Learning from Twitter’s Privacy Mistakes

Because of the ever-changing landscape of privacy laws, standards, and guidelines, it has become difficult for businesses to know what their obligations are, and even harder to determine what could constitute non-compliance. Fortunately, Twitter’s mistakes now provide us with an example of what a violation looks like. Twitter has been in the spotlight for a recent hack, and now the Federal Trade Commission is investigating its privacy practices regarding targeted ads.

What Led to the FTC’s Investigation at Twitter?

In October 2019, Twitter admitted to using personal data obtained for security reasons for targeted ads purposes. The company stated, “We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.”

We now know, through Twitter’s SEC filing, that the FTC began its investigation after this announcement and Twitter received a complaint on July 28, 2020. Twitter faces a fine of up to $250 million for the violation.

3 Takeaways from Twitter’s Privacy Choices

We asked our privacy experts to comment on the FTC’s investigation and they found three key takeaways for businesses looking to avoid privacy mistakes.

  1. Qualified, third-party verification of privacy practices is critical because almost every organization believes they are using personal data appropriately. Twitter does not admit to intentionally misusing personal data (i.e. using the data for a purpose other than what the data was originally collected for). Twitter says the use of the personal data collected for security purposes in advertising was “inadvertent.” This is why privacy auditing is so important. An auditor can help you verify that your business is not misusing personal data and provide that assurance as a third party.
  2. There are legal and compliant ways to use existing personal data for new purposes. Twitter could have addressed this issue by getting a second level of consent, prior to using the personal data in ads, by asking users for permission to use the personal data obtained for security purposes in targeted advertising. If you’re a Twitter user, you may have been asked about this on your account recently, because the platform is now obtaining that second level of consent – but it’s too little too late for Twitter.
  3. Voluntary privacy commitments are just as significant as legal requirements. Twitter is in the hot seat because it broke the promise it made in its own privacy commitments, not because it broke a law. You may not even be aware of it, but your business could be at risk for privacy sanctions even if there isn’t a specific law that applies to the collection and use of personal data for your industry, clients, or location. If an organization makes a promise regarding the use of personal data and breaks that promise, the FTC can fine it.

8 Elements of Privacy

As you navigate the privacy practices and obligations of your business, it is crucial to follow the industry best practices that already exist. This will empower your organization to develop appropriate processes for collection and use of personal data that are adaptable to new laws, regulation, and enforcement activity. We recommend reviewing and following the eight privacy criteria under SOC 2, stipulated by the AICPA, which are organized as follows:

  1. Notice and Communication of Objectives
  2. Choice and Consent
  3. Collection
  4. Use, Retention, and Disposal
  5. Access
  6. Disclosure and Notification
  7. Quality
  8. Monitoring and Enforcement

Could your organization unintentionally fail to meet any of these eight criteria? Twitter’s issues stem from failing to provide proper notice and communication of its objectives related to privacy, failure to obtain consent for the use of personal data for targeted advertising, improper use of personal data collected for security purposes, and potentially failing to perform proper monitoring.

At KirkpatrickPrice, we want to help your organization navigate your privacy obligations and enhance your privacy practices. We have built a team of privacy experts to perform assessments, and they are watching enforcement trends, state laws, and federal legislation closely to ensure that you protect the personal data you are responsible for. Let’s talk today!

What’s Going On With the EU-US Privacy Shield Agreement?

The Latest With Privacy Shield

On July 16, the Court of Justice of the European Union made a landmark decision to invalidate the EU-US Privacy Shield arrangement for international data transfers. Prior to this announcement, Privacy Shield was one of several mechanisms for meeting GDPR data protection requirements for data leaving the EU for the US. The Court’s decision impacts the thousands of organizations participating in and relying on Privacy Shield to facilitate international commerce.

The real contention of privacy advocates and the Court was not with Privacy Shield itself, but with the nature of US federal surveillance abilities and practices. The Court’s statement explains, “In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the EU to that third country…not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”

How Does This Impact Your Business Today?

First, data transfers between the EU and the US will still be permitted, but the invalidation of the EU-US Privacy Shield agreement will require US businesses receiving EU data to find an alternative compliance solution. Specifically, US organizations will need to use either standard contractual clauses or binding corporate rules to satisfy GDPR’s international data transfer requirements.

Second, just because Privacy Shield no longer satisfies GDPR does not mean that you can stop following Privacy Shield requirements. The Federal Trade Commission commented, “We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.”

Third, now is the time to review your contracts and the requirements you place on your processors or sub-processors. What is their plan to replace Privacy Shield? How will their plan impact you?

