privacy. Once personal data enters into a business’ internal systems, it can be copied to multiple locations, used by employees on their personal devices, left unprotected on legacy servers. All these processing activities increase unauthorized use or access to personal data.
  • Collection, analysis, and personal data transfer are usually conducted behind closed doors not visible to individuals and often with technologies such as machine learning, which is opaque to ordinary individuals. Individuals are often not adequately informed about the use of their data due to reasons such as trade secrets, impracticality, or simply the bureaucratic hurdles caused by the relevant business itself. Even laws such as GDPR and CCPA may not be effective at coercing a business to provide the maximum transparency possible.

Individuals’ lack of knowledge on collection, use and sharing of their personal data inevitably leads to distrust in companies involved in personal data collection.

The imbalance of power and lack of trust is evidenced by a PRC study that found that 76% of Americans do not trust third-party businesses to handle their personal data and feel a sense of lack of control over how their data is collected, managed and used.

Furthermore, Americans outside of California want to have more control over their data and want to have the same protections on their personal data as regulated under CCPA (91%).

While consumer demands are crystal-clear, how to deliver on those demands remains unclear. Personal Data Stores, however, can be an effective solution to remedy consumer concerns and provide them the visibility and control over their data.

Personal Data Stores – An unconventional solution to a bleeding problem

What is the Personal Data Store?

Personal Data Store (PDS) is like a safe for individuals to upload, share, store, edit and erase their personal information, such as addresses, passport numbers, credit history, health records and other information.

One unique character of the PDS is that users(consumers) can unilaterally grant or withdraw consent to access their personal data. Once the consumer decides to block access to her data, the relevant business is prevented from accessing it.

How Personal Data Stores help consumers regain control over their data?

1. Increased transparency equals stronger control

Firstly, Personal Data Store gives complete visibility over what data an individual has, who accesses it, how it is used, and for what purposes.

The scattered nature of personal data in the current ecosystem makes it impossible for individuals to track who retains their data and who they share it with. For example, home address data could be captured and stored by data brokers, postal offices, e-commerce companies and various other entities. If individual wishes to find out who uses their data and how, it would be challenging to contact each entity, fill out forms, and then track requests.

With Personal Data Stores, however, individuals are given exclusive control and visibility over how their data is processed and by whom. Increased transparency is a prerequisite to having control over data and this is what personal data stores achieve.

Thanks to this visibility, consumers can withdraw access to certain third parties, edit personal data that is not accurate and ask for the deletion of their data.

2. Stronger control enables the exercise of privacy rights under the relevant laws

New privacy laws such as GDPR and CCPA provided new rights to consumers, such as the right to deletion of their data, the right to rectify inaccurate data and the right to restrict access to their data.

For consumers to properly exercise their rights under these laws, they first must have complete information about the collection and use of their data. Exercising privacy rights is a decision, and this decision will not be well-informed without individuals having control and visibility.

Via Personal Data Stores, individuals can see which specific data is accessed by which specific third-party on a granular level.

One factor that plays a vital role in the successful implementation of privacy rights is a convenient and swift exercise of those rights. If a consumer has to fill out tens of details to complete a form, wait for weeks to get her privacy right fulfilled, then the essence of such privacy rights would be undermined because the consumers would be discouraged from using their rights.

What if a person changes her health insurance plan and now has to contact multiple pharmacies and hospitals to update this detail?

New privacy laws exist to restore control to the individuals, and this cannot be achieved with processes that make it unbearable for individuals even to try to exercise their rights. In other words, the individuals would not be empowered but rather find themselves in the same powerless position.

Personal Data Store serves the purpose of privacy laws because it streamlines the process of exercising privacy rights such as deletion and data rectification rights. It provides a single user-interface that people can use to send their requests without dealing with the separate and cumbersome procedures set by third-party businesses.

Suppose an individual wishes data concerning her unsuccessful job applications deleted, for instance. In that case, she can log this request via the Personal Data Store, and all relevant third parties will be notified of this request and they will have to execute on such request.

A better future for privacy lies ahead.

New privacy regulations across the globe brought significant obligations on businesses to respect privacy and allow individuals to exercise certain rights over their data. While these new laws and the expansion of privacy is to be celebrated, there is still more work to be done. Personal Data Store can contribute to individuals’ empowerment by allowing them to exercise stricter control over the access and usage of their data.

The post A New Way to Enhance Consumer Privacy appeared first on ReadWrite.

