Welcome to Data Privacy Week 2024, brought to us once again courtesy of the National Cybersecurity Alliance (NCA).
Every year, the NCA hosts Data Privacy Week, which is dedicated to spreading awareness about online privacy and empowering individuals and businesses to safeguard a valuable resource: your personal data. Contrast is proud to be a Data Privacy Week champion for the third consecutive year.
Are you ready to Take Control of Your Data, this year’s theme? Are you prepared to become an Online Privacy Snob, ready to turn up your nose at businesses that give away your sensitive data without permission? Well, this is the week to dive in and take the few easy steps needed to take the reins on the runaway privacy train.
In this post, I’m sharing my take on the data privacy situation and what it means to “take control” of our data. Below, I’ve answered some questions that tend to come up with regard to securing our personal data. The most important thing to keep in mind:
You’re worth more than you know
Do people tend to undervalue their data?
Hugely. A common idea is that none of this data means anything to you, the individual, so it’s hard to assign value to it. But when you hear about the profits that companies such as Meta and Google make, the thing to realize is that they are monetizing you. If a company were making money off a physical product that you made without compensating you, you’d be angry. Should your data be any different?
The National Cybersecurity Alliance recommends making informed decisions about sharing data with businesses or services by assessing these things:
- Is the service, app or game worth the amount or type of personal data they want in return?
- Can you control your data privacy and still use the service?
- Is the data requested even relevant for the app or service? Example: Why does a Solitaire game need to know all my contacts?
- If you haven’t used an app, service or account in several months, is it worth keeping around, knowing that it might be collecting and sharing your data?
These steps are important, but we also need regulatory frameworks and for companies to commit to fair and transparent dealings.
The regulatory landscape for privacy
Are there particular regulatory frameworks that would push the U.S. to the GDPR level?
The closest that the U.S. has ever come to having a general consumer protection privacy law came up in 2022: ADPPA, the American Data Privacy and Protection Act. It passed the House, but Congress didn’t take the time to formally consider it before the end of the 2023 calendar year.
Time and again, we've seen that self-regulation doesn't work. There are definitely companies out there that will voluntarily do the right thing. But frankly, there is too much money on the table to feel confident that every company is going to do the right thing with privacy every single time. We need that regulation in place, along with a competent enforcement mechanism.
I’m actually a really big fan of the way the FTC [Federal Trade Commission] has been doing what it can to consistently protect consumer privacy. It doesn't really have laws to work with: It just has its own rulemaking. The FTC would be a very competent regulator for privacy if it were given the funding to do it properly, because as it is, there's so much going wrong. It would be busy for years.
The dairy section of your pharmacy is spying on you
Where should somebody start when it comes to taking control of their data?
Spend a day thinking about your data footprint and go from there.
This doesn't have to be hard work. It can just be a thought exercise: Like, when you wake up in the morning, do you pick up your phone to see what time it is? Then, do you check your email? None of this is that concerning. But then I fire up Reddit and I have a little scroll and see what's going on. That is the first time I’m being tracked that day, and I'm still in bed.
Spend a day being mindful about how often you’re firing up particular apps on your phone. What websites are you visiting? What forms are you filling out? Are you going to the pharmacy that day? All of my local Walgreens have replaced their refrigerated doors with advertisements that track if someone is looking at them. I try not to walk down that aisle. That's an area where data is being collected about me walking into a store with CCTV.
The point is to get a sense of how broad data collection is. You can start thinking, well, what am I making a conscious choice about? What am I comfortable with, and where might I want to look into something else or make an objection to a company and say, "Hey, dentist office, you've started asking for this unnecessary information."
You can say, "I'm not willing to give that to you. Do I need to find another dentist?"
Since I started working in privacy, I look at forms and think, what do you need this for? Do I understand why you need this? Can I move forward without giving you this information?
With regard to those who write my data down on paper forms, I ask, “What do you do with the data once it’s been entered into your system? What systems are you using? Do you shred the hard copies?”
Some healthcare providers may have paper forms that they’ve never gotten around to changing: If that’s the case, you can gently push back by telling them you’re worried about identity theft. Others may say they need your personal data so they can track you down in case of billing problems; if so, you might suggest that they use your cellphone number to get in touch.
Is there any service or app that’s still worth sticking to, if you find you can’t control your data privacy and still use the service?
In my opinion, privacy is about choice, not control.
Here’s an example: There’s a lot of choice in the world today — like, when you go on Amazon. There are millions of products to choose from, and the choices can be overwhelming. In a lot of cases, companies want to recommend things that they think that you would like, and you see these recommendations on a large scale. They want to help you find the things that you want, and they do that with personalization, which is almost always based on your personal information. A company knows how old you are and where you live and what socioeconomic group you're in. And they determine that people who are like you like to buy these things, so they recommend the same things for you to buy. They know that there’s too much to choose from, and that you don't have time to weigh every single option, so they want to recommend things to you.
