Deceptive Trade Practices – What are They?

Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:02
Welcome everyone to the very last lesson in module four.
00:05
Up until this point, we have been discussing all things related to notice and transparency.
00:10
In this lesson, we will discuss deceptive trade practices, what they are and how they relate to the CCPA.
00:17
Let's jump right into it.
00:19
The learning goals and objectives for lesson 4.4 will be to first review why notice and transparency are so important.
00:26
Why?
00:27
Because it helps prevent deceptive trade practices.
00:31
We will dissect that further here in a moment.
00:34
A secondary objective is for the very first time in the entire course,
00:38
I will be introducing to you concepts around CCPA enforcement.
00:43
I'm happy that we are getting to that stage in the course,
00:46
just as an FYI, there is an entire module, Module seven,
00:51
dedicated to CCPA enforcement.
00:53
The good news is,
00:55
once we get to that module, you will not be seeing those materials for the first time.
01:00
There are privacy principles actually contained in the CCPA recital section that are separate from the actual text of the CCPA itself.
01:07
I hope that you have at this point already opened up the CCPA text,
01:12
you will notice that the first 10 to 20% of the page is occupied by what's called a recital section.
01:19
It's nothing more than a summary of the privacy principles that the advocates of the CCPA wanted to put out there as best practices and general concepts that they hoped businesses would adhere to
01:30
By the way
01:30
the GDPR and other privacy laws also have their own recital sections.
01:36
There is one recital in there that is particularly relevant to the notice and transparency conversation that we're having now.
01:42
If you'll allow me, I will read this to you and we will dissect it together.
01:47
One of the recitals reads as follows.
01:49
According to the California privacy advocates, they believe that people desire privacy and more control over their information.
01:57
California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information.
02:07
Now
02:07
here is the punch line.
02:09
It is possible for businesses both to respect consumers' privacy
02:14
and provide a high level of transparency to their business practices.
02:17
I highly encourage you as you enter the workforce and get more involved in privacy to adopt the same attitude as well.
02:24
It is possible to provide a high level of transparency as to how your company handles and protects personal information while also being able to fundamentally satisfy your other business practices.
02:38
Don't be convinced that transparency should be a problem or something that should be avoided.
02:44
You might have individuals at work who would prefer not to include that information in your privacy policy.
02:49
The CCPA recital section as well as, for that matter, the GDPR recital section as well. They all advocate for including more information.
02:59
With that as a backdrop, I'd like to give some real-world examples for deceptive trade practices that I have come across personally in the last two years.
03:07
I was frequently supporting a large multinational company, and reviewing their privacy policy
03:14
in the privacy policy was the following sentence.
03:15
We don't sell your personal information.
03:19
I had a feeling that wasn't true.
03:22
I asked the privacy officer there.
03:23
Do you actually not sell personal information?
03:27
The response was,
03:28
we sell everyone's information, not just yours.
03:30
The sentence continued that the privacy officer was just unable to convince the other stakeholders at their company that they needed to update their privacy policy
03:39
but that they agreed with me that it needed to be done. Eventually,
03:44
I shared with the privacy officer that that is a deceptive trade practice.
03:47
You cannot lie about something in your privacy policy.
03:52
If the California attorney general were to learn that you are putting objective falsehoods into your policy,
03:57
you could get fined for that.
03:59
We'll talk more about that in Module seven.
04:01
The privacy officer who was already agreeing with me anyway,
04:04
eventually was able to convince their stakeholders to update their privacy policy to reflect real-world practices.
04:12
Number two, a little bit less related to notice and transparency, but equally important,
04:17
I received a phone call saying, Oops, we had a small security incident, but we're not sure if it was a security breach.
04:26
Why?
04:28
Because it was just an employee who accidentally sent personal information to the wrong John Peterson. That's not his actual name.
04:35
Essentially, what happened is if you're ever sending an email,
04:39
the email address that was auto populated was sent to the wrong, and I do believe the first name was John
04:45
you are normally obliged to report data breaches.
04:48
This company was trying to convince itself that it did not need to do that because there wasn't an actual outside actor that had unlawfully entered the network. It was just an employee in a separate division who had made a mistake, which ended up resulting in personal information falling into the wrong hands.
05:04
But they didn't do it as a security breach,
05:08
covering up your own tracks and deceptively hiding the fact that personal information was now falling into the wrong hands is a deceptive trade practice.
05:16
We'll get to more of this in future modules.
05:19
That is something that the California attorney general will gladly fine a company for.
05:26
Item number three.
05:28
This was a client that is in the video channel space
05:30
in their privacy policy was the following sentence.
05:33
We don't collect personal information of children.
05:36
I also had a feeling that that wasn't true.
05:40
I asked the privacy officer. The response was, well, we might collect personal information of children.
05:46
Truthfully, we don't know people's ages when they visit our website,
05:49
you cannot stick your hand in the sand and purposely avoid finding out the truth about your privacy practices and expect to not eventually be subject to some sort of enforcement action for engaging in a deceptive trade practice.
06:01
You must, unfortunately, investigate how information is handled
06:05
in this scenario. It turned out that yes, cookies and other data collection tools were collecting the personal information of children because children, as you well know, are freely able to access the Internet,
06:18
they cannot be unilaterally declaring that personal information of children is never collected.
06:24
They do need to at least put some effort into trying to prevent that from happening.
06:28
We'll get to more of that in module six, where we discuss children.
06:32
Item number four,
06:34
which I see more often than I would initially think
06:36
you cannot represent in a privacy policy that certain cyber or technical standards are being held when in reality,
06:44
whatever standard that your company might have adhered to has since gone stale.
06:48
The CSO, which was responsible for that, has since departed, and you're just leaving it there on your website because someone was responsible for it at one point, but is no more
06:59
information needs to always be updated
07:01
if a certain standard has not been objectively vetted for a while now,
07:05
you can't represent to the public that that standard is still being satisfied.
07:12
Some other collective no-nos.
07:14
I wasn't really sure where to put them, but I keep seeing this happen, so I'll share it with you.
07:18
Please, please, please. If you are collecting the information without explaining the actual reason for that information to be collected, you are engaging in a deceptive practice.
07:30
Please be fully open in your notices and explain why information is being collected.
07:33
You need to explain the purpose.
07:36
Also,
07:38
please avoid deploying cookies without providing proper notice. If there are any cookies on your website,
07:43
please make sure that there are notices that also populate at the same time,
07:47
we'll get to more about cookies in a moment.
07:50
If you're ever satisfying a consumer request again, make sure you're looking at all the systems upon which information is held.
07:58
The last one the big one here,
08:00
please make sure that any mechanisms you have in place to ensure privacy compliance
08:05
actually work.
08:07
We will talk more about the do not sell link, but make sure that your do not sell link actually works. I have come across situations where it's up there and it doesn't actually work.
08:16
Some golden rules in summary.
08:18
Just tell people what you're doing with their personal information.
08:20
Transparency is going to save the day nine times out of 10.
08:24
Hopefully here. We've given you some examples of deceptive trade practices to think on.
08:28
We will close out this conversation in module seven as we discuss some deceptive privacy practices and explain more how the Attorney General is dedicated to stopping that
08:37
I'll see you in the next module, Module five.
08:41
Take care.
California Consumer Privacy Act (CCPA)

This course examines the privacy obligations that are established by the California Consumer Privacy Act (CCPA) and how students can help their employers implement changes to their organizations to remain compliant with this new law.
