“When brands use their own data to know customers and prospects better, wonderful things start to happen. This is really about Identity – not cookies.”

“What to do:
  • Assess your current state
  • Embrace the first-party future.
  • Take ownership when it comes to identity and only allow processors (companies like identity providers or adtech partners) to access the data as needed, with strict privacy and security policies governing any sharing or access outside their firewalls.
  • Do not settle for less (than a complete customer view).
  • Prove the value.
  • Be transparent. The brand or “controller” has the greatest responsibility to protect the privacy and the rights of known customers as well as visitors. Processors should act as trusted partners and a direct extension of the brand by providing the people, processes, and technology to build and maintain highly precise and scalable real-time consumer recognition, activation, and measurement that help ensure transparency, privacy and security are held to the highest standard at every step. All this is done within the brand’s private, owned, and dedicated environment.
  • Do it now.”

Details in this MarTech Today article.

In the Connected and Automated Mobility (CAM) ecosystem, cybersecurity … should be seen as a core enabler that protects safety and provides value to products and services, and is integrated in the lifecycles of products’ and services’ activities., says the European Union’s Agency for Cybersecurity (ENISA) in a new report on the cybersecurity challenge in CAM.

Key points:
  • Raise awareness to the top management level.
  • Raise awareness throughout the organization, and especially at the right decision level.
  • Promote the integration of cybersecurity along with digital transformation at the board level.
  • Advise on fast-moving business and technology topics such as cybersecurity on a permanent basis at board level.
  • Promote procurement processes to integrate cybersecurity risk-oriented requirements.
  • Address cybersecurity skills to keep up with the creative (e.g. design thinking) skills that the company’s strategy aims to foster.
  • Define clear roles and responsibilities regarding cybersecurity.
  • Take into regard the cybersecurity needs of both business and supporting processes.
  • Define a risk management process.


“I strongly support legislation that would provide Connecticut residents with express and — frankly, overdue — privacy rights. My office has always maintained that consumers should have as much notice and control over the collection and use of their personal information as possible. Connecticut residents should be afforded the right to know, the right to correct, the right to delete and the right not to be treated differently if they exercise those rights. They should also have the power to stop businesses from selling their sensitive data,” says Connecticut Attorney General William Tong.

“There is also currently a focus on being proactive. When we are reacting, the damage has been done already — information has been compromised or a privacy violation has occurred. In our view, it is far more efficient to proactively ensure that privacy policies and practices comply with the law and are clear to consumers. We meet periodically with companies to discuss the privacy and security implications of upcoming or new products and services, and we have been able to have concerns addressed up front in a productive and cooperative fashion.”

Details from the International Association of Privacy Professionals.

“Perfect is the enemy of the good where it comes to regulation of data privacy rights,”  agree both Washington State Sen. Reuven Carlyle and California Supervising Deputy Attorney General Stacey Schesser in the International Association of Privacy Professionals panel, “State of the States.”

Per Carlyle
  • The Washington Privacy Act (WPA) is coming back next year and in the meantime will hopefully continue to inspire other states.
  • You need to figure out your focus: enforcement of the right of a particular individual or fixing systemic wrongs.
  • Private right of action calls out the balance between the risk of over enforcement and under enforcement.
Per Schesser
  • This is the “California Consumer Privacy Act” not the California Act of Businesses trying to mitigate risk, but actually pretty much doing the same thing as before.
  • The right to cure has surprisingly proven an effective tool to provide companies with clarity.
  • Dark patterns is a new area of proactive enforcement focus.
Per Colorado AG Phil Weiser:
  • You need to balance between being over prescriptive and too vague when drafting legislation.
  • The enforcement authority should have as many tools as possible, including something similar to the DOJ ‘no action letters’.

“Contrary to popular belief, data security begins with the Board of Directors, not the IT Department. A corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration.” – says the  Federal Trade Commission. in a new blog post.

  • Build a team of stakeholders from across your organization
  • Establish board-level oversight
  • Hold regular security briefings

A strong data security program should never be reduced to a “check the box” approach geared toward meeting compliance obligations and requirements.

Read the blog post.

“When it comes to data — if you can’t protect it, don’t collect it,” says Maarten Bron of Riscure.

