Thanks to cable TV and Christopher Guest’s hilarious Best In Show mockumentary, even cat people are familiar with the snobby, persnickety world of dog competitions. 

The Westminster Kennel Club Dog Show is the second-longest-running sporting event in the United States, second only to the Kentucky Derby. Every year since 1877, when a group of rich “sporting gentlemen” decided to put the tall tales they told each other in an NYC hotel bar about their canine companion’s hunting exploits to the test, the Westminster Dog Show has brought dog lovers together to celebrate man’s best friend.

What might surprise you, however, is that the show wasn’t originally focused on pampered purebreds. In fact, at the first show, there was a Miscellaneous Class that included, according to the Westminster Kennel Club site, a dog that was a “cross between a St. Bernard and a Russian Setter and a dog named Nellie, born with two legs only.”

So how did a dog show that basically started as a drunken bragfest turn come to represent perfection, and what does dog judging have to do with privacy? 

It all has to do with how dog shows are judged. Most people don’t realize that judges at these shows don’t judge the dogs against each other but rather against what the ideal dog of that breed should be based on standards that have evolved over time.

Just like the dog shows of the late 19th century, early consumer privacy programs were a hodgepodge of whatever businesses could (or would) pull together at the time. 

But just like the first dog show, which was so popular that “the streets outside were blocked with livery carriages . . . almost at the opening hour . . . until the close,” the fight for individual digital privacy rights caught on.

In the dog world, standards developed around what a labrador should look like and how tall a poodle should be. When it comes to privacy, laws like the European Union’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA) established principles for collecting and managing user data.

One of the most effective practices to emerge from the privacy movement is the use of preference centers, dedicated pages on your website or in your app where users can tell you what they want you to do with their information.

Preference centers are like—to continue a metaphor—the herding dogs of the privacy world. They can help you corral all your data, gather all your consent needs for GDPR and other laws like CASL. Because of the very specific requirements for laws like GDPR, these softwares are a huge compliance help. 

What’s more, these softwares can also help you improve the quality of the data you collect from your users. These first-party data collection processes will become increasingly important as more privacy legislation comes online and as browsers eliminate the use of third-party cookies.

Preference centers are especially effective for helping manage email subscribers for your digital marketing campaigns. Here’s how you can develop preference center best practices that are Best in Show.

Get your pedigree paperwork in order

Dog show entrants have to provide proof they’re registered with the American Kennel Club. This paperwork often gives details about the dog’s pedigree going back at least three generations, breeder verification, and medical records, all of which are used to demonstrate the dog’s right to participate.

In privacy, AKC registration papers are a lot like a data inventory, also known as a data map. A data inventory gives you the ability to follow a single data record through the entirety of its journey through your system. It will show you:

  • What types of data you’re collecting and from whom
  • Why you’re collecting it
  • What you’re doing with it
  • Who you’re sharing it with or selling it to
  • Where and how long you’re storing it
  • Where it’s at risk of exposure

Data maps can also track and manage a user’s history of consent to the collection and use of their sensitive personal information.

You need to know all of this information to efficiently and effectively manage your preference center. After all, it won’t do you much good to let your users tell you how they want their information used if you can’t make sure you’re following through.

Explain the rules of the game

Like any competition, dog shows have strict rules that everyone, participants and judges alike, have to follow. These rules provide transparency and help reduce confusion about the results. 

When it comes to a privacy program, your company’s privacy policy is the rulebook everyone should use as operating instructions. A good privacy policy is easy to understand, and clearly explains your data collection and processing practices.

Your privacy policy should be front and center in any well-designed preference center.

Your users are the trainer, not you

From both a legal and a best practices standpoint, a preference center page has to have an unsubscribe option. One of the best ways to get people to opt in to receiving marketing materials is to allow subscribers to choose the types of emails they get from you. Some users may only want sale information, some may want to know when new products drop, and some may want your full newsletter.

The more diversified and specific content types are in email preferences centers, the more likely people are to join an email list.

This principle also applies to frequency options for email contact. One of the main reasons people unsubscribe from email marketing is because they get tired of their inbox being full of the can’t miss, don’t forget, best deal emails that seemingly show up all day, every day. You’re more likely to be given a user’s email address if you let them tell you how and how often they want to be contacted.

