Enterprise-level technology companies are becoming more innovative with the privacy solutions they adopt in an effort to meet customer expectations and legal compliance goals. HP's Privacy Engineering Center of Excellence seeks to be a leading example of a cutting-edge privacy-enhancing solution. The team running HP's program seeks to establish new company standards across business units to build a transparent user privacy experience for products and services. The key to establishing desired st... Read More

Regulations and policies alone won’t get us to a world that effectively respects privacy. To get there, we need multiple things: (1) systems we can trust to robustly implement policy, (2) technology that enables better choices than the ones we have today and (3) a deep understanding of the wide spectrum of humans who interact with our systems. In short, we need privacy engineering. Organizations’ understanding of privacy engineering and their need for it is evolving rapidly alongside new techno... Read More

When a user is taking an action, they need to know who, what and where. But what happens once they’ve taken that action? When a user shares something with another user, like a photo or a document, they need to know who, why and how to make it stop. First, let me differentiate sharing and sending. Sending is when someone transmits data to another entity and that data passes into the possession of that entity. For example, if you were to send me an email, that email goes into my inbox. You can’t ... Read More

An unprecedented shakeup in the advertising technology space has arrived in Europe. Changes are coming to adtech's approach to privacy and consent around personalized advertising after the European Data Protection Board issued an urgent binding decision to ban Meta's data processing for behavioral advertising. The EDPB decision applies to Meta's Facebook and Instagram users across EU member states and European Economic Area countries. It stems from a request from Norway's data protection author... Read More

Privacy technology is undergoing a radical transformation and many exciting technologies are available to help companies create better privacy programs and do right by their customers. Data is at the heart of privacy. If we simplify privacy, the top-level questions to ask should be: What type of data is processed; what or who is processing that data; and why is an entity processing it? Enterprise platforms generate data at record speed and if a privacy team even attempts to answer these three ... Read More

Features designed to improve privacy and protect children in online services, apps and networked devices also make it easier for abusers to maintain control in abusive relationships.  "Ever since caller ID and GPS became part of our lives, we've known that digital technologies can be used by abusers to harm or track their victims, and that's only become more complicated and more prevalent as technology has," Clinic to End Tech Abuse Director of Operations Lana Ramjit told an audience of cyberse... Read More

Spain's data protection authority, the Agencia Española de Protección de Datos, published guidance on the use of privacy-enhancing technologies in data systems, noting they can be used to implement governance policies, and increase trust and data sovereignty. "PETs can be, and should be, 'dual-use' technologies to be efficient and effective, integrated in the core of the Data Spaces, fulfilling different purposes in the data-access sharing economy," the AEPD said. Full story... Read More

A report by the American Civil Liberties Union examines the education technology surveillance industry and its potentially harmful impact on students. The ACLU said the report found companies are "using fear-based tactics to sell surveillance products that not only fail to keep our kids safe but actually increase discrimination, invade students' privacy, and erode trust between students and educators."Full story... Read More

For privacy professionals to appropriately serve their organizations, they often delve into obscure, unexpected functional rabbit holes. One rabbit hole is the current conflicted dynamic between information technology asset management and IT asset disposition, which hides ongoing regulatory noncompliance and results in a growing and unsustainable risk.  The ITAM/ITAD status quo Modern organizations are brimming with IT assets that require management. Organizations batch this into two big bucke... Read More

Following the passage of several U.S. comprehensive state privacy laws in the last year, the Interactive Advertising Bureau gauged advertisers on their ability and preparedness to comply with incoming statutes. In an interview with MediaPost, IAB Executive Vice President and General Counsel Michael Hahn and Assistant General Counsel Tony Ficarrotta said survey results issued to both sell-side advertisers and buy-side advertisement technology companies showed almost half of respondents "do not fe... Read More

Like most of the "free" internet, online social media is funded through online advertising tailored to individual users' behavior and interests. The Court of Justice in the European Union decision in Case C-252/21 relates to one such platform, Meta, regarding its online social network, Facebook. The case is noteworthy for the advertising industry because it involves a competition authority determining data protection issues and calls into question whether platforms can carry out personalized adv... Read More

How data moves so quickly between clouds, data centers and jurisdictions is abundantly clear. One of privacy professionals' tasks is to consider the current progress of the technology. In this data-driven economy, privacy pros, architects, data scientists, engineers, researchers, regulators and industry groups should focus their attention on technologies that protect privacy and support security principles without losing the utility and functionality of the data: so-called privacy-enhancing tec... Read More

Over the last few weeks, it has been nearly impossible to avoid news relating to the explosion of generative artificial intelligence, like Google's Bard or OpenAI's ChatGPT. Through it all, many in the privacy community have questioned what role privacy professionals should play in the governance of AI. How do we explain in a privacy notice how AI collects and uses personal information? How do we modify data protection impact assessments to adequately assess AI models? How can we "untrain" an AI... Read More