What Will Happen to EU-US Data Transfers in the Future?

The bottom line is that we are operating in a period of uncertainty. Fortunately, we now have a baseline for privacy best practices, but it gets complex when there are specific regulations and requirements for your business. That is why it’s crucial for your organization to continue to meet the baseline, but also to assign responsibility to someone internally to monitor new developments.

In the future, the US may create a Privacy Shield replacement. U.S. Secretary of Commerce Wilbur Ross stated, “While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-US Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.”

KirkpatrickPrice’s team of privacy experts will be closely watching new developments with Privacy Shield and other data privacy regulations. If you have concerns or questions about this update’s implication for your business or if you need GDPR compliance solutions, let’s talk.

More Privacy Resources

CCPA Roadmap for Compliance

How to Write a Privacy Policy

Trends in Privacy, Breach Notification, and Data Security Legislation

How to Write a Privacy Policy (With 3 Sample References)

The Importance of Privacy Policies in Today’s Data-Centric Landscape

It’s no secret that data is now the most valuable asset worldwide. With nearly all organizations relying on some form of data to fuel their business, consumers and policy makers have started highlighting the need for businesses to be more transparent about how they collect, use, store, and transmit data, starting with their privacy policies. Because consumers have become more interested in how their data is handled, it is essential that businesses recognize the importance of creating a robust privacy policy. So, how can they write a privacy policy? Are there any privacy policy samples to reference?

Emerging Data Privacy Laws

Across the globe, lawmakers are enforcing data privacy laws. In the United States, many state-level privacy laws have been enacted. While CCPA is the most talked about of those recently enforced, other states have made progress with enforcing their own laws, and the federal government is evaluating whether to pass a federal data privacy law. Aside from CCPA, regulations like HIPAA and GLBA require that organizations be transparent about the kind of data they’re collecting and how they’re protecting it. In Canada, PIPEDA was recently enforced, and perhaps the most infamous data privacy law of our time, GDPR, was the force that led to the data privacy law evolution.

How to Write a Privacy Policy

Because so many countries are creating and enforcing their own data privacy laws, knowing what your privacy policy needs to include can be confusing. If you’re questioning how to write a privacy policy, try using these four basic steps to get started.

  1. Identify which regulations you must comply with and any privacy commitments you make separate from regulatory requirements.
  2. Map the data you’re collecting – know how you receive it, where it is, who interacts with it, how it’s used, who you share it with, etc.
  3. Create an outline – Determine which sections you must include and which you can leave out.
  4. Use clear, easy-to-read language. Users should be able to clearly understand your processes for collecting, using, and protecting their data.

Topics to Cover in a Privacy Policy

Want to know how to write a privacy policy? Privacy policies will usually differ based on your industry, location, and applicable legal regulations. Nevertheless, there are common topics to cover in a privacy policy, including:

  • A scope of the policy
  • An introduction or description of your company
  • A list of the types of data you collect
  • A description of how you collect that data
  • A description of how you use that data (Do you share it with third parties? Do you use it for targeted marketing? Do you use it for product or service development? Do you use it to fix bugs or address data security concerns?)
  • A description of how long you will hold the data
  • A list and description of consumer rights, such as the right to opt-out and the right to deletion, and how to exercise those rights
  • Impact that consumer rights and choices will have on their ability to use services and products
  • Children’s privacy rights (Typically this addresses 13 and under)
  • A description of how updates to the privacy policy are made and how users will be notified if a change occurs
  • Ways to contact your organization

3 Privacy Policy Samples: Pros and Cons

While there are basic components that privacy policies need to address, it can still be confusing when it comes time to write the document. Let’s take a look at three privacy policy samples and evaluate what they do well and areas they can improve on.

Twitter

As one of the world’s largest and most-used social media sites, Twitter’s privacy policy is a great example of a comprehensive, yet understandable privacy policy. Using color coding, links, and highlighting, it is clearly laid out and easy to navigate. However, a major pitfall to this privacy policy is the length. Notice the scroll bar? This doesn’t make it so easy on the user to dig through and easily understand how Twitter is collecting, using, and protecting data.

Survey Monkey

Ensuring that consumers willingly give consent and opt-in to their data being collected is becoming more and more common – and required! Survey Monkey understands that, and it’s clearly demonstrated in their privacy policy. Like Twitter, they use color coding, links, and highlighting to help users navigate the policy. In addition to this, it’s brief – making the document more readable for users.

