Government regulation is moving towards giving consumers the right to stop companies from selling or share their personal information. How easy do companies make it for consumers to make this request—and then have it mean something? This episode contrasts two companies that take very different approaches to the question.One company makes its money through advertising, and to do that it needs to collect and share personal information of those who use its browser and other offerings. Another was fined by the California Attorney General for failing to give its visitors a choice. It now posts a clear and simple way for consumers to stop it from selling or sharing their personal information to others.Consider in Episode 116 how websites can provide consumers the right to protect their privacy and what consumers can do about it when companies make it difficult or impossible to stop them from selling or sharing their personal data.Time stamps:00:30 — Sephora’s privacy policy07:57 — Google’s privacy policy

Many of us wonder how the internet knows so much about us. We are barraged with tailored ads as we use the internet. How does this happen? How does this affect the compliance risks of businesses and the data privacy of us all?Dan Frechtling, CEO of Boltive, explores the digital advertising ecosystem in Episode 115. Explore the sub-terrain of the internet, how it creates advertising revenue that is the business model of many tech firms, how unwanted ads and mal-advertising encroach, how it affects our personal privacy, and how regulation increasingly requires businesses to offer consumers the choice of refusing the sale or sharing of their information. Learn how businesses can minimize risk and avoid compliance violations and how consumers can make privacy choices within their control.For information about inadvertent data leakage, Visit Boltive at https://www.boltive.com/ to learn more about inadvertent data leakage. Visit https://www.linkedin.com/in/frechtling/ to connect with Dan. Time Stamps:01:40 — What brought Dan into the data privacy space?07:50 — Consumer privacy concerns about digital advertising09:06 — Data privacy minimization09:42 — What Boltive does to address these issues11:13 — What is the future of the digital advertising business model?

The Data Privacy Detective welcomes Frost Brown Todd attorneys Mike Nitardy and Yugo Nagashima to cover three important developments in the world of data privacy: -Updates to the California Privacy Rights Act (“CPRA”) – highlights of final regulations just issued-FTC settlement with GoodRX - the first enforcement of the Health Breach Notification Rule – its meaning for the healthcare industry and us-European Commission’s proposed “Data Act,” which could radically change the rules of data sharing and stimulate competition in tech sector Time stamps:01:15 - California Privacy Rights Act amendments07:58 - FTC settlement with GoodRX11:55 - EU Data Act proposal

Business Email Compromise – it’s a major way that global thieves steal trillions of dollars. Bill Repasky, an attorney at Frost Brown Todd LLP, with years of experience in electronic payments and cyber-fraud defense, explains how attacks of this type occur, why they are growing, what can be done to prevent them, and what a business can do if attacked this way.Common types of Business Email Compromise attacks are what appear to be incoming customer payments, outgoing payments to suppliers of goods and services, and internal attacks (where a mal-actor takes over an employee’s email account at the business). While anti-phishing training is important, it is not enough. Businesses can minimize risk of loss by upgrading institutional defenses this podcast discusses. Tune in for a tune up on how businesses can deal with the rising global crime wave of Business Email Compromise.Time stamps:00:46 - What is Business Email Compromise?03:28 - What businesses are being targeted?05:35 - What are the common threads we see in business email attacks?08:24 - How do internal business email attacks occur?11:00 - How is public information on social media used as part of email attacks?11:38 - Key things businesses can do to prevent attacks?14:20 - What is “out-of-band” verification and how can it help prevent attacks?17:15 - What should a business do once it knows it has been attacked?

In this bonus episode, we bring you the Data Privacy Detective's guest appearance on the Privacy Week podcast's "The Privacy Panel Discussion" special.

Canada and the United States are each other’s major commercial partner. Many U.S. companies have Canadian customers and collect and process personal information about Canadians. They must therefore understand Canada’s and its provinces’ regulation of personal data privacy. The Canadian regulation of data privacy is very complex, with a maze of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws and regulations.In this conversation with Lyndsay Wasser, a Toronto-based attorney at the Canadian law firm McMillan LLP, the Data Privacy Detective asks what cross-border businesses should know about privacy and data security in Canada, as well as looming changes on the U.S.’s northern horizon.Time stamps:01:05 - What is the general state of data privacy and security law and regulation within Canada?02:33 - What does Quebec do differently?03:18 - Do foreign companies need to consider individual provincial laws in addition to the federal laws?05:27 - How is the Canadian privacy regime similar to the EU's GDPR? How is it different?07:14 - What should a US company know if it collects data from Canadian users?08:16 - How does Canada address data localization?09:43 - What does the future look like for data privacy law in Canada?13:06 - What advice would Lyndsay give on the type of guidance companies should seek regarding Canadian data privacy?

