Data Privacy Regulations For E-Commerce Platforms


Summary

Data privacy regulations for e-commerce platforms set the rules businesses must follow to protect customers’ personal information, ensuring transparency, security, and compliance with privacy laws. These measures are vital for building trust with users and meeting legal requirements in various regions.

  • Audit your platform: Regularly review and test your website’s tracking tools, cookie management systems, and data-sharing processes to ensure compliance with privacy regulations and to avoid deceptive practices.
  • Simplify opt-out processes: Make it easy for users to opt out of data sharing, ensuring their preferences are followed across all platforms and devices without unnecessary hurdles.
  • Train and inform your team: Educate employees handling personal data about privacy laws and your company’s obligations, ensuring they adhere to proper procedures for handling opt-out requests and data security.
Summarized by AI based on LinkedIn member posts
  • Odia Kagan

    CDPO, CIPP/E/US, CIPM, FIP, GDPRP, PLS, Partner, Chair of Data Privacy Compliance and International Privacy at Fox Rothschild LLP

    24,164 followers

    Even without a state privacy law - New York is coming after your website tracking (and so can other states). Key points from a new advisory by the Office of the New York State Attorney General based on an investigation of websites: As we've been telling clients - Even without a state privacy law, businesses’ privacy-related practices and statements are subject to a state's consumer protection laws that prohibit businesses from engaging in deceptive acts and practices.

    Mistakes to avoid:
    🔹 Make sure that your cookie management tool does not leave uncategorized or miscategorized tags/cookies.
    🔹 Make sure your cookie management tool works well with your tag management tool (disabling tracking in one disables the other too).
    🔹 Make sure your marketing or advertising tags work as described and DO NOT remain active even after visitors try to disable them using the sites’ privacy controls.
    🔹 Ensure even tags that are hardcoded to the website get deactivated by the cookie management tool.
    🔹 Do not rely on contract based restrictions like limited data use (LDU - Meta) or Restricted data processing (RDP - Google) in states where they don't actually work.
    🔹 Before deploying a new tag, understand what data the tag collects and how the data may be used or shared.
    🔹 Address NON cookie based sharing.

    Things to do:

    Configuration of trackers:
    🔹 Designate a qualified individual (or individuals) with appropriate training to be responsible for implementing and managing website-tracking technologies.
    🔹 Before deploying a new tag or tool, or changing how an existing tag or tool is used, take appropriate steps (including active due diligence) to identify the types of data collected and how the data will be used and shared.
    🔹 When deploying a new tag or tool, or changing use, ensure that it is appropriately categorized and configured.
    🔹 Conduct appropriate testing (regularly and following a change) to ensure that tags and tools are operating as intended.
    🔹 Conduct reviews on a regular basis to ensure tags and tools are properly configured.

    Disclosure and interface:
    🔹 Make sure that your representations on the website about privacy controls (whether express or implied through privacy controls configuration) are accurate.
    🔹 Avoid language that creates a misleading impression of how your website handles tracking and choice [Don't say "by clicking accept cookies" you accept - if the cookies deploy by default].
    🔹 Ensure the user interface is not misleading - beware of dark patterns (e.g. a faded gray color, and without any visual indication that the words could be clicked); ambiguous buttons.
    🔹 If you can agree with a single click you should be able to opt out with a single click.
    🔹 Make the interface accessible (e.g. allow navigation of privacy controls with a keyboard to tab).
    🔹 Don't use large blocks of text or complicated language.

    #dataprivacy #dataprotection #privacyFOMO https://rb.gy/bei7cu

  • Caitlin Fennessy

    VP & Chief Knowledge Officer at IAPP

    16,179 followers

    Last week, the California Privacy Protection Agency fined a retailer $345,000 for failing to effectively effectuate consumers’ opt-out preference signals to prevent the sharing of their personal information (see decision below). The remedies outlined in the settlement are a clarion call for #privacypros. In short, the CPPA says privacy tech alone is not enough, just as Teresa (T) Troester-Falk wrote in an op-ed published by the IAPP today https://lnkd.in/eNqYpD4x. The CPPA alleges that the retailer relied on third-party privacy management tools without assessing their limitations, validating their operations or monitoring their functioning. They also allege the retailer required consumers to provide too much personal information (including sensitive information) to process their opt-out requests. Privacy tech is often critical today – there are far too many consumer requests, data sources, third-party partners, and assessments to manage manually – but it is equally vital to have a knowledgeable #privacypro building and overseeing the privacy program around it. This will only get more important as AI achieves its potential and scales across society.

    So what does the CPPA settlement require specifically? Beyond correcting the alleged deficiencies, the CPPA specifically requires the retailer to:
    - “develop, implement, and maintain procedures” to identify disclosures and ensure it processes opt out requests appropriately
    - “establish and implement, and thereafter maintain policies, procedures, and technical measures designed to monitor the effectiveness and functionality” of its methods for complying with opt-out requests
    - “develop, implement, and maintain procedures to ensure that all personnel handling Personal Information are informed of the Business’ requirements under the CCPA and its implementing regulations relevant to their job functions” – i.e. conduct #privacy training
    - “maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of Personal Information”

    Lots for privacy pros to focus on as they gain efficiencies and scale with privacy and #AI governance tech.

  • Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    3,712 followers

    California's recent "do not sell" and "do not share" privacy enforcement sweep targeted streaming services, but it has relevant reminders and lessons for all companies.

    1️⃣ "Selling" isn't just trading personal data for money--it can also be sharing data with vendors to make products work or for advertising. "Sharing" encompasses many data exchanges for #DigitalAdvertising.
    2️⃣ "Selling" and "sharing" requires specific disclosures before the data is collected, including that the data will be sold or shared and opt-out process details.
    3️⃣ Opt-out processes need to be available in the context that consumers interact with the company. Different processes may be required in-app, with connected services or devices, on websites, and in physical locations.
    4️⃣ Opt-out processes need to be frictionless, with minimal steps to take.
    5️⃣ Opt-out processes need to stop the "sales" and "sharing" on a go forward basis across all methods by which the specific customer's #PersonalData is "sold" or "shared".
    6️⃣ Starting late next month, detailed regulations regarding technical and operational processes to respond to, honor, and persist preferences (including for known customers) from opt-out signals like the #GlobalPrivacyControl become enforceable. To date, these regulations have been delayed by court order.

    If your company has not looked at these issues recently, this quarter is a good time for a tune-up, especially with the California and Connecticut AG record of enforcement in this area, and the forthcoming Washington My Health My Data and #litigation risks that involves.

    Here's a tune-up action plan:
    ☑️ Validate you understand all methods used to transmit data to third parties. Consider offline sharing, server-to-server integrations, SDKs in your apps, and #pixel/tracker/cookie based sharing.
    ☑️ Confirm your process for identifying the third parties that data is disclosed to is current and working.
    ☑️ Check in that protocols for disclosing data to third parties are defined and working, including with your opt-out processes.
    ☑️ For necessary data disclosures that cannot be opted out of, test that #contracting processes are getting the necessary contract terms for sharing with those vendors and partners not to be a "sale" or "sharing" under the law.
    ☑️ Confirm your data practices align with your commitments to customers (including in privacy policies, #cookiebanners, etc.).
    ☑️ Probe that the methods in which customers provide data to your company that may be "sold" or "shared" are also contexts where they can opt-out.
    ☑️ Explore the opt-out processes offered to determine that there isn't unnecessary friction.
    ☑️ Test that your opt-out processes are working, including within the specified timelines.
    ☑️ Validate opt-out processes respond to the Global Privacy Control, adjusting as needed under privacy regulations such as to associate signals with known customer records.

    #MHMDA #privacy #privacyoperations #CCPA #donotsell
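The NY advisory post above (tags must honor opt-out, including hardcoded ones; uncategorized tags are a mistake) and the Global Privacy Control items in this post both reduce to one server-side decision that every tag emitter consults. The following is an added example, not code from either author: `resolveOptOut`, `mayFireTag`, the `sale_opt_out` cookie name and the customer record shape are hypothetical, and the request is a constructed sample.

```javascript
// Added example (not from any of the posts above). Resolves one opt-out
// decision from the signals the posts mention and gates tags on it.
// All names (resolveOptOut, mayFireTag, the cookie name, the customer
// record shape) are hypothetical; the request object is constructed.

const SHARING_CATEGORIES = new Set(["advertising", "analytics_shared"]);

// Minimal Cookie-header parser (constructed for this example).
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Combine GPC (Sec-GPC: 1), the site's own opt-out cookie, and a known
// customer's stored preference. Any opt-out wins; nothing re-enables sharing.
function resolveOptOut(req, customer) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  const gpc = headers["sec-gpc"] === "1";
  const cookieOptOut = parseCookies(headers["cookie"])["sale_opt_out"] === "1";
  const customerOptOut = Boolean(customer && customer.saleOptOut);
  const optedOut = gpc || cookieOptOut || customerOptOut;
  return {
    optedOut,
    sources: { gpc, cookie: cookieOptOut, customer: customerOptOut },
    // A fresh signal from a known customer must be written back to the
    // record so the preference persists across devices and contexts.
    persistToCustomer: Boolean(customer) && optedOut && !customerOptOut,
  };
}

// Tag gate, applied wherever a tag is emitted (so hardcoded tags are covered
// too): essential tags always fire, uncategorized tags never fire (an
// uncategorized tag is a configuration error, not a default-allow), and
// sharing tags fire only when the visitor is not opted out.
function mayFireTag(tag, decision) {
  if (tag.category === "essential") return true;
  if (!SHARING_CATEGORIES.has(tag.category)) return false;
  return !decision.optedOut;
}

// Constructed sample request: GPC set, no cookie, anonymous visitor.
const sampleReq = { headers: { "Sec-GPC": "1" } };
const sampleDecision = resolveOptOut(sampleReq, null);
```

The `persistToCustomer` flag is what a tag manager alone cannot give you: it is the hook for writing a signal received on one device back to the customer record so it is honored on the next one.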

  • Omer Tene

    Partner, Goodwin

    14,913 followers

    ✅ Starting yesterday, Europe’s Digital Services Act is fully in force. ✅ Heads up privacy lawyers: on February 17, 2024, the Digital Services Act (DSA) came into full force and effect. What does it mean for online businesses? Quite a lot actually. For an in-depth overview, don't miss this indispensable piece by Dr. Gabriela Zanfir-Fortuna and Vasileios Rovilos https://lnkd.in/eArUMvS7

    *** The DSA has been in effect since last August for a number of specifically designated “very large online platforms or search engines” (> 45 million MAUs), namely the largest tech companies.
    *** But now, it came into force for numerous other online hosting services (e.g., cloud services) and online platforms. This includes social media services, e-commerce sites, search, navigation and more. Like GDPR, DSA has broad extraterritorial reach, applying to online platforms with users in the EU. And with sanctions reaching 6% of annual global turnover, DSA has teeth. It even provides EU individuals with a private right of action! (Article 54). So if you operate an online platform with users in Europe you should immediately take steps to comply.
    *** The DSA exempts small or micro enterprises from most requirements. But the thresholds are quite low = maximum 10m euros in annual revenue or 50 employees.
    *** How does the DSA impact your business? It sets forth a plethora of transparency and accountability obligations, including appointing an EU representative, similar to Art 27 of GDPR. The main requirements for most online businesses are:

    1️⃣ DSA prohibits targeted ads based on sensitive data or based on profiling minors (meaning under 18; not COPPA’s under 13). Unlike GDPR, which allows for a consent override, DSA is framed as an absolute restriction. (DSA Articles 26(3) and 28(2).)
    2️⃣ DSA prohibits “dark patterns” in online UX. Dark patterns are already restricted by GDPR, but DSA adds additional language and heft to existing requirements (DSA Article 25).
    3️⃣ DSA requires anyone serving targeted ads and recommender systems to provide users with full transparency about why they’re seeing specific ads or content.
    4️⃣ Less privacy related, but the DSA sets forth notice-and-action mechanisms for content moderation and removal (remember DMCA?)
    5️⃣ The DSA has a special provision dedicated to online T&Cs (DSA Article 14). It requires businesses to provide users with a concise and easily accessible summary of the T&Cs in machine-readable format, and to inform them of any significant change made to the T&Cs.
