Transparency might be the most important food group in data privacy compliance, especially with the Federal Trade Commission, Office of the New York State Attorney General and California Privacy Protection Agency focusing their enforcement on true, meaningful disclosures that people can understand.
That was just one of the lessons US-based companies and multinationals learned last week during Fox Rothschild’s annual Privacy Summit in Philadelphia.
Some other takeaways:
- You may end up on a regulator’s radar even if you think you are not. This can happen through competitor, consumer or employee complaints (40% of all data subject complaints received by the Data Protection Commission Ireland are data access requests gone wrong) or if you have a data breach.
- If you focus on the allowed restrictions regarding privacy notices or access requests rather than providing a picture of the data collection and sharing that the user can really understand, you may end up winning the battle but losing the war when the regulator gets numerous complaints about your access request responses. It is better to be more transparent up front and reduce the number of requests and the back and forth about them.
- Even once a company is on a regulator’s radar, there have been cases where the company has been found to be not liable (or at least not ordered to pay significant penalties). The key is how seriously the company took data protection, and what steps it took to set in place a privacy framework and system that works.
- Children’s information is on the radar of regulators everywhere, and it’s not just COPPA anymore. It’s also laws that apply to services that are “likely to be accessed by under 18s.” How do you know whether this is the case? Age verification tools are still being developed. When using them, you need to make sure that you don’t collect too much information (see CPPA advisory on data minimization in consumer requests).
- Even if they don’t have to, regulators read each other’s work and often share information. They also collaborate in many ways. If you see an enforcement action in another state involving a privacy law you are not subject to, you should still see what it means for your compliance going forward so you can avoid being approached by your own regulator.
Thanks to the panelists, the awesome Graham Doyle from DPC and Dona J. Fraser from BBB National Programs.