“If it’s free, then you are the product.” We carry in our pockets devices that have powerful mechanisms for collecting our information–where we go, what we buy, and even how fast we move. Every time we scroll through social media on our phones, we are submitting extremely precise data about what we might be interested in… even down to how many seconds we slow down to look at an individual post. By using these products and services, we are in effect consenting to this data collection, which comes back to us in the form of targeted advertising. But is there an alternative? What can we do if we want to use these services but don’t want to give over so much of our personal information? Ryan Patersen’s company Unplugged is betting that there are many people willing to pay more for more privacy. The products and services Unplugged offers present a fascinating test case in how much people value their privacy, and Ryan joins the Data Privacy Detective podcast to tell us all about it. Learn more about Unplugged at their website – https://www.unplugged.com/ Time stamps:01:23 – How do our devices collect data on us?03:57 – How do companies use our data?07:22 – What are the privacy risks?08:44 – What is Unplugged doing differently?14:10 – How much money is each user worth to the big tech companies as an ad delivery conduit?

Tech giants like Google, Apple, and Facebook incur huge Euro fines from European Union data privacy authorities. This is a “stick” approach, perhaps more like a “club,” of forcing EU rules upon global companies, aiming to force tech giants to change data privacy policies and practices to GDPR’s strict demands.Enter the Netherlands - with a different way of achieving changes in privacy practices through a joint approach. A January 23, 2023 New York Times article by Natasha Singer highlighted the Dutch carrot and teamwork way of getting companies to embrace EU rules without first resort to financial penalties. This podcast considers how the Dutch treatment – an audit and negotiation approach – offers a successful means of boosting personal privacy through collaborative solutions. Tune in for a refreshing example of how data privacy authorities and technology giants can work together to achieve common personal data privacy goals.New York Times article - How the Netherlands Is Taming Big Tech (Jan 18, 2023) by Natasha Singer - Link: https://www.nytimes.com/2023/01/18/technology/dutch-school-privacy-google-microsoft-zoom.htmlTime stamps:0:21 - How the Netherlands has approached GDPR compliance1:41 - GDPR fines have gotten the attention of Big Tech companies3:03 - NYT article by Natasha Singer on Dutch approach to Big Tech7:40 - The Dutch’s different approach of collaboration rather than lawsuits has been effective

If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com

William McKnight, one of the most highly published analysts in information management, offers insights into the future of how big data and artificial intelligence are changing the world. The McKnight Consulting Group is a leading data strategy and implementation firm that helps businesses solve complex problems through the use of growing personal information databases. Learn from this podcast who is watching us and how our personal data is collected, shared, and used. Discover new analytic uses by enterprises in master data management, how artificial intelligence mines our data to create a burgeoning array of products and services. Hear how AI and other critical technologies will change the world in the next ten years. And consider how this will affect our privacy and what we can do about it. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com