The Guardian

In many instances, organizations will be required to comply with multiple data privacy laws, like CCPA and GDPR. Sometimes, this means that businesses will need to create two separate policies; however, there are also times when it is appropriate to combine them, which is exactly what The Guardian has done.

Whether you’re just starting out developing your privacy policy, or you’re looking to revamp the one you currently have in place, KirkpatrickPrice is here to help. Still questioning how to write a privacy policy? Don’t just download some basic template online – utilize one of our experts to make sure you’re on the right track. Contact us today to get the process started.

More Privacy Policy Resources

Privacy Policies Built for GDPR Compliance

Privacy Policies Built for CCPA Compliance

Most Common Privacy Gaps

Breach Notification in New York: The SHIELD Act

On July 25, 2019, New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act which amends the state’s breach notification law in order to “impose stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach.” The breach notification amendments took effect in October 2019, while the data security requirements will take effect on March 21, 2020.

New York’s Commitment to Data Security, Privacy, and Breach Notification

As one of the technology epicenters of the world, there is a dire need for New York to position itself as a leader in data security, privacy, and breach notification. Over the last two years, we’ve seen New York make progress by placing a focus on cybersecurity via the Cyber NYC initiative and emphasizing vendor management and cybersecurity through the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies, Part 500 of Title 23 (23 NYCRR 500). But New York’s data security, privacy, and breach notification laws have still fallen short considering the type of controls needed to secure businesses and the type of data privacy laws other states are working to implement. Considering this, the most recent move by Governor Cuomo to implement the New York SHIELD Act is a clear indication that New York is committed to establishing and enforcing protective measures for New York consumers’ private information.

What is the New York SHIELD Act?

Born out of the need for stricter breach notification laws, the SHIELD Act makes it a requirement that entities who collect, handle, use, or store the personal or private information of New York residents must have robust data security measures and must report breaches within a timely manner. Ultimately, according to the New York State Senate, the SHIELD Act has three main intentions:

  1. To broaden the scope of information covered under New York’s breach notification law and update requirements
  2. To broaden the definition of a data breach
  3. To require reasonable data security, provide standards tailored to the size of a business, and provide protections from liability for certain entities

How Does the SHIELD Act Impact Your Organization?

Similar to the California Consumer Privacy Act (CCPA), the New York SHIELD Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that businesses who hold just one set of data from a New York resident or employee are subject to the requirements of the law. In other words, the SHIELD Act does not only apply to businesses who physically do business within the borders of New York – it is far-reaching and will likely have a nationwide and global impact.

How to Comply with the SHIELD Act?

The SHIELD Act requires that organizations, at a minimum, do the following:

Implement reasonable administrative safeguards

According to § 899-bb(2)(b)(ii)(A), organizations can do this by:

  • Designating one or more employees to coordinate the security program
  • Identifying reasonably foreseeable internal and external risks
  • Assessing the sufficiency of safeguards in place to control the identified risk
  • Training and managing employees in the security program practices and procedures
  • Verifying that the selection of service providers can maintain appropriate safeguards and requiring those safeguards by contract
  • Adjusting the security program in light of business changes or new circumstances

Establish reasonable technical safeguards

According to § 899-bb(2)(b)(ii)(B), organizations can do this by:

  • Assessing risks in network and software design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to attacks or system failures
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures

Create reasonable physical safeguards

According to § 899-bb(2)(b)(ii)(C), organizations can do this by:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
  • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

Cost of Non-Compliance

In today’s data-driven world, the cost of a data breach can be detrimental to a business, especially small and medium-sized businesses. If data security and privacy aren’t made a priority from the start, compliance and security issues may later be the downfall of a seemingly secure, successful company. When a data breach occurs, there are endless impacts not only to the entity that was hacked, but to vendors, partners, and most importantly, the consumers. Because Governor Cuomo understood that adequate breach notification is such a vital part of breach recovery, the SHIELD Act explains that if entities fail to comply, the New York State Attorney General can seek up to $250,000 for violations by a company.

Data breaches are a matter of when, not if, they’ll occur, which means that it is imperative that organizations have a thorough breach notification strategy in place. But more often than not, organizations fail to do this and can incur costly fines and penalties for their negligence, as with Uber’s infamous data breach cover-up. Consumers have the right to know when their personal and private information has been compromised by malicious individuals, and businesses must ensure those rights are honored. The SHIELD Act is one way New York is making sure this happens.

If your organization has to comply with the latest New York breach notification law or you’re in need of guidance for creating your own breach notification strategy, let’s find some time to talk!

