The Business of Data Conference Addresses Key Privacy, Data, and Cybersecurity Issues

This March, more than 200 brand professionals from 40 countries gathered in New York, New York, USA, for The Business of Data Conference. The event was dedicated to the critical issues facing brand owners today relating to privacy, data protection, and cybersecurity—shedding light on the regulatory landscape and offering insight on how to manage risk and ethical considerations. Below are some of the key issues that were discussed during the two-day conference.

Importantly, what constitutes protectable data was defined and reviewed at the outset of the conference during a discussion on how companies determine what they can protect and what they want to protect as proprietary information.. All panelists agreed that a comprehensive data audit is essential to confirm the personal information a company holds, including its trade secrets and other protectable assets.

In terms of data subject access rights (DSAR), brand owners face challenges in exercising and enforcing individual rights when offering services through online platforms and mobile devices. Meeting compliance demands of multiple jurisdictions requires knowledge of the laws in each country/state and the operationalization of the law. Panelists from leading brands explained the complexity of this task and how they set up their DSAR and privacy frameworks. Flavia Mitri (Uber, USA) described Uber’s transformation to a fluid DSAR capability to support compliance and brand equity needs across all countries in which it offers services. Uber created a global baseline that all countries must meet to address all needs uniformly. On the other hand, Sylvie de Oliveira (L’Oréal, France) spoke about L’Oréal’s localized model, addressing local laws by having a privacy professional on the ground in each country in which it distributes products to address country-specific requirements. In sum, performing a data audit and mapping makes clear the extent of your responsibilities and risk profile, as well as the best model to protect individual rights, company infrastructure, assets, and brand equity.

Implementation of the Digital Services Act (DSA), the landmark EU regulation, began in 2023 with broad territorial scope. It serves to protect consumers and brand owners in the fight against illegal content and the removal of counterfeit goods from online platforms. Full implementation is expected in 2024. This regulation impacts intermediary service providers with transparency in seller requirements, advanced takedown practices (trusted flaggers), dispute resolution, and obligations in the reduction of targeted advertising through platforms. The DSA raises the bar in non-action by the enactment of fines of 6 percent of annual revenue for companies that don’t comply—higher than the General Data Protection Regulation (GDPR) at 2 percent. Knowing this regulation is imperative when conducting business online.

Across the Atlantic, the increased enforcement of the California Rights and Enforcement Act (CPRA) has made it vital for all companies to review the consumers they reach, determine how and if they collect personal information (and if it is tied to consideration), and avoid the selling of personal information to third parties for the purpose of cross-contextual behavioral advertising, which is prohibited. Under the CPRA, brand owners should make sure they have the necessary opt-out mechanisms, choice links, and required privacy policy language.

An overview of the U.S. litigation landscape illustrates the broad basis of data privacy, cybersecurity, and adtech (advertising technology) claims. Data protection authorities (DPAs) in the EU and the California Attorney General are imposing serious fines. The same can be said for litigation throughout the United States. Practitioners need to understand the law and its application and implement proactive internal measures to mitigate risk. This includes the following:

• Making sure consumers accessing websites accept cookies;
• Requiring consent to use personal information;
• Acknowledging an enforceable online or mobile contract with a limitation of exposure by an indemnification clause; and
• Establishing an arbitration provision.

With regard to the environmental, social, and governance (ESG) framework and supply chain sustainability, brands need to have a contractual model that supports the demands of regulatory and commercial issues as ESG escalates. This is a real issue for all businesses with EU sustainability reporting standards and with new U. S. Securities and Exchange Commission guidelines coming.

In terms of cybersecurity, the National Cyber Director of the White House shared five pillars of U.S. policy for all institutions to follow:

1. Defend critical infrastructure;
2. Disrupt and dismantle threat actors;
3. Align market incentives to drive security and resilience;
4. Invest in a resilient future; and
5. Forge [international] partnerships to pursue shared cybersecurity goals.

The message: cybersecurity is a complex risk management exercise, not just a compliance concern. Regulations should be risk-based and require brands to adapt to evolving risks. Cybersecurity expert Jim Halpert (Office of the National Cyber Director, USA) agreed with the panelists that brands need to appreciate that cybersecurity is an enterprise risk and that the risks should be managed by key personnel and cross-functionally, with training of all personnel, and specialized training for those who handle personal information and/or IT systems. Cybersecurity requires continued management of access controls and incident response training and should involve extensive discussions at the chief executive officer and Board level.

The Business of Data Conference shed light on myriad issues all companies need to address today to protect brand equity, transact online without risk, and thrive in our ever-changing, data-driven world.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest.

© 2023 International Trademark Association