The Complete 2021 Privacy Compliance Checklist Header

Maybe you’re ahead of the pack when it comes to privacy, keeping your privacy policy and data inventory in shipshape. In that case, we salute you! (But you probably also know that privacy compliance obligations are a moving target and you keep planning for the future.)

But for the lot of you working hard at meeting your business goals while also struggling to wrap your head around how to fit privacy compliance onto your to-do list, take heart: 2021 is a great year to take it on. 

Why? Because privacy is about more than just putting systems and technology in place to help track and manage your customers’ personal information. 

It’s about respecting your relationship with customers. It’s about prioritizing the trust that they extend to you when they share their names, emails, phone numbers, addresses, whatever data points you’re asking for. It’s about leading with privacy, whether you’re a multinational corporation or a brand-new startup. 

So what will it take to be a privacy-forward business in 2021? Here’s our list for the upcoming year. 

Wrap up CCPA compliance

We said the same thing last year, but it still applies. CCPA is the most comprehensive, enforceable general data privacy legislation in the US. If you haven’t finished up your CCPA compliance, don’t wait on this. 

So what do you need to know for CCPA? Ready to jump into CCPA compliance? We’re here to help with that. 

Just getting acclimated? See below for your debriefing. 

  1. Do that data inventory. You know that accomplished, on-top-of-your-to-do-list feeling that you get after spring cleaning? That’s how you’ll feel when you organize your data and figure out what you’re collecting, using, storing, sharing, and selling. 
  2. Be transparent with your audience about how you’re collecting personal information. This should include the aforementioned Don’t Sell My Personal Information link on your home page and a crystal clear privacy notice that details your collection practices.
  3. Make individual rights requests easy. Include at least two methods for submitting requests.
  4. Respond to individual rights requests ASAP. Implement a verification method to protect your customers’ personal information. 
  5. Protect minors’ rights via appropriate consents for collecting children’s information
  6. Cover your data security bases—consumers can file civil suits if you don’t take “appropriate security measures” and their data is exposed in a breach.

Getting CCPA compliant in 2021 isn’t just about avoiding the fines, fees, and reputational damage that comes along with compliance failures. It’s also part of preparing for the California Privacy Rights Act (CPRA) compliance in 2023. 

Read more on CPRA here

CPRA is guaranteed to give your business more to think about in terms of privacy. The new legislation, passed in the California general election in November 2020, expands on the core tenants of CCPA and moves privacy obligations closer to GDPR’s requirements (General Data Protection Regulation, EU’s privacy law).  It promises to help make enforcement of compliance more achievable for the state of California. Here are a few of the key features:

  • Grants new rights to data portability, correction, and restricting the use of sensitive personal information 
  • Clarifies definitions of selling information 
  • Raises threshold for personal information processing

But just because CPRA is coming down the road doesn’t mean that CCPA should be disregarded—its rules definitely still apply. 

But pay attention to other laws as well

And I’m not just talking about GDPR. CPRA may be the latest in US privacy law, but other states are edging towards more robust legislation. 

You may remember that last year, we mentioned the Texas Privacy Protection Act, the New York Privacy Act, and the Washington Privacy Act, the latter being back and updated for the third time.  These laws are still in the works, but New Hampshire, Oregon, and Virginia are also joining the party. While the final shape and outcome of legislative efforts is unknown, it’s good to keep your finger on the pulse of these discussions. 

And don’t forget about what’s going on overseas

We’re not just talking about general GDPR requirements. You need to be tracking several developments on the European privacy frontier.

Schrems II ruling

In July, the EU’s Court of Justice struck down the Privacy Shield arrangement, which supported the flow of personal data between the EU and the US. According to the ruling, American organizations weren’t meeting the conditions of providing “adequate” protection for EU residents’ personal data. While a replacement for Privacy Shield is in discussion, there’s not an imminent replacement. That means some fancy footwork may need to take place if you’re going to keep processing EU data. (But it’s worth getting that choreography down.)

Brexit

When January 1, 2021 rolls around, the UK will no longer be part of the EU. For privacy practices, this means that US-based businesses dealing with personal data from the UK will have to accommodate the UK’s equivalent of GDPR. Don’t delay in assessing whether you fall into the scope of their framework. While regulations will be similar, you may need to adjust some internal processes to comply.  

