1.
1

2.
2
Legal Requirements for a Privacy Policy
• Online Privacy Act of 2003
• FTC recently ruled that Facebook deceived
users by telling them their data was private
while sharing it more broadly.
• No fine for Facebook, only required to do 3rd
party reviews for 20 years
• Still a good idea to include a Privacy Policy to inform your users what
you collect and how their data is used
• Also required by most App Stores for Mobile.

3.
3
Legal Requirements for a Privacy Policy
• Required if:
• You collect data on your users directly
• You use 3rd parties to collect data on your users
• You are required by your App Store (iOS, Android, Windows, require)
• You have users in the EU (GDPR), CA (CCPA), Australia, UK, Canada, Singapore,
Malaysia…
• You collect data on children (COPPA) or minors in CA
• You collect data on students (SOPIPA)
• It’s a good idea anyway
• Err on the side of caution, regulations are moving quickly to require
• It’s reassuring to your users

4.
4
Pending Privacy Legislation (as of Feb 6th)
• New York City: requires a business to alert customers when using
biometric identification technology.
• New York State: require businesses that retain personal user
information to make details of what is held available on demand,
together with details of any third-party with which the data is shared.
• North Carolina: the state Attorney General has indicated an intention
to strengthen existing breach notifications, including ransomware
attacks.

5.
5
Pending Privacy Legislation (as of Feb 6th)
• Oregon: introduced the Health Information Property Act which increases
the protections afforded by HIPAA
• Utah: introduced HB 57 which provides privacy for digital communications.
3rd parties wanting access would require a warrant from a judge.
• Virginia: introduced HB 2793 requiring “care and disposal of customer
records”.
• Washington: introduced Washington Privacy Act. Consumers will have the
right to access personal data being held, can demand its deletion if it is no
longer required for the purpose it was collected, restrict its use for direct
marketing, and know and object to it being sold to third parties.

6.
6
Items to Include in a Privacy Policy
• Speak with your legal department first
• Gather information on:
• Which regulations
• Which demographics
• Which locations
• What data is collected
• Which third parties
• Duration of collection

7.
7
Items to Include
1. What data will be collected – identifying or anonymous
2. How data is collected – not too much detail
3. How this data is shared, affiliated, or sent to other sites
4. State that if compelled by law to disclose data, you will.
5. Give option of verifying, correcting, changing or removing personal
registration information (required by GDPR)
6. Provide a way for people to opt out of future communication
7. State the policy will be updated periodically and how you will
communicate such changes

8.
8
Cookie Policy
• Required by GDPR, recommended elsewhere
• GDPR requires
• User to consent before loading JavaScript to collect tracking
• Application creators to give an option to change cookie collection preferences
• Four Tiers of Cookies
• strictly necessary (ie. account login related cookies)
• functionality (ie. remembering users choices)
• tracking and performance (ie. Google Analytics)
• targeting and advertising (ie. Google AdSense, Google AdWords)

9.
9
Mobile App Privacy Polices
What to include (similar to web)
• Identity: who is collecting the information as well as the company’s contact
details
• Types of Data: what categories of personal data the app will collect and
process
• Reason: why data processing is necessary and for what precise purpose the
collection is being performed
• Disclosures: whether the data in question will be disclosed to third parties
• User Rights: what rights users have including the right to the withdrawal of
consent and the deletion of data.

10.
10
Mobile App Store Requirements
Required for Android Apps
• It uses camera/mic
• Is designed for families/children
Required for iOS if
• It’s made for kids
• It offers automatically renewable in-app purchases
• It offers free subscriptions
• It allows for user registration
• It accesses a user’s existing account
• It collects user data
• It’s otherwise required by law

11.
11
Notice vs. Consent
• Notice simply notifies the user of how their data will be collected or
used.
• Consent requires the user to accept how their data is collected.
• Difference in language and in functionality
• You cannot load data collection code before consent if required

12.
12
Defining a Policy Early Can Save Time
• Defining a privacy policy early can help guide development
• Drives Privacy by Design
• Limited Collection, Use, Retention
• What data do we need to collect?
• What data do we need to store?

13.
13
7 Principles of Privacy by Design
1. Proactive & Preventative
2. Privacy by Default
3. Privacy Embedded into Design
4. Full Functionality with Privacy in Mind
5. End to End Security
6. Visibility and Transparency
7. Respect for Privacy

14.
14
Proactive & Preventative
• Be Proactive with your privacy decisions, not reactive
• Anticipate and prevent data loss events
• Don’t wait for an event to occur before having this conversation
• Don’t “close the barn door after the
horse has bolted”

15.
15
Privacy by Default
• “Falling into a Pit of Success”
• If a customer selects all default
settings or does nothing at all they
should be left in a secure state
• If a user signs up, their data should be protected by default

16.
16
Privacy Embedded Into Design
• Think about privacy early
• Don’t try to add it on later
• Privacy should be integral to the system without diminishing
functionality
• Integrate privacy in a holistic and creative way
• Enable the functional goals of the application through the lens of
privacy and data protection

17.
17
Full Functionality, Positive-Sum, Not Zero-Sum
• Tradeoffs shouldn’t be made to accommodate privacy
• Privacy vs. Security is a false dichotomy
• All interests and objectives must be clearly documented
• Find a solution that enables multi-functionality

18.
18
End to End Security
• Consider security and privacy from start to finish
• Information is secured and protected when it
enters into the system
• It is retained safely
• It is destroyed safely
• Remember the data lifecycle
Capture
Maintenance
Synthesis
UsagePublication
Archival
Purging

19.
19
Visibility and Transparency
• Allow users and other involved parties to see how information moves
through the system
• Requires accountability, openness and compliance
• Be transparent about your system and the level of privacy and
security is provides

20.
20
Respect for User Privacy
• Privacy should be a #1 concern
• Beyond compliance, privacy is a fundamental goal
• Once data is lost it cannot be protected again
• Like trying to put toothpaste back in the tube

21.
21
What’s Wrong with This?
https://citibank.com/myacct/95126314/summary

22.
22
Security Vulnerabilities Can Lead to Privacy Policy
Violations
• Classic example of an “Insecure Direct Object Reference”
• Also the cause for the Panera Bread data breach of 2018 where
as many as 37 million customer records were exposed.

23.
23
Summary
• Privacy Policies should:
• Inform what/how data is collected and shared
• Give the user the ability to modify their data or opt out completely
• Include effective date and frequency of update
• Cookie Policies are required for many other regulations
• Depending on regulation may require notice or consent
• Privacy Policies should be managed and maintained by a central role
in the Privacy Office

24.
24
Questions?

25.
25
Thank You!
www.securityinnovation.com
Everyone who attended today’s session will receive:
• Webinar recording
• Copy of the presentation
Please join us February 28th for the finale of our Privacy in the SDL
webinar series: Privacy: The New Software Development Dilemma