S3E8: 'Recent FTC Enforcement: What Privacy Engineers Need to Know' with Heidi Saas (H.T. Saas)

In this week"s episode, I am joined by Heidi Saas, a privacy lawyer with a reputation for advocating for products and services built with privacy by design and against the abuse of personal data. In our conversation, she dives into recent FTC enforcement actions, analyzing five FTC actions and some enforcement sweeps by Colorado & Connecticut. Heidi shares her insights on the effect of the FTC enforcement actions and what privacy engineers need to know, emphasizing the need for data management practices to be transparent, accountable, and based on affirmative consent. We cover the role of privacy engineers in ensuring compliance with data privacy laws; why "browsing data" is "sensitive data;" the challenges companies face regarding data deletion; and the need for clear consent mechanisms, especially with the collection and use of location data. We also discuss the need to audit the privacy posture of products and services - which includes a requirement to document who made certain decisions - and how to prioritize risk analysis to proactively address risks to privacy. Topics Covered: Heidi’s journey into privacy law and advocacy for privacy by design and defaultHow the FTC brings enforcement actions, the effect of their settlements, and why privacy engineers should pay closer attentionCase 1: FTC v. InMarket Media - Heidi explains the implication of the decision: where data that are linked to a mobile advertising identifier (MAID) or an individual"s home are not considered de-identifiedCase 2: FTC v. X-Mode Social / OutLogic - Heidi explains the implication of the decision, focused on: affirmative express consent for location data collection; definition of a "data product assessment" and audit programs; and data retention & deletion requirementsCase 3: FTC v. Avast - Heidi explains the implication of the decision: "browsing data" is considered "sensitive data"Case 4: The People (CA) v. DoorDash - Heidi explains the implications of the decision, based on CalOPPA: where companies that share personal data with one another as part of a "marketing cooperative" are, in fact, selling of dataHeidi discusses recent State Enforcement Sweeps for privacy, specifically in Colorado and Connecticut and clarity around breach reporting timelinesThe need to prioritize independent third-party audits for privacyCase 5: FTC v. Kroger - Heidi explains why the FTC"s blocking of Kroger"s merger with Albertson"s was based on antitrust and privacy harms given the sheer amount of personal data that they processTools and resources for keeping up with FTC cases and connecting with your privacy community  Guest Info: Follow Heidi on LinkedInRead (book):  "Means of Control: How the Hidden Alliance of Tech and Government is Creating a New American Surveillance State" Privado.ai Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans. TRU Staffing Partners Top privacy talent - when you need it, where you need it. Shifting Privacy Left Media Where privacy engineers gather, share, & learn Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you. Copyright © 2022 - 2024 Principled LLC. All rights reserved.