An antivirus is a tool that performs frequent checks on your device to rid your system of viruses, malware, and spyware. It is considered a tool that every cyber security-aware user should possess. However, considering the ever-evolving digital threats we face everyday, this cannot be the sole security software you have on your devices.
Facial recognition technology has undoubtedly brought convenience to our daily life. However, facial recognition protests have also been ignited. The clamors were for the right to remain anonymous in crowds and the freedom to protest without individuals being flagged or tracked down. For the government, it was a matter of surveillance for state security.
Use Cases of Facial Recognition
It is very apparent that the biometric application used to identify or verify an individual’s identity using their face has become rather commonplace in our daily activities. On social media, this technology is used for tagging people in photos and in mobile devices, a form of security. In countries like China and USA, some airports use this technology to check people in and to monitor the attentiveness of pupils in classes.
Bypassing Privacy Regulations
Due to the significant absence of stringent regulations so far, private and public parastatals in both authoritarian and democratic states have been using and abusing this technology in several use cases. There is yet to be a standard agreed upon in many societies as to the ethics pertaining to the use of facial recognition, thereby breeding doubts regarding compliance with the established laws and more so, the probability of whether or not the technology will survive the critics on its ethical use.
At first glance, the intended use of the recognition technology seems harmless – to verify identities against a presented face at national borders for identification and security. However, to identify a person by comparing their facial image against a pool of several other known individuals speaks to another level of intrusion.
Drivers of Facial Recognition Trend
There are two major drivers behind this technological trend.
The first driver is security. Countries are poised to aggressively protect their borders mostly from foreigners who might pose threats of crime and terrorism to them. Facial recognition helps provide such amount of security – scrutinizing each face and comparing it to a database of wanted individuals.
The second driver is convenience. In this regard, physical and mental efforts required to perform some tasks become automated. With facial recognition, people can easily gain access to anywhere or anything by a simple facial scan – no need to provide any form of ID or document. In mobile devices especially, users no longer have to remember their passwords. A quick glance at their camera would unlock their device and of course, this can only be done by the device owner.
Jumping the Hoops of Privacy Laws
The issues with this technology are almost in violation of the EU data protection rights or better still, are the exploitation of grey areas.
The first is the fact that according to the GDPR Art. 2(14), the data protection rule allows the use of biometric data for the confirmation of identity with that of the natural person. It however forbids the use of this data for unique identification purposes except under special conditions in Art. 9(2).
Secondly, the use of this technology which might tend to interference with human rights must be deemed necessary and this really begs the question, is there no better technology that can be used to achieve just what facial recognition technology does without breaking fundamental human rights?
Third, the methods by which data is being collected and used is tainted with obscurity. No one knows for sure who collects this data, how long they are kept, how to trace the origin, and many more. The use of this technology does not do well with accountability and transparency.
Living with Privacy Infringement
Given the aforementioned, the onus lies on all and sundry to clamor for clear and concise laws regarding the acquisition, use, and storage of data. It is pertinent that these laws touch every corner and leave no grey area that can be exploited by these private and public institutions. Asides this, it is essential that Internet users read privacy policies and understand the agreement before deciding to share their personal data with them. This would go a long way in reducing personal data exploitation.
On 26 April 2006 the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January, the date on which the Council of Europe?s data protection convention, known as ?Convention 108?, was opened for signature. That was first legally binding international law in the field of data protection. Data Protection Day is now celebrated globally and is called Privacy Day outside Europe.
The Children?s Online Privacy Protection Act (COPPA) is a law created by the Federal Trade Commission to protect the privacy of children, specifically those under the age of 13. This legislation mainly requires parental consent for the collection or use of personal information of children and then outlines the responsibility of companies and websites in order to best protect these children.
The law was passed to address the growth of online marketing techniques that targeted children due to their lack of understanding of the potential negative outcomes of revealing their personal information online. In order to comply with COPPA and rightfully protect children?s personal information, companies are held to high standards in their practices. If your company falls under the scope of COPPA, the following steps will help you comply with this federal law.?