Align your digital marketing strategy with privacy

Digital marketing—especially these days—is critical to connecting you to your audience. But is your digital marketing on the right side of privacy? 

Between the General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM), Canadian Anti-Spam Legislation (CASL), there’s a lot to weigh across your channels. 

Take email marketing for one. Email marketing is at the top of marketers’ to-do lists: 87% of them use email marketing to distribute content organically. 

That means you’re probably sending out emails. But do you know if you’re: 

  • Representing your message correctly? 
  • Setting up appropriate opt-ins and opt-outs for your recipients? 
  • Sufficiently managing your records? 

Email marketers should be able to answer these questions in the affirmative. But email marketing likely isn’t the only thing on your digital plate. Your website is a major piece of the pie. 

Give your website some love

Your website is a heavy lifter for your marketing efforts—and your compliance ones, too. If you’re a developer, the word “compliance’ likely sparks visions of ADA-accessibility requirements. But your website needs far more than that. For both GDPR and CCPA, you should always make sure that you’re locking down your data with the most up-to-date security practices. You should also make vetting your vendors one of YOUR best practices—how they handle data privacy and security has major implications for your business and customers. 

Here are a few of the other big-ticket items for getting your website compliant in 2021. 

For CCPA:

  • Provide a link from your home page that says “Do Not Sell My Personal Data” 
  • Make sure you get the appropriate consents before collecting personal data belonging to minors
  • Include a method for visitors to request, move, change or delete data 
  • Update your privacy policy to share what personal data you collect, how you use it, third parties data is shared with, data that’s sold and a description of their individual rights as per CCPA

For GDPR:

  • Add a cookie banner so your visitors are informed about your cookie practices and can provide opt-in consent 
  • If you depend on consent for email marketing, make sure you’re getting that consent appropriately (i.e., through opt-ins and/or double opt-ins)
  • Implement a system for notifying users about privacy policy updates or data breaches 
  • Make sure your anonymize data when using third-party services or plugins

Note: This list isn’t exhaustive. For help with GDPR and CCPA compliance, drop us a line—we can help you get moving in the right direction. 

Put together amazing privacy messaging

There’s not a single good, consumer-friendly reason privacy practices can’t be made comprehensible to your customers. That’s it. Short and sweet. You can do it. You need to do it. Because people are over convoluted privacy policies that are as indecipherable as Beowulf

A good start is to finetune your landing pages where you house your privacy and security policies. While B2C businesses might not have a rapt audience, B2B companies will find that customers are hungry to know how you’re complying with privacy laws. 

Part of your messaging strategy should be to help your customers tailor their marketing experience with you. Preference centers give them options of how much communication they want to receive and what type. Need inspiration? Just look at how companies like Monday.com, MailChimp, and Apple craft engaging user experiences that speak directly to their customers’ privacy concerns while staying true to their brand identity. 

Finally, to make integrating privacy into your marketing, a good practice is to have a checklist for the privacy regulations you need to follow. Knowing what the benchmarks are will make everyone’s job a little easier. 

Make privacy a focus at your workplace

To start, in 2021, get your team trained on privacy issues. That in and of itself is a multifaceted thing. It can involve information security awareness or privacy awareness. It can be a deep dive into CCPA individual rights requests, or it can reinforce industry-specific privacy compliance requirements. (Take, for example, the Gramm-Leach-Bliley Act for financial services.)

Your team also needs thorough data security training. After all, human error is responsible for some massive data breaches. And given the large numbers of workers still living the work-from-home life, your team needs to be looped in on all the relevant data security rules. Let’s not repeat the same mistakes in 2021. 

A final word on focusing on privacy in your workplace. Don’t leave internal privacy discussions to the IT crowd or the marketing department. Privacy is pertinent to your entire operation. So when you’re looking down the road at new projects, products, services, vendors, whatever you’re planning on getting up to next year, bring privacy to the table.  

The clock is counting down until 2021. I’m just as excited as everyone for the promise and opportunity of a brand new year. But seizing opportunity means being proactive. Don’t treat compliance as a last-minute addition to the rest of your business activities. 

Ready to get started before the ball drops? We’d love to chat. Drop us a line to schedule a consultation.