You may think a compromised password alert is just another digital nuisance—but according to data privacy expert Monifa Brooks, it’s the kind of red flag you should never ignore. A true unicorn in the tech space, Monifa is one of the few Black women regularly presenting at global data privacy conferences. Through her work with Garabyte, she’s on a mission to make privacy protection accessible, actionable, and inclusive for all. In this Q&A, she breaks down what the 23andMe breach means for everyday users, how to actually protect yourself online, and why even your cookie preferences matter more than you think. —Noa Nichol
You’ve called yourself “a unicorn in the room” at data privacy conferences. What has your experience been like as a Black woman in this very niche, high-stakes field?
Being one of the few Black women working in Canada’s data privacy landscape is both a privilege and a responsibility. I often enter spaces where my presence is an exception rather than the norm, and the absence of diverse voices is not only noticeable but also telling. While global partners in the U.S. and Europe have made strides toward greater representation, Canada still has considerable work to do in amplifying marginalized perspectives in the areas of privacy, technology, and governance.
For me, the phrase “a unicorn in the room” speaks to the intersection of rarity and resilience. It’s about more than visibility. It’s about creating a meaningful impact. I’ve learned that when we bring lived experience into data privacy conversations, we don’t just shift the narrative; we deepen it. We elevate the dialogue beyond compliance and risk into realms of equity, ethics, and community trust.
My goal is not just to take a seat at the table, but to expand it. I want emerging professionals to enter these spaces and see themselves represented, not just as observers, but as keynote speakers, thought leaders, and policy influencers. Inclusion shouldn’t be aspirational; it should be foundational.
We hear about data breaches almost daily—but the average person still isn’t sure what to do when they’re affected. What are the first three things you’d tell someone to do after a breach?
In the aftermath of a data breach, it’s critical to take immediate and informed action to protect yourself.
The first and most crucial step is to carefully review the notification issued by the organization responsible for safeguarding your information. That message should provide precise details about what occurred, what data was compromised, and the remedial actions the organization has implemented. It should also outline what supports are available to you, such as access to credit monitoring or identity protection services. If you are offered complimentary credit monitoring, take advantage of it. It’s a practical tool for detecting fraud and unauthorized activity early.
The second step is to prioritize the security of your digital credentials. Change your passwords for any accounts associated with the breach, paying special attention to financial, health, and communication platforms. Use strong, unique passwords for each account and avoid reusing previous credentials. If you haven’t already, consider using a password manager and enabling multi-factor authentication wherever possible.
The third step is a commitment to ongoing vigilance. Regularly monitor your bank accounts, email activity, and any other platforms that store personal data. Look for signs of suspicious behavior, such as unauthorized charges, login alerts, or unfamiliar correspondence. A breach doesn’t always result in immediate consequences, which means your attention over time is just as important as your response in the moment. This is where the credit monitoring and identity protection come in handy.
The 23andMe data breach exposed deeply personal data from millions of users. What made that breach especially concerning, and how can people using DNA or ancestry services better protect themselves?
DNA data is considered among the most sensitive categories of personal information. It’s permanent, deeply personal, and can reveal not just your identity, but family relationships, medical predispositions, and ancestral information. What made 23andMe’s breach so troubling is how this data can be weaponized, not just for fraud, but for discriminatory profiling or misinformation.
My advice: read privacy policies thoroughly, limit what you share, opt out of public databases or data-sharing features if you’re uncomfortable with the terms, and consider not using sites that don’t offer multi-factor authentication when sensitive data is being collected.
Remember: you can explore your roots without handing over your entire genetic blueprint.
Many people ignore those “your password was compromised” alerts. What’s actually happening behind the scenes, and why is it risky to keep using old or repeated passwords?
When you receive a notification that your password has been compromised, it’s not simply a suggestion; it’s a call to action. That alert typically means your credentials have been compromised in a confirmed data breach and may already be exposed on the dark web. What happens next isn’t visible to the average user. Cybercriminals deploy automated tools to rapidly test these stolen credentials across multiple platforms in a tactic known as credential stuffing. This was a key factor in the 23andMe breach, and it underscores the risk of reusing passwords across accounts.
Password security should be approached with the same consistency and care as personal hygiene. It’s foundational to maintaining digital health. Reusing weak or repeated passwords leaves the door open to cascading compromises, where a single breach can unravel access to banking, communication, health records, and more.
To reduce your exposure, I strongly recommend using a password manager to create and store strong, unique passwords for each of your accounts. And wherever possible, enable multi-factor authentication (MFA). This additional layer adds powerful protection, even if a password becomes compromised.
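As an added illustration of the credential-stuffing pattern Monifa describes, the script below (example code written for this page, not from the interview or from Garabyte) runs a simple detector over constructed authentication log lines. The log format, the field names, the sample IP addresses and usernames, and the thresholds (60-second window, five or more distinct accounts from one source) are all assumptions for illustration. The point it makes visible is the one from the answer above: stuffing looks like one source touching many accounts with only one or two attempts each, which is the opposite shape from a brute-force attack on a single account, and any account that accepts a password from such a source is a reused credential that needs a reset and MFA.

```python
"""
Added example: detect the credential-stuffing pattern (one source, many
distinct accounts, few attempts each) in constructed auth log lines.
Log format, thresholds and sample values are assumptions, not any
real product's format or real data.
"""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 60      # assumed observation window
MIN_DISTINCT_USERS = 5   # assumed threshold: this many accounts from one source

# Constructed sample log (not real data). Assumed format per line:
# <ISO-8601 timestamp> <FAIL|OK> user=<username> ip=<source address>
SAMPLE_LOG = """\
2025-08-18T06:50:01Z FAIL user=alice ip=203.0.113.7
2025-08-18T06:50:02Z FAIL user=bob ip=203.0.113.7
2025-08-18T06:50:02Z FAIL user=carol ip=203.0.113.7
2025-08-18T06:50:03Z FAIL user=dave ip=203.0.113.7
2025-08-18T06:50:03Z FAIL user=erin ip=203.0.113.7
2025-08-18T06:50:04Z OK   user=frank ip=203.0.113.7
2025-08-18T06:50:05Z FAIL user=grace ip=203.0.113.7
2025-08-18T06:51:10Z FAIL user=alice ip=198.51.100.20
2025-08-18T06:51:20Z FAIL user=alice ip=198.51.100.20
2025-08-18T06:51:30Z OK   user=alice ip=198.51.100.20
"""


def parse_line(line):
    """Turn one log line into (timestamp, result, user, ip)."""
    ts, result, user_kv, ip_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        result,
        user_kv.split("=", 1)[1],
        ip_kv.split("=", 1)[1],
    )


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def max_distinct_users_in_window(events, window):
    """Two-pointer sweep over time-sorted events from one source: the
    largest number of distinct usernames attempted within any span of
    `window` seconds."""
    counts = defaultdict(int)
    best = 0
    left = 0
    for right, (ts, _, user, _) in enumerate(events):
        counts[user] += 1
        # Drop events that fell out of the window behind `right`.
        while (ts - events[left][0]).total_seconds() > window:
            old = events[left][2]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_credential_stuffing(log_text, window=WINDOW_SECONDS,
                               min_users=MIN_DISTINCT_USERS):
    """Return {ip: finding} for sources that tried >= min_users distinct
    accounts inside one window. A single account hammered from one IP is
    a different problem (brute force) and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        distinct = max_distinct_users_in_window(events, window)
        if distinct >= min_users:
            findings[ip] = {
                "distinct_users": distinct,
                "attempts": len(events),
                # Accounts that accepted a password from a stuffing source:
                # treat as reused credentials; force a reset and require MFA.
                "successes": sorted(u for _, r, u, _ in events if r == "OK"),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

On the constructed sample, 203.0.113.7 is flagged (seven accounts in four seconds, one of them accepted), while 198.51.100.20 is not: three attempts against a single account is a user mistyping or a brute-force attempt, and it would need a different rule. In a real deployment the window and threshold depend on the service's normal traffic, and the source key would usually be broadened beyond a single IP.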
Cookies pop up everywhere—and most of us just click “accept all” out of habit. What’s really at stake when we accept website cookies without reading the options?
When used responsibly, cookies can enhance online experiences by enabling convenient features, such as remembering preferences or improving website functionality. However, it’s essential to recognize that many cookies, particularly those placed by third parties, serve more invasive purposes. These include tracking your behavior across sites, compiling detailed user profiles, and monitoring indicators of your interests, purchasing patterns, and even health-related activity. When users choose to “accept all,” they are often unknowingly consenting to an ecosystem of persistent surveillance and data commodification.
What’s truly at stake is your ability to control what personal information you share and with whom. My advice is to always pause before clicking through. Select “manage settings” whenever the option is available and opt out of non-essential cookies, especially those related to marketing and third-party analytics. This simple action, often requiring less than a minute, can significantly reduce your digital footprint and limit the extent to which your activity is tracked and monetized.
Digital literacy includes knowing where your data goes. Small, informed choices like this are part of reclaiming control in a deeply connected world.
For small business owners collecting emails for newsletters or promotions—what’s a major mistake you see them making when it comes to privacy laws like CASL?
One of the most common and costly missteps I see small businesses make when engaging with customers through email marketing is the failure to obtain proper and documented consent. Under Canada’s Anti-Spam Legislation (CASL), organizations must secure consent before sending any commercial electronic messages (CEMs). This consent may be express, such as when an individual opts in via a subscription form, or implied through an existing business relationship. However, the burden of proof lies entirely with the organization to demonstrate compliance. That means using transparent opt-in mechanisms and retaining clear records of how, when, and under what conditions each consent was obtained.
Equally important is including a fully functional unsubscribe option in every message. Omitting this is not just a technical oversight; it’s a violation that undermines user autonomy and exposes businesses to serious consequences. CASL enforcement carries steep penalties. Individuals may be fined up to $1 million, and companies may face fines of up to $10 million for non-compliance.
Beyond regulatory risk, adherence to CASL is about building trust and respect with your audience. Customers want to feel confident that their information is being managed responsibly and that they have control over how they’re contacted. They are far more likely to engage with businesses that avoid deceptive marketing tactics and demonstrate integrity in their outreach.
Most websites now have a privacy policy, but not all of them are actually compliant or helpful. What makes a good privacy policy, and why is it legally and ethically essential?
A privacy policy should be more than a legal document. It should be an accessible guide that clearly articulates how personal information is handled throughout its lifecycle. At its core, a privacy policy must be transparent, user-friendly, and easy to understand. Individuals should never need a legal expert to interpret what a company does with their personal information. The most effective policies clearly and confidently explain what personal information is collected, why it’s needed, how it’s protected, how it’s shared, how long it is retained, and how users can exercise their privacy rights.
This information should be easy to locate and organized, without requiring the reader to navigate multiple layers of documents or decipher opaque language. Compliance isn’t simply a checkbox. It reflects your organization’s values, integrity, and operational practices. Your privacy policy should offer a genuine, detailed account of how your company collects, uses, retains, shares, and ultimately disposes of personal data.
Generic or overly legalistic policies that obscure reality with jargon serve no one. They confuse users, hinder informed consent, and erode credibility. In contrast, a well-crafted privacy policy builds trust, clarity, and confidence, reinforcing your organization’s commitment to responsible data stewardship and compliance with privacy laws.
What are some of the biggest myths or misunderstandings you encounter about data privacy in your work?
People often tell me that because they’ve implemented a cybersecurity program (firewalls, anti-malware tools, secure servers), they assume they don’t need a dedicated privacy program. That’s a common but significant misunderstanding. Cybersecurity and privacy are interrelated, but they are not interchangeable.
Cybersecurity focuses on the technical protection of systems and networks, preventing unauthorized access, guarding against attacks, and securing infrastructure. It’s essential, but it’s only one layer of protection. Privacy, on the other hand, is about the responsible management of personal information, covering how it is collected, used, stored, shared, and ultimately disposed of. It considers legal obligations, ethical practices, and the expectations of individuals whose data is being managed, both online and offline.
For example, you might have antivirus software on your computer (security), but if you’re signing up for services that sell your data (privacy), you’re still vulnerable.
Privacy is about empowering individuals and organizations to make informed, respectful, and transparent choices about personal information. Security keeps malicious actors out, but privacy ensures governance and responsible processing of personal information.
You run Garabyte, which helps companies protect their users and stay compliant. What inspired you to launch the company—and what impact are you hoping to make through your work?
My business partner, Susie Hendrie, and I launched Garabyte because we saw a growing gap in how organizations approached privacy. Many want to do the right thing, but don’t know where to begin, especially in a regulatory landscape that is rapidly evolving and often challenging to navigate. Garabyte bridges that divide. At Garabyte, we believe that privacy isn’t a barrier to innovation, it’s a blueprint for building trust in an increasingly data-driven world. We empower organizations to meet privacy and data protection standards in a way that is transparent, user-friendly, and tailored to their specific business goals.
Our professional roots run deep. We honed our privacy expertise at one of Canada’s leading telecommunications companies, where we tackled some of the most complex and cutting-edge privacy challenges in the industry. That experience shaped our understanding of what meaningful privacy compliance looks like, not just on paper, but in practice. Now, through Garabyte, we bring those insights to a broad range of organizations, including but not limited to utilities, pension funds, not-for-profits, and ed-tech companies, helping to build or enhance privacy programs that are both legally sound and operationally feasible. Our goal is to demystify privacy, make compliance accessible, and help organizations build digital ecosystems where individuals feel safe, informed, and respected.
What’s one small change everyone can make today to improve their digital safety—whether they’re a business owner or just scrolling at home?
Enabling multi-factor authentication (MFA) is one of the most effective and accessible methods for protecting against unauthorized access. For organizations that manage login accounts for customers, employees, or platform users, MFA should be considered mandatory for any account connected to personal information, commercially sensitive data, or privileged system access. It adds an essential layer of verification beyond just a password, significantly reducing the risk of compromise, even if credentials are stolen. If you already have MFA enabled, I encourage you to take an extra step and launch privacy and security awareness training. You can implement all the safeguards in the world, but if you haven’t trained your employees, you remain vulnerable.
On the individual level, activating MFA across your accounts, such as email, banking, cloud storage, and social media, is a simple yet powerful step in safeguarding your digital presence. If your accounts already have MFA enabled, I encourage you to take an extra step and spend a few minutes reviewing your app permissions and browser extensions. Often, third-party tools and add-ons have access to your personal information without your explicit knowledge or consent. Pruning unnecessary or outdated permissions helps reduce exposure and enhances control.