Canada Dashboard Digest

Many will have already heard the relatively big news this week: A new bill, S-4, was introduced in the Senate that will amend PIPEDA if it passes. I'm surprised it didn't actually get more news considering the fanfare when the government tabled it.

There is some skepticism about whether or not the government is serious this time around because it has introduced somewhat similar bills in the past only to let them die a slow and painful death. This new bill was introduced in the Senate, and some are speculating that this may have been done to try and get the bill passed quickly.

For sure, these amendments are a long time coming. Many of them are what I call “common-sense fixes.” For example, getting the English and French versions of the law to jibe with one another a bit better. Other more meaningful fixes are those that mirror the Alberta and British Columbia provisions dealing with employee personal information and business transactions.

The folks at the OPC are probably happy with the proposed amendments that will allow them to enter into compliance agreements with organizations. Essentially, these agreements will allow the OPC to monitor organizations for up to a year after the completion of an investigation to ensure that all recommendations are satisfactorily implemented.

Lastly, I think the codification of a breach notification scheme is a good thing, too. I don’t think this new scheme will have a significant impact because previous guidance from the federal commissioner has been clear that they expect notification to take place even without the codification in the law. So, I think most organizations have already been operating with this scheme in mind. But, getting clarity in any law is always a good thing, so I suppose it is in this case, too.

As far as the “new penalties” go, I again don’t think there’s too much to worry about. Before any penalty could be levied, a matter would have to be referred for criminal prosecution—something that probably won’t happen except in the most egregious cases. This is a far cry from the administrative monetary penalties that can be levied in some European jurisdictions directly by the data protection authority.

So, all in all, pretty good news for privacy in Canada—for some—this week. And when we also read that CRA employees were fired for privacy violations, perhaps privacy is something this government is realizing is a priority issue that people care about.

Kris Klein
Managing Director
IAPP Canada

Top Canadian Privacy News

PRIVACY LAW—CANADA

Canada’s Grapple with Privacy and Freedom of Expression (April 30, 2013)

A recent Alberta Court of Appeal decision that the province’s privacy law is unconstitutional can be seen as potentially rippling through the country at large and setting up a clash between privacy and freedom of expression, as included in the charter passed in 1982. This clash between privacy and freedom of expression is particularly interesting because while freedom of expression is a “fundamental right” under the charter, there is no similar privacy right, except as listed in the legal rights of those dealing with the justice system. This exclusive for The Privacy Advisor examines how this will play out going forward.

DATA PROTECTION

A Look at Acxiom’s Privacy Team (April 30, 2013)

With growing consumer awareness and regulatory scrutiny of so-called “data brokers,” companies such as Acxiom rely heavily on their privacy teams for company-wide success. In this exclusive, Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, tells The Privacy Advisor about the work she and her team of “privacy consultants” perform within the company and the role they play in shaping and launching Acxiom’s new products and services.

ONLINE PRIVACY

Data Cache Delivers Predictive Analytics (April 30, 2013)

CNN reports on Google’s predictive search feature, Google Now, which uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development.

DATA THEFT

50 Million Passwords Hacked (April 29, 2013)

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users, PC Magazine reports. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.”

ONLINE PRIVACY—CANADA

Committee Calls for Voluntary OPC Guidelines (April 26, 2013)

The House of Commons Standing Committee on Access to Information and Privacy is not recommending the government give the Office of the Privacy Commissioner (OPC) power to fine companies for breaking federal privacy law, instead calling on the OPC to “establish guidelines to help social media and data management companies develop practices that fully comply” with the law. Postmedia News reports the committee voiced concern that “major social media companies, while doing business in Canada, prefer to be governed by laws other than those of this country.” The guidelines would address how websites and data brokers “collect and use the personal information of Internet users”; however, “any direction provided under the proposed guidelines would only be voluntary,” the report states.

DATA LOSS

Commish Concerned About Lack of Breach Reporting (April 26, 2013)

Postmedia News reports on Privacy Commissioner Jennifer Stoddart’s dissatisfaction about the number of data breaches occurring in the public sector and the lack of reporting to her office. Stoddart went on to say that of the 3,134 government data breaches over the last 10 years, only 403 had been reported to the Office of the Privacy Commissioner, suggesting that government departments are putting Canadians’ data in danger by not following reporting guidelines. “Our office feels federal organizations and Canadians would benefit from an instrument of greater weight to provide increased certainty such as enshrining such direction into law,” Stoddart told ITWorld Canada.

