Nov. 30, 2022

FTC’s Drizly Case Shows Regulators Are Ready to Police Data’s Expiration Dates

First came privacy “nutrition labels” for apps on Apple’s platforms. Next, on January 1, 2023, companies subject to the CPRA will be required to label the expiration dates for categories of collected personal data. This task has been overshadowed by enforcement of global privacy controls and other 2023 state mandates, but a recent FTC consent agreement with Drizly, LLC warns that U.S.-based regulators expect companies to measurably limit how long they keep consumer data. This article discusses practical compliance strategies to address this new yardstick for data minimization – as well as the implications of the FTC’s groundbreaking penalization of Drizly’s CEO for data security failures. See “Show Me the Data: How to Conduct Audits for Data Minimization” (Nov. 18, 2020).

Understanding and Implementing Privacy Audits

A privacy audit is no longer simply a bunch of questions for the privacy officer and direct reports. Like a company’s privacy program, the audit reaches into many different parts of the organization to ensure the organization’s goals and promises of privacy and confidentiality are supported by its practices. This article explains the purpose of privacy audits, planning and logistics, and the common steps, distilling insights offered at a recent Privacy+Security Forum program. See our four-part series on a roadmap for building an efficient global privacy program: “Organizational Structure” (May 4, 2022); “Scope and Prioritization” (May 11, 2022); “Buy-In, Scalability and Outside Resources” (May 18, 2022); and “Maintenance” (Jun. 1, 2022). 

Navigating Evolving Social Media Risks

Elon Musk’s August 2018 tweet, “Am considering taking Tesla private at $420. Funding secured,” generated media attention, a surge in Tesla’s stock price … and an SEC enforcement action. The social media genie has been out of the bottle for at least a decade, and companies continue to struggle with how to manage it. We distill insights offered by Deluxe Corporation's regulatory counsel and CCO at a recent SCCE program on the evolving nature of social media risks, including those in the context of HR decisions and union activities. We also share her tips for devising policies. See “Not Just TikTok: How Companies Can Mitigate Risk of Employee Social Media Use” (Aug. 12, 2020).