While historically email marketers have believed that more contact is better, allowing users to pick and choose the types of content they want and when they want it has the potential to improve engagement and decrease unsubscribe rates. 

Pick your event

Dog shows have multiple events, and entrants don’t have to participate in every event. Some dogs specialize in obedience, some in agility, and some are just really good at sitting still and looking pretty.

In addition to an unsubscribe button and content options, your preference center should give users the ability to select the channels you use to communicate with them. You can give them options for SMS or text messaging, email, regular mail, or phone calls based on the type of information being shared.

For example, a user may want sale information via text and email but want a phone call for recall information. 

Get the right tools for the job at hand

You wouldn’t train your dog on an agility course built for horses, and you shouldn’t build a preference center using outdated technology.

Recently, major corporations have started shifting from using customer relationship management platforms (CRM) to process their user data to using customer data platforms (CDP).

A CDP is like a fancier, upgraded CRM that creates a single source of truth by collecting and unifying the customer data you’ve collected (first-party data for the win!) into a complete user profile that includes both their consumer behaviors and their marketing preferences.Using a CDP, companies can run simultaneous micro-campaigns based on highly specific criteria while still maintaining compliance with privacy regulations.

You don’t need to use a CDP to have a preference center, though. It’s important to consider what you really are looking to accomplish. Do you need all the bells-and-whistles of a CDP? Or would a streamlined, standalone product accomplish your goals without the expense, commitment, and stress of a fully loaded solution? 

If the latter sounds, there are many effective stand-alone preference centers that can integrate with your various marketing platforms out there from companies like OneTrust, SalesForce, or Securiti, to consider. 

Best in Show is yours for the taking

No matter where your business is in its privacy journey, creating a preference center can put the blue ribbon within your grasp. Red Clover Advisors have years of experience helping companies build practical preference centers that work with their operations.

Contact us today to see how we do it.

The Four Corners of the Centennial State’s new privacy law

Colorado is home to the highest incorporated city in the US (Leadville), the highest paved road in North America (the road to Mt. Evans), and the highest car tunnel in the world (the Dwight Eisenhower Memorial Tunnel).

It’s also the home to the country’s third comprehensive consumer privacy law.

Another interesting fact? Colorado’s borders, along with those of Arizona, New Mexico, and Utah, are part of the Four Corners, the only geographic point in the United States shared by four separate states.

Let’s talk about the four corners of its new privacy law, the Colorado Privacy Act (CPA).

Corner 1: Who the CPA applies to

Before we get too far into the details of the CPA, it’s important to note that there are no federal laws governing the collection, use, or sharing of personal information online. That being said, here are the big players in consumer privacy law:

  • GDPR: The General Data Protection Regulation was passed by the European Union in 2016, has been in effect since 2018, and is the grandparent of modern digital privacy law.
  • CCPA: The California Consumer Privacy Act, in effect since January 1, 2020, was the US’s first comprehensive law focused on protecting consumers’ sensitive personal information.In November 2020, California voters approved the California Privacy Reform Act, which will expand upon the CCPA when it goes into effect in January 2023.
  • VCDPA: Passed by the Virginia General Assembly in early 2021, the Virginia Consumer Data Protection Act borrowed elements of both the GDPR and the CCPA while including some requirements specific to Virginia’s needs.

Now, let’s talk about Colorado.

Similar to both California and Virginia, Colorado’s privacy law applies to businesses that operate in, intentionally target products or services to, or collect data from residents of Colorado. Additionally, businesses must meet one of the following two conditions to be subject to the CPA:

  1. Control or process the personal data of at least 100,000 consumers per year OR
  2. Receive revenue or a discount on goods or services from the sale of personal data while controlling or processing the personal information of at least 25,000 consumers

A few other CPA definitions of note:

  • Consumer: A Colorado resident acting only in an individual or household context, which means employees are excluded
  • Sale of personal information: The “exchange of personal data for monetary or other valuable consideration,” potentially putting data sharing in the “sale” category

Data that is already subject to federal laws like the Gramm-Leach-Bliley Act (GLBA) or HIPAA is exempt from the CPA.

How the CPA differs from the CCPA & VCDPA

The CCPA only affects businesses that meet one of the following criteria:

  • Have an annual revenue of over $25M, OR
  • Buy, receive, sell or share the personal information of 50,000 or more California residents, OR
  • Derive 50% or more of annual revenue from selling consumer personal information.

