
Creating an Effective Application Privacy Policy

From executives to software developers and database administrators, each role plays an important part in protecting privacy data. But what does an effective privacy program look like for the teams that build and operate the software applications that power your enterprise?

This webcast will describe how to build powerful policies that can be easily understood and implemented in today’s continuous delivery and DevOps approaches.

Topics include:

Privacy Concerns for Software Applications
Threats, Regulations, and Laws
Guidelines for Building Privacy Policy
Privacy Engineering Principles
Data Collection, Retention, and Consent

This Webcast is ideal for policy makers, program leads, compliance managers, and privacy officers. Development and IT Operations teams will also gain valuable insight into how to protect data throughout the entire application lifecycle.


Creating an Effective Application Privacy Policy

  2. Legal Requirements for a Privacy Policy
     • Online Privacy Act of 2003
     • FTC recently ruled that Facebook deceived users by telling them their data was private while sharing it more broadly.
     • No fine for Facebook, only required to do 3rd party reviews for 20 years
     • Still a good idea to include a Privacy Policy to inform your users what you collect and how their data is used
     • Also required by most App Stores for Mobile.
  3. Legal Requirements for a Privacy Policy
     • Required if:
       • You collect data on your users directly
       • You use 3rd parties to collect data on your users
       • Your App Store requires it (iOS, Android and Windows all do)
       • You have users in the EU (GDPR), CA (CCPA), Australia, UK, Canada, Singapore, Malaysia…
       • You collect data on children (COPPA) or minors in CA
       • You collect data on students (SOPIPA)
     • It’s a good idea anyway
       • Err on the side of caution: regulations are moving quickly to require one
       • It’s reassuring to your users
  4. Pending Privacy Legislation (as of Feb 6th)
     • New York City: requires a business to alert customers when using biometric identification technology.
     • New York State: requires businesses that retain personal user information to make details of what is held available on demand, together with details of any third party with which the data is shared.
     • North Carolina: the state Attorney General has indicated an intention to strengthen existing breach notifications, including ransomware attacks.
  5. Pending Privacy Legislation (as of Feb 6th)
     • Oregon: introduced the Health Information Property Act, which increases the protections afforded by HIPAA
     • Utah: introduced HB 57, which provides privacy for digital communications. 3rd parties wanting access would require a warrant from a judge.
     • Virginia: introduced HB 2793 requiring “care and disposal of customer records”.
     • Washington: introduced the Washington Privacy Act. Consumers will have the right to access personal data being held, can demand its deletion if it is no longer required for the purpose it was collected, restrict its use for direct marketing, and know and object to it being sold to third parties.
  6. Items to Include in a Privacy Policy
     • Speak with your legal department first
     • Gather information on:
       • Which regulations
       • Which demographics
       • Which locations
       • What data is collected
       • Which third parties
       • Duration of collection
  7. Items to Include
       1. What data will be collected – identifying or anonymous
       2. How data is collected – not too much detail
       3. How this data is shared, affiliated, or sent to other sites
       4. State that if compelled by law to disclose data, you will.
       5. Give the option of verifying, correcting, changing or removing personal registration information (required by GDPR)
       6. Provide a way for people to opt out of future communication
       7. State that the policy will be updated periodically and how you will communicate such changes
  8. Cookie Policy
     • Required by GDPR, recommended elsewhere
     • GDPR requires:
       • User consent before loading JavaScript that collects tracking data
       • Application creators to give an option to change cookie collection preferences
     • Four tiers of cookies:
       • Strictly necessary (e.g. account login related cookies)
       • Functionality (e.g. remembering users’ choices)
       • Tracking and performance (e.g. Google Analytics)
       • Targeting and advertising (e.g. Google AdSense, Google AdWords)
  9. Mobile App Privacy Policies
     What to include (similar to web):
     • Identity: who is collecting the information as well as the company’s contact details
     • Types of Data: what categories of personal data the app will collect and process
     • Reason: why data processing is necessary and for what precise purpose the collection is being performed
     • Disclosures: whether the data in question will be disclosed to third parties
     • User Rights: what rights users have, including the right to the withdrawal of consent and the deletion of data.
  10. Mobile App Store Requirements
     Required for Android apps if:
     • It uses camera/mic
     • It is designed for families/children
     Required for iOS apps if:
     • It’s made for kids
     • It offers automatically renewable in-app purchases
     • It offers free subscriptions
     • It allows for user registration
     • It accesses a user’s existing account
     • It collects user data
     • It’s otherwise required by law
  11. Notice vs. Consent
     • Notice simply notifies the user of how their data will be collected or used.
     • Consent requires the user to accept how their data is collected.
     • Difference in language and in functionality
     • You cannot load data collection code before consent if required
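The rule in slides 8 and 11 that tracking code must not load before consent, and that users must be able to change their choice later, is mechanically simple but easy to get wrong in a page that injects tags at startup. The following is an added example, not code from the webcast or from Security Innovation: the four tier names follow slide 8, while the script registry, the placeholder URLs, the consent-object shape and every function name are constructed for illustration.

```javascript
// Consent-gated loading of third-party scripts by cookie tier (added example, not from the webcast).

const TIERS = ["strictly-necessary", "functionality", "tracking-performance", "targeting-advertising"];

// Constructed registry mapping each script to the tier of cookies it sets. URLs are placeholders.
const SCRIPT_REGISTRY = [
  { name: "session-keepalive", tier: "strictly-necessary", src: "/static/session.js" },
  { name: "theme-preference", tier: "functionality", src: "/static/theme.js" },
  { name: "analytics", tier: "tracking-performance", src: "https://analytics.example/tag.js" },
  { name: "ad-tag", tier: "targeting-advertising", src: "https://ads.example/tag.js" },
];

// Privacy by default: before the banner is answered only strictly necessary scripts may run.
function defaultConsent() {
  return {
    "strictly-necessary": true,
    "functionality": false,
    "tracking-performance": false,
    "targeting-advertising": false,
    recordedAt: null, // set once the user actually makes a choice
  };
}

// Record the user's choice. Strictly necessary stays on regardless of the input, every other
// tier is opt-in, and a tier the user did not mention keeps its previous value.
function applyConsent(prev, choices, now = new Date()) {
  const next = { ...prev, recordedAt: now.toISOString() };
  for (const tier of TIERS) {
    if (tier === "strictly-necessary") continue;
    if (typeof choices[tier] === "boolean") next[tier] = choices[tier];
  }
  return next;
}

// Scripts that the current consent state allows to load.
function permittedScripts(consent, registry = SCRIPT_REGISTRY) {
  return registry.filter((s) => consent[s.tier] === true);
}

// Tiers that were on before and are off now: the application must stop collection for them
// (and clear the cookies it controls) when the user changes preferences.
function withdrawnTiers(prev, next) {
  return TIERS.filter((t) => prev[t] === true && next[t] !== true);
}

// Inject permitted scripts. `inject` is a parameter so the gating logic can be exercised in
// Node without a DOM; the names loaded are returned so the decision is auditable.
function loadPermitted(consent, registry, inject) {
  const loaded = [];
  for (const s of permittedScripts(consent, registry)) {
    inject(s);
    loaded.push(s.name);
  }
  return loaded;
}

// Browser injector: only this function touches the DOM.
function domInject(s) {
  const el = document.createElement("script");
  el.src = s.src;
  el.async = true;
  document.head.appendChild(el);
}

// In a page, nothing beyond strictly necessary loads until applyConsent has run.
if (typeof document !== "undefined") {
  loadPermitted(defaultConsent(), SCRIPT_REGISTRY, domInject);
}
```

The design point is that the tag injector is the only place that knows how to put a script on the page, and it is only ever handed the output of `permittedScripts`; there is no code path that injects a tracking tag from a hard-coded list at startup. `withdrawnTiers` is what a preference-change handler consults to stop collection for tiers the user has just switched off.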
  12. Defining a Policy Early Can Save Time
     • Defining a privacy policy early can help guide development
     • Drives Privacy by Design
     • Limited Collection, Use, Retention
       • What data do we need to collect?
       • What data do we need to store?
  13. 7 Principles of Privacy by Design
       1. Proactive & Preventative
       2. Privacy by Default
       3. Privacy Embedded into Design
       4. Full Functionality with Privacy in Mind
       5. End to End Security
       6. Visibility and Transparency
       7. Respect for Privacy
  14. Proactive & Preventative
     • Be proactive with your privacy decisions, not reactive
     • Anticipate and prevent data loss events
     • Don’t wait for an event to occur before having this conversation
     • Don’t “close the barn door after the horse has bolted”
  15. Privacy by Default
     • “Falling into a Pit of Success”
     • If a customer selects all default settings or does nothing at all they should be left in a secure state
     • If a user signs up, their data should be protected by default
  16. Privacy Embedded Into Design
     • Think about privacy early
     • Don’t try to add it on later
     • Privacy should be integral to the system without diminishing functionality
     • Integrate privacy in a holistic and creative way
     • Enable the functional goals of the application through the lens of privacy and data protection
  17. Full Functionality, Positive-Sum, Not Zero-Sum
     • Tradeoffs shouldn’t be made to accommodate privacy
     • Privacy vs. Security is a false dichotomy
     • All interests and objectives must be clearly documented
     • Find a solution that enables multi-functionality
  18. End to End Security
     • Consider security and privacy from start to finish
     • Information is secured and protected when it enters the system
     • It is retained safely
     • It is destroyed safely
     • Remember the data lifecycle: Capture, Maintenance, Synthesis, Usage, Publication, Archival, Purging
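The "retained safely, destroyed safely" steps of the lifecycle above, together with the deletion right on slide 9 and the "details of what is held" disclosure on slide 4, only happen if the application can tell, for every record, why it was collected and when it must go. The following is an added example, not code from the webcast or from Security Innovation: it enforces a retention schedule and handles a subject erasure request over a constructed inventory; the categories, retention periods, record ids, subject ids and dates are all constructed for illustration.

```javascript
// Retention enforcement over a data inventory (added example, not from the webcast).

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed retention schedule (days per data category). In practice it comes from the policy.
const RETENTION_DAYS = {
  "account-profile": 730,
  "support-ticket": 365,
  "analytics-event": 90,
};

// Constructed inventory: whom the data is about, why it was collected, and when.
const SAMPLE_RECORDS = [
  { id: "r1", subject: "u1", category: "account-profile", collectedAt: "2017-06-01T00:00:00Z" },
  { id: "r2", subject: "u2", category: "account-profile", collectedAt: "2019-03-01T00:00:00Z" },
  { id: "r3", subject: "u2", category: "analytics-event", collectedAt: "2019-09-01T00:00:00Z" },
  { id: "r4", subject: "u1", category: "analytics-event", collectedAt: "2019-12-15T00:00:00Z" },
  { id: "r5", subject: "u2", category: "support-ticket", collectedAt: "2019-05-01T00:00:00Z" },
];

// Date at which a record's retention window ends. A category with no rule is an inventory
// defect and fails loudly rather than being kept indefinitely by default.
function purgeDueAt(record) {
  const days = RETENTION_DAYS[record.category];
  if (days === undefined) throw new Error(`no retention rule for category ${record.category}`);
  return new Date(new Date(record.collectedAt).getTime() + days * DAY_MS).toISOString();
}

// A record is expired once its retention window has elapsed.
function isExpired(record, now) {
  return new Date(purgeDueAt(record)).getTime() <= now.getTime();
}

// Split the inventory into what stays and what is destroyed. The purge list carries ids only,
// so the audit trail of the purge does not itself retain the personal data.
function purgeExpired(records, now) {
  const kept = [];
  const purgedIds = [];
  for (const r of records) {
    if (isExpired(r, now)) purgedIds.push(r.id);
    else kept.push(r);
  }
  return { kept, purgedIds };
}

// Erasure request from a data subject: removes every record about them regardless of age.
function eraseSubject(records, subject) {
  const kept = records.filter((r) => r.subject !== subject);
  const erasedIds = records.filter((r) => r.subject === subject).map((r) => r.id);
  return { kept, erasedIds };
}

// Access-request view for one subject: what is held, why, and when it will be destroyed.
function holdingsFor(records, subject) {
  return records
    .filter((r) => r.subject === subject)
    .map((r) => ({ id: r.id, category: r.category, collectedAt: r.collectedAt, purgeDueAt: purgeDueAt(r) }));
}
```

Two choices matter here. The schedule is looked up by category and an unknown category throws, so a new kind of data cannot silently enter the system without a retention decision. And both `purgeExpired` and `eraseSubject` return the ids they removed rather than the records, so the log of what was destroyed does not become another copy of the data.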
  19. Visibility and Transparency
     • Allow users and other involved parties to see how information moves through the system
     • Requires accountability, openness and compliance
     • Be transparent about your system and the level of privacy and security it provides
  20. Respect for User Privacy
     • Privacy should be a #1 concern
     • Beyond compliance, privacy is a fundamental goal
     • Once data is lost it cannot be protected again
     • Like trying to put toothpaste back in the tube
  21. What’s Wrong with This? https://citibank.com/myacct/95126314/summary
  22. Security Vulnerabilities Can Lead to Privacy Policy Violations
     • Classic example of an “Insecure Direct Object Reference”
     • Also the cause of the Panera Bread data breach of 2018, where as many as 37 million customer records were exposed.
  23. Summary
     • Privacy Policies should:
       • Inform what/how data is collected and shared
       • Give the user the ability to modify their data or opt out completely
       • Include effective date and frequency of update
     • Cookie Policies are required by many other regulations
     • Depending on regulation, may require notice or consent
     • Privacy Policies should be managed and maintained by a central role in the Privacy Office
  24. Questions?
  25. Thank You!
     www.securityinnovation.com
     Everyone who attended today’s session will receive:
     • Webinar recording
     • Copy of the presentation
     Please join us February 28th for the finale of our Privacy in the SDL webinar series: Privacy: The New Software Development Dilemma