But how often do you go past the first page or two of results on Amazon? How often, when you search on Google, do you scroll beyond that first page of results? Someone’s making that choice for you about what you get to see, and when it works well, it's really helpful, because I don't want to scroll through everything on Amazon to find the thing I want to find. But when personalization isn't working for me, I want to turn it off and make my own choices. Even companies that try to do things well often overlook the balance. Big tech leaders get really caught up in the idea of “Let's learn everything we can about an individual. Then, we can tell them what they need.”
Some people really want that. And some people want access to everything available to them and to make their own choices.
In my opinion, privacy is about choice rather than control. If you're building a truly privacy-compliant system, you should be offering people the choice to say, “Today, I want personalization.”
When it comes to accepting cookies — those small files of information that enable personalization — many people take the easiest way out by clicking "accept all." But while it’s easy, it’s not the best approach to limiting how sites collect your personal data. In fact, managing what you accept/reject isn’t hard at all: For instance, here’s how to do it in a Chrome browser.
Is the yearly finger-pointing shtick unfair?
Is it realistic to point to the end user and put all the responsibility for controlling data privacy on them?
The whole theme of Data Privacy Week is taking control of your data. And the steps that the NCA lists are important. But we also need regulatory frameworks and for companies to commit to fair and transparent dealings.
Saying “Take control of your data” is a really nice idea. But in my opinion, it is not completely realistic. You have to give your data to certain institutions to exist in the world. There’s a degree of data sharing involved with modern life. You don't have control over that, and I think that it is a bit of a misdirection to tell people that they're the ones who should be taking control of their data.
There's actually a really good example of this: A couple of months ago, 23andMe had a data breach. A hacker obtained a list of people from specific backgrounds that have experienced discrimination in the past and put that data up for sale. 23andMe then basically said that it was the users’ fault.
These companies have responsibility for the data that they're collecting, especially in this backward situation where 23andMe benefits so much from the data that they gather. But they also charge you: You have to pay them to give them your data. It’s so backwards to me.
I mean, there's obviously users’ individual responsibility to take steps to secure their data privacy, and that is important. But the part that gets overlooked is that it's very hard to be fully informed, and even to follow the advice of “don't reuse your passwords.”
When it comes to an individual consumer, the amount of things that I'm supposed to be an expert on is excessive. I'm supposed to be able to review a company's security posture, and I'm supposed to understand the risk of sharing my genetic data, and I'm supposed to understand the risk of connecting all of my financial accounts to a budgeting app. There isn't enough time for one person to know all of these things.
Data privacy responsibility needs to be in both hands, not just in individuals’ hands. We can't say individuals are the only people responsible for their data, in the same way that we can't expect companies to do everything for us. There needs to be a meeting in the middle.
Check out Contrast’s Trust Center!
In 2023, Contrast launched its Trust Center. This is a one-stop shop for customers, prospects and partners to understand everything Contrast has to offer regarding Privacy, Security and Compliance. Make sure to familiarize yourself with its contents – especially our privacy policy!
Which of the NCA’s tips do YOU regularly employ?
When it comes to the NCA’s tips for taking control of your data privacy, these are the ones I keep in mind the most:
- Know what you can’t control. For example, map apps need your location. The Internal Revenue Service (IRS) needs your Social Security number.
- Cultivate a data privacy habit. If you can’t control data privacy in an app, try another, similar app where you can.
- Check settings:
  - Camera – off
  - Microphone – off
  - Location – off
  - Sync contacts – off
- Delete apps you don’t use. Be ruthless.
The biggest mistake people make when it comes to control of their data
People can be afraid to push back. Don’t be. Ask “Why?”
How do we convince people to do these things with passwords, password managers, multifactor authentication (MFA), automatic updates or awareness around phishing messages?
Maintaining security and privacy feels really burdensome, so I understand why there’s resistance. Education continues to be the key, but it needs to be realistic.
The following are security measures, so they’re somewhat outside my wheelhouse. Nonetheless, they’re still worth reiterating:
Note that at Contrast, every day, we live and breathe privacy. We have extensive, regularly updated documentation on privacy matters. For example, we have internal guidelines for employees to help them determine:
- If an email is likely a phishing attempt;
- What to do with the email if they determine it is, in fact, phishing;
- Instructions on how to proceed if they:
  - clicked a link,
  - downloaded an attachment,
  - entered credentials,
  - opened an attachment,
  - responded to the message;
- And how to get in touch with our Security team if they made any of those mistakes.
"Remember," we tell all Contrasters, "Contrast Co-Founder and Chief Technology Officer Jeff Williams will not ask you to verify your payroll information. CEO Rick Fitz won’t ask you to grab him a handful of gift cards — especially not at 2 a.m. Payroll won’t ask you to verify your coworkers’ Social Security numbers."
Educating ourselves and our employees, colleagues, family and friends on how to sidestep phishing attempts like those is a great step toward taking control of your data.
From all of us at Contrast, we wish you a Happy Data Privacy Week, and good luck becoming a data privacy snob!