Both the CCPA and the VCDPA stipulate companies have to derive 50% of gross annual revenue from selling data to trigger their eligibility.

There are no revenue thresholds for businesses under the CPA, meaning even small businesses that make very little money or receive few discounts for selling their collected data are subject. The CPA also does not exempt non-profit organizations from compliance.

Corner 2: CPA consumer rights

Many of the consumer protections included in the CPA are similar to those in other privacy laws. Consumers are given the right to:

  • Be informed when and what types of data are collected
  • Access the data that has been collected from them
  • Correct inaccuracies in the collected data
  • Delete their data from databases
  • Data portability (receiving copies of their data records in an easily transferable, user-friendly format)
  • Opt-out of behavioral advertising (targeted ads based on inferred user preferences)
  • Opt-out of having their data sold (which, under the CPA, could potentially mean shared)
  • Opt-out of automated profiling (a decision that produces a legal effect)
  • Appeal a company’s denial to take action on any other rights within a reasonable time

How the CPA differs from the CCPA & VCDPA

The biggest difference between the CPA and its California and Virginia counterparts is the requirement for businesses to offer consumers a universal opt-out mechanism that allows them to exercise all their opt-out options with a single click.

Exactly how that universal opt-out will work isn’t spelled out yet, but the Colorado AG is legally required to put out the technical requirements by July 1, 2023.

Corner 3: CPA business obligations

We know we sound like a bit of a broken record, but many of the requirements the CPA places on businesses are similar to those of other privacy laws. These duties include:

  • Transparency, in the form of a “reasonably accessible, clear, and meaningful privacy notice” that includes the categories of data collected and the people with whom data is shared
  • Specifying exact purposes for collection and processing of personal data
  • Minimal data collection practices
  • Avoiding secondary use
  • Implementation of reasonable security measures
  • Receiving consumer consent via a “clear affirmative act signifying consent is freely given” before processing certain categories of sensitive data
  • Conducting regular risk assessments
  • Not processing personal data in violation of a state or federal law that prohibits unlawful discimrination against consumers

Data controllers, who are responsible for determining how and why data is processed, are required to respond to consumer requests within 45 days, with an additional 45-day extension possible in some circumstances. 

How the CPA differs from the CCPA & VCDPA

The CPA and VCDPA are fairly similar when it comes to business obligations, but its regulations are closer to the California Privacy Rights Act (CPRA), the CCPA’s replacement starting in 2023.

The standards for what constitutes consumer consent under the CPA are more stringent than those in the CCPA. Colorado’s law also requires that controllers conduct a data protection or risk assessment if they process personal data that has a heightened risk, such as selling personal data or processing sensitive data.

Corner 4: CPA enforcement

Uniquely among US privacy laws, the CPA can be enforced by the state attorney general or by district attorneys. This broader administration capability spreads the load of overseeing compliance and will likely increase enforcement actions without requiring the creation of a new agency.

Another distinct provision in the CPA is the inclusion of a 60-day cure period that allows data controllers to remedy adverse findings and thus avoid action by the attorney general or district attorney. This provision only exists until 2025, giving companies two years to make sure they have all their ducks in a row.

The CPA does not include a private right of action, meaning consumers can’t sue a company as an individual if their personal data is exposed in a breach. This is also one of the only privacy laws without a clearly delineated fine schedule.

That’s not necessarily a good thing. Under the statute, violating the CPA is a deceptive trade practice punishable by up to $20,000 per violation. 

As happened in California, it’s likely that the law will be amended and updated before it becomes enforceable on July 1, 2023.

How it differs from the CCPA & VCDPA

Both the CCPA & the VCDPA stipulate that the state attorney general is the only party authorized to initiate actions against violators, and they both have a shorter cure period of only 30 days. The CCPA also contains a private right of action, whereas the VCDPA does not.

Unlike the Colorado law, the statutes in California and Virginia both have strict fine guidelines of up to $7,500 per violation.

How to get your company ready

If your company is CCPA- or GDPR-compliant, your data privacy program probably only needs a few tweaks to be ready for the CPA.

If you don’t have a strong privacy program, the good news is that you have two years before the CPA becomes effective. Starting today (or, okay, this month) will give you time to build an effective, agile program that can adapt to the regulatory updates or changes that will inevitably come your way.