Privacy professionals are witnessing a revolution in privacy technology. The emergence and maturing of new privacy-enhancing technologies that allow for data use and collaboration without sharing plain text data or sending data to a central location are part of this revolution. The United Nations, the Organisation for Economic Co-operation and Development, the U.S. White House, the European Union Agency for Cybersecurity, the UK Royal Society, and Singapore’s media and privacy authorities all r... Read More

Launched in November 2022, OpenAI’s chatbot, ChatGPT, took the world by storm almost overnight. It brought a new technology term into the mainstream: generative artificial intelligence. Generative AI describes algorithms that can create new content such as essays, images and videos from text prompts, autocomplete computer code, or analyze sentiment. Many may not be familiar with the concept of generative AI; however, it is not a new technology. Generative adversarial networks — one type of gene... Read More

Firefox Android launched its "Total Cookie Protection," which reportedly stops cookies from tracking users as they navigate from website to website, according to a company blog post. Total Cookie Protection maintains separate "cookie jars" that isolate cookies embedded to that webpage alone and do not allow other websites to access data collected from a given user. Full Story... Read More

As privacy concerns become top-of-mind for web developers and systems engineers around the world, privacy standardization efforts become more important. The World Wide Web Consortium and the Institute of Electrical and Electronics Engineers are leaders in this domain, assisting privacy professionals by drafting standards and other reference material to ensure compliance with global privacy regulations and advocating for privacy best practices. Parts one and two of this article series explore oth... Read More

Artificial intelligence applications, such as language translation, voice recognition and text prediction apps, typically require large-scale data sets to train high-performance machine learning models such as deep neural networks. There can be challenges when the data needed to train the model is personal or proprietary. How can ML algorithms be trained on multiple data sets when, potentially, those data sets cannot be shared? With its capability to train algorithms on various data sets without... Read More

With the EU elections in May 2024 fast approaching, policymakers in Brussels are scrambling to close open files, plan their next move and set the groundwork for the upcoming mandate. At this stage of the legislative cycle, the European Commission assigns external studies that provide significant indicators of its future areas of interest. Online advertising seems to have caught the regulators’ attention in the digital domain. The appetite to regulate this sector became evident during negotiatio... Read More

Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside Health Insurance Portability and Accountability Act and other legislative protections. Around the world, leading neuroscientists, neuroethicists, privacy advocates and legal minds are taking greater interest in brain data and its potential. Opinions vary widely on the long-term advancements in technology designed to measure... Read More

The prospect of day-to-day life with artificial intelligence is no longer a future endeavor. AI systems comprise countless applications across public and private organizations, and through open-source systems such as ChatGPT, AI is now consumer-facing and usable. The U.S. National Institute of Standards and Technology was directed by the National Artificial Intelligence Initiative Act of 2020 to create a voluntary resource for organizations designing, developing, deploying or using AI systems t... Read More

The U.S. took a big step in the development of a national artificial intelligence strategy with the release of the U.S. Department of Commerce National Institute of Standards and Technology’s Artificial Intelligence Risk Management Framework 1.0, Jan. 26. Required under the National AI Act of 2020, the framework is the product of 15 months of work by NIST scientists who compiled public comments from more than 240 AI stakeholders through multiple listening sessions and workshops, while producing... Read More

Business goals and competition are pushing advertisers, publishers and retailers to get creative with user outreach and engagement. Personal data collection and user tracking are paramount to these efforts, but doing so with regulatory compliance and user trust is proving more difficult as time goes on. Challenges include the anticipated deprecation of third-party cookies, use of Apple's App Tracking Transparency framework and increased regulation of targeted advertising in the EU and at the st... Read More

The Irish Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram, fining the company a total of 390 million euros and potentially leading to an upheaval of its personalized advertising model in the EU. The DPC announced Meta’s basis for seeking user permission to collect data for personalized advertising, used by its Facebook and Instagram platforms, is invalid and gave the company three months to bring its data processing operations into complian... Read More

A recent statement from Italy’s data protection authority, the Garante, opens a new chapter in the never-ending story of profiling cookies. In order to understand the weight of the Garante's words, we must look back to June 10, 2021, when the DPA issued a new set of cookie guidelines and changed the rules for online behavioral advertising in Italy. The Garante mandated website operators to show a cookie banner as soon as a user accesses the website and present a user-friendly option to express ... Read More

Cities around the world are getting smarter. For municipalities, becoming a smart city requires utilizing numerous data sets containing residents’ and visitors’ personal information in order to provide better services. However, municipal IT systems are often targets for cyberattacks. Compounding the issue are some cities that may have outdated cybersecurity infrastructure safeguarding personal data. In Canada, a new effort was launched to help cities transition from using personal data to usi... Read More