The National Institute of Standards and Technology (NIST) has issued a report on its workshop on home IoT devices.

Key takeaways which apply to other IoT devices like connected vehicles:
  • Creating a more secure IoT ecosystem for consumer devices can benefit all manufacturers and the “common good.”
  • Manufacturers are challenged by balancing the design and functionality of consumer IoT devices against maintaining a viable cost structure for their target market.
  • Manufacturers can benefit by having a recognized business model around a “connected device lifecycle” that covers the mechanical and information technology (IT) components of a home IoT device.
  • Consumers cannot bear the sole responsibility of maintaining cybersecurity on IoT devices.
  • Software and patch updates are critical to maintaining security, but a consumer’s ability to deploy them is limited.
  • Privacy plays a role in the manufacture and consumption of home IoT devices but is not well understood by consumers, especially third-party sharing.
  • Consumer education about home IoT cybersecurity should be an ongoing, shared responsibility among stakeholders.

Read the full report.

Better (cyber)safe than sorry.

“Cybersecurity is going to be the new safety, says Ikjot Saini, PhD Saini of University of Windsor.

“Unlike other technologies with links to electronic networks such as smartphones and smart appliances, physical accidents can happen if smart automobile systems are compromised through hacking or computer viruses, and these can cause real market damage.”

Cybersecurity “has many faces in today’s automotive industry and poses significant risks if left unchecked,” says Flavio Volpe, Automotive Parts Manufacturers’​ Association (APMA) president. “Companies must safeguard their products, operations and systems no matter the type of components, parts, systems and assemblies they produce.”

The SHIELD Automotive Cybersecurity Centre of Excellence is based at the University of Windsor will work with APMA to reduce cyber-vulnerabilities within autos and their components among manufacturers, researchers and motorists – with plans to offer consultation and test services to small and medium-sized Canadian companies.

Read the full article in Ward’s Auto.

Hey voice assistant: you’ve got some complying to do.

The European Data Protection Board has issued draft guidelines on the data protection aspects of using the increasingly prevalent virtual voice assistants.

Some key points:
  • Transparency is key but is also not easy to do well: 30 pages of single-spaced privacy notice won’t cut it. Think more like dashboards and voice commands.
  • Mind your legal basis. “Necessary for contract” might work for certain things but “consent” might be more appropriate in others, especially when there is biometric data used for identification (which is Article 9 special category data).
  • Approach your data retention mindfully. It should be granular and specific for the different processing purposes.

Deeper dive in this insight article for OneTrust DataGuidance.

“Consumer data should be owned by the consumer. If we want to collect and use it for any marketing purpose, we must explain how we will do so – and obtain consent and permissions. (GDPR explains this quite nicely.)

But to get that agreement, the consumer must understand the trade-off. They need to understand what’s in it for them and see real value in the arrangement. On the whole, I’d argue we’re not yet holding up our end of the bargain,” says Robin ‘Bob’ Caller, CEO and founder of Overmore Group.

“That data is not, and never will be, ‘your’ first-party data. The customer is the first party in this transaction – you, as the marketer, are the second party.”

“As second-party data holders (i.e., you, the marketer), brands must obtain permission from the first party.”

“The path of least resistance is accepting that ‘privacy-first’ means ‘user-first.’ That needs to be buttressed by express and informed consent, an unbundling of permissions and empowering consumers to retain sovereign control over the what, as well as the why, when and how their personal data is used.

Details in this AdExchanger article.

About face.

“Obscuring your face does not hide you from facial recognition systems, researchers have found.”

“A group from the Max Planck Institute found that blurred images were still individually identifiable with just a few non-obscured images to train from. With the proliferation of images on social networks, it is possible that almost anyone’s blurred face could still be identified.”

“The researchers said only 10 fully visible examples of a person’s face were needed to identify a blurred image with 91.5% accuracy. With an average of just 1.25 tagged images, the system could still correctly identify an individual 56.8% of the time, which is 73 times higher than chance would allow.”

“The best method for staying anonymous is to post all your pictures …with a black box over your face and shoulders. The next safest would be blocking it out with a white box, then a Gaussian blur.”

Details in Wired magazine.