IAPP News https://iapp.org/news/

Understanding marketing privacy: Overlooked aspects, key questions and practical audits
https://iapp.org/news/a/understanding-marketing-privacy-overlooked-aspects-key-questions-and-practical-audits

In the dynamic marketing and privacy realm, the intricate dance between innovative strategies and compliance is more crucial than ever. As legislative landscapes shift at an unprecedented pace, marketers must navigate this changing terrain with agility. For example, the integration of privacy by design and privacy by default principles is not merely a checkbox for compliance — it's a strategic imperative.

Frequently overlooked aspects

From a marketing perspective, small adjustments to strategy can be made daily. Though these changes may be small, they can be important for compliance. These possible, and sometimes overlooked, changes affect privacy as well.

Website modifications. Adding new forms or extra data fields sounds easy, but beyond the visual appeal, marketing and privacy must both assess the impact of even the smallest changes on user data and the collection of new data.

Cookie considerations. The world of cookies is multifaceted. Delving deeper into distinctions between session and persistent cookies, or first-party and third-party cookies, is not just a technicality but a commitment to transparency. A clear and accessible cookie statement builds trust through articulate communication. This also means if anything changes in the cookies — or other tracking technologies — that are being used, the cookie statement needs to be updated.

New partners or vendors. The integration of new partners into the marketing technology stack is not a one-off event. Also, it is very "easy" to engage a new third party. Sometimes only a few clicks are needed. Engaging legal teams and privacy from the beginning and during kickoffs can alleviate delays that may come later. Regularly reviewing agreements ensures ongoing compliance, transforming what might seem like routine administrative work into a critical aspect of risk mitigation and relationship management.

Collecting ancillary information. A legal basis for each piece of information collected is paramount. For marketing purposes, consent is often the most common legal basis. Beyond mitigating privacy risks, it emphasizes clarity in communication about the purpose behind collecting specific information, fostering transparency.

Updating privacy notices. Consistency is the bedrock of trust. Regularly updating and maintaining clear and uniform privacy notices demonstrates a commitment to transparency, building trust with users and contributing to positive user experiences. Communicate these changes rather than expecting the user to discover them. Also, if new data is collected or shared with third parties, keep in mind updating the privacy statement won't be enough.

Utilizing free tools. While the allure of free tools is undeniable, the associated long-term implications must not be overshadowed. These tools tend to come with preset terms and clickwrap agreements that are generally accepted nonchalantly. Since no "real" contracts are needed, legal review tends to be overlooked. Educating teams about the risks, particularly with artificial intelligence tools like ChatGPT, is essential for making informed decisions that balance innovation with privacy considerations. The terms and conditions of free tools often contain critical details that might conflict with an organization's privacy stance. A careful examination of these terms is not only a legal necessity but an investment in long-term privacy compliance.

Abandonment tracking and user notification. Abandonment tracking, while a valuable tool, requires upfront user notification. Proactively incorporating a notification system ensures transparency and aligns with evolving privacy expectations, enhancing the overall user experience.

Data sharing with third parties. Securing third party-specific consent for data sharing for marketing purposes is imperative. Merely receiving the data, and thus holding it, as a third party is not enough. If consent for sharing the data is needed, it must be requested for the specific purposes of third-party use, respecting user choices.

Email collection. Implementing clear opt-in mechanisms for email collection and sending newsletters is a foundational step. Automatically consenting attendees into marketing lists without explicit permission can lead to serious violations, eroding trust and damaging brand reputation.

Spam complaints. Beyond legal consequences, unsolicited emails can tarnish a brand's image. Aligning marketing practices with regulations like the ePrivacy Directive, EU General Data Protection Regulation and the U.S. Controlling the Assault of Non-Solicited Pornography And Marketing Act ensures not just compliance but also positive brand perception and sustained user engagement.

Be creative: Work with marketing

For privacy professionals, it can feel like marketing colleagues speak a completely different language. But through close contact and working together, one can strengthen the other. Try to look at legal requirements with a creative eye, just as marketers look at data with a creative eye.

