What do data privacy and protection have in common with prostate health?
More than you’d think.
Developing and managing a robust privacy program isn’t easy. But it’s better than getting fined by regulators, paying restitution, suddenly having to change one’s business model or delete algorithms developed using improperly collected data.
Prevention is the best cure.
“It’s no longer the time to hold your breath and hope everything will turn out all right,” said Jamie Barnard, CEO of privacy compliance software startup Compliant, during a virtual presentation last week about COPPA, child safety and the recent Adalytics reports.
“Forgive the analogy, but it’s like refusing to get your prostate checked,” Barnard said. “The experience probably brings tears to your eyes … but the problem won’t go away, and the longer you leave it, the worse it’s gonna get.”
The cure (not to be confused with The Cure)
And you don’t always get a do-over.
Yes, most privacy laws coming into effect in the US include cure provisions that give businesses a period of time – often 30 days but sometimes up to 90 days, depending on the statute – to deal with any alleged violations before facing penalties.
But that’s not the case everywhere.
There is no cure period under GDPR, for example. And the California Privacy Rights Act eliminated the 30-day cure window previously available under the California Privacy Protection Act, leaving it up to the California Privacy Protection Agency and the state’s attorney general to decide if businesses should be given an opportunity to fix the situation before getting hit with a fine or some other form of punishment.
Meanwhile, federal regulators are getting creative with their remedies.
If you’ve gots the poison, I’ve gots the remedy
Last year, the Federal Trade Commission ordered WW International (formerly Weight Watchers) to destroy any algorithms and AI models it had created that incorporated data gathered by Kurbo, its weight-loss app geared toward kids.
The FTC found that WW had collected data from children via Kurbo without parental consent, which is a violation of the Children’s Online Privacy Protection Act.
As part of its settlement, WW had to pay $1.5 million, but it was the algorithmic destruction, also known as disgorgement, that no doubt stung the most. (“Disgorgement” is the legal term for requiring a party to give up any profits they made as a result of wrongdoing or illegal activity.)
That’s what happens to tainted fruit, though. You’ve got to throw it away.
Algorithms trained on ill-gotten data simply “shouldn’t exist,” said Heidi Saas, a data privacy and technology attorney.
Not that perfect compliance is even possible.
Any business that thinks its data store is completely clean is “probably slightly deluded,” said Barnard, who spent more than 15 years at Unilever – including as general counsel for global marketing, media and ecommerce – before joining Compliant last year.
“The challenges of compliance are so difficult that there’s almost certainly a bunch of data in there that shouldn’t be,” Barnard said. “As a former lawyer, what I’m about to say might come as a surprise, but, frankly, unless you’re about to sink, I wouldn’t spend too much time bailing water out of the boat; I’d spend all my time trying to fix the leak.”
In other words, you can’t guarantee that you won’t develop prostate problems, but there are things you can do to bolster your general health. Perfect is the enemy of good. Oh, and don’t skip your physicals. That’s just good advice in general.
(Unrelated: Who wants to start a metal band with me called “Algorithmic Destruction”?)
As always, thanks for reading! Drop me a line at [email protected] to let me know what you think. Thanks, as well, for listening to our podcasts. We have two: The Big Story and AdExchanger Talks. Check them out if you’re in the mood. 🙂👂 And if you’re looking for more podcast recommendations, might I suggest this one.