Data brokers acquire and sell data that includes personal location information. This exposes to others visits of women seeking pregnancy healthcare options, the church, synagogue, or mosque we attend, and other sensitive information we would prefer to be kept private. In August 2022, the U.S. Federal Trade Commission sued Kochava, an Idaho based data broker, claiming that it engages in an unfair business practice by sharing location data it gathers from data sources. Mike Swift, Chief Global Digital Risk Correspondent for MLex Market Insight, a Lexis-Nexis global news organization, discusses the lawsuit and the vital privacy interests at stake. On October 25, 2022, Kochava filed a motion to dismiss and earlier preemptively sued the FTC. Kochava aggressively argues that the FTC lacks authority to make its claims and that data brokers serve an important, positive function. The Kochava suit will test whether there is federal authority to regulate the sharing of sensitive private information through data brokers. If not, data brokers may be almost entirely unregulated, able to do virtually anything they wish with personal information we did not knowingly authorize them to obtain and sell. You’ll learn what businesses can do amidst a chaotic and evolving global legal compliance and what individuals can do to protect their sensitive personal location information. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Data breaches are now daily news, like weather reports. Podcast 101 digs beneath the headlines into what happens with data incidents that result in breaches – where our personal information goes, whether it’s ever truly recoverable, what businesses can to do to prevent and address breaches, what consumers can do about it, and how one company officer became the first U.S. person to be criminally convicted for mishandling a company’s data breach. Andy Lunsford, founder/CEO of BreachRx, offers insights and advice for what companies and individuals can do about data breaches. Companies that have a data response plan in place and test it in advance are best positioned to deal with them. The October 5, 2022 conviction of Uber’s former Chief Information Security Officer highlighted the rising risks involved for business officers charged with data breach management. Consumers can act immediately when informed that their data was breached. Despite the need for a global standard about data breach response time and other non-political aspects of cross-border data, there is none, and not even a U.S. common approach. Tune in to understand what happens when a data breach occurs and what each of us can do to respond to it. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Spell-jacking: a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening. When we use spellcheck on a website, this can send the entire form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data with Personal Identifying Information (PII) back to Google or Microsoft when users access Chrome Enhanced Spellcheck or Microsoft Edge Editor. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expressly approve and would avoid if they could. Otto-js co-founders Maggie Louie and Josh Summitt tell how this problem was discovered and share how risks can be mitigated. While legitimate enterprises have no interest in releasing PII to mal-actors, spell-jacking as such is currently unregulated or under-regulated. Learn how industry and regulators are addressing this issue – and what consumers can do about it to protect their own personal privacy. Helpful guides for developers and consumers are available on the otto-js website. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Cybersecurity Awareness Month is co-led by the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA). For more information about ways to keep you and your family safe. 1. Instagram fined 405M Euros for GDPR violations. 2. Google and Meta were fined a total of $72 million by South Korea’s Privacy and Protection Commission for tracking behavior on other sites without consumer approval, then using that data for advertising. 3. The Internal Revenue Service acknowledged Friday that it had inadvertently exposed a batch of taxpayer information linked to some non-profits and other tax-exempt organizations, following a Wall Street Journal report that said as many as 120,000 individuals may have been affected by the error. 4. While its contents might seem unremarkable for China, where facial recognition is routine and state surveillance is ubiquitous, the sheer size of the exposed database is staggering. At its peak the database held over 800 million records, representing one of the biggest known data security lapses of the year by scale, second to a massive data leak of 1 billion records from a Shanghai police database in June. In both cases, the data was likely exposed inadvertently and as a result of human error. 5. China hopes to tighten its cybersecurity laws with higher fines for some violations. If the amendments are approved, fines for critical information infrastructure operators who use products or services that have not undergone security reviews could be 5% of revenue or 10 times their cost. 5. According to Acronis, ransomware losses worldwide are expected to surpass $30 billion by the end of 2023. 6. Lloyd’s of London Ltd. has told insurers that nation-state attacks and related losses will be excluded from insurance coverage after 1Q 2023. A 2022 court ruling dashed insurers’ hopes that “cyber war” exclusions would let them avoid payment for such losses. 7. Québec’s personal information privacy act takes effect September 22, a provincial statute that supplements Canada’s federal legislation, including the term “confidentiality incidents” and addressing biometric information. 8. Euractiv reports that the EC will introduce its proposal for a Cyber Resilience Act this week. The Act will address cybersecurity issues with consumer-connected devices. 9. UK - The Telecommunications (Security) Act 2021 (Commencement) Regulations 2022 have been made. They bring the Telecommunications Security Act 2021 (TSA) into force from 1 October 2022. The Electronic Communications (Security Measures) Regulations 2022 under the TSA will come into force on the same date. 10. After TikTok allegedly violated U.K. privacy regulations, the Information Commissioner’s Office sent a notice of intent including a possible fine of £27 million. 11. California Governor Gavin Newsom has signed The California Age-Appropriate Design Code Act into law. The new legislation, signed by Newsom on September 15, 2022 and passed by the state congress in late August, will implement some of the strictest privacy requirements for children in the US, especially in relation to social media. 12. U-Haul International disclosed that it has experienced a data breach of names, drivers’ licenses/state IDs but indicated no credit card or financial information was compromised. 13. A teenage cyberattacker gained full access to Uber’s systems after impersonating an IT professional from the popular rideshare company to gain VPN access. 14. Congress is investigating Meta after The Markup discovered the tech giant’s Pixel tool gathered information on users’ private health records. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