For example, opting for a creative cookie banner is not just a compliance necessity but an opportunity to engage users. Collaborating with the marketing team to design a banner that aligns with the overall aesthetic of the website turns a mandatory element into a user-friendly experience that reinforces brand identity.

Transforming privacy statements into engaging, user-friendly experiences contributes not only to user satisfaction but also to a positive brand image. Visualize the process where possible, since this reduces user effort and enhances brand perception, fostering a sense of transparency. Also, ditch the checkbox for the privacy notice, since it should be an informative document, and not one to get consent for.

Introducing privacy considerations early in the development process is strategic, as well as efficient. Collaborating with marketing to integrate privacy into decision-making ensures it becomes an integral part of the organizational culture, encouraging a holistic approach to privacy.

Finally, seamlessly checking and auditing the organization's processes ensures privacy considerations do not stand alone but are an embedded aspect of routine operations. Encouraging a collaborative approach where marketing actively participates and takes shared responsibility for data protection and privacy promotes a culture of continuous improvement.

Practical audits

An audit guide can help to jump start your process. Seamlessly referring to the audit guide within the organization's processes ensures privacy considerations are not stand-alone entities but are embedded aspects of routine operations. Encouraging a collaborative approach, where marketing actively participates in audits, fosters a shared responsibility for privacy and promotes a culture of continuous improvement.

Balancing innovation, compliance is a shared goal

By meticulously addressing often overlooked aspects, conducting thorough audits and infusing creativity into privacy practices, organizations can establish robust frameworks that not only comply with regulations but also build trust, foster positive user experiences, and ultimately ensure sustainable growth in the digital era. Balancing innovation with compliance is not just a necessity, it's a shared goal for marketing and privacy that propels organizations toward a future where privacy and innovation coexist harmoniously.

2024-03-18 12:20:39

UK Parliament committee to review EU-UK adequacy agreement
https://iapp.org/news/a/uk-parliament-to-review-eu-uk-adequacy-agreement-ahead-of-looming-renewal-decision
The U.K. House of Lords European Affairs Committee launched a formal inquiry to review the data privacy adequacy agreement between the EU and the U.K. ahead of a renewal decision. The inquiry includes reviewing the adequacy decision, examining potential challenges to the existing regime and understanding the implications if the adequacy agreement was dissolved or disrupted.
2024-03-18 11:45:44

UK DPDI Bill advances to House of Lords committee stage
https://iapp.org/news/a/uk-dpdi-bill-advances-to-house-of-lords-committee-stage
Members of the U.K. House of Lords will begin their review of the proposed Data Protection and Digital Information Bill. The House of Lords set committee hearings on the legislation 20, 25 and 27 March, during which several new amendments will be discussed, which include ensuring children's data is part of the definition of sensitive data. U.K. Information Commissioner John Edwards issued his updated opinions on the DPDI Bill. Additionally, the ICO released new guidance on issuing fines for violations of data protection laws.
2024-03-18 11:45:34

The key elements for understanding marketing privacy
https://iapp.org/news/a/the-key-elements-for-understanding-marketing-privacy
As data protection laws increase in complexity, "marketers must navigate this changing terrain with agility," Lime Legal founder Lisette Meij, CIPP/A, CIPP/E, CIPP/US, CIPM, CIPT, FIP, and Uplevel founder and Principal Raashee Gupta Erry, CIPP/US, CIPM, write. They said overlooked compliance areas include website modifications and legally integrating new clients and vendors. They also recommended privacy professionals better collaborate with marketing teams by looking at "legal requirements with a creative eye."
2024-03-18 11:44:49

US District Court rejects Meta's argument that FTC structure is unconstitutional
https://iapp.org/news/a/us-district-court-judge-rejects-metas-argument-that-ftc-structure-is-unconstitutional
The U.S. District Court for the District of Columbia ruled against Meta's efforts to prevent the Federal Trade Commission from pursuing an administrative hearing against the company, which could result in the FTC issuing a ban on monetizing children's personal data, MediaPost reports. The ruling follows a recent decision by the U.S. Court of Appeals for the District of Columbia Circuit allowing the FTC's proceeding against Meta to continue.
2024-03-18 11:44:24

