School of hard messages | Media Pyro


As always, this year's PrivacyCon featured many high-quality original studies. Hosted by the US Federal Trade Commission, the annual workshop provides a platform for privacy researchers to speak directly with FTC staff and the broader community. The seventh annual iteration of the gathering showcased work to examine whether:

One noteworthy piece of research was a network-level study of 150 of the most popular apps built for the Meta Oculus platform, mapping app data flows to privacy policies. Although the researchers found some inadequacies in the disclosure of shared personal data, I was most surprised by one finding: More than 25% of the apps examined in the study allegedly did not publish a privacy policy at all.

The idea that a public privacy policy provides a meaningful “notice” is probably a legal fiction, but it goes without saying that writing and publishing a privacy notice is also a fundamental component of any privacy program. As many have pointed out before me, privacy messaging is written more for regulators than for consumers, although great, layered messaging can also be valuable to users. Privacy policies are particularly important to regulators in regions such as the United States, where privacy is governed by consumer protection law. If you don’t make privacy promises, you can’t break them.

Back in 2000, the FTC required companies to post online privacy policies as a remedy Rennert executive actions. And since 2003, California law has required all “commercial websites or online services” to post a privacy policy. Best practices followed suit. The privacy policy is now the default place to find any mandatory or voluntary notices about the use of personal data.

However, as with many compliance goals, it is dangerous to focus on the privacy policy as an end in itself. In an authentic process, writing a privacy policy requires an organization to consider its data processing practices and purposes. If writing a privacy policy is approached as an exercise, it often creates inaccurate or insufficient information.

Platforms like Google and Apple seem to have realized that it’s not enough to require third-party developers to link to their old privacy policies. These dominant mobile app stores have implemented robust review processes and extensive developer documentation, including resources to help developers understand privacy best practices (Apple) and how to implement them (Google). Over the past year, as both platforms began implementing “food label”-style privacy notices, their policies for developers became even stricter, demanding not only a privacy policy but also standardized disclosure of information on data practices.

The evolution of these efforts demonstrates the responsibility shared by platforms to ensure a robust marketplace and use applications that meet users’ privacy expectations. We may see more convergence in the platforms’ education and compliance efforts over time.

Here’s what else I’m thinking:

  • ADPPA Episode IV: A New Hope. “My boss is committed to completing the work by the end of the year,” Timothy Kurt said on the Privacy+Security Academy stage. Kurt serves as principal counsel to the Subcommittee on Consumer Protection and Trade of the House Committee on Energy and Commerce. His boss, U.S. Rep. Cathy McMorris Rodgers, D-Washington, was a major force behind the American Privacy and Data Protection Act. The statement reflects widespread sentiment that a lame-duck session is possible after next week’s election, although passage in the Senate remains unlikely. Relatedly, in a Nov op-ed in the San Francisco Examiner, New America’s David Morar calls on Californians to stop opposing the “higher level of civil rights and privacy protections” that the ADPPA will enshrine for “hundreds of millions” of Americans.
  • The FTC continued to be aggressively active at the end of the year with another data security case. Notably, the Chegg consent order contains a requirement to adhere to a retention schedule with well-documented target constraints, as in the recent Drizly case. But unlike Drizly, Chegg is not required to publish its mandatory retention schedule or share it with the FTC. This difference may be explained by the fact that Chegg, which among other services provides students with a scholarship search feature that required the collection of sensitive information, has not been accused by the FTC of collecting more information than was necessary for its business. However, the inclusion of a purpose limitation requirement is a notable trend.
  • This week’s view from DC is a little misleading, but not unfairly so. I am actually writing to you from Seoul, Republic of Korea, where I spoke at a workshop on cross-border privacy regulations. There is still much work to be done as member countries work to transition from APEC to the CBPR Global Forum, reconstructing and modernizing the multi-level accountability system. To this end, the workshop saw many productive conversations between international regulators, accountability agents and certified companies. Note: A recent report presented by the Center for Leadership in Information Policy found a 61% overlap between the requirements of the CBPR program and the UK General Data Protection Regulation.

Under close attention

  • Advanced decision-making algorithms in Washington, DC, are the subject of a complex report from EPIC, highlighted in this Wired article.
  • The appearance of a culture of public surveillance is described in another Wired piece.
  • The practical impact of the EU’s emphasis on “digital sovereignty” is explored in a report from the European Center of the Atlantic Council.
  • An Uber policy change that allows marketers to target passengers based on destination is described in this Wall Street Journal analysis.

Future events

  • On November 8, midterm elections are held in the United States, which will determine the legislative activity of the District of Columbia for the next two years. ¡Vamos a votar!
  • On November 9 at noon EST, the FCBA Young Lawyers and Data Privacy and Security Committees are hosting a Lunch and Learn, Location Data 101 (virtual).
  • On November 10 at 5:00 PM EST, Knowledge Networks in Washington, DC, Boston, and Des Moines are hosting a panel titled 2023 Countdown: Are You Ready for CPRA and Other Privacy Law Changes? (virtual).
  • On November 10th at 5:00 PM EST, Women in Safety and Privacy is hosting a presentation on trust and security methods without regard to content (virtual).

Please send feedback, updates and confidential nutrition information to: cobun@iapp.org.


