Companies Must Keep Up With Evolving Privacy Concerns and Rules, Experts Say
Privacy is an ever-evolving landscape, meaning that company privacy policies, technologies and teams must be constantly updated, panelists said Wednesday during a webinar hosted by Didomi, a consent-management software vendor. With enforcement actions by regulators increasing and legislators continuing to implement new laws, companies must stay on top of the latest developments, they added.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
“Investigative sweeps can happen for various reasons,” but a common way “is that a regulator gets interested in an area,” like vehicles, for example, said Daniel Goldberg, a data strategy and privacy lawyer at Frankfurt Kurnit. “They send out a letter to various vehicle manufacturers to say, ‘Hey, we want to understand what your data practices are.’”
Another scenario "might be that a regulator walks into a large retail store and sees some issues around their loyalty program and goes, ‘Oh, wow. This is a concern, so now we're going to send letters to everybody who you know has loyalty programs in this area,’” Goldberg said. “What I've heard from regulators is that they think of themselves … also [as] consumers.”
One consumer complaint sparked the California Privacy Protection Agency’s $1.35 million settlement this week with Tractor Supply Co., noted Goldberg. “Do not underestimate” receiving “a complaint from a consumer or data subject request,” because if it goes unaddressed, “those seem to be like the highest areas that lead to an investigation or sweep.”
“Privacy isn't the same for everyone,” said Julie Rubash, chief privacy officer at Sourcepoint, a software company recently acquired by Didomi. “You can't just take an off-the-shelf solution, plug it in and expect it to work perfectly for you. It's really about what your specific data flows are, who your vendors are, how you're using the data, and you need to make sure that the way that you configure the tool is reflecting all of that and the disclosures you make.”
It's also important to remember that “all of this changes on a constant basis,” from technology to third parties to laws, she added. “It has to be something you're constantly monitoring, constantly making sure it's working as intended … and that you're making adjustments.”
Michael Hahn, Interactive Advertising Bureau general counsel, said one area that “is going to continue to grow and mature” is determining consumers' reasonable expectations regarding what data is shared. For example, in July's Healthline settlement in California (see 2507030026), the titles of articles that users were reading -- often indicating a specific health issue -- were being shared downstream with third parties, he said.
Using the data minimization provision, regulators found that it was “inconsistent with a consumer's reasonable expectations” that the title of an article would be shared, “and it was found to be unlawful on that basis,” Hahn said. This is an area “we're going to definitely need to pay very careful attention to over the next two years.”