Lawyer Shares Tips for Mitigating CIPA, VPPA Litigation Risk
NEW YORK CITY -- U.S. data privacy regulation is “constantly evolving,” said Daniel Rosenzweig, a privacy attorney and founder of DBR Data Privacy Solutions. Regulators are focused on whether companies are operationalizing legal requirements and honoring their public statements, he told the Interactive Advertising Bureau's Signal Shift event Thursday.
Sign up for a free preview to unlock the rest of this article
“Do what you say. Say what you do,” said Rosenzweig, cautioning, it’s “harder than it sounds.”
Besides regulators, companies are dealing with a large amount of litigation from plaintiffs pursuing claims under two old laws: the California Invasion of Privacy Act (CIPA) and the federal Video Privacy Protection Act (VPPA). Plaintiffs have found “creative” interpretations of CIPA, a wiretapping law, and VPPA, which targets videotape rental stores.
To mitigate CIPA risk, Rosenzweig recommended presenting users with a notice and consent mechanism regarding the website or mobile app's use of certain technologies, with links to applicable disclosures like terms of service or the privacy policy, he said.
On VPPA, the privacy attorney advised obfuscating or removing personal or video data where possible so that they are not transmitted to a third party in combination.
Rosenzweig said a good data privacy hygiene framework includes defining business objectives, identifying data a business needs to collect and disclose, determining data subjects, including who and where, and assessing risk tolerance. Companies should know privacy legal terms and understand consumers’ expectations, he added.