Parental consent is necessary if your site engages with users under the age of 13 who may share their real identity with other users. In order to provide this consent, parents must submit a signed consent form, make a monetary transaction, call a toll-free phone number, or show identification to the company. Make these options easily accessible for the parent on the company?s website or app. Clear displays of this compliance will ensure your company is following COPPA law.
COPPA mandates that organizations implement and maintain information security procedures in order to carry out its laws. Some steps towards these secure procedures include ensuring that third parties to whom children?s personal information is released also have the capacity to maintain the security and confidentiality of this information. Your company might have the means to protect this data but ensuring that the entities the information is shared with are also capable of this level of protection is vital.
If your company does not need to retain certain personal information, security procedures for properly disposing of this data are crucial. Personal information should only be retained for as long as reasonably necessary, and once said data is not needed, it should be properly disposed of. Unsecure disposals of information which are then attained by other entities could lead authorities back to your company, and ultimately your company may be deemed non-compliant with COPPA. If possible, minimize the amount of personal information collected to avoid problems like these.
Even if you have the parent?s consent, it is still important to recognize that they have ongoing rights to their children?s information. If a parent asks a company to do so, the company must allow them to review the personal information collected, provide them a way to revoke their consent, and delete their child?s personal information upon request. COPPA provides extensive protection for children and their parents and allows for revocation of consent no matter when or how the consent was originally provided. No data collected is as important as maintaining a good relationship with consumers and adhering to COPPA.
COPPA is intent on protecting children under the age of 13 and will certainly crack down on companies who do not implement or maintain procedures to comply with the law. These 4 steps will go a long way towards preventing your company from violating COPPA and towards helping you protect children.??
Along with the celebration of the New Year on January 1st, 2020 comes the implementation of the California Consumer Protection Act (CCPA). This date is approximately 10 weeks away, but preparation for these new privacy laws must begin now. In order to make sure your business is fully primed for this new landscape brought by the CCPA, here are the best practices when processing consumer data subject requests.
The CCPA lays out clear requirements of businesses for accessibility for the consumer, such as toll-free phone number and a ?Do Not Sell My Personal Information? link provided on the businesses? website. These two methods are designated for submitting disclosure requests. Follow the guidelines and do not add extra steps. Complicating this further could result in fines.
When processing the consumers? request, it is important to include all of the proper information. This involves, but is not limited to, who is responsible for collecting the data, reviewing it, removing the information that does not need to be disclosed, and fulfilling the request. This should be standard procedure recognized by the entire organization. This information then needs to be delivered precisely, followed by documentation of the company?s process. One can never be too organized and careful.
Starting on January 1st, 2020, businesses must provide their consumers with information relating to these new regulations. Prior to January 1st, companies should be ready with updated privacy notices that clearly state how the CCPA affects their information collection and their consumers? privacy. Once these notices are sent to consumers, formal documentation of these processes should be added on the company website. It does not hurt to be over prepared for these new procedures required by the CCPA.
When dealing with private data that is then shared with a consumer, all requirements under the CCPA must be met. This can include the category of the information, the specific pieces of personal data collected, the sources from which the data is collected, and the purpose of such data. The business must be transparent and honest, regardless of the possible reaction by the consumer. Furthermore, third parties with which the data is shared must be covered and the practices with which the company conducts the collection of the personal data stated.
Once a consumer data deletion is requested, the business must now log this into the company?s database and then to it?s service provider. The service provider must now be compliant with CCPA regulations during the business?s user data collection. The provider is also liable to civil penalties for noncompliance under the CCPA. In order to properly work alongside your service provider, notify them of your processes and procedures that will be implemented. Working hand-in-hand with the provider will assure that neither you nor them are held as noncompliant.
Review the company?s current security system and conduct exercises to simulate possible breaches. If the security withstands and is successful, maintain the current system. If there is any fault or mishap, implement new practices, software, hardware, etc. The CCPA may entice hackers, as there are new clear pathways to obtaining personal data. Consult with others in the industry to find the best way for storing, securing, and then accessing information collected. Regularly review the practices and make sure all employees are aware of the guidelines in order to close all possible loose ends.