Here are six steps you can take now. For more information, consult our downloadable guide to CPA Compliance.

  • Track a data record through your entire system

Called a data map or data inventory, this process will tell you if you are collecting data you don’t need, keeping it for too long, or storing it in ways that are not secure. 

  • Fix your security gaps

Strengthen your processes for installing software updates, setting passwords, granting access, use of work devices, etc. If your business collects personal data, it must establish and implement and maintain reasonable technical safeguards of data protection. Performing a cyber risk assessment will help identify areas to incre

  • Update your privacy policy

Your privacy policy should match your data practices, but it should also be easy for your customers to understand.

  • Train your employees

One wrong click by an employee can derail your entire privacy program. If you want your compliance efforts to succeed, you need to make privacy training part of your culture. In addition to full-day, company-wide trainings, talk about privacy principles in staff meetings, one-on-one coaching sessions, and team emails.

  • Tell your customers what you’re doing

Everyone will have to implement privacy programs eventually, but companies that do it proactively have a great opportunity to demonstrate their commitment to their customers and build trust with them.

  • Plan to manage individual data

Being ready for the CPA means being prepared to meet individual rights requirements. Individuals have the right to be informed when their personal data is collected, to correct inaccuracies in their personal data, and to delete their data from your database. They also need to have the option to receive a copy of their personal data in an easy-to-use format and to opt out of ad targeting and having sensitive data shared or sold.

One more bonus tip

Here’s one more tip for you: hire a privacy consultant like Red Clover Advisors.

We are experts who are passionate about making privacy easier to operationalize to save you time and help you build trust with your customers. We have a variety of programs that can meet your needs and your budget.

Contact us today and let us take the stress out of your CPA compliance program. 

From picking the color scheme to writing SEO copy to integrating your payment platforms, building a website or app is a huge project. After you’ve tested all your links, worked out the UX bugs, and built an interactive chat function, the last thing you want to do is think about a privacy policy.

Putting a privacy policy on your website or mobile app is like finishing the trim when painting your house—it’s not fun. No one wants to do it. 

But the job isn’t done without it. 

Do I legally need a privacy policy?

Whether or not you legally need a privacy policy depends on a number of factors.

If you operate in or collect data from customers who are residents of the European Union, your business is subject to the General Data Protection Regulation (GDPR). The GDPR, passed in 2016 and enacted in 2018, strictly regulates how companies collect, use, and share personally identifiable information collected from customers online. 

If your company only operates and sells to customers in the United States, data privacy law gets more complicated. Other than the Children’s Online Privacy Protection Rule (COPPA), which governs the online collection of data from minors under the age of 13, the US does not have a federal data privacy law. 

Instead, states are driving the privacy conversation for people living in the US. California, always happy to set trends for the country, passed the California Online Privacy Protection Act (CalOPPA) requiring websites and online services to post privacy policies almost 20 years ago in 2004. Since then, others including Delaware and Nevada, have followed suit. 

In addition to individual state statutes, it’s important to be mindful of Section 5 of the Federal Trade Commission Act. If you’re gathering user information and you use it for a purpose you didn’t disclose to the site visitor, you’d be in violation of the Act’s prohibition on deceptive marketing practices. 

California was also the first state to follow the EU when they passed the GDPR-lookalike California Privacy Protection Act (CPPA) in 2018. Since then, California has passed a second consumer privacy law that closed CCPA loopholes, and Nevada, Virginia, and Colorado have also approved comprehensive privacy legislation.

So if you operate in or collect personal information from consumers in those states, yes, legal requirements for your business mean you must put a privacy policy on your website.

Every business needs a privacy policy. Full stop. 

BUT! (There is definitely a but.) Exactly what a business’s privacy policy contains or how in-depth it needs to go varies. 

The United Nations named online privacy a fundamental human right in 2019, and at least 30 states currently have privacy bills proposed, in committee, or being studied by a task force. Legislative bodies aren’t the only groups focusing on protecting consumer privacy. Thanks to years of serious advocacy by consumer rights organizations, transparent privacy practices have also become a standard best practice for many industries. 

Major companies like Apple, Google, Mozilla, Microsoft,, Indeed, Netflix, and Fitbit have implemented privacy practices that extend beyond legal requirements for user data protection.

