Home Data Privacy Roundup Addressing The Risky Business Of “High-Risk” Data Activities

Addressing The Risky Business Of “High-Risk” Data Activities

SHARE:
data leakage

Remember when the ad industry glommed onto the phrase “Data is the new oil”?

Well, sensitive data is crude oil, at least from the perspective of any marketer who might want to collect and use it. The process of refining crude oil is dangerous and should be conducted with extreme care.

That’s not a perfect metaphor, so sue me. Although, lawsuits are more likely to come against companies that fail to handle high-risk data properly.

Risk regs

Processing sensitive data such as biometric information, precise geolocation, children’s data and information that could reveal a person’s race, sexual orientation or health diagnosis is considered a “high risk” activity under most state privacy laws.

Some state privacy laws, including in Connecticut, Virginia and Colorado, require businesses to conduct a separate privacy impact assessment, which is like an internal audit to make sure data is being handled properly for any processing that presents a heightened privacy risk.

But, in California, the requirements are even more stringent, with two separate types of assessment: one from a cybersecurity perspective and another to determine whether the processing of personal data could present a “significant risk” of consumer harm.

“You have an obligation to do due diligence on all of your vendors above and beyond what’s in your contracts,” said Richy Glassberg, CEO and co-founder of privacy compliance tech provider SafeGuard Privacy. “And when it comes to sensitive data, you really have to do so.”

As of now, the specific requirements for how to conduct these assessments aren’t finalized, and the California Privacy Protection Agency (CPPA) hasn’t yet started its formal rulemaking process.

But it did draft cybersecurity and risk assessment regulations on its website and discussed them during its most recent board meeting in early September. The preliminary comment period closed in March, but the CPPA will collect more feedback on the drafted regs as they circulate.

It’s a long road, though.

Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Once the regs are finalized, it’ll be a year before they can be enforced, said Daniel Goldberg, chair of the privacy and data security group at Frankfurt Kurnit Klein & Selz and co-chair of its ad tech group.

Can’t be too careful

Putting aside the bureaucracy of it all, what do ad tech companies need to know about the risk assessment rules the CPPA is establishing?

The most important thing to remember, said Julie Rubash, chief privacy officer and general counsel at data privacy software company Sourcepoint, is that the requirements – while important to follow – will not be new to anyone who hasn’t been living under a rock.

The concept of conducting a risk assessment should be familiar to any company that’s been exposed to GDPR and/or has been working on compliance with certain regulations in the US, Rubash said.

“I actually think it’s going to be beneficial for companies because it helps lay a foundation for your entire privacy compliance program,” she said. “This is really something companies should be doing internally anyway, regardless of any regulation.”

stethoscope on laptopStill, businesses should always consider the nuances between different data privacy regulations, of which there are already 12 in the US alone (not counting Washington state’s My Health, My Data Act, which is specific to health-related data).

“Companies may be able to rely on impact assessments conducted pursuant to other privacy laws,” Goldberg said, “but should review the specific obligations under the draft regs to ensure compliance.”

Not that enforcers are necessarily waiting to pounce on companies that make good-faith efforts at compliance.

The California attorney general, which has been enforcing the California Consumer Privacy Act while the CPPA is drafting regs for the California Privacy Rights Act, is usually pretty fair in its dealings, Goldberg said.

“In my experience, the California AG’s office has taken action against companies based on alleged substantive violations as opposed to ‘gotcha’ technical violations,” he said, noting that both the AG and the CPPA will probably approach enforcement of the new regs in a similar way.

But we’ll only really know once enforcement of the CPRA begins in March of next year. Because past practice is not always a predictor of future behavior.

“Things could change at any time,” Goldberg said.

As always, thanks for reading! And if there’s anyone you can trust with your sensitive data, it’s Dr. Fluffy. Feel free to drop me a line with any feedback at [email protected].

Must Read

LG Electronics

Alphonso Shareholders Win Their Suit Against LG Electronics Over Corporate Board Drama

After being summarily booted from the board of LG Ads in late 2022, Alphonso’s founding team has won its lawsuit against LG Electronics.

Bye-Bye Sizmek! Amazon Advances Flashtalking And Smartly As Alternatives In Advance Of The Shutdown

According to emails seen by AdExchanger that were sent to Amazon customers this week, Amazon is officially naming integration partners to offload clients of the Sizmek ad suite, now the Amazon Ad Server.

2024 Promises More Premium Inventory – And Bigger Budgets – For In-Game Ads

Given the deprecation of third-party cookies and the reemergence of contextual targeting, 2024 could be a big year for in-game ads – so long as game publishers position themselves as a source of premium inventory.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

AdExchanger’s Top 3 Connected TV Newsletter Issues Of 2023

This was such a busy year in CTV land that we had to launch a dedicated newsletter just to keep up with all the trends, from measurement, currency, targeting and attribution to streaming data, identity, supply-path optimization and new ad formats – just to name a few.

M&A 2023: Ad Tech Deals Were Muted, But That Could Be A Mark Of Maturity

Who got bought in 2023, and who did the buying? Here’s a non-exhaustive list of some of the most notable ad tech M&A activity from this past year (with a few media and agency deals tossed in for good measure).

Comic: The Great Data Lakes

Snowflake Acquires Data Clean Room Startup Samooha

Snowflake has acquired Samooha, a startup that develops software to make clean room technology accessible to marketers who aren’t necessarily SQL wizards or data scientists.