Op-ed: The arguments for, against US TikTok ban
https://iapp.org/news/a/op-ed-explores-tiktok-banning-arguments-in-the-face-of-public-opposition
In an op-ed for The New York Times, Proof News founder Julia Angwin explored the movement in U.S. Congress to ban TikTok despite public opposition and existing protective measures in the U.S. concerning foreign government access to data. She noted comprehensive privacy legislation could address the access issues prevalent across many social media apps.
2024-03-18 11:43:24

EDPB begins work on age verification definitions
https://iapp.org/news/a/aepd-edpb-approves-work-on-age-verification-definitions
According to Spain's data protection authority, the Agencia Española de Protección de Datos, the European Data Protection Board has taken up a mandate to craft online age verification guidelines. Spain's Council of Ministers recently formed a working group to study how such a system would work while protecting users' data and privacy.
2024-03-18 11:43:22

Garante announces accreditation of telemarketing monitoring body
https://iapp.org/news/a/italys-dpa-announces-accreditation-of-telemarketing-monitoring-body
Italy's data protection authority, the Garante, announced the telemarketing monitoring body has been accredited and is set to enforce the previously adopted code of conduct. The body will ensure telemarketers adopt the code, including "specific measures to guarantee the correctness and legitimacy of the data processing carried out along the entire telemarketing 'chain.'"
2024-03-18 11:42:37

Iceland DPA issues children's data protection advisory
https://iapp.org/news/a/icelands-ppa-offers-advice-for-putting-childrens-images-online
Iceland's data protection authority, the Personuvernd, offered advice on how to process children's data and post minors' images online prior to the authority's EU General Data Protection Regulation compliance checks. The agency suggested considering a child's view on whether they want to be posted and to follow the "special protection" measures under the GDPR.
2024-03-18 11:42:28

US senators, health care groups clash over cybersecurity regulations
https://iapp.org/news/a/us-senators-healthcare-groups-clash-over-cybersecurity-regulations
A group of U.S. senators is trying to impose mandatory cybersecurity regulations on health care groups after UnitedHealth Group experienced a data breach, CyberScoop reports. American Hospital Association President Richard Pollack said the organization "cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime."
2024-03-18 11:41:48

Automaker, data broker sued for alleged consumer privacy violations
https://iapp.org/news/a/automaker-and-data-broker-sued-for-alleged-consumer-privacy-violations
A lawsuit filed in the U.S. District Court for the Southern District of Florida claimed General Motors and data broker LexisNexis violated consumer privacy laws with their data collection practices, The New York Times reports. The lawsuit claimed a "LexisNexis report" made it difficult for a resident to receive car insurance after data collected from the cars' system was shared with insurance companies without consent.
2024-03-18 11:41:39

A view from DC: US House ready to pass data broker bill
https://iapp.org/news/a/a-view-from-dc-us-house-is-ready-to-pass-a-data-broker-bill
The clock may be ticking for TikTok, but the implications of recent U.S. government actions are far broader than the future of a single social platform.

The U.S. House of Representatives is only half finished with its pursuit of legislation related to the digital activities of companies with alleged connections to China and other "foreign adversaries" of the U.S. After passing House Resolution 7521 to force the divestiture of websites and applications with ties to certain countries this week, the House is scheduled to consider a second bill 18 March, focusing instead on the bulk sale of personal data to those same countries.

The companion bill, HR 7520, is known as the Protecting Americans' Data from Foreign Adversaries Act of 2024. Besides China, both bills would apply to Russia, Iran and North Korea based on a reference to an existing legislative definition of foreign adversary.

Coming so shortly after President Joe Biden's executive order on data security, these efforts bring to light the extraordinary scrutiny over certain data broker activities that has been brewing for some time. Not everyone is convinced focusing on foreign adversaries is the right approach. Even in the short time the bills have been in the public light, advocacy groups have pushed back on the approach. The American Civil Liberties Union led a last-minute coalition letter claiming "H.R. 7521 is censorship—plain and simple."

