Every time a user opens an app on their device, it seems they are asked to provide both the information necessary to engage with the app and, far too often, additional information that falls into the nice-to-have or marketing niche. Having CISOs participate in the discussions on what data is necessary for an app to function is table stakes. They should have a say in how that data is parsed to determine how it must be protected to remain in compliance with privacy laws. In addition, CISOs have a role to play in helping the workforce remain safe online and protect their (and the company's) privacy.

The risks of data over-collection

During a recent conversation with Rob Shavell, founder of DeleteMe, he commented that data over-collection by companies is a rampant problem. The data brokers take what you give them and what they scrape, then package and sell it. He notes, "Employers are now helping employees protect their PII [personal identifiable information] as it is in the company's interest to do so."

Speaking to what steps CISOs may take, Shavell suggests that they focus on data-collection compliance points and data tagging. In this manner, process and procedure evolve so "data is kept as long as necessary so if an individual wants their PII deleted, it is feasible to do so." (Data privacy law in the European Union, in the form of the General Data Protection Regulation [GDPR], includes the "right to be forgotten," requiring companies to delete an individual's information on demand.)

TikTok: the glaring example of data over-collection

One example of an app that causes one to raise an eyebrow would be TikTok. Shavell comments on how "TikTok comes across as a benign app used by kids, teens and adults. Every video interaction is cataloged. Teens become adults." He went on to say that, over time, it is probable that this corpus of "life path data" will be used for predictive analysis to chart the future course for individuals.

A recent Gizmodo article dissected a study by Internet 2.0, an Australian cybersecurity firm, titled It's Their Word Against Their Source Code – TikTok Report. Their research showed that the app does indeed connect to China and requests "almost complete access to the contents of the phone while the app is in use. That data includes calendar, contact lists and photos." Robert Potter, co-CSO of Internet 2.0, told Gizmodo, "When the app is in use, it has the ability to scan the entire hard drive, access the contact lists, as well as see all other apps that have been installed on the device." He noted that this was "significantly more" than what an app like TikTok needs access to.

Gizmodo was told by TikTok that the data collection conducted is "In line with industry practices. We collect information that users choose to provide to us and information that helps the app function, operate securely and improve the user experience."

On September 26, the UK Information Commissioner's Office issued a provisional finding concerning TikTok, which carries with it a substantive multimillion-dollar fine. "The ICO investigation found the company may have:

- Processed the data of children under the age of 13 without appropriate parental consent,
- Failed to provide proper information to its users in a concise, transparent and easily understood way, and
- Processed special category data, without legal grounds to do so."

Information Commissioner John Edwards said: "We all want children to be able to learn and experience the digital world, but with proper data privacy protections. Companies providing digital services have a legal duty to put those protections in place, but our provisional view is that TikTok fell short of meeting that requirement."

ADPPA is on the horizon

In late June 2022, the American Data Privacy and Protection Act (ADPPA) was introduced within the House Energy and Commerce Committee and exited committee on July 22. While it is not a panacea (indeed, the state of California notes that if passed as written it will weaken some of the actions taken in California to protect the privacy of individuals), it is a step forward. Given the likelihood that it will take some time to wend its way through Congress, there is no need for CISOs to wait to address some of the recommendations contained within the bill, as they make eminent sense from a data protection and privacy perspective.

Violet Sullivan, cybersecurity and privacy attorney who serves as the vice of client engagement at Redpoint Cybersecurity, shares, "Digital transformation has created a very available method of surveillance tracking." She adds that this piece of bipartisan legislation has great potential to be our first real federal privacy legislation.

The bill includes the areas suggested by Shavell: the right to delete, the right to access and correct, the need for companies to designate those responsible for the protection of the data (CISOs take note), and the duty of loyalty. Sullivan explains, "Duty of loyalty in theory would require organizations to act in the best interest of the individual when processing data and designing services." She adds, "What this means for cybersecurity on the technical side – multi-factor authentication, network management, access control, vulnerability assessments, data retention and incident response process and procedures."

In sum, CISOs should be pushing to ensure that data collected is data protected.