Data Privacy Day is this weekend. Here are some tips and pointers individuals and businesses should keep in mind going forward.

1. Transparency is front and center for regulators in the United States and Europe, so if individuals and businesses collect information they should put a privacy notice on it. The notice can’t just be a list of things you collect and why. Rather, it needs to be process based and written in a way that normal people can understand. Individuals and businesses should review and revise their privacy notice.
2. Hoarding data is a bad habit. That is clear from GDPR, new US privacy laws and recent FTC decisions in CafePress and Drizly. Individuals and businesses can’t just collect and use any data they want and retain it indefinitely. They may only collect that which they need for their stated purposes and retain it only as long as necessary to fulfil those purposes. Individuals and businesses also have to tell people about it, so they know. It is vital individuals and businesses create and/or revise their data retention policies and schedules.
3. If individuals and businesses outsource any part of their data processing or otherwise share information with a third party, the new U.S. state privacy laws (and in particular CPRA) require that this be governed by a data processing agreement with specific provisions. Individuals and businesses should assess their data sharing, map out their providers and recipients and revise their agreements accordingly.
4. When discussing children’s data, many regulators are now concerned with all users who are under 18 — not just those under 13. The United Kingdom and California already issued a Children’s Age Appropriate Design Code, and a number of U.S. states have issued copycat bills. In addition to detailed, child friendly disclosure requirements, there are also limitations on collection and sharing, a need for parental controls, data protection impact assessments and friendly user interface design. Individuals and businesses should childproof their data collection and disclosures.
5. Is an individual or business using pixels on their websites, tracking movements or recording chats? Old causes of action like wiretapping, UDAP violations and VPPA are getting their 15 minutes in the sun with privacy rights violations. These lawsuits are popping up all around. Individuals and businesses should review their website trackers and how they disclose them. If necessary, they should get consent.
6. HIPAA covered entities and business associates must understand their use of tracking technologies. Ignorance is a poor defense. Be careful.
7. You don’t get a free pass from state data privacy laws just because you are subject to HIPAA. For example, employee-related health information such as that kept in an HR file may be subject to requirements under California, Colorado, Connecticut, Utah and Virginia law.
8. Telehealth providers must check their communication tools to see whether and how patient information is being collected. If the platform or technology schedules sessions, electronically records or transcribes a session, or stores (even audio-only) patient messages, it must comply with HIPAA, according to recent guidance from the U.S. Department of Health and Human Services.
9. If regulations governing the privacy of certain substance abuse disorder treatment providers (known as “Part 2” regulations) come into better alignment with HIPAA (as proposed this past November), providers will need to amend their Notices of Privacy Practices (NPPs) and patients will need to understand how their SUD treatment information will be shared going forward with other providers and health plans.
10. Health care providers, electronic health record companies and other businesses covered by the 21^st Century Cures Act should be careful when responding to requests to share information with health apps. It is a good idea to provide consumers clear disclaimers, particularly if the provider has concerns about the app’s privacy or security risks.
11. Given the rising prevalence of phishing attempts, individuals and businesses should trust no one. It is critical that companies create a culture that includes extensive communication and training regarding phishing detection. Specifically, individuals should:
    1. Slow down and question why you are receiving any particular email.
    2. Verify requests for data orally.
    3. Do not use telephone numbers in the email.
    4. Do not reply asking if it is really who they claim to be.
12. If possible, individuals and businesses should use multi-factor authentication while accessing secure websites or conducting business online.
    1. This requires individuals to use a code or click on a mobile device app to verify it is really them.
    2. The mobile device authentication option is actually safer than texts or calls.
    3. Individuals should beware if they receive multiple texts or calls to confirm a login (called “fatigue”). Do not give in and click just to make it stop.
    4. The easiest way to start is for individuals to review the security settings of their personal email account. Look for “2 step” or “MFA.”
13. Individuals and businesses should never use the same password for multiple sites. Instead, they should:
    1. Let their browser create a password.
    2. Use a password management tool (despite recent LastPass issue).
    3. Consider using “throw away” email addresses.
14. Individuals and businesses should make sure their software is up-to-date and that they are using an anti-virus software.
    1. Researchers and hackers are constantly finding vulnerabilities, and companies are constantly patching them.
    2. An attack from an unpatched software vulnerability can happen no matter how well an individual or business follows the rules.
15. Individuals and businesses should encourage family members to be vigilant and safe.
    1. Retired parents and the elderly are not receiving the same reminders and training as those with jobs. Schools also don’t always teach children about online safety.
    2. Family members know each other’s personal information and/or share an internet connection. Families are only as safe as their weakest link.

[View source.]