BIOMETRICS

Immigration To Begin Collecting Biometrics (April 26, 2013)

Citizenship and Immigration Canada (CIC) will soon require foreign nationals from 30 locations including Saudi Arabia, Afghanistan and Pakistan applying for visas to provide biometric information such as fingerprints and iris scans, Slaw reports. The procedures are set to begin September 2, and upon collection, the biometrics will be checked against criminal and deportation records. Opponents say the measures will threaten privacy, while the CIC called the measures necessary, citing a "rise in global identity fraud" and technological innovations that "make it easy to steal, forge or alter identity documents."

DATA LOSS

Two Health Breaches in One Week (April 26, 2013)

Following highly publicized incidents last year, CBC News reports on two breaches in one week at Eastern Health, Newfoundland and Labrador’s largest health authority. The report cites a release issued by Eastern Health on Thursday indicating the breach was accidental and occurred when an employee’s briefcase containing “one patient chart--and a notebook with limited personal health information of 62 other patients” was stolen from an unattended vehicle on April 17. One day earlier, a briefcase containing information on two patients was stolen from another employee's vehicle. Eastern Health’s CEO has apologized and the authority has identified all patients impacted and is contacting them, the report states.

PERSONAL PRIVACY

Researcher: Internet of Things Is “Bit of a Wild West” (April 26, 2013)

The Globe and Mail reports on the growth of Internet-connected devices known as “the Internet of Things”—washing machines, overhead lights, smart scales and more that can all be controlled by owners’ mobile devices. The Organisation for Economic Co-operation and Development estimates the average household with two teenagers will own around 50 Internet-connected devices by 2022. “The vast majority of the future devices of this type don’t exist today,” says Stephen Prentice of Gartner. “If you can measure it, then someone is going to have a device to do that and someone will find a use for that data.” Prentice cautions that the regulatory environment isn’t keeping pace with technology, saying, “At the moment, it’s a case of buyer beware.” Editor’s Note: Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, recently wrote about the Internet of Things in a Privacy Perspectives blog post.

PRIVACY LAW

Privacy Officers Discuss the Path from Policy to Practice (April 25, 2013)

The EU’s proposed data protection regulation and the numerous amendments that have been proposed mean significant questions, as was highlighted during the IAPP Europe Data Protection Intensive breakout session, “Paving the Way from Policy to Practice.” Moderated by LexisNexis Privacy and Data Protection Senior Director Emma Butler, the session featured privacy officers from Procter & Gamble, Siemens and Facebook outlining how they see the looming regulation affecting their operations and what they’re doing to prepare. This exclusive for The Privacy Advisor highlights their perspectives on “reading the tea leaves” of the thousands of pages of amendments still to be decided. Also at the intensive, Stephen Deadman, group privacy officer and head of legal for privacy, security and content standards at Vodafone Group, suggested that if privacy regulators and consumers want transparency and accountability from corporations, companies need more than a stick: They need a carrot, too.

CYBERSECURITY

Data Breach Studies Highlight Risks (April 23, 2013)

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity.

CLOUD COMPUTING

Clarifying Privacy in the Cloud (April 22, 2013)

The “cloud” is maybe the most buzzed-about Internet sensation of the past five years, but how does working in the cloud change your privacy thinking? Maybe not as much as you think, John Wunderlich, CIPP/C, head of privacy consultancy Wunderlich & Associates, told The Privacy Advisor. “What’s old is new again…you’re outsourcing to a provider who has expertise that you don’t have.”

DATA LOSS

OIPC Says IIROC Incident Was Preventable (April 19, 2013)

Ontario Information and Privacy Commissioner Ann Cavoukian has said the recent loss of financial data of 52,000 brokerage firm clients was preventable, ITWorld Canada reports. The incident could have been avoided, Cavoukian has said, if the Investment Industry Regulatory Organization (IIROC) had used security technologies in tandem with its in-place policies. She added, “What is so ironic is that it was the regulatory body that lost the financial information of 52,000 people.” Canada’s brokerage regulator, the Investment Industry Association of Canada, has sent IIROC a letter demanding to find out why the brokerage community was not informed of the breach sooner, according to The Globe and Mail.

ONLINE PRIVACY

Survey: Two-Thirds Concerned About Privacy (April 19, 2013)

The findings of a survey conducted by the federal privacy commissioner show a growing sense of helplessness over Canadians’ ability to protect their personal information, The Canadian Press reports. While two-thirds of the 1,513 respondents said they’re concerned about their privacy, more than half felt they didn’t know enough about new technologies to determine whether their privacy was at risk, the report states. The poll also reflected mid-range confidence in the government’s ability to protect data and a lack of concern about police drone usage.

ONLINE PRIVACY

The Intersection of Privacy and Hate Speech (April 18, 2013)

With recent tragedies in Boston and overseas, Future of Privacy Forum Founder and Co-Chair Christopher Wolf asks, “What motivates people to burn with hate to such a degree that they take innocent lives?” In this latest installment of the IAPP’s Privacy Perspectives blog, Wolf, who also serves on the board of the Anti-Defamation League, explores the intersection of online privacy and hate speech and whether privacy should sometimes “take a backseat” in order to curtail hate speech.

ONLINE PRIVACY—EU

If Google Cares About Cookie Consent, So Should You (April 17, 2013)

In light of news that Google has posted language about its cookie use on websites in the EU, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, writes, “This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon…the implications become huge” for several reasons.

TRAVELERS’ PRIVACY—CANADA

Gov’t Updates Body Scanners (April 17, 2013)

Minister of State (Transport) Steven Fletcher has announced that the Canadian government is deploying software on Canada’s full body scanners to enhance passenger privacy, The Herald reports. The new Automatic Target Recognition software is now being updated to produce a computer-generated stick figure rather than displaying an outline of the passenger’s body, the report states. “Our government is committed to ensuring the safety and security of all passengers traveling through Canadian airports,” Fletcher said.

MOBILE PRIVACY

Google Releases Glass App Developer Guidelines (April 17, 2013)

The New York Times reports that Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” (Registration may be required to access this story.)

PRIVACY COMMUNITY

A Tragedy We Can’t Ignore (April 16, 2013)

While there are privacy issues inherent in any national tragedy, this installment in the IAPP’s Privacy Perspectives is not about privacy per se, but about the recent tragedy marring the historic running of the Boston Marathon, how this event hit close to home here at the IAPP and our shared sadness for all those whose lives have been forever changed by this act of violence.

DATA LOSS

93 Percent Knowingly Breach Company Data Policies (April 16, 2013)

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source, COMPUTERWORLD reports. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies.

BEHAVIORAL TARGETING

Product Stops Third-Party Tracking (April 16, 2013)

The New York Times reports on a California start-up’s product allowing individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. (Registration may be required to access this story.)

MOBILE PRIVACY

Tech Firms Unveil Ad-Blocking Tools (April 15, 2013)

Two tech companies have started offering ad-blocking tools for mobile users, AdAge reports. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted for behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.”

PRIVACY

Getting More Privacy Pros Into HR (April 15, 2013)

In a recent column in The Globe and Mail, an employee poses a question to human resource experts about her company’s changing internal policy on criminal background checks and her discomfort with those changes. This IAPP Privacy Perspectives blog post explores how a privacy pro or department could both assuage employee concerns and help roll out difficult, but often necessary, company policies.

ONLINE PRIVACY

The Right To Be Remembered? (April 12, 2013)

Google announced yesterday on its Public Policy Blog a new service it’s calling Inactive Account Manager. What it essentially allows is for customers to designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to decide to have their information deleted automatically following a specified period—three, six, nine or 12 months—of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it.

EMPLOYEE PRIVACY—CANADA & U.S.

Experts Ponder Background Check Question (April 12, 2013)

In The Globe and Mail’s “Nine to Five” feature, two human resources experts weigh in on questions about policies requiring employees to undergo criminal background checks. One U.S.-based expert suggests “there are limits to what a company can request of its employees. Your employer must comply with applicable federal, provincial and local employment laws.” She notes, however, that such a policy may be completely legal. A Canada-based expert cautions, “These types of background checks will likely become standard across organizations providing services to others, such as professional consulting services, and within the financial industry.”

CHILDREN’S PRIVACY—CANADA

Surveillance Use Sparks Concerns (April 12, 2013)

In its most recent blog, the Office of the Privacy Commissioner (OPC) considers “the prevalence of high-tech surveillance tools in the day-to-day lives of children” in the wake of an investigation into a complaint about a daycare offering webcam monitoring services to parents. “Specifically, we wondered how technical surveillance might affect kids’ feelings about privacy,” the OPC blog states, noting, “Some research suggested that persistent surveillance could even result in children not knowing how to establish their own privacy, or recognize the privacy of others.” The blog points out, however, that the question “is only beginning to be studied.”

PRIVACY LAW—CANADA

Breach Notification Requirements Examined (April 12, 2013)

In this exclusive for The Privacy Advisor, PwC Data Protection & Privacy Practice Manager Ron De Jesus, CIPP/US, CIPP/C, CIPP/EU, CIPP/IT, examines Canada’s lack of federal privacy breach notification regulation. “Individual provinces have tackled breach notification in various forms,” he writes, noting, “The resulting legal landscape for notifying individuals or relevant privacy authorities following breaches of personal information is a patchwork at best.” De Jesus highlights the changes expected as federal and private-sector organizations subject to the federal Personal Information Protection and Electronic Documents Act “will soon be expected, under proposed amendments to the act by Bill C-12, to report ‘material’ breaches to the federal privacy commissioner.”

ONLINE PRIVACY

Mozilla Readies Cookie Blocker, Announces “Nuanced” DNT (April 11, 2013)

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry,” COMPUTERWORLD reports. Some trade groups say the new feature, called Aurora, is “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, creator of the code, tweeted, “The new Firefox cookie policy has migrated to Aurora!” Firefox 22 is expected to fully release in late June. Meanwhile, Firefox has announced its “more nuanced approach” to implementing its Do-Not-Track setting and efforts to provide additional user choice.

DATA LOSS—CANADA

Revelations Continue in Student Loan Incident (April 11, 2013)

Information continues to trickle in, revealing the true import of the external hard drive loss that has exposed personal information about 583,000 Canadian student loan borrowers. This week, POSTMEDIA NEWS has discovered the drive also contained business plans and financial information about the Canada Student Loan program, along with “investigative reports” on applicants whose eligibility was questionable. Privacy Commissioner Jennifer Stoddart continues to investigate the data loss, which also includes a missing USB stick, and that inquiry has grown to include the Department of Justice.

ONLINE PRIVACY

Privacy Focus Remains in Microsoft’s Ad Campaign (April 11, 2013)

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results,” The Boston Globe reports. The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new "Scroogled" ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states.

BEHAVIORAL TARGETING

EBay To Open Data to Marketers (April 10, 2013)

EBay will now allow advertisers to target consumers based on what that consumer has bought, similar to Amazon. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But AdWeek reports eBay knows it risks alarming consumers and has protections in place so advertisers don't have direct access to personal information. Customers rightly “expect eBay not to tell anybody else who they are,” said a company spokesman.

MOBILE PRIVACY

Studies Say Mobile Apps View Too Much Data (April 10, 2013)

France’s data protection authority, the CNIL, says mobile phone apps are accessing and processing an unnecessary amount of private data, PCWorld reports. The CNIL studied 189 apps on six smartphones. The aim was to analyze the nature of the apps, not to put blame on app developers, CNIL President Isabelle Falque-Pierrotin said. Meanwhile, security researchers at a Romania-based firm are warning that mobile apps are becoming increasingly intrusive. Nearly 13 percent of apps disclose user phone numbers without the user’s consent.

DATA PROTECTION

Exploring High-Level Talks and Risks for Privacy Officers (April 10, 2013)

In this recent IAPP Privacy Perspectives blog post, Profs. Deirdre Mulligan and Kenneth Bamberger discuss their research in which they interviewed hundreds of leading privacy officers, regulators and privacy pros. They explore “a caution raised by privacy officers in both the public and private sector regarding particular risks created by attempts to ensure that privacy is part of high-level deliberations within a corporation—risks that must be managed in developing policy.” Editor’s Note: Bamberger will be a speaker at the breakout session Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management at the IAPP Data Protection Intensive in London, UK.

DATA PROTECTION

Questions Linger on Data Ownership (April 8, 2013)

GigaOM reports on a recent discussion among experts on the topic of data collection and sharing. “What does it mean to own data?...Does it mean I can do with it whatever I want to do with it?” The question was posed by Andreas Weigend, a lecturer at Stanford University and formerly a chief scientist at Amazon.com. GigaOM’s Jordan Novet said the recent panel discussion in San Francisco elicited questions on whether companies should increase the amount of data they share and whether consumers care enough about their data to want to know what companies collect. Editor’s note: Andreas Weigend will be a keynote speaker at the IAPP’s Data Protection Intensive in London, April 23-25.

MOBILE PRIVACY

Facebook Feature Maps User Moves (April 5, 2013)

Forbes reports on Facebook’s latest mobile release, a “digital skin that you will slide your phone into” which will turn the phone into a “slideshow version of the Facebook news feed.” The feature, called “Home,” means Facebook may be able to consistently collect users’ location information—an attractive situation for advertisers, the report states. GigaOM’s Om Malik noted the privacy issues involved, including that Facebook may be able to deduce a user’s home address by monitoring where the phone most often idles. Facebook says the feature will have the same privacy policy as the rest of the site.

PERSONAL PRIVACY

Technology Raising Privacy Anxiety, Poll Suggests (April 5, 2013)

A new poll commissioned by the Office of the Privacy Commissioner of Canada (OPC) reveals that a “significant number of Canadians do not feel they understand the privacy risks posed by new technologies and are not confident in their ability to protect their personal information,” according to an OPC press release. The Survey of Canadians on Privacy-Related Issues queried 1,513 Canadian residents and found 55 percent are “very” concerned about posting their location, and a majority said they have not installed--or have uninstalled--an app based on privacy concerns. Privacy Commissioner Jennifer Stoddart said, “Canadians are beginning to realize that the various pieces of information they share online can reveal a lot about them and can be used in ways they never intended.”

PRIVACY LAW

“Class-Action Landscape” May Be Changing (April 5, 2013)

In an exclusive for The Privacy Advisor, John Jager, CIPP/US, CIPP/C, CIPP/G, writes that while “Canadians have long prided themselves in being more restrained in legal matters than our southern neighbour” when it comes to class-action lawsuits following data breaches, “the Canadian landscape may be changing…” Jager explores recent cases, including incidents at Elections Ontario and the Canada Student Loans Program, as examples of Canadians “becoming more aggressive in taking action against organizations which experience such security breaches.”

ONLINE PRIVACY

Euro Task Force Initiates Google Enforcement Measures (April 3, 2013)

A taskforce of data protection agencies has begun follow-up measures against Google, alleging the company failed to fix flaws in a new privacy policy, The Washington Post reports. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and The Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. (Registration may be required to access this story.)

DATA PROTECTION

Thinking Accountability? Here’s One Suggestion (April 3, 2013)

“Over the past 10 years, the components of an accountable privacy program have evolved through a combination of privacy professional best practices,” scholarship and regulatory action, writes Intel Global Privacy Officer David Hoffman, CIPP/US, in the latest IAPP Privacy Perspectives blog post. With a waning notice-and-consent model still in the marketplace, Hoffman suggests that consumer education is a major component toward the accountability model. “There is no better network poised to navigate privacy cultures and raise the collective consciousness of privacy than privacy professionals,” Hoffman writes, providing a number of suggestions for privacy pros.

ONLINE PRIVACY

Google Privacy Chief Stepping Down (April 2, 2013)

Google’s first director of privacy plans to retire, Forbes reports. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to prevent future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals.

ONLINE PRIVACY

Why Consumer Privacy Decisions Aren’t Always Rational (April 1, 2013)

The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” (Registration may be required to access this story.)