How a California statute works in practice In August 2022, California’s Attorney General settled a case with Sephora, a beauty products company. Under the California Consumer Privacy Act (CCPA), California requires companies subject to its laws that they must provide their customers the right to stop the companies from selling their personal information to others. The privacy policy on Sephora’s website did not have such a provision. The case was settled for a $1.2 million civil penalty and an agreement to provide what the CCPA requires. Sephora promptly changed its website. But how? This podcast discusses how in this CCPA example, the consumer’s ability to exercise a legally protected right was not made clear or easy. The settlement also shows how the word “sell” itself has no settled definition. Sephora argued that it was merely “sharing” rather than “selling” its customers’ personal information to other businesses, but the attorney general disagreed. The California Privacy Rights Act (CPRA) effective in 2023 will address the “sharing” of personal information, a much broader reach than “selling.” Tune in to Episode 98 to learn how a privacy law moves from theory to practice, what it means for personal privacy rights, and how businesses that rely on data sharing and selling may not make it simple for their customers to exercise rights that a law creates. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Get an update on lawsuits launched and settled in August 2022. Consider FBI warnings about DeFi platform and CISA declarations about protecting critical infrastructure. Learn of a draft bill circulating in California about an age-appropriate code for websites. A data broker is sued by the Federal Trade Commission for selling geolocation data that can be used to track who’s visiting a women’s reproductive health center, an addiction treatment facility, and everywhere else a smartphone travels. Tune in for this September 2022 update of what’s been happening in data privacy and cybersecurity. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Data privacy and the laws that protect our personal information mostly deal with digital data and data equipment like computers and smartphones. But the Internet of Things – IoT – is meeting data infrastructure (listen to Episode 90 about the Edge for more on that). Things we don’t think of as data collectors collect our personal information and share it with others, often without our notice or consent, and sometimes in ways we do not want. Is the law ready to deal with this? Daniel Murray, an intellectual property and technology transactions attorney at Frost Brown Todd LLC join the Detective in exploring the issues. With a mishmash of state and federal rules, the U.S. lacks a comprehensive data privacy code. International laws differ greatly, some granting control to individuals over their personal data and others giving central government authorities almost total control over personal data about residents. As IoT devices, including automobiles and home furnishings, watch and record us and our visitors, the challenges to protecting privacy proliferate, and existing rules may not apply. This podcast discusses the challenges to data privacy in the IoT world, issues including interoperability, inadvertent and unconsented collection, and other questions of modern life and the future of personal data privacy. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Data localization – we’ve devoted several episodes to what countries are doing to control and restrict data flows involving their residents. What happens when there’s a war (or “military operation” if you prefer) going on? Do recent actions by the Russian government reflect a growing trend toward a splinternet, treating data as though it were national cattle being locked within a corral? Or is this more a reaction to sanctions imposed by other nations, having little do with data? This podcast considers how data localization is on the rise in democracies like Indonesia, but India’s government shelved a draft national data law that would have increased control and domestication of data after pressure and objection from its broader society. With Yugo Nagashima, a Frost Brown Todd attorney focused on international and domestic data privacy and technology, we discuss expanding fines and Russia’s seizure of Google’s Russian subsidiary’s bank account, aiming to force U.S. and other non-Russian companies to agree to Russia’s controls over data as a condition of offering services to Russians. Will the internet achieve its dream of global information flows with reasonable privacy protections, or are we headed to a splinternet, where nations control and restrict what their residents can share and receive across borders? If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

Cryptography comes from the ancient Greek word “cryptos,” meaning “hidden” or “secret.” Encryption is a cybersecurity pillar, a key defense against invasion of our privacy. But it may be underappreciated in practice. Tune in to learn about the growing need for encryption technology to combat the rising tide of cyber-attacks. A recent report by the Port of Los Angeles to the FBI indicated that it suffers from over one million cyber-attacks per day. Dan Draper, CEO and Founder of CipherStash, explains from his home in Sydney, Australia the role of cryptography in protecting sensitive personal and other information. Dan’s company provides a data storage platform for sensitive data that uses searchable encryption technology to protect against attacks. Dan discusses how encryption protects personal data and how traditional databases are vulnerable to hacking and other risks. Learn why cryptography is becoming increasingly crucial in guarding data privacy and why Dan is optimistic about the use of encryption even as the age of quantum computing dawns. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.

5G is the buzzword for the new generation of mobile networking. It brings blazing speed to digital communication. With that comes concern about the impact on our privacy. 5G speeds up data sharing – the good, the bad, the annoying, the criminal. With the emergence of the Edge linking devices and data infrastructure (DPD podcast 90), 5G shares information in virtual real-time about your health, your highway speed, your browsing and entertainment, your choices in a grocery store, and your location. In equally instant time, this data will be shared by a growing number of companies and people watching and listening to us (known and unknown), who will turn the information into benefits for themselves and risks for your privacy. National security is also at stake. Criminal elements will exploit the benefits, along with governments foreign and domestic. Explore in this episode the intersection of 5G and personal information. What does 5G mean for data privacy and what can the U.S. Government do to address the national security risks? Our tour guide is Sohan Dasgupta, former Deputy General Counsel of the U.S. Department of Homeland Security and a leading data privacy expert, an attorney with Frost Brown Todd LLC’s Washington, D.C. office. If you have ideas for more interviews or stories, please email info@thedataprivacydetective.com.