At this point, all businesses are required to have a privacy policy—it’s just a matter of how complex the policy needs to be in order to be compliant. And even if it takes a few years for your governor to sign a privacy bill, your customers already expect you to have a solid privacy program.

What needs to be in my privacy policy?

If you don’t know what happens to data after you collect it, you can’t write a good privacy policy. 

What you disclose about how you collect, use and share information in your privacy policy needs to exactly match the actual process and should align with your business activities. For example, do you include a customer’s email address in multiple databases? Do you share their phone number with third-party services or vendors? Do you ever sell personal data to partner companies?

The biggest mistake companies make with their privacy policies is using a cut-and-paste template from random internet websites or, even worse, a competitor’s site. Your privacy policy is a legal document. In the event of a data breach, you can be held liable if your practices don’t match your policy.

Privacy policy must-haves include but are not limited to (important note here: there are sometimes more requirements depending on which  law you have to adhere to):

  1. The types of information you’re collecting (names, addresses, phone numbers, email addresses, geolocation, etc.)
  2. Your reasons for collecting this information
  3. How the information is being collected (cookies, logs, surveys, forms, registrations, etc.)
  4. Who will have access to the information (vendors, marketing teams, partners, random people you plan on selling it to, etc.)
  5. Who you will share the information to (this can include third parties, legal requirements, a sale of the company, bankruptcy,)
  6. What type of digital identifiers or cookies may be on the site and the type of digital advertising or analytics the company engages in
  7.  What choices and individual rights users have
  8. What safeguards will be used to protect data (access limitations, cybersecurity programs, etc.)
  9. Other items may include if the company follows Do Not Track or Global Privacy Control, and International Transfer of Data
  10. Contact methods if users have concerns
  11. How users will be notified of changes to the privacy policy

What makes a good privacy policy?

You can include everything from our must-have list and still have a marginal privacy policy. If you really want to stand out, here are our top tips for a good privacy policy:

  • Complete a data inventory

A data inventory is required for GDPR compliance, but even if it isn’t mandated for your business, it’s definitely a best practice.

When you complete a data inventory, you track data records, from collection to deletion, on their entire journey through your system. This process helps you understand what you’re collecting and why, where you’re storing it and for how long, and who has access to it. Which, if you read over our privacy policy must-haves again, is information you need to know.

As a bonus, mapping your data also shows where your data is vulnerable to exposure, allowing you to strengthen your security measures and reduce your risk.

  • Keep it simple

It might make your lawyers cringe a little, but your privacy policy shouldn’t be pages of legal jargon no one can understand. Instead, use easy-to-understand language to give a straightforward explanation of the hows, whys, whos, and wheres of your data privacy program.

Another option to make it easy to understand: create a visual, easy-to-read summary section of the privacy policy. You should still have your typical long-form one, but think of this as the tl;dr for your privacy policy. 

  • Links/instructions for opting out or opting in

Depending on which privacy laws your company is subject to, you may have to allow consumers to opt-in (the most privacy-friendly option!) or opt-out (a good option) of having their data collected, processed, shared, or sold.  Most data privacy laws also give consumers the right to correct or delete certain categories of sensitive personal information from corporate databases.

Your privacy policy needs to spell out how consumers can take advantage of these rights. Many companies include a link to a webform to complete these or to a preference center

We’re masters with a privacy paintbrush

Red Clover Advisors believes passionately that privacy gives businesses a powerful way to connect with their customers and grow revenue.  Wherever you are on your site’s or app’s privacy journey, we can help you create everything from a simple privacy policy to a full-blown privacy program.

Give us a call to set up your consultation today.

From Odysseus to Wonder Woman, every hero has an origin story.

Whether they are about orphans or gods, unwilling champions or those born into greatness, origin stories are compelling narratives that position the protagonist in the world. They give the audience an understanding of who the main character is, why events are significant to them, and what motivates their actions. 

The data you collect about your consumers is the ultimate superhero for your business. Data, when harnessed properly, acts like Wonder Woman’s Lasso of Truth, giving you powerful information to inform your decision-making and guide your interactions with people depending on you for a service.

But just like Clark Kent had to travel to the Fortress of Solitude to fully understand what it meant to be Superman, you need to understand your data’s origin story to be able to maximize its potential.

