Jan 31, 2016

Safe Harbor: Coping with Uncertainty

As January comes to an end it seems that, despite best efforts on both sides to reach an agreement, negotiations for a new Safe Harbor framework will run into February. How can businesses cope with this ongoing uncertainty?

Firstly, the silence will not last long

Even if we don’t have a new framework this weekend, we will have further updates from negotiators and regulators early next week. Věra Jourová from the European Commission is scheduled to update the European Parliament on progress with the negotiations on Monday evening, in an Extraordinary Meeting of the LIBE Committee from 7-9pm CET.

On Tuesday and Wednesday the Article 29 Working Party (the European regulators) are due to meet and Safe Harbor is also top of their agenda.

While this does not necessarily mean we will have a new framework, it does mean we will have further clarity on timelines for the negotiations, and on whether the enforcement grace period will be extended or the regulators intend to start taking action.

Secondly, TRUSTe can help manage the uncertainty

TRUSTe is here to help you ensure your data transfers are compliant, whatever happens from a regulatory perspective.

Our EU Data Transfer Privacy Assessment package will enable you to stay compliant with Model Contract Clauses now, and then easily combine with or switch to Safe Harbor at the point a new framework is announced.

Our recent research found that three-quarters (78%) of companies are holding out for a new Safe Harbor framework. Half (53%) of these companies are also now using or preparing to use Model Contract Clauses, while 49% said they were looking to adopt a combined strategy going forward.

Currently Model Contract Clauses are the only way to achieve compliance. To adopt this mechanism, companies must be able to demonstrate compliance with the EU Data Protection Directive 95/46/EC, along with the additional requirements stated under the Model Contract Clauses.

Model Contract Clauses Assessment

To help companies implement and operationalize Model Contract Clauses, TRUSTe Assessment Manager includes two templates to guide you through the requirements or processes you may need to implement or update. The Model Contract Clause Assessment guides your company through an evaluation of the Controller-Processor and Controller-Controller Sets 1 & 2. The Assessment will also flag requirements companies may need to incorporate into their processes, and make recommendations for addressing those requirements.

Watch our short demo video here to learn more about the self-assessment process. Of course, if you prefer full service or have any questions, feel free to contact us directly for help at any time: Contact@truste.com

We’ll be following the Safe Harbor developments closely this week and will be sharing updates on our blog and by e-mail. Subscribe to the blog now and get in touch with your TRUSTe Account Manager to find out how TRUSTe can help you through this period of uncertainty.

Jan 28, 2016

The State of Online Privacy 2016

The TRUSTe/National Cyber Security Alliance U.S. Consumer Privacy Index reveals the extent of current consumer privacy concerns: more Americans are concerned about not knowing how the personal information collected about them online is used than about losing their principal source of income.

Released today, to coincide with the ninth Data Privacy Day (#PrivacyAware), the study found that online privacy concerns topped the loss of personal income by 11 percentage points, despite only 3 in 10 Americans understanding how companies share their personal information. The business impact of consumers’ privacy concerns remains high, with 89% avoiding companies they don’t believe protect their privacy and 74% of those who worry about their privacy having limited their online activity in the last 12 months due to their concerns.

Consumers Demand Transparency

Just 56% of Americans trust businesses with their personal information online, exposing a significant lack of trust. What can companies do to close this gap? The answer is simple – transparency.

Consumers demand transparency in exchange for trust, and want to be able to control how data is collected, used and shared, with simpler tools to help them manage their privacy online. 46% don’t feel they have control of any personal information they may have provided online, 32% think protecting personal information online is too complex, and 38% of those who worry about their privacy online say companies providing clear procedures for removing personal information would increase trust.

The Right to be Forgotten

Interestingly, given that the so-called ‘Right to be Forgotten’ for Europeans is now enshrined in the new EU General Data Protection Regulation, 60% of Americans think they also have this right. Perhaps unsurprisingly, with the terrorist attacks in Paris the month before this survey was conducted, there has been a fall in the number who think online privacy is more important than national security (38%), down seven percentage points from last year’s study. In the context of the Internet of Things, 37% think losing online privacy is a part of being more connected.

Good Privacy is Good Business

“Consumer privacy concern is real and rising, and businesses need to act now to rebuild trust with their customers before it hurts the bottom line through lost clicks, downloads and sales,” said Chris Babel, CEO of TRUSTe. “With 3 out of 4 Americans modifying their online activity last year due to privacy concerns, this research shows privacy is not just good practice, it is simply good business.”

The TRUSTe/National Cyber Security Alliance U.S. Consumer Privacy Index 2016 is based on data from an online survey conducted by Ipsos with around 1,000 US Internet users from December 17 to 22, 2015. The research was commissioned by TRUSTe and the NCSA, building on tracking studies conducted over the past six years by both organizations. Comparable research was also conducted in Great Britain.

Check out the detailed findings in the infographics for the US and Great Britain.

Jan 25, 2016

Privacy Meetup Event: Cross-Device Tracking Explained

Join the Privacy Innovation & Technology Group on Tuesday January 26th from 6-8 p.m. at the TRUSTe US offices to review and discuss cross-device tracking: the cutting-edge confluence of new information-collecting technology, “Big Data” and data broker profiling, and targeted advertising.

Although the cookie has not yet quite crumbled, cross-device tracking represents the next step in tracking and reaching consumers by enabling companies and marketers to follow users’ online activity not just across web pages within a browser, but across browsers, locations, devices and platforms.

This event, titled “Cross-Device Tracking Explained: The Technology, Consumer Pros & Cons, and Privacy Approaches to Identifying Users Across Devices and Platforms”, will be led by guest speaker Darren Abernethy, Technology and Data Privacy Attorney. The interactive discussion will address:

  • How cross-device tracking fits along a continuum that includes cookies and online behavioral advertising;
  • The different forms of cross-device tracking, including what the buzzwords “deterministic and probabilistic linking” mean;
  • The potential benefits and concerns of the practice, from enterprise and consumer privacy perspectives; and
  • Current regulatory and legal approaches, including considerations of transparency/consent, the FTC’s past enforcement in related contexts, and self-regulatory possibilities.

The schedule for the event is:

6:00PM – 6:30PM: Kick back and make nice with privacy professionals

6:30PM – 7:30PM: Cross-Device Tracking Explained – The Technology, Consumer Pros & Cons, and Privacy Approaches to Identifying Users Across Devices and Platforms

7:30PM – 8:00PM: Continued networking

Are you CIPP certified? Then attend this session to earn CPE credits from the International Association of Privacy Professionals (IAPP).

To register for the event and read more about Darren visit the Privacy Innovation & Technology’s Meetup page.

Interested but can’t attend on Tuesday? Join this Meetup group to be alerted of future events.

Jan 21, 2016

The GDPR Is Here: What’s a Privacy Pro To Do Next?

Angelique Carson, CIPP/US | Editor, Privacy Advisor, IAPP

This article was first published on the IAPP Privacy Advisor.

On December 15, the European Parliament and Council announced that, after years of negotiating, they’ve reached an agreement on a consolidated text of a brand-new General Data Protection Regulation. The Luxembourg Presidency of the Council of the European Union called it a “historic agreement,” while Green MEP and rapporteur Jan Philipp Albrecht called it a “major step forward for consumer protection and competition,” ensuring “Europe has data protection rules that are fit for purpose in the Digital Age.”

Some of the 200-page document’s major provisions: the law applies to any controller or processor of EU citizen data, regardless of controller or processor location; breach notifications for breaches involving “significant risk” for data subjects must be made within 72 hours of discovery; data protection authorities are granted more powers, including the ability to fine up to four percent of an organization’s annual revenue; many organizations will now be required to appoint a data protection officer; and data processing may only occur with explicit consent unless certain conditions exist.

For those who’ve been closely watching the various iterations of the text in the three years since draft one entered the scene, there may be few surprises, though the change in age for children’s consent to 16 was a doozy, wasn’t it? Regardless of whether you’ve been glued to the news or this is the first you’re hearing of the regulation, veterans in the field agree the time to daydream is over: the text is here, and the time to move is now.

Field Fisher’s Phil Lee, CIPP/E, said that while Parliament and the Council still have to formally adopt the text, and implementation will come two years after that, what must happen now for some companies is no small feat.

“The significant nature of the changes, from revising internal policies, procedures and notices, to appointing DPOs, to instituting data breach management notices, to revising contracts, really means that companies need to begin planning now,” he said. “With the threat of fines up to four percent of global turnover looming large, no one wants to be caught out.”

Lee said the changes will be most difficult for companies that have been outside the scope of the existing Directive. First, businesses should figure out whether they’re subject to the law at all, and then get to work remediating.

Privacy strategist Bob Siegel, CIPP/US, CIPP/C, CIPP/E, CIPM, CIPT, president of Privacy Ref, says that’s exactly what he’ll tell his clients: Get moving.

“Start looking at what the impact to business is going to be,” he said. “I think people now are going to have to realize it’s a reality and address those requirements,” he said.

What’s step one?

“The first thing I would do is to put together a cross-functional team; the privacy office, inside or outside counsel, IT and compliance [if it sits outside of those groups] to create an understanding of what the plan will be over the next 18 months to two years to begin implementing those changes,” Siegel said.

Director of TRUSTe’s consulting group, Eleanor Treharne-Jones, CIPP/E, agreed that a good place to start is to meet with the privacy management committee, if there is one, to establish the kind of initial work that should be done and who should be briefed first.

Treharne-Jones said TRUSTe’s research found 40 percent of companies would allocate budget toward the GDPR once the change had passed but before it went into effect. So for many, it may be a case of acquiring budget before making progress toward compliance.

But it’s not necessary to wait for the funds to roll in before taking steps toward compliance, Treharne-Jones said, including briefing the board and senior management. For some, it’s been a question of how to package the GDPR as a priority on C-suite agendas.

“For many people, data protection is still not high on the C-suite agenda, but there’s potential this [regulatory change] will push it there,” she said.

K Royal, CIPP/E, vice president and privacy counsel at CellTrust, said companies that may have previously thought their privacy officer a bit of a Chicken Little, worried the sky might be falling without reason to believe so, are now realizing the sky is in fact falling. While Safe Harbor’s recent invalidation may have woken up some companies that slept through warnings about regulatory changes to come, the GDPR ruling got them out of bed entirely.

“With the GDPR, it’s going to be a case of any privacy officer that has been keeping their company posted along the way is probably about to become a lot more respected and listened to,” Royal said.

But Treharne-Jones said having the respect and attention of the C-suite means your messaging has to be on point, and privacy pros “need to be careful how they go about” their messaging for implementing changes. That means having an understanding of what’s in the final draft before you go barging into the CEO’s office, as well as appointing a project owner if there isn’t one already.

“That’s one of the key things needed before you even start the budget process,” she said.

Royal agreed, saying pros must read the new text. All of it. Know the rules.

David Smith, formerly deputy commissioner of the UK’s Information Commissioner and now counsel at Allen & Overy, said the political agreement means a major milestone has been passed and the end is in sight.

“Now that the shape of the regulation is clear, it’s time for CPOs to start preparing. This includes putting in place their arrangements for compulsory breach notification both to data protection authorities and to affected individuals, carrying out privacy impact assessments and being able to account for the effectiveness of their data protection compliance programs,” Smith said.

Beyond that, Royal said three key actions will be critical to companies now, especially U.S. companies. First, she said, you must map your data.

“Where’s it coming from? Why are you collecting it?” Royal said of the questions pros must ask themselves. Next, it’s time to stop collecting data you don’t have a legitimate purpose to collect, and to stop using it for something other than what it was collected for.

“I think that’s going to have the biggest impact on U.S. companies, controlling the data,” she said. “In the U.S., we just love data. Even if we don’t know what we’re going to do with it now, we just love it. It’s like gold panning in the rivers, when you just pick out what you have and take the gold nuggets. Well, we just gotta start throwing the rest of it in the river.”

Lastly, companies are going to need to prepare by taking a look at relationships with third-party vendors and ensuring none of those relationships put you at risk of non-compliance with the rules.

Royal said she expects companies with BCRs to already be in decent standing, though they’ll need to go beyond the provisions of most BCRs to comply with the GDPR. But they likely won’t have as far to go as companies that haven’t had to reach compliance agreements with European supervisory authorities.

Siegel added that moving toward compliance with the final regulation is complicated further by the fact that the next version of Safe Harbor, the Transatlantic Data Protection Framework, is still being negotiated. “So while having this laid down is good,” he said, “there’s still a question of how to legally export data from Europe, and people are going to have to keep an eye on Safe Harbor while they’re doing this as well. They may find themselves having to pay attention to some things more than others, more than they may have had to do so six months ago.”

In any case, all agreed the time to act is the present. After all, Smith said, “The next two years will pass very quickly!”

Jan 20, 2016

Implementing the new DAA Video OBA Guidelines

Helen Huang, Senior Product Manager, TRUSTe

The DAA released Video OBA guidelines in November 2015, which apply to in-stream video ads (pre-roll, mid-roll, post-roll), in-page and in-banner ads. Unlike desktop display, video ad serving standards are fragmented, leading to more business and technical considerations for companies.

Although the new video guidelines overlap significantly with the previous desktop and mobile guidelines, here are some key highlights:

  • Implement the icon where it would least conflict with the video experience, taking into consideration the corner the icon sits in, the video coloring, and other embedded calls to action.
  • The icon should not “float” within a video ad.
  • The icon should persist throughout the video ad, but if the user suspends the video ad to engage with an interactive element, the icon doesn’t need to be in that element. However, the icon should remain or re-appear when the user returns to engage with the video ad.
  • If clicking on the icon opens an interstitial, the interstitial should cover less than 50% of the video.
  • While the (optional) interstitial is expanded, the company has the option to continue playing or to pause the video ad.
  • Finally, companies may work with publishers to place the icon adjacent to the video, for example where an icon overlay raises technical implementation issues.

Depending on where the company sits in the video ad serving chain and the creative format it has to work with, the company has a range of implementation options, including raw impression/click pixels, a Flash component, a JavaScript component, SWF files in ActionScript 2 or 3, or VAST 3.0.

Since many companies are still on VAST 2.0, it’s important to note that the DAA guidelines also recognize this as a difficulty for the industry.

“Given the diversity of video players and formats across the desktop and mobile environments, the DAA recognizes that in some cases serving a clickable Ad Marker is not possible in connection with video ads.[1] However, when serving the Ad Marker is not possible for participating companies, the examples presented in these Guidelines are intended to help such companies deliver a consistent consumer experience.”

[1] For example, video ads in VAST 2.0 format do not natively support the inclusion of a clickable Ad Marker.
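The VAST version difference described above is something a compliance team can check mechanically before a creative goes live. The following Python script is an added example, not TRUSTe’s, the DAA’s or the IAB’s code: it parses a VAST creative with the standard library, counts Linear creatives that carry a clickable `<Icon program="AdChoices">` (the VAST 3.0 Icons element), and flags a VAST 2.0 document, which has no native icon element and therefore needs the marker delivered another way. The two embedded VAST documents are constructed samples with placeholder URLs; the element and attribute names follow the IAB VAST 3.0 Icons definition.

```python
"""Check a VAST creative for a clickable DAA AdChoices icon.

Added example (not TRUSTe, DAA or IAB code). The sample VAST documents below
are constructed for illustration and use placeholder URLs.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: a VAST 3.0 pre-roll carrying an AdChoices icon in the
# top-right corner via the VAST 3.0 <Icons> element.
VAST3_WITH_ICON = """<VAST version="3.0">
  <Ad id="preroll-1"><InLine>
    <AdSystem>ExampleAdServer</AdSystem><AdTitle>Constructed pre-roll</AdTitle>
    <Creatives><Creative id="c1"><Linear>
      <Duration>00:00:15</Duration>
      <Icons>
        <Icon program="AdChoices" width="16" height="16" xPosition="right" yPosition="top">
          <StaticResource creativeType="image/png"><![CDATA[https://example.invalid/adchoices.png]]></StaticResource>
          <IconClicks>
            <IconClickThrough><![CDATA[https://example.invalid/choices]]></IconClickThrough>
          </IconClicks>
        </Icon>
      </Icons>
      <MediaFiles>
        <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://example.invalid/ad.mp4]]></MediaFile>
      </MediaFiles>
    </Linear></Creative></Creatives>
  </InLine></Ad>
</VAST>"""

# Constructed sample: the same ad in VAST 2.0, which has no native Icon element,
# so the Ad Marker must be delivered by a pixel/JS/SWF component or adjacent to the player.
VAST2_NO_ICON = """<VAST version="2.0">
  <Ad id="preroll-2"><InLine>
    <AdSystem>ExampleAdServer</AdSystem><AdTitle>Constructed pre-roll</AdTitle>
    <Creatives><Creative id="c1"><Linear>
      <Duration>00:00:15</Duration>
      <MediaFiles>
        <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://example.invalid/ad.mp4]]></MediaFile>
      </MediaFiles>
    </Linear></Creative></Creatives>
  </InLine></Ad>
</VAST>"""


@dataclass
class IconReport:
    """Result of scanning one VAST document for AdChoices icons."""
    vast_version: str
    linear_creatives: int = 0
    adchoices_icons: int = 0
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # Compliant when every Linear creative carries a clickable, renderable icon
        # and the VAST version supports icons natively.
        return not self.findings


def check_adchoices(vast_xml: str) -> IconReport:
    """Scan a VAST document and report missing or non-clickable AdChoices icons."""
    # VAST from third-party ad servers is untrusted input; in production parse it
    # with defusedxml. The standard library parser is used here so the example runs offline.
    root = ET.fromstring(vast_xml)
    version = root.get("version", "")
    report = IconReport(vast_version=version)
    if not version.startswith("3"):
        report.findings.append(
            f"VAST {version or '?'} has no native <Icons> element; the Ad Marker must be delivered another way")
    for linear in root.iter("Linear"):
        report.linear_creatives += 1
        icons = [i for i in linear.iter("Icon") if i.get("program", "").lower() == "adchoices"]
        report.adchoices_icons += len(icons)
        if not icons:
            report.findings.append("Linear creative has no AdChoices Icon")
            continue
        for icon in icons:
            if icon.find("IconClicks/IconClickThrough") is None:
                report.findings.append("AdChoices Icon is not clickable (no IconClickThrough)")
            if all(icon.find(tag) is None for tag in ("StaticResource", "IFrameResource", "HTMLResource")):
                report.findings.append("AdChoices Icon has no resource to render")
    return report


if __name__ == "__main__":
    for label, doc in (("VAST 3.0 sample", VAST3_WITH_ICON), ("VAST 2.0 sample", VAST2_NO_ICON)):
        r = check_adchoices(doc)
        print(f"{label}: version={r.vast_version} icons={r.adchoices_icons} compliant={r.compliant}")
        for f in r.findings:
            print("  -", f)
```

The check is deliberately per-creative rather than per-document: a VAST response can carry several Linear creatives, and the guideline calls for the icon to persist on each video ad, so one creative with an icon does not cover the others.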

TRUSTe has seen many businesses approach the implementation differently. Buy-side companies tend to require the icon within their contracts with the video partners they work with. This aligns with companies pushing others to include the notice where it makes most technical sense, while the industry evolves toward a standard where the implementation is scalable. Networks that have native ad servers tend to pick one of the technical implementations above and apply it across all their inventory and campaigns.

Even though the industry is working through these technical challenges, video advertising is increasing in popularity within the ecosystem across desktop, mobile and smart TV. The DAA video guidelines remind us that consumer choice needs to be offered in video, because notice and choice are important to protecting a user’s privacy regardless of format and platform.

TRUSTe has supported a video OBA solution since 2012 and is able to support all technically possible ways of integrating the icon into a video ad. If you are serving behaviorally targeted video advertising and need assistance implementing the OBA icon in your video ads, please talk to a TRUSTe representative or contact me with any questions at hhuang@truste.com

To find out more about the new video guidelines and the latest DAA developments register for our webinar “2016 DAA U.S. Update: What Recent Innovations Mean” on Thursday January 21 from 10-11am PT. You can register here.

Jan 14, 2016

How can TRUSTe help your company? Hear from our clients

We spoke to a number of our clients to find out what they thought people should know about TRUSTe. Here’s what they had to say:

“TRUSTe is more than just a seal to put on your website; [there] is real depth and breadth in [TRUSTe]’s services, and the professionals have real experience at Commerce and other agencies. I would encourage people to look at TRUSTe as a trusted advisor,” said Brian Costello, VP Information Security and ISO, Envestnet | Yodlee.

TRUSTe’s privacy innovation was a key theme for Dennis Dayman, who explained how “[TRUSTe] has transformed itself into looking at more than just that legal [website privacy policy] language. They look at your apps, mobile ads, all the new technologies out there. It is a very evolving organization and they stay up with the technologies.”

Hilary Wandall, AVP, Compliance and Chief Privacy Officer at Merck and Co., Inc., shared how they are partnering with TRUSTe “to develop what we categorize at Merck as the next generation Privacy Impact Assessment (PIA) Solution. [We] are really excited by the opportunity TRUSTe is bringing to us … a cloud-based solution for PIA where we have the potential for benchmarking as well as to be able to tailor and adjust to various different kinds of PIAs. We look at TRUSTe as a great partner to us in enabling privacy compliance within our organization.”

Clients also value TRUSTe’s ongoing privacy support and guidance, both through webinars and whitepapers and through access to experienced privacy experts. Emily Wall, Global Compliance Manager at Live Nation Entertainment, said “TRUSTe are very good at supplying us with details of the latest laws that have passed or even papers that talk about what’s coming, but then they also help us take [that] and apply it to our own business. I would recommend TRUSTe. They have been a great partner with us and excellent to go to for advice and also to help us navigate the legal world.”

Dennis Dayman concluded: “You may not have all the expertise in house but TRUSTe does.”

You can see all the video interviews here. To find out more about how we can help your company manage privacy compliance, call 1-888-878-7830 or visit http://www.truste.com

Jan 11, 2016

Majority of companies still holding out for Safe Harbor 2.0

As the EU compliance grace period ends this month, new research amongst companies that previously relied on the Safe Harbor framework shows that three-quarters (78%) are holding out for a new Safe Harbor 2.0, but many are hedging their bets and looking to a combination of solutions to ensure EU data transfer compliance in 2016. With limited time and budget and increased regulatory scrutiny as major concerns, TRUSTe announced today a new EU Data Transfer Privacy Assessment solution that provides a flexible approach to the changing compliance requirements ahead.

TRUSTe conducted research between December 15-29, 2015 with 248 US companies that had used Safe Harbor prior to the European Court of Justice (CJEU) ruling on October 6. Three-quarters (78%) of companies are continuing with Safe Harbor and preparing for the announcement of Safe Harbor 2.0. Half (53%) of these companies are also now using or preparing to use Model Contract Clauses. A quarter (24%) are now considering localized data centers in the EU, and 4% are looking to scale back their EU investment. Limited time and resources (72%), limited budget (56%) and an unclear or unwieldy assessment process (57%) are the major concerns around managing EU data transfers. Compliance is a high priority, with 87% thinking there will be increased regulatory scrutiny should a new Safe Harbor 2.0 framework be introduced.

The new TRUSTe EU Data Transfer Privacy Assessment solution uses both TRUSTe’s team of privacy experts and the SaaS-based TRUSTe Assessment Manager to help companies quickly and efficiently assess compliance against any combination of Safe Harbor and Model Contract Clauses they select. Assessment Manager helps automate the review process, providing an easy path across the different standards, enabling companies to move from Safe Harbor 1.0 to Model Contract Clauses and/or Safe Harbor 2.0 and to produce a compliance report to support their work.

For further details see EU Data Transfer Privacy Assessment Solution and for pricing call 1-888-878-7830.

For further details on the research findings and methodology, see the TRUSTe EU Data Transfer Privacy Benchmark Report.

Jan 06, 2016

January Spotlight: Data Privacy Day events, DAA Update, live demo of Assessment Manager 2.0

January 14, 10:00 – 10:30 a.m. (PT)

Live Assessment Manager DEMO

If you’re conducting privacy assessments or PIAs with spreadsheets and email, you’ve probably wondered if there’s a better, faster, and cheaper way to get the job done. Luckily, with TRUSTe Assessment Manager there is. TRUSTe Assessment Manager enables privacy professionals to efficiently assess compliance and risk for a wide variety of policies and regulations. By greatly reducing the time and effort needed for an assessment, it extends your team’s capacity to get more done.

Register here

January 21, 10-11 a.m. (PT)

Webinar: 2016 DAA U.S. Update: What Recent Innovations Mean

As you plan your advertising programs for the New Year, make sure you’re up to date with the latest innovations around video interest-based ads, cross-device and cross-app data collection. This Webinar will give you the insight you need from DAA experts on how each of these developments can and may be applied — enabling responsible data collection, trust and engagement, and a consistent privacy experience for the consumer.

Register here

January 28, 9-10 a.m. (PT)

Webinar: State of Privacy 2016 – Managing Risk, Prioritizing Investment

The pace of change for privacy teams is relentless. Whether it’s regulatory developments like the GDPR and the recent CJEU ruling on Safe Harbor, or technological changes such as the rise of ad blockers and cross-device targeting, it is hard to keep your finger on the pulse. What are the top privacy risks to prepare for in 2016? How can you assess and manage these risks effectively within your organization? This webinar, timed to coincide with Data Privacy Day, will review the key risks ahead and the investment you need for success, including the right cross-functional team, good governance practices, and the technology to ensure that all of your systems are in compliance with both laws and internal privacy guidelines.

Register here

January 28, 10.30 a.m.-2 p.m. (ET)

Data Privacy Day – The State of Privacy

Washington, DC (This event will also be viewable LIVE online)

In honor of Data Privacy Day, and in partnership with the Computers, Privacy & Data Protection Conference, NCSA will host leaders from both sides of the Atlantic to initiate a practical and solutions-focused dialogue addressing the current state and future of privacy. TRUSTe CEO Chris Babel will join speakers including European Data Protection Supervisor Giovanni Buttarelli, U.S. Federal Trade Commission (FTC) Commissioner Julie Brill, Deputy Norwegian Data Protection Commissioner Helge Veum and more. Get additional information and register here.