The CCPA will require an approved budget, processes, and tools in order for organizations to properly function under these new regulations. These 6 practices are vital steps for the well-being of your company moving forward!
On January 1st, 2020, the strictest privacy law ever passed in the United States will go into effect: the California Consumer Protection Act (CCPA). This law will establish broad privacy protections and allow consumer interaction with previously private personal data across the United States. Many have questions regarding the potential impact this new law will have on businesses, specifically as to whether these rules will have a positive impact on society. To have a meaningful impact, the CCPA must exude authority and be enforced strictly. Here is how the CCPA will show its teeth if you aren?t complying with the new law.
A 48-page research report released by California?s Department of Finance revealed the broad range of potential costs companies might face in order to become and remain compliant with the CCPA. Researchers estimated that total compliance costs for all companies under the scope of the law will range from $467 million to $16.5 billion between 2020 and 2030. Firms with fewer than 20 employees (the low end of the spectrum) may have to pay around $50,000 initially to become compliant. On the upper tier, companies with more than 500 employees would average around $2 million in initial costs. Large companies and small companies alike will feel the impact right from the beginning. The total sum of initial compliance payments would be equivalent to 1.8% of California?s GDP- a staggering percentage.
?While the CCPA is a California state piece of legislation as opposed to a federal one, the impact will be felt by companies across the nation and the globe.? The law will cover out-of-state merchants who sell to Californians or even display a website within the state.? Rather than create separate systems, lawyers are in consensus that companies will likely apply the CCPA rules nationwide. ?Even if these laws do not project across the country, however, it is estimated that 75% of California businesses earning less than $25 million per year would be impacted by this regulation.
Furthermore, as public opinion is now in favor of data protection laws, Congress could use the CCPA as a springboard for broader federal legislation. House Speaker and California Representative Nancy Pelosi has strongly advocated for these protections federally. So, while the law technically applies only to business within California, the CCPA could impact companies nationwide both in the short term and long term.
?Violations of the CCPA carry significant penalties for noncompliance, similarly to Europe?s privacy law, the GDRP.? Each transgression can cost companies up to $7,500, while consumers may sue firms for up to $750 if hacked.? These hacks raise a larger concern involving class action lawsuits allowed by a private right of action clause within the CCPA.? The provision for statutory damages resulting from a data breach will increase class action activity because of the breadth of possible claims from plaintiffs due to California?s broad data breach notification requirement, which is not limited to a risk-of-harm standard.? This will put companies who are subject to the CCPA at serious risk regarding class action lawsuits.
Furthermore, the CCPA will likely allow the plaintiff?s bar to bring Unfair Competition Law (UCL) claims, which prohibit businesses from engaging in unlawful, unfair, or fraudulent business practices. The UCL allows plaintiffs to borrow violations of other laws, such as the CCPA. Although the CCPA outlines in its first amendments of the data breach section that private right of action shall only be applied to data breaches, the UCL has proven successful in providing a pathway in order to use violations of other laws as leverage for claims. The jargon behind these laws may seem confusing or broad, but companies must be aware of the possible risks they face when tackling the CCPA. The GDPR has already issued fines up to 20 million pounds, and a similar storm seems to be barreling down upon businesses in America.
The California Consumer Protection Act will change the face of American privacy law as we know it.? If companies are not properly prepared or informed about the future they face, the wide-reaching costs which will result from the CCPA, both internally and externally, will be an eye-opener.? The Silicon Valley has fought this legislation with hundreds of millions of dollars based on what they foresee happening in the future.? Make sure your company is prepared to deal with the CCPA.
We have talked at length about GDPR implementation across the European Union in our previous posts. However data protection and privacy has been acknowledged as a concern across the world. Implementation of GDPR like laws is not just a global trend but a requirement to ensure international trade and e-commerce. Data protection laws in different countries may be named differently and may have different levels of stringency, but the basic principles remain the same and can be summarized as follows.