What is data lineage and why is it important?

Data lineage is your data’s origin story.

To put it in today’s business terminology, data lineage is a big picture, full description of a data record. It includes the data type and size, the quality of the information included, the journey this information takes through your systems, how and why it changes as it travels, and how it’s used.

Understanding data lineage can help you establish and maintain compliance with the new, robust data privacy laws that are being passed every year, develop more accurate datasets, and give you contextual information about how your customer base is changing over time.

This may sound vague and buzzwordy, but there are real-world applications for designing efficient workflows, improving product management, creating effective marketing strategies, and building responsive customer service protocols that come from having a granular understanding of your data.

Also, and this is a big one, understanding and establishing a thorough data lineage is critical to building an agile, customer-centric privacy compliance program. 

Even if you don’t “get” the technical aspects of data lineage, knowing you need it is a big step in the right direction. If you are a small business or a non-technical person, there are affordable, easy ways to establish your data lineage, build a compliance program, and understand your risks.

Red Clover Advisors is the partner you need to simplify your data mapping and privacy programs. Drop us a line to find out how we can lighten your load while improving your performance.

Types of data lineage

Just like Bruce Wayne had multiple influences that turned him into Batman—his parents, the Joker, Alfred, etc.—there are different data lineage perspectives that make up what you probably think of as your “data.” 

These perspectives vary based on who is using the data and why. Knowing the differences between them will give you a more holistic view of your data program’s challenges and opportunities.

Business lineage

Business-focused departments like marketing, sales, finance, and operations need to be able to quickly find and analyze data to make important decisions related to industry and customer trends, product development, and advertising spend. The process of making all that happen is business lineage.

Business lineage is what most people think of when they think about data—it’s the information that powers a business intelligence (BI) program. Business teams need to be able to understand where the data is coming from and how it got there to ensure the resulting decisions are accurate and based on the correct data sets.

Technical lineage

Unsurprisingly, technical data lineage tracks the technical side of how data is collected and how it exists and travels through your systems. Technical lineage is responsible for detailing how your IT department handles privacy compliance, data sharing and transformation processes, and data joining (combining multiple data sets) protocols.

Good technical lineage tracking infrastructure allows you to identify vulnerabilities in your system and to determine how any changes to your processes will impact your data management capabilities.

Directional view

Looking at your data from this point of view focuses on where your data comes from, where it goes, and what happens to it while it’s moving. Being able to track data this way makes it easier to identify the root of errors.

Impact view

The impact view of data shows you how all your pieces of data are interrelated and how your data security program impacts those relationships.

How data lineage impacts data privacy

If you’re like most business owners, technical lineage vs. business lineage and directional view vs. impact view may not mean much to you. That’s okay.

You don’t need to be able to set up your data lineage yourself, but you do need to understand why it’s important for customer service, compliance, and security. 

Customer Service

If you’re overwhelmed, we have good news for you. All of this not-flashy, super technical, confusing data lineage and privacy stuff presents a unique opportunity for you to prove to your customers that you care about them and deserve their trust.

Can you believe it? You can boost your reputation by doing something you legally have to do anyway!

Instead of viewing a privacy program as a drain on your resources, see it as a chance to show your users how important they are to you. Promote your efforts to protect their information. Give them options to control how you use their data and tell them you are doing it.

Use your data lineage efforts to prove to them that you are going beyond compliance because you respect them.


After the European Union passed the General Data Protection Regulation (GDPR), which established robust protections for consumers’ sensitive personal information, other government bodies followed suit.

Unlike the EU, the United States doesn’t have an overarching federal privacy law. Instead, the US employs a sectoral approach, which allows each state to pass its privacy laws.

Always happy to be first, California passed the California Consumer Protection Act (CCPA) and the California Privacy Rights Act (CPRA). Nevada and Virginia have also passed comprehensive privacy laws, and multiple states have privacy legislation proposed. The California and Virginia legislation will go into effect on January 1st, 2023.

Almost all these laws require companies operating in or collecting information from residents within their borders to have a data inventory. Data inventories are the part of data lineage that allows you to quickly identify the records of individuals who want to remove or alter their stored personal information. 

These laws have substantial fines and sanction options for companies that don’t comply with the opt-out, right to