Categories
ccpa cybersecurity Data and Security data privacy data protection GDPR Lead privacy privacy regulations Tech

Privacy Regulations — Are They Really Working to Protect Your Data?

protect your data

Data breaches are happening at an alarming rate. The first half of 2019 saw 4.1 billion compromised records, with the business sector accounting for 67% of the reported breaches and 84.6% of exposed records.

People are starting to take the protection of their own digital identities more seriously.

According to a recent privacy survey, 81% of consumers are more concerned about how companies use their data and 89% say companies should be clearer about how their products use data.

This is why more than 80 countries and regions have adopted comprehensive data protection laws and others will soon follow. But are these laws really working to keep the massive amounts of personal data from falling into the wrong hands?

Regulations like GDPR and the California Consumer Privacy Act (CCPA) are developed with the intent to protect the privacy of consumers in an age where social media and other digital footprints are making it harder to keep that personal information safe and secure.

There are two interesting factors in play that exempt companies from disclosing what they plan to do with the consumer data they collect in certain situations.

Exemptions

In section 1798.105(d), CCPA states, “a business or service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the customer’s personal data in order to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.�

The statement appears to exempt anyone in cybersecurity from the request if they can prove the data is required to meet one of those activities.

Items within certain security platforms that leverage the device and user identity for detection can operate under this exclusion, which is something both the security vendor and customer should, therefore, be cognizant of.

Services Provided

Additionally, section item 1798.105(3) of CCPA states that business shall not be required to comply with the act if they provide a service to “debug to identify and repair errors that impair existing intended functionality.�  

Read that statement again, please!

It opens another huge exception for businesses that debug or repair devices. It appears they are removed from any responsibility to destroy or delete the data after any period of time.

Another implication of this “law” ties into the consumer’s right to repair. Consider a consumer who has their private data stored on a personal device but modifies or repairs that device in some way that leaves the device susceptible to attack or breach.

Who is responsible? The manufacturer or the consumer?

CCPA does not provide guidance on this leaving ambiguity and potential loopholes.

While businesses may comply within these exemptions and services loopholes, that shouldn’t exclude them from the basic ethical obligation they have to inform their customers on what they plan to do with their data.

And these exemptions aren’t winning any favors with consumers, which is why nearly half of Americans don’t trust the government or social media sites to protect their data.

While governments are attempting to help by enacting privacy legislation, consumers must take the protection of their privacy into their own hands by following a few basic guidelines.

Don’t Open that Link

Phishing attempts have grown 65% in the last year and those attacks account for 90% of data breaches. And attackers are finding new ways to make their phishing scams even harder to detect.

An example shows how these attacks are now happening in real-time. The bad actor pretends to be known to the user who claims to have limited cellphone reception, so a confirmation call is not possible. The victim then helps, which then leads to handing over sensitive data to the attacker.

While phishing is getting harder to detect, there are ways to defend against them.

For instance, if there is a request to click on a link, CHECK to see if there any misspellings or weird characters in the URL.

In these cases, it’s a safe bet you can just delete the email (and link) right away.

Make it a habit to avoid clicking on links sent to you via email or social media solutions – especially those from your bank, utility companies, social networks, etc.

Instead, go to the source and type out the URL in the browser and login there.

Multi-Factor Authentication

Multi-factor authentication is one of the easiest ways to protect one’s information, yet many consumers don’t know this capability exists. With multi-factor authentication, a user is asked to provide two or more pieces of information for logging into his/her devices.

For example, along with providing a password, an individual can arrange to have a code sent to their device before access is granted. When you login this way, if an unauthorized third-party somehow steals the password, they still can’t log into the account because they won’t receive the follow up mobile text code.

Many consumer services like Google and Facebook support this capability and individuals are well-advised to use this extra security.

Multiple Passwords

People still fall victim to bad password habits despite the incentives to avoid them.

Using unique passwords for all accounts helps ensure hackers only gain access to the one system associated with that password.

You can check sites like haveibeenpwned.com to determine if your information was lost in a breach.

Please use different passwords for every account — whether it’s for business or personal use.

I know it’s a pain in the butt — however, the longer the password, the better. Password manager applications can then help you store all of these passwords securely and protect them with multi-factor authentication.

There is no one sure-fire way to ensure that the billions of global data records remain protected.

Privacy regulations are a first (and much needed) step in the right direction. However, it’s up to everyone – including consumers – to do their part in protecting their personal identities online.

The post Privacy Regulations — Are They Really Working to Protect Your Data? appeared first on ReadWrite.