Neither bill has a companion in the Senate, so the path to passage remains uncertain. Nevertheless, given the speed with which the bills moved through the House, there is a strong chance the same political will could be mustered in the higher chamber.

But what, specifically, would these bills do?

Despite its name, the Protecting Americans from Foreign Adversary Controlled Applications Act applies to "any a website, desktop application, mobile application, or augmented or immersive technology application" controlled by a foreign adversary.

The scope is limited to any such app or website that "(i) permits a user to create an account or profile to generate, share, and view text, images, videos, real-time communications, or similar content; (ii) has more than 1,000,000 monthly active users … (iii) enables 1 or more users to generate or distribute content that can be viewed by other users … and (iv) enables 1 or more users to view content generated by other users." The bill excludes websites and apps with the primary purpose of allowing "users to post product reviews, business reviews, or travel information and reviews."

Other than TikTok, which is expressly included, the bill would only apply to a covered app or website after the president determines it presents "a significant threat" to U.S. national security, after issuing a public notice and a report to Congress.

Once within scope of the act, the covered app or website needs to be sold to a company not controlled by a foreign adversary, or it will be prohibited from operating. Importantly, in the event of a ban, the bill would also prohibit app stores and internet service providers from hosting or providing access to the app or website.

Though this is a remarkable and novel bill, the second bill will likely have more of a profound impact on the work of privacy professionals.

Rather than applications, HR 7520 focuses on data brokers. It would make it unlawful for a data broker to provide access to the "personally identifiable sensitive data" of any U.S. person to an entity controlled by a foreign adversary, including any company with more than 20% ownership by an entity established in a covered country.

The breadth of this prohibition, especially compared with the recent executive order, is stark. This is not limited to the bulk sharing of personal data.

The categories of sensitive data are borrowed from the most recently proposed comprehensive privacy bill from the House Committee on Energy and Commerce. Specifically, the bill covers the following categories:

  • Government ID numbers.
  • Health data, including "any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare condition or treatment of an individual."
  • Financial data.
  • Biometric information.
  • Genetic information.
  • Precise geolocation information.
  • Private communications.
  • Account log-in credentials.
  • Sexual behavior.
  • "Calendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual, regardless of whether such information is stored on the individual's device or is accessible from that device and is backed up in a separate location."
  • Intimate imagery.
  • Information revealing video content.
  • Information about an individual under 17 years old, with no knowledge standard specified.
  • Race, color, ethnicity and religion.
  • Web browsing activity.
  • Any other data that is shared for the purposes of identifying the above types of data.

To be considered a data broker under the bill, a company would need to be subject to the jurisdiction of the U.S. Federal Trade Commission and expose sensitive data to foreign adversaries. It is not just sales of data that are covered, but transactions in which the company, "for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider."

Other than service providers, the bill exempts transactions "at the request or direction" of the individual, "providing, maintaining, or offering a product or service with respect to which personally identifiable sensitive data, or access to such data, is not the product or service," as well as those related to news and media.

Unlike the executive order, which creates a regulatory regime administered by the Department of Justice, HR 7520 would empower the FTC to enforce the ban on sensitive data sales to foreign adversaries as an unfair trade practice under the agency's existing enforcement powers.

If brought to the House floor as scheduled 19 March, there is little reason to believe this bill will not pass as easily as HR 7521. The bigger question is what happens in the Senate.

Yet, even if the proposal fails, the policy conclusions are clear: data brokers and anyone who shares sensitive personal data must establish robust processes to know who is buying their data and for what purposes. Without those processes in place, they will be unable to comply with national security-related restrictions.

The clock is ticking for everyone.

Upcoming happenings:

  • 26 March: The IAPP's KnowledgeNet chapters in the DMV region jointly host a discussion about FISA Section 702 reauthorization at the Conference Center at the Row on 19th.
  • 2 April: The IAPP's D.C. KnowledgeNet chapter hosts a happy hour sponsored by CYPFER at The Dignitary.
  • 3-4 April: The IAPP hosts its annual Global Privacy Summit.

Please send feedback, updates and chronometric insights to cobun@iapp.org.

