Live blogged from the 2015 MRA Insights & Strategies Conference, June 3-5, 2015 in San Diego. Any errors or bad jokes are my own.
- This is not legal advice 🙂 [and along those lines, please assume my notes are completely wrong. do the research properly and that doesn’t mean perusing this blog post.]
- There are federal and state laws, then more laws segmented by the vertical, and by modality of how you collect information
- a data breach can cost millions: if a single breach costs $200, then thousands or millions of breaches add up to huge money
- be transparent about what you do and don’t do, accurately describe what you do
- data security breaches
- PlayStation, the Sony cyber attack, Target, Home Depot, Anthem all lost millions of records; most states have data breach notification laws, so when a breach occurs, you must report it
- states have different definitions of PII and different notification time frames; there is a safe harbour for encrypted data, so it is advisable to encrypt; build your policy around the most restrictive requirements
- must have a conspicuous descriptive privacy policy
- Do Not Track requests – you need to specify whether you honour these requests, though you aren’t required to honour them [wow, did not know that]
- Eraser Law – minors have a right to be forgotten, if you know they are minors or your site appeals to minors it applies to you
- 2 beacons and mobile tracking
- tracking in and around brick and mortar stores, without cash register receipts
- where is data going and where is it being shared, can you opt out, how identifiable is the data
- are consumers notified when they’re being tracked? if you don’t like it you can turn off your device [that makes me uncomfortable – IIII have to change my device as opposed to you buggering off?]
- Nomi tracking – say what you do and do what you say, they didn’t let people opt out because people didn’t know they were being tracked
- emerging area with great potential but must be very careful
- Spokeo case – firm does deep web crawls and aggregates it into reports, you can look up yourself or your friends
- must there be concrete harm to bring forward a case? if the information is wrong and you can’t prove harm, do you have a case? this case could open the floodgates. in this case, the information seemed to be better than reality. [better is in the eye of the beholder]
- international data transfer – if you focus on US domestic you’re generally ok, but if one project is outside, then it matters
- if you work with the EU, make sure you know the data principles; you can self-certify, but then you must adhere to those principles and renew the certification every year; there are requirements for regular privacy assessments; you need a privacy officer if you have 250 or more employees
- MR is a data broker; the FTC won’t rule out MR
- policy makers are concerned with brokering data for marketing purposes, and verification of respondents
- need option to be able to delete all the information they have about you, this is because we are sometimes lumped in with creepy businesses
- Internet of things – hypothetical security risks right now, unauthorized use of PII, attacks on systems, personal safety
- focus on privacy by design, select providers carefully, control access and monitor constantly
- how do you deliver notifications on a device with no readout?
- American Community Survey – gets response rates around 95%, because it is a government survey and because it’s mandatory; but mandatory upsets people, and voluntary would cut response rates to 50%, so we wouldn’t get data from about 40% of the country
- BYOD – bring your own device
- employees can access sensitive company data on their own device – HR, health, financial, trade secrets, client lists, confidential information, or, employees use company devices at home
- if it’s your own device, you can control it or lock it; otherwise you have no control
- you still must notify if data is breached, even though it’s not your device
- Employers could say you’re not allowed to use your own device, but this is not realistic; it’s better to have a policy
- Policy – onboarding documentation, agreements to keep data secure, remote data deletion and limits on apps, data retention, termination process, be clear on who pays for what
- Federal Trade Commission – deceptive and unfair trade practices; polices data privacy and data security
- LabMD/Wyndham Hotels cases – failed to institute reasonable and appropriate security measures; the case is under appeal, and I suspect the FTC will be allowed to police data privacy