The ABCs of Bill 194: Pt. 1 Amendments to FIPPA
On November 25, 2024, Ontario's Bill 194, also known as the Strengthening Cyber Security and Building Trust in the Public Sector Act, received Royal Assent. The passing of this Bill marks a significant milestone in Ontario's efforts to enhance digital security and trust within the public sector.
Deceptive Design Patterns – Turning the Lights Out on Privacy
The Office of the Privacy Commissioner (OPC) and the Global Privacy Enforcement Network (GPEN) recently embarked on a sweep focusing on “Deceptive Design Patterns” (DDPs, also known as “Dark Patterns”) in websites and mobile apps, hunting for manipulative and deceptive designs that undermine users’ privacy.
MSP’s Journey Towards Privacy Compliance
Whether you are a managed service provider (“MSP”) or a managed security service provider (“MSSP”), you are likely collecting, storing, reviewing, using, or disclosing personal information from your client. Most MSSPs need to comply with privacy legislation as both a regulatory and contractual requirement. This article offers MSPs and MSSPs considerations for becoming privacy compliant.
The Art of Selling Privacy
Last week, Bamboo hosted a Privacy & Retail Workshop with several national retailers in attendance. This workshop was a huge success! The discussions in the room focused on privacy implementation in retail and facilitated the exchange of lessons learned and how to grow a business alongside privacy compliance. What stood out most to the Bamboo team was the undeniable truth of the shared challenge every retailer faces on the journey to bolstering their company’s privacy posture – communication.
Seeing the Forest from the Trees: Don’t Neglect the Fundamentals
When it comes to securing our environments, the controls we have in place work in harmony to keep our kingdoms safe. A layered approach means that there are many different controls that serve the purpose of securing your environment, so that if one fails, another takes over. With layers comes complexity, and it’s important to not lose sight of fundamental controls that are almost “a given” in favour of the more detailed controls on our hosted environments.
The Eternal Push and Pull: Striking a Balance between Endpoint Protection and Employee Privacy
At Bamboo we’re constantly aware of the push and pull between privacy and security, which often comes to the fore in processes such as incident response or in considerations around data lakes and operational data. In the last few weeks, though, we’ve seen a great deal of discussion around Data Leak Prevention (DLP) and endpoint protection, and how they clash with employee privacy – particularly when Bring Your Own Device (BYOD) is involved.
Integrative Thinking - The Cross-Pollination of Privacy and Security
The privacy and security functions often have tunnel vision and move in different directions, causing the business to spin rather than move forward fast. It is time for privacy and security to form an alliance. When privacy and security cross-pollinate to form Governance, Privacy, and Security (GPS), they are better able to protect the business, protect data, and protect individuals.
Navigating the Tightrope: Balancing Security and Privacy Conflicts
In today's digital landscape, businesses face an ongoing struggle to strike the right balance between security and privacy. While robust security measures are essential to protect sensitive data and assets, maintaining customers’ and employees’ privacy is equally important to establish trust and comply with regulations. Privacy by Design (PbD) incorporates this as a principle (more on that in a future article), stating that it should not be a “zero sum” game; privacy and security should work together and not be in competition with each other.
Removing the Blinkers: Assessing the PrivSec Threats to your Business
What happens when you cannot see the forest for the trees? There are so many threats out there it’s hard to keep up with which ones directly (and materially) affect your business. Businesses can waste tremendous time and effort in addressing generic threats that do not directly relate to their business, simply because it seemed like a good idea (or someone in power heard about it at the last conference they attended).
Behind the Headset: The Privacy Pitfalls of Call Centres and How They're Putting Your Business at Risk
Call centres are often the first point of contact between customers and businesses. Over the past few years, with advances in technology, including AI, call centres are collecting more personal information than before and using it in novel ways. This article explores how call centres may violate privacy and what they can do to reduce their risk of non-compliance.
The Invisible Stalker - How to handle geolocation data
Collecting geolocation information can be useful to your business. However, if it is not done properly, you will not only be non-compliant with privacy regulations, get fined, and find your company in a class-action lawsuit, but you will also be classified as that “creepy stalker” that nobody wants to associate with. Read up on the latest cases involving geolocation data.
The Tipping Scale: PrivSec vs. Convenience
We have all heard about the privacy versus convenience dilemma. There is also a trade-off between security and convenience. More security controls add a layer of complexity (and dare we say inconvenience) to opening files, transmitting information, and sharing data with others, which does not always make for a seamless process or gain customer satisfaction.
Another Big Tech’s Move to Ditch Ad Tracking
Google is set to follow Apple in restricting cross-app tracking on its Android devices. Google’s Privacy Sandbox will lead to better ad privacy for users but will have a direct ad revenue impact on businesses. Having a trusted brand with a robust privacy program and a stellar value proposition can help businesses in this evolving landscape.
Podcast: Apple’s Decision to Scan iPhones
Apple’s decision to scan iPhones for child sexual abuse material (CSAM) may not have as positive an impact as one would think.
Don’t Give Me a Legal Memo, Tell Me What the F*ck To Do
In-house counsel designated as a Privacy Officer should seek assistance from privacy experts to help them succeed in their new role.
Facial Recognition & Privacy
Operationalizing facial recognition and remaining privacy compliant
Personal Data and Privacy for Motor Vehicle Litigation and Law Firms
Artificial Intelligence and Motor Vehicle Insurance Claims
Online Gaming Industry Needs More "Privacy by Design"
Embedding Privacy into Online Gaming (Part 2)
Online Gaming and the Responsibility to Protect Privacy (Part 1)
Online Gaming Needs More Privacy (Part 1)