Data Management Strategy

When creating a privacy program, it is important to look ahead and think strategically about who your audience might be. For businesses that might find themselves under the scrutiny of regulators and judges because of a lawsuit, unwanted publicity, or data breach, it is critical to be able to demonstrate substantial compliance for the program they’ve implemented. This can be accomplished by developing privacy programs that follow guidance promulgated by their audience—regulators and courts. This guidance includes the CNIL’s (the French Data Protection Authority’s) Six Steps for GDPR Compliance, along with Federal Trade Commission orders such as the Vizio 2017 order, which provide a roadmap for a comprehensive privacy program that can be distilled down to six main phases
Continue Reading

After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps. See e.g.Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three to identify actions to comply with current/future obligations and to prioritize such actions based on risks).
Continue Reading

For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify “without undue delay” a data breach to the supervisory authority within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals.
Continue Reading

You might have heard of data brokers—entities that collect personal information and analyze, append, and repackage it for sale to third parties—from reports such as the FTC’s 2014 study or a 2017 proposed congressional bill that would have imposed breach notification obligations on brokers following the Equifax breach. But you may have never thought that your company’s practices could land you in this category.

Beginning on January 1, 2019, Vermont will be the first state in the nation to regulate data brokers that process personal information regarding its residents. This new law incorporates a very broad definition of “data broker” and requires businesses defined as such to register annually and report on security breaches to the Secretary of State. 
Continue Reading

Does your company use mobile apps, Internet of Things, AI, health tech or other technologies to develop consumer profiles, create products or deliver targeted advertising? If so, you should be aware that the technologies used to perform these tasks are highly regulated and the subject of multiple privacy and data security laws. Specifically, it is worth asking your digital marketing department whether it is using persistent unique identifiers (or IDs) to track users. Persistent IDs are the tools that marketers use behind the scenes to connect consumers with their devices. The information gathered is used for marketing, product development and analytics.
Continue Reading