2024-03-15 12:17:56

NSTAC urges federal government to strengthen cybersecurity safeguards
https://iapp.org/news/a/nstac-urges-federal-government-to-strengthen-cybersecurity-safeguards
The U.S. National Security Telecommunications Advisory Committee released a report urging the federal government to invest in cybersecurity, CyberScoop reports. The NSTAC report claimed many government services do not know about cybersecurity programs that are offered and "often struggle to adopt best practices or invest sufficient resources into their cybersecurity operations."
2024-03-15 12:10:16

CPPA publishes 2024-2027 strategic plan
https://iapp.org/news/a/cppa-publishes-2024-2027-strategic-plan
The California Privacy Protection Agency released its 2024-2027 strategic plan. The CPPA outlined four major goals: strengthening "public education, outreach and engagement," enforcing privacy laws, enhancing California privacy rights, and "operational excellence."
2024-03-15 11:41:51

European Commission requests information from multiple VLOPs, VLOSEs under DSA
https://iapp.org/news/a/european-commission-issues-rfis-to-multiple-vlops-vloses-under-dsa
The European Commission issued requests for information on risks posed by generative artificial intelligence use by six very large online platforms and two very large search engines under the Digital Services Act. These inquiries were issued to Facebook, Instagram, Snapchat, TikTok, YouTube and X, formerly Twitter, as well as Bing and Google. Meanwhile, the Commission also issued a request for information to LinkedIn on its alleged use of targeted advertising and a formal inquiry against AliExpress for alleged DSA violations.
2024-03-15 11:41:48

A view from Brussels: EU AI Act adoption is 'not the arrival point for AI legislation'
https://iapp.org/news/a/a-view-from-brussels-eu-ai-act-adoption-is-not-the-arrival-point-for-ai-legislation-2
While the European Parliament's adoption of the EU Artificial Intelligence Act dominated headlines this week, IAPP Managing Director, Europe, Isabelle Roccia writes this week's vote "is not the arrival point for AI legislation." Roccia outlines what work is ahead on AI and other newsworthy updates, including recommendations from France's AI Commission to strengthen the country's position on AI.
2024-03-15 11:41:32

A view from DC: Appetite for US data broker bill
https://iapp.org/news/a/a-view-from-dc-appetite-for-us-data-broker-bill
IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, offers his take on the latest privacy and artificial intelligence governance developments in the nation's capital and around the U.S. This week, he unpacks the broader data broker implications stemming from U.S. Congress' attempt to sever TikTok's ties to China and potential foreign surveillance.
2024-03-15 11:41:23

US Senators introduce bipartisan FISA Section 702 reauthorization bill
https://iapp.org/news/a/us-senators-introduce-bipartisan-fisa-section-702-extension-bill-with-warrant-requirements
U.S. Sens. Dick Durbin, D-Ill., and Mike Lee, R-Utah, introduced the bipartisan Security and Freedom Enhancement Act, which would reauthorize Section 702 of the Foreign Intelligence Surveillance Act with new requirements for intelligence agencies, prior to the law sunsetting 19 April. Under the proposed bill, intelligence agencies would either have to obtain a FISA Title I order or a search warrant before being permitted to query U.S. citizens' communications data.
2024-03-15 11:41:00

Provisional agreement reached on European Health Data Space
https://iapp.org/news/a/council-of-european-european-parliament-reach-provisional-agreement-on-ehds
The Council of the European Union and European Parliament struck a provisional agreement on the establishment of the European Health Data Space. The law attempts to give EU citizens greater access to and control of their electronic health data, while also enabling certain data to be reused for public health improvements and scientific research.
2024-03-15 11:40:48

FCC approves voluntary IoT cybersecurity labeling
https://iapp.org/news/a/fcc-votes-to-create-cybersecurity-labeling-for-smart-devices
The U.S. Federal Communications Commission voted to introduce a voluntary program that would create a cybersecurity label for Internet-of-Things and smart devices. The program would allow companies to obtain a "U.S. Cyber Trust Mark" to ensure consumer products have proper cybersecurity safeguards.
2024-03-15 11:40:21