International data transfer regulation is rooted in heavy manual processes and paperwork. It impacts business decisions and leaves room for risk. Legal and regulatory teams have to jump through a host of complexities — requiring the assessment of specific circumstances of data transfers like relevant country laws and practices and any additional contractual, technical or organizational safeguards. As tedious as international data transfers may be, they are an essential pillar for global economi... Read More

Two recently settled enforcement actions by the U.S. Federal Trade Commission, combined with new guidance from the Cybersecurity and Infrastructure Security Agency, represent a big leap forward in the expectations placed on data custodians for use of multifactor authentication. Read together, they require privacy and information security professionals to reassess their organizations’ approaches to controlling employee, contractor and affiliate access to enterprise systems that contain personal i... Read More

In October 2020, the Global Privacy Control was created to allow consumers to exercise their privacy rights with the click of a mouse. This January, the team behind the GPC announced a major milestone through the GPC's adoption by major publishers and consent management platforms. Despite this, the GPC only recently gained wider traction with the privacy and compliance communities after California Attorney General Rob Bonta announced a $1.2 million settlement with cosmetic retailer Sephora for v... Read More

As privacy concerns mount — both cyber threats and legal requirements — a clear, formal, standard model of data components and their history has become necessary. Here, we introduce the concept of the data bill of materials or personal data bill of materials, a comprehensive inventory of personal data used in software systems. The DBoM records the ownership, sharing history, storage and collection purpose of a unit of data. The purpose of a DBoM is to identify personal data as an asset and an e... Read More

On Tuesday, June 14, the U.S. House Committee on Energy and Commerce held a hearing on the American Data Privacy and Protection Act discussion draft — a leading contender for a comprehensive federal privacy framework. The famed sticking points of individual redress mechanisms, preemption of state laws and the role of the U.S. Federal Trade Commission — the law’s likely federal enforcer — were among the slew of debated aspects. However, the cybersecurity provisions and data security requirements ... Read More

Standards and frameworks provide real benefits for privacy management. Standards are established norms to be applied consistently across organizations, while frameworks are a set of basic guidelines to be adapted to an organization's needs. Both can help to fulfill compliance obligations, build trust, benchmark against industry best practices, support strategic planning and evaluation, enable global interoperability, and strengthen an organization's market position. Just as in information secur... Read More

What if there was a formula describing the best methods, techniques and guidelines for privacy? In the face of rapid evolution of information technology and regulations for privacy and data protection, working along the lines of clearly defined controls, concepts and principles is a necessity to tackle the complexity of this constant change. A pathway to best privacy practices In the domain of information and communication technology, the International Organization for Standardization provides... Read More

In Connecticut and Virginia, the new consumer privacy laws that comprehensively adopt the fair information practice principles, including data security, have left large swaths of data exempt from any cybersecurity requirements. States using the same consumer privacy template as Connecticut and Virginia should consider the exceptions language very carefully lest, while advancing consumer rights, they actually fall behind other states in protecting cybersecurity. Section 6(3) of the Connecticut l... Read More

The concept of privacy and data protection by design is not new in the privacy world. We know privacy should be integrated in the foundational design of a product or service; that is should be baked in, not bolted on. But what that means in practice is often elusive. In 2018, Enterprivacy Consulting Group founder R. Jason Cronk, CIPP/US, CIPM, CIPT, FIP, wrote the book "Strategic Privacy by Design," which was published by the IAPP. In it, Cronk offered insights for building processes, products a... Read More

Many U.S. states have launched mobile driver’s license pilots and conducted legislative studies, with some states nearing full-scale mDL production. An enormous benefit of providing the option of an mDL is that the mDL application can give citizens greater control over their personal data than physical cards. We’ve grown used to the privacy holes that our physical ID documents leave, but the potential of the electronic versions raises legitimate concerns about whether mDLs are in the best intere... Read More

The French government published Decree No. 2021-1306 Oct. 7, 2021, concerning the implementation of measures to protect minors from accessing sites broadcasting adult content. This allows us to take a closer look at the implementation of technical processes to check the age of users online. At the European Union level, the Audiovisual Media Services Directive requires the adoption of appropriate measures to protect children from harmful content, including age verification. In addition, Article ... Read More

“Privacy by design” implies putting privacy into practice in system architectures and software development from the very beginning and throughout the system lifecycle. It is required by the EU General Data Protection Regulation in Article 25. In the U.S., the Federal Trade Commission included an entire section on privacy by design in its 2012 report on recommendations for businesses and policymakers. Privacy by design is also covered by India’s PDP Bill and by Australia’s Privacy Management Fram... Read More