What to Expect for the U.S. Riding a New Wave of State Privacy Laws in 2025
The wave of new and updated U.S. state privacy laws is propelling the country towards stronger data protection standards as of January 2025. Evolving state laws are beginning to align with more seasoned privacy regulations of California and other jurisdictions worldwide, creating a unified and robust framework for data privacy.
Deceptive Design Patterns – Turning the Lights Out on Privacy
The Office of the Privacy Commissioner (OPC) and the Global Privacy Enforcement Network (GPEN) recently embarked on a sweep focusing on “Deceptive Design Patterns” (DDPs, also known as “Dark Patterns”) in websites and mobile apps, hunting for manipulative and deceptive designs that undermine users’ privacy.
Taming the AI Beast: A Risk-Based Guide to Smarter AI Governance
This article examines the EU AI Act, which introduces a risk-based regulatory framework for artificial intelligence (AI) by categorizing applications into four risk levels: unacceptable, high, limited, and minimal risk. It highlights the need to balance innovation and safety, particularly for high-risk systems that require stringent compliance measures. Additionally, the article discusses tiered regulations for general-purpose AI models based on their risks. Ultimately, the EU AI Act aims to create a secure environment for AI innovation while providing clear guidelines to protect users and adapt to evolving technologies.
Pack Your Digital Bag, Because Law 25’s Data Portability is Finally Here
Quebec's Law 25 now comes with the right to data portability. This article dives into what this right is and how to implement it in compliance with legislation. The article dives into 10 practical action items to get you started on your data portability journey.
Third-Party Cookies are Here to Stay (and Play) Inside Google’s Privacy Sandbox
Google’s plans to follow suit with other big browsers like Safari and Firefox and remove third-party cookies (TPCs) from Chrome has come to a crashing stop. The decision to move forward with keeping TPCs on their web browser is the culmination of many years of back-and-forth discussion on Google’s end (since the year 2020), however, they have ultimately decided to simply enhance their privacy settings without losing an advertising penny from their large pockets. Their solution – the Privacy Sandbox.
Use of AI in the Workplace
With the increased use of AI, particularly in the workplace, and legislation coming in (irrespective of whether legislation governs the use of AI right now), there is a risk to your business if you do not regulate how your employees use it.
Think Again: Breach Notification is Required
Breach notification plays out differently within various sectors in Ontario. From health legislation to municipal regulations, incident obligations can vary and sometimes operate in a gray area or piggyback off “best practice” approaches.
Hashing Isn’t a Magic Cloak: Why Data Remains Unmasked
Hashing is a popular tool in data analysis for businesses, known for its ability to convert personal data into an anonymous format. However, hashed data is not truly anonymized and can be vulnerable to attacks that may re-identify the original data. To ensure data privacy, it's important to use hashing alongside other methods like encryption and tokenization, and to understand privacy regulations and best practices. This approach provides a more robust way to safeguard sensitive information. Explore advanced techniques to protect your data assets while maintaining privacy and security.
Unlocking Retail Potential: The Power of Data Clean Rooms
Data clean rooms have emerged as a pivotal solution for retailers seeking to harness the power of data collaboration without compromising privacy. For retailers, the advantages are numerous: from gaining deeper insights into customer behaviour to enhancing targeted marketing strategies, data clean rooms offer a treasure trove of opportunities. However, the journey has its challenges. Retailers must navigate issues such as data integration complexities, compliance with privacy regulations, and the need for robust security measures. Choosing the right data clean room is crucial and involves evaluating factors such as scalability, ease of use, and the ability to integrate with existing systems. This article delves into the intricacies of data clean rooms, exploring their benefits, challenges, and key considerations for retailers aiming to leverage this innovative technology.
Non-profits and Privacy Laws - Yes, No, Maybe?
As a non-profit, you will likely collect and have access to highly sensitive data, be it from members, supported individuals, minors, volunteers or donors – you are privy to quite a lot. You may be exempt from several onerous pieces of legislation however non-profit organizations are not automatically exempt from PIPEDA. The Office of the Privacy Commissioner of Canada (OPC) has said that “Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity”. So is it a ”maybe?”. Over the years there have been several cases in Ontario trying to determine this question.
MSP’s Journey Towards Privacy Compliance
Whether you are a managed service provider (“MSP”) or a managed security service provider (“MSSP”), you are likely collecting, storing, reviewing, using, or disclosing personal information from your client. Most MSSPs need to comply with privacy legislation as both a regulatory and contractual requirement. This article serves to provide MSPs and MSSPs considerations towards becoming privacy compliant.
The Art of Selling Privacy
Last week, Bamboo hosted a Privacy & Retail Workshop with several national retailers in attendance. This workshop was a huge success! The discussions in the room focused on privacy implementation in retail and facilitated the exchange of lessons learned and how to grow a business alongside privacy compliance. What stood out most to the Bamboo team was the undeniable truth of the shared challenge every retailer faces on the journey to bolstering their company’s privacy posture – communication.
Seeing the Forest from the Trees: Don’t Neglect the Fundamentals
When it comes to securing our environments, the controls we have in place work in harmony to keep our kingdoms safe. A layered approach means that there are many different controls that serve the purpose of securing your environment, so that if one fails, another takes over. With layers comes complexity, and it’s important to not lose sight of fundamental controls that are almost “a given” in favour of the more detailed controls on our hosted environments.
The Eternal Push and Pull: Striking a Balance between Endpoint Protection and Employee Privacy
At Bamboo we’re constantly aware of the push and pull nature between privacy and security, and often it comes to the fore in processes such as incident response or considerations around data lakes and operational data. In the last few weeks though, we’ve seen a great deal of discussion around Data Leak Prevention (DLP) and endpoint protection, and the clash it has against employee privacy – particularly when Bring Your Own Device (BYOD) is involved.
Privacy Complaint: Naming & Shaming
The article discusses the implications of someone filing a privacy complaint with the Office of the Privacy Commissioner of Canada (OPC) and the motivation of naming and shaming companies. It highlights that even if a complaint seems frivolous, it can lead to thorough investigations by the OPC, potentially uncovering compliance gaps within a company's privacy program. The article emphasizes the importance of proactive preparation for businesses, including maintaining updated policies, designating a Privacy Officer, and viewing every decision through the lens of potential regulatory scrutiny. It warns that regardless of the company's size or industry, a single complaint can have significant financial, operational, and reputational consequences, stressing the necessity for vigilance in addressing privacy concerns in the digital age.
Retail Loss Prevention and In-Store Privacy: A Guide
In recent years, Canada has experienced a concerning surge in shoplifting incidents, a trend potentially exacerbated by economic factors such as inflation. As the guardians of a retailer's assets, loss prevention personnel find themselves on the frontline in addressing this growing challenge. However, in the pursuit of securing business interests, it is imperative to recognize the delicate dance between protecting assets and upholding privacy rights.
Phish in a Barrel: How Sensitive Data is Vulnerable to Email Breaches
As an immigrant to Canada, I have seen the process and the documentation required to get here. My entire life condensed into a folder to be submitted to a consultant, who will in turn validate everything, and then submit it all to the IRCC (Immigration, Refugees and Citizenship Canada). This translates to a lot of deeply personal information put into the trust of a third-party, and this article goes into how quickly a phishing attack on any business can put sensitive information at risk.
Refined Guidance on Valid Consent
The criteria for obtaining lawful consent was discussed in depth in our Law 25 Consent White Paper released late 2023. The CAI published its final consent guidelines (Guidelines 2023-1-Consent: Validity Criteria (“Consent Guidelines”)) providing us with a clearer picture and refined guidance on what is required for consent to be valid.
Wonder Twin Powers: The (Super)Power of Addressing Privacy and Security Together
In a world where data breaches and privacy concerns are constantly in the headlines, it’s more crucial than ever for businesses to prioritize and navigate both privacy and security. While these concepts are often treated as separate entities, tackling them together can yield significant benefits for organizations.
Integrative Thinking - The Cross-Pollination of Privacy and Security
The privacy and security functions, respectively, often have tunnel vision and move in different directions causing the business to spin rather than move forward fast. It is time for privacy and security to form an alliance. When privacy and security cross-pollinate to form Governance, Privacy, and Security (GPS), they are better able to protect the business, protect data, and protect individuals.