How to Improve Data Privacy Programs


Summary

Data privacy programs are structured efforts within organizations to protect personal information and comply with privacy laws, such as the CCPA or GDPR. Improving these programs means making privacy practices more thorough, consistent, and adaptable to evolving regulations and expectations.

  • Review and classify: Regularly update your catalog of personal data to ensure sensitive information is properly documented, tagged, and managed according to its level of risk and retention schedule.
  • Strengthen consent processes: Make consent requests clear and accessible, confirm opt-out actions for users, and tailor privacy notices and cookie banners to meet current legal requirements.
  • Train and document: Provide privacy training for key staff, maintain up-to-date guidelines for handling personal data, and schedule regular audits to monitor compliance and spot opportunities to improve.

Summarized by AI based on LinkedIn member posts

  • View profile for Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    4,060 followers

    This month's Connecticut AG privacy report and court ruling allowing CCPA regs to become enforceable show areas where privacy programs may need attention.

    The Office of the Connecticut Attorney General reported that it has open investigations for: (1) privacy policy deficiencies; (2) confusing, burdensome, and ineffective data subject rights processes; (3) consent practices for sensitive data; (4) teens' data and #TargetedAdvertising; and (5) #DataBroker compliance with deletion rights. It also revealed it added additional staff for privacy enforcement.

    A court unblocked the California Privacy Protection Agency #CCPA regulations, which have detailed requirements in areas including: (1) collection and use limits; (2) the right to limit use of sensitive data; (3) rights fulfillment and request processes; (4) reporting rights metrics; and (5) required contract terms with service providers and third parties.

    To confirm your privacy program is set to address these developments, check in on these six areas:

    1️⃣ Data subject right request processes
    🔸 Describe and make them available to CT residents
    🔸 Scrub request processes for ease of use and clear descriptions
    🔸 Check that all links are functional
    🔸 Review opt-out rights for "sales" and targeted advertising for new symmetry and #DarkPatterns regs
    🔸 Make sure any cookie banner and consent tool is tailored to US rights, including consistently describing opt-out of sale/targeted advertising rights in notices and related banners/tools

    2️⃣ Data subject right fulfillment processes
    🔸 Validate processes for sending deletion requests to service providers and third parties
    🔸 Make adjustments for the CA required steps for the right to correct
    🔸 Test that opt-out preference signals are being received and associated with customer records for "sales" and targeted advertising per the CA regs
    🔸 Re-examine prior risk-based decisions to de-scope any of these required steps

    3️⃣ Sensitive data rights
    🔸 Confirm compliant opt-in consent processes before #SensitiveData is collected or processed
    🔸 Affirm whether you have to offer the right to limit uses of sensitive data under the new CA regs
    🔸 If required, confirm the "Limit the Use of My Sensitive Personal Information" link is on your website

    4️⃣ Privacy notices
    🔸 Clearly disclose the rights available to CT residents
    🔸 Describe appeal rights for data subject rights
    🔸 Disclose the new CA-required metric types about data subject rights
    🔸 If your notices still describe #privacy rights and protections on a state/jurisdiction basis, consider whether that still makes sense

    5️⃣ Privacy assessment processes
    🔸 Consider specific collection and use restrictions in the #CCPA regs
    🔸 Look for all sensitive personal data types
    🔸 Confirm sensitive data opt-ins are obtained & address use limitation rights

    6️⃣ Contracting processes
    🔸 Validate contract processes address the specific CA-required provisions
    🔸 Have an appropriate plan for updating legacy contracts

  • View profile for Armand Ruiz

    building AI systems @meta

    206,811 followers

    How To Handle Sensitive Information in your next AI Project

    It's crucial to handle sensitive user information with care. Whether it's personal data, financial details, or health information, understanding how to protect and manage it is essential to maintain trust and comply with privacy regulations. Here are 5 best practices to follow:

    1. Identify and Classify Sensitive Data
    Start by identifying the types of sensitive data your application handles, such as personally identifiable information (PII), sensitive personal information (SPI), and confidential data. Understand the specific legal requirements and privacy regulations that apply, such as GDPR or the California Consumer Privacy Act.

    2. Minimize Data Exposure
    Only share the necessary information with AI endpoints. For PII, such as names, addresses, or social security numbers, consider redacting this information before making API calls, especially if the data could be linked to sensitive applications, like healthcare or financial services.

    3. Avoid Sharing Highly Sensitive Information
    Never pass sensitive personal information, such as credit card numbers, passwords, or bank account details, through AI endpoints. Instead, use secure, dedicated channels for handling and processing such data to avoid unintended exposure or misuse.

    4. Implement Data Anonymization
    When dealing with confidential information, like health conditions or legal matters, ensure that the data cannot be traced back to an individual. Anonymize the data before using it with AI services to maintain user privacy and comply with legal standards.

    5. Regularly Review and Update Privacy Practices
    Data privacy is a dynamic field with evolving laws and best practices. To ensure continued compliance and protection of user data, regularly review your data handling processes, stay updated on relevant regulations, and adjust your practices as needed.

    Remember, safeguarding sensitive information is not just about compliance — it's about earning and keeping the trust of your users.
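Practices 2 and 3 above (redact PII before the API call, never send payment data through an AI endpoint) can be enforced in code at the boundary where prompts leave your system. The following is an added example written for this page, not code from the post's author: it replaces structured identifiers with placeholder tokens, keeps the real values in a local map so the model's answer can be restored afterwards, and refuses to build a prompt at all when a Luhn-valid card number is present. The function names (`redact_for_ai`, `rehydrate`, `detect_card_numbers`) and the sample customer note are constructed for the example; the regular expressions catch only structured identifiers, so names and free-text health details still need a classifier or NER step.

```python
import re

# Constructed helper, not from the original post: strips structured identifiers
# (SSN, e-mail, phone) from text before it goes to an AI endpoint, keeps the real
# values in a local map for later restoration, and refuses on payment card data.

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


class HighSensitivityData(Exception):
    """Raised when data that must never reach an AI endpoint is found."""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_card_numbers(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit run found in the text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_for_ai(text: str) -> tuple[str, dict[str, str]]:
    """Return (redacted_text, token->value map); refuse if card data is present."""
    if detect_card_numbers(text):
        raise HighSensitivityData("payment card number found; use a dedicated channel instead")
    mapping: dict[str, str] = {}
    counts: dict[str, int] = {}

    def replacer(kind):
        def _sub(m):
            value = m.group()
            for token, known in mapping.items():  # reuse the token for repeated values
                if known == value:
                    return token
            counts[kind] = counts.get(kind, 0) + 1
            token = f"[{kind}_{counts[kind]}]"
            mapping[token] = value
            return token
        return _sub

    redacted = text
    for kind, pattern in (("SSN", SSN_RE), ("EMAIL", EMAIL_RE), ("PHONE", PHONE_RE)):
        redacted = pattern.sub(replacer(kind), redacted)
    return redacted, mapping


def rehydrate(text: str, mapping: dict[str, str]) -> str:
    """Put the real values back into the model's reply, locally, after the call."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


# Constructed sample input; no real person.
SAMPLE_NOTE = ("Customer Jane Doe (jane.doe@example.com, SSN 123-45-6789, "
               "phone 555-123-4567) asked about her invoice.")

if __name__ == "__main__":
    prompt, secrets = redact_for_ai(SAMPLE_NOTE)
    print(prompt)  # only this string would be sent to the model
    # ... call the AI endpoint with `prompt`, then rehydrate(reply, secrets) locally
```

The map of real values never leaves the process, so the endpoint sees only `[EMAIL_1]`-style tokens; the hard refusal on card data mirrors practice 3, where redaction is not enough and the data must not be sent at all.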

  • View profile for Jay Averitt

    AI & Privacy Leader | Privacy Engineering @ Microsoft | Former Lawyer → Technologist | Speaker on AI Governance

    10,558 followers

    So you have a privacy policy and a cookie banner... do you have a privacy program? If that is what you are basing it off, probably not. Here are my thoughts on elements of a mature privacy program:

    1) You have a good catalog of all personal data. You know where it resides. You have properly classified all personal data with different data classifications based on level of sensitivity. You have tagged all data with this data classification and have it properly mapped and automated with your data retention schedule. You should also be able to respond to DSARs in an automated fashion, since all of your data is properly classified.

    2) You have implemented a strong culture of Privacy by Design within your organization. Your engineers know to properly practice data minimization in their designs. They regularly consult with the privacy team in the design process for technical privacy reviews.

    3) You have a strong community of privacy champions within your organization. These are folks that are outside of the privacy function, but have received training from the privacy team. They can advocate for privacy from the inside of the engineering or product team.

    4) You have clear guidelines and documentation around your privacy practices. Messaging around privacy can easily get lost in translation. You need to establish clear guidelines for things around data classification/data retention, and overall data governance. Your entire organization needs to be made aware of this documentation and the overall impact of privacy.

    5) You need to have positive proactive compliance monitoring. Do you audit yourself to ensure that privacy impacting designs were reviewed from a privacy perspective? Are you documenting clearly recommendations from the privacy team?

    Those are just some thoughts on the top of my mind. Even the most mature privacy organizations may not be doing all of these things, but I think these are some good guideposts.

    What are some of your thoughts about what you look for?
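Point 1 above describes a data catalog in which every column holding personal data carries a classification tag, the tag drives the retention schedule, and DSARs can be answered by walking the catalog. The block below is an added illustration of that design, not the author's code or any particular product: a small catalog over two constructed data stores, with one function that finds columns the catalog has not classified (the gap a DSAR would silently miss), one that assembles a subject's export from the tagged columns, and one that lists values held past their classification's retention period. The store names, classification levels, retention periods and `REVIEW_DATE` are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Constructed example of a classification-driven data catalog; not the post
# author's code. Store names, rows, and retention periods are invented.


class Classification(Enum):
    INTERNAL = "internal"    # no personal data
    PERSONAL = "personal"    # PII
    SENSITIVE = "sensitive"  # SPI / special categories


# Days a column may be kept after collection, per classification (constructed).
RETENTION_DAYS = {
    Classification.INTERNAL: 2555,
    Classification.PERSONAL: 1095,
    Classification.SENSITIVE: 365,
}


@dataclass(frozen=True)
class CatalogEntry:
    store: str
    column: str
    classification: Classification


CATALOG = [
    CatalogEntry("crm.customers", "email", Classification.PERSONAL),
    CatalogEntry("crm.customers", "date_of_birth", Classification.SENSITIVE),
    CatalogEntry("crm.customers", "plan_tier", Classification.INTERNAL),
    CatalogEntry("support.tickets", "message", Classification.PERSONAL),
]

# Constructed data stores; every row carries the subject id and a collection date.
STORES = {
    "crm.customers": [
        {"customer_id": "c-1", "email": "jane@example.com", "date_of_birth": "1990-04-02",
         "plan_tier": "pro", "collected_on": date(2022, 1, 15)},
    ],
    "support.tickets": [
        {"customer_id": "c-1", "message": "Please reset my password",
         "ip_address": "203.0.113.7", "collected_on": date(2025, 6, 1)},
        {"customer_id": "c-2", "message": "Invoice question", "collected_on": date(2025, 7, 9)},
    ],
}

ROW_METADATA = {"customer_id", "collected_on"}   # bookkeeping columns, not data
REVIEW_DATE = date(2026, 1, 1)                   # constructed "today" for the audit


def untagged_columns(stores, catalog) -> list[tuple[str, str]]:
    """Columns holding data that no catalog entry classifies."""
    tagged = {(e.store, e.column) for e in catalog}
    gaps = set()
    for store, rows in stores.items():
        for row in rows:
            for col in row:
                if col not in ROW_METADATA and (store, col) not in tagged:
                    gaps.add((store, col))
    return sorted(gaps)


def dsar_export(subject_id: str, stores, catalog) -> dict[str, list]:
    """Every catalogued personal or sensitive value held about one subject."""
    result: dict[str, list] = {}
    for e in catalog:
        if e.classification is Classification.INTERNAL:
            continue
        for row in stores.get(e.store, []):
            if row["customer_id"] == subject_id and e.column in row:
                result.setdefault(f"{e.store}.{e.column}", []).append(row[e.column])
    return result


def past_retention(stores, catalog, today: date) -> list[tuple[str, str, str]]:
    """(store, column, subject) triples kept longer than the classification allows."""
    overdue = []
    for e in catalog:
        limit = timedelta(days=RETENTION_DAYS[e.classification])
        for row in stores.get(e.store, []):
            if e.column in row and today - row["collected_on"] > limit:
                overdue.append((e.store, e.column, row["customer_id"]))
    return overdue


if __name__ == "__main__":
    print("untagged:", untagged_columns(STORES, CATALOG))
    print("DSAR c-1:", dsar_export("c-1", STORES, CATALOG))
    print("overdue:", past_retention(STORES, CATALOG, REVIEW_DATE))
```

The untagged `ip_address` column is the point of the first check: a DSAR or deletion driven purely by the catalog would never touch it, which is why catalog coverage has to be audited against the live schemas rather than assumed.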

  • View profile for Shannon Ralich

    Chief Privacy Officer | VP, Legal Executive | Privacy & AI Governance | Board Director | Speaker

    5,244 followers

    Privacy programs that scale are not built around static compliance tasks. They are built to produce evidence by design, grounded in principles that drive consistent decision-making. That evidence is what creates confidence in data practices as regulatory requirements become more operationally specific.

    The latest CCPA regulations illustrate why this matters. The updated regulations, effective January 1, 2026, are not incremental. Programs built as one-time or check-the-box implementations will find it more difficult to adapt over time, while programs grounded in principles, controls, and continuous regulatory awareness are better positioned to manage change without reactivity becoming the default operating model. If you joined my recent Fireside Chat, these themes will sound familiar. Below are several updates and what they mean for evolving privacy programs.

    Part 1: Sensitive Personal Information Definition Expanded
    Personal information of consumers under 16 is now classified as Sensitive Personal Information where the business has actual knowledge of the consumer’s age. Willful disregard of a consumer’s age is deemed actual knowledge.
    Operational: Update your Privacy Risk Assessments policy and process, Right to Limit processing workflows (including downstream), and update data classification logic and practices.

    Opt-Out Confirmation will be Mandatory
    Providing confirmation that an opt-out request has been honored will no longer be optional, including for requests submitted through Global Privacy Control (GPC). Examples include displaying “Opt-Out Request Honored” on a website or using toggles or radio buttons in consumer privacy settings to reflect opt-out status.
    Operational: Test GPC functionality and review consent manager and cookie banner configurations.

    Right to Know Scope Expanded
    Currently, businesses must provide a method for consumers to submit a right to know request. Under the updated regulations, if a business retains personal information for longer than 12 months, that method must allow consumers to request access to personal information collected prior to the 12-month period preceding the request, going back as far as January 1, 2022. Consumers may be given the option to specify a date range for their request or request all personal information the business has collected about them.
    Operational: Review record retention policies, data maps, understand where you store collection dates, and update data subject rights intake forms and procedures.

    In upcoming posts, I’ll continue examining the remaining requirements and what they mean in practice.
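Two of the posts above converge on the same engineering task: Sam Castic's item 2️⃣ (test that opt-out preference signals are received and associated with customer records) and the "Opt-Out Confirmation will be Mandatory" section just above (confirm the opt-out, including when it arrives via GPC, and reflect it in privacy settings). The block below is an added example of the server-side piece, written for this page and not taken from either author: it recognises the `Sec-GPC: 1` request header that the Global Privacy Control specification defines, records the opt-out on a constructed `CustomerRecord` with its source and timestamp, returns the confirmation payload a page would render, and exposes the resulting toggle state. `CustomerRecord`, `apply_opt_out`, `privacy_settings_view` and `simulate` are names constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Mapping, Optional

# Constructed example, not code from either post's author: honouring an opt-out
# preference signal (the "Sec-GPC: 1" header from the Global Privacy Control
# spec) or an explicit request, tying it to a customer record, and confirming it.


@dataclass
class CustomerRecord:
    customer_id: str
    opted_out_of_sale_sharing: bool = False
    opt_out_source: Optional[str] = None
    opt_out_at: Optional[datetime] = None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """HTTP header names are case-insensitive, so normalise before looking."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def apply_opt_out(record: CustomerRecord, headers: Mapping[str, str],
                  now: datetime, explicit_request: bool = False) -> dict:
    """Honour an opt-out and return the confirmation shown to the consumer."""
    if explicit_request:
        source = "explicit request"
    elif gpc_signal_present(headers):
        source = "GPC"
    else:
        return {"status": "No opt-out signal received",
                "opted_out": record.opted_out_of_sale_sharing}
    if not record.opted_out_of_sale_sharing:  # first signal wins; repeats are idempotent
        record.opted_out_of_sale_sharing = True
        record.opt_out_source = source
        record.opt_out_at = now
    return {"status": "Opt-Out Request Honored",
            "opted_out": True,
            "source": record.opt_out_source,
            "since": record.opt_out_at.isoformat()}


def privacy_settings_view(record: CustomerRecord) -> dict:
    """State the consumer's privacy settings page reflects (toggle / radio button)."""
    return {"sell_or_share_personal_information":
            "off" if record.opted_out_of_sale_sharing else "on"}


def simulate() -> dict:
    """Drive the handler with constructed requests: one with GPC, one without."""
    now = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
    with_gpc = CustomerRecord("c-1")
    without = CustomerRecord("c-2")
    results = {
        "gpc": apply_opt_out(with_gpc, {"Sec-GPC": "1", "User-Agent": "test"}, now),
        "none": apply_opt_out(without, {"User-Agent": "test"}, now),
        "view": privacy_settings_view(with_gpc),
    }
    # A later explicit request on an already opted-out record must keep the
    # original source and timestamp, so the audit trail stays intact.
    results["repeat"] = apply_opt_out(with_gpc, {}, now, explicit_request=True)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

Keeping the source and timestamp on the record is what makes the confirmation auditable later; a boolean alone cannot show that a GPC signal was actually received and acted on.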

  • View profile for Ron De Jesus

    Chief Trust Officer and Head of Privacy Strategy @ Mine | The Industry’s First Field Chief Privacy Officer | Ex-Grindr CPO, Tinder Head of Privacy | FIP, AIGP, CIPP/A/C/E/US, CIPM, CIPT, CDPSE, CISSP

    7,688 followers

    Lots of chatter on the #CCPA's new regulations that came into effect on Jan. 1 - great way to kick off the new year, right? 😉 The good news is that the new risk assessment requirements are straightforward and likely not a huge lift at all for a mature #privacy program that should already have a #PIA process in place. So thought I'd share 5 operational tasks I'd prioritize to address the new regs, based purely on past privacy program-building experience (i.e., I promise I had zero ChatGPT help 😅 ):

    1. Refresh your existing PIA process: check the deltas between what you've been doing today vs. what the regs specifically require, like updating your list of activities that trigger full PIAs to include activities that, per the regs, pose "significant risk."

    2. Revisit PIA training: involving the stakeholders that actually process personal information (think product managers, marketing, or other data-utilizing teams) is now a de facto requirement, so now's a good time to ensure they know how to complete one. And some ways to attest that you did in fact involve relevant stakeholders include*:
    - Tagging the appropriate team members who should be filling in specific sections of the assessment
    - Identifying and documenting where information was sourced in PIA responses.
    *You'll need to identify these individuals anyway in the "risk assessment report" which I assume is the same as the actual risk assessment.

    3. Avoid generic terms when describing processing purposes: using terms like "to improve our services" won't cut it anymore, so make sure you're being specific (a good opportunity to rely on your stakeholders!).

    4. Update processes with CCPA-specific timelines: set reminders for reviewing and updating assessments (every 3 years), when there are material changes (you'll have 45 days), and retaining assessments (for as long as the activity proceeds or 5 years after you've completed the assessment).

    5. Engage business leaders on impact: most importantly, walk your executive team through not only how these net new assessment requirements impact the business, but the importance of ensuring attestations are true and correct (or risk penalty of perjury). 👀

    Let me know if you agree or have any other critical operational considerations to share! #CCPA

  • The traditional approach to data security, focusing primarily on post-production measures, is no longer sufficient. To effectively protect sensitive information, organizations must adopt a "shift-left" strategy, integrating data security into the development process from the outset.

    Why is early intervention important?
    1. By identifying and addressing data security issues early in the development lifecycle, organizations can significantly reduce the risk of data breaches.
    2. Addressing vulnerabilities during development is generally less expensive than remediating them in production.
    3. Empowering developers with the tools and knowledge to protect data can streamline their workflow and increase efficiency.

    Our code analyzer is designed to be a cornerstone of a "shift-left" strategy for data security. By identifying sensitive data early in the development process, developers can prevent data breaches and ensure compliance with data privacy regulations. Along with this, there are many benefits of "shifting left":
    → Faster time to market
    → Enhanced data protection
    → Improved developer satisfaction

    By adopting a "shift-left" mentality and leveraging tools like Piiano's static code analyzer, organizations can create a more secure and resilient data ecosystem. What are your thoughts on the "shift-left" approach?
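To make the "identify sensitive data early in the development process" idea concrete, here is an added, deliberately small static check written for this page; it is not Piiano's analyzer or any other product, and says nothing about how that tool works. It parses Python source with the standard `ast` module and reports two kinds of findings a pre-commit hook or CI step could block on: a variable whose name suggests sensitive data (`ssn`, `password`, `card_number`, ...) being passed to `print` or a logging call, and a string literal shaped like an SSN or card number hard-coded in the source. `scan_source` and `SAMPLE_SOURCE` are constructed names; the sample program being scanned is invented for the example.

```python
import ast
import re

# Constructed example of a shift-left sensitive-data scanner; not Piiano's
# analyzer or any product's code. The sample source it scans is invented.

# Identifier fragments that suggest the variable holds sensitive data.
SENSITIVE_NAME = re.compile(
    r"(ssn|social_security|passw(or)?d|credit_card|card_number|cvv|date_of_birth|dob)",
    re.IGNORECASE,
)
# Call targets where sensitive values should never land (print and logger methods).
LOG_SINKS = {"print", "debug", "info", "warning", "error", "exception", "critical"}
# Literal shapes that indicate hard-coded identifiers (SSN or 13-19 digit card run).
HARDCODED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b(?:\d[ -]?){13,19}\b")


def _names_in(node: ast.AST) -> set[str]:
    """Every bare name and attribute name reachable inside an expression."""
    names = set()
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            names.add(n.id)
        elif isinstance(n, ast.Attribute):
            names.add(n.attr)
    return names


def scan_source(src: str, filename: str = "<constructed>") -> list[tuple[int, str, str]]:
    """Return sorted (line, finding_kind, detail) triples for one source file."""
    findings = []
    tree = ast.parse(src, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            fname = (func.id if isinstance(func, ast.Name)
                     else func.attr if isinstance(func, ast.Attribute) else None)
            if fname in LOG_SINKS:
                args = list(node.args) + [kw.value for kw in node.keywords]
                for arg in args:
                    for name in _names_in(arg):
                        if SENSITIVE_NAME.search(name):
                            findings.append((node.lineno, "sensitive-data-in-log", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if HARDCODED.search(node.value):
                findings.append((node.lineno, "hardcoded-identifier", node.value))
    return sorted(findings)


# Constructed program under review: logs an SSN and ships a hard-coded test SSN.
SAMPLE_SOURCE = '''import logging
log = logging.getLogger(__name__)

def enroll(user):
    ssn = user["ssn"]
    log.info("enrolling %s with ssn %s", user["name"], ssn)
    return ssn

TEST_SSN = "123-45-6789"
'''

if __name__ == "__main__":
    for line, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {kind}: {detail}")
```

Name-based matching is intentionally crude and will produce false positives; the value of running it at commit time is that the developer sees the finding while the code is still in front of them, which is the cost argument the post makes in point 2.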