More Data Security, Privacy, and Breach Notification Resources

Introducing the New York SHIELD Act

Breach Notification: Who, When, Why

Best Practices for Data Privacy

Trends in Privacy, Breach Notification, Data Security Legislation in 2019

CCPA Compliance and Your Marketing Team

CCPA Implications for Marketing

It’s no secret that digital marketing is undergoing a major transformation – one that is centered on giving consumers more autonomy over the way their personal information is collected, used, stored, sold, and transmitted. Last year, we saw how the EU’s General Data Protection Regulation changed the international landscape of marketing, and 2020 will be the year the US really feels the brunt of the data privacy revolution, starting with the California Consumer Privacy Act (CCPA). What are the implications of the latest data privacy law to go into effect? What does CCPA mean for marketing? How can marketers prepare? Let’s find out.

How Can Marketers Prepare for CCPA?

Do you market or sell your products to California residents? Even if your business is not physically located within the borders of California, you are still required to comply with the new data privacy law, as CCPA applies to any for-profit organization that meets any of the following criteria: has annual gross revenues of over $25,000,000; buys, sells, or shares the personal information of 50,000+ consumers per year; or derives 50% or more of its annual revenues from selling consumers’ personal information. This means that, for most organizations across the United States, there is an immediate tension between CCPA and their marketing activities. Because today’s digital marketing landscape depends on the collection of personal information (i.e. names, emails, birthdays, phone numbers, Social Security Numbers, etc.), marketers must make data privacy a priority. Here are some of the ways that marketers have gotten started on their CCPA compliance efforts.

  • Education: It’s hard to not see CCPA topics throughout webinars, blogs, infographics, white papers, videos, and social media. The experts are providing educational content to marketers. There’s no excuse not to learn and prepare for CCPA compliance.
  • Data Mapping: Data mapping is a critical area of data privacy. In order to ensure that the data you’ve collected is as secure as possible, you need to first know what data you’re collecting, why you’re collecting it, who interacts with the data, where it’s stored, and how it’s used, transmitted, and/or secured. Data mapping also gives you the opportunity to ensure your vendors, like email services, are also CCPA compliant.
  • Collecting Consent: When it comes to CCPA and marketing consent, entities must provide four easily accessible notices. According to the California Attorney General’s newly released regulations, organizations must provide a Notice at Collection of Personal Information, Notice of Right to Opt-Out of Sale of Personal Information, Notice of Financial Incentive, and Privacy Policy to consumers. This helps ensure that consent is affirmatively and freely given, and that consumers have been informed of their rights to access and erasure under CCPA.
  • List Cleaning: Data mapping and revising consent collection processes will help you create clean lists; however, organizations must still work through cleaning the lists that they currently use. Organizations should evaluate how the data was collected, whether consent was freely given, and whether the data is still being used and/or is necessary.

Benefits of Data Privacy and Compliance for Marketers

Although compliance may seem daunting right now, embracing data privacy regulations will prove to be fruitful for organizations in the long run. Why? Because when organizations demonstrate their compliance with data privacy laws, like CCPA, GDPR, or PIPEDA, they reap the following benefits:

  • Building customer trust is a difficult task in this day and age; digital consumers are fearful of unwanted follow-up, sales pitches, cold calls, and spam. CCPA compliance is an opportunity to present your organization as a secure and trustworthy service or source, and even has the potential to rebuild the trust that many digital consumers have lost. This trust may actually result in greater sharing of personal data.
  • Complying with CCPA pushes marketers to put the user experience first and demonstrate that you respect user preferences.
  • CCPA compliance gives marketers the opportunity to improve their data security as they engage with prospects and consumers.
  • Because email marketing strategies may need to be shifted for CCPA compliance, this gives marketers an opportunity to focus on areas that may not be so heavily impacted by GDPR, like social media, SEO strategies, and content creation.
  • CCPA compliance may bring a competitive advantage for two reasons. First, meeting CCPA compliance demonstrates to prospects and consumers that your organization prioritizes data security and user privacy. Second, once you’ve taken steps towards CCPA compliance, you can reduce the likelihood that your organization or your clients will face regulatory investigations and fines.

As a data-centric industry, marketing departments and agencies alike will have to swiftly adopt data privacy best practices, or they’ll be left in the dust. If your organization is just starting out on your CCPA compliance efforts or has questions about how your marketing practices need to evolve in order to become CCPA-compliant, contact us today to speak to one of our data privacy experts.

More CCPA Resources

5 Facts to Know About CCPA

Privacy Policies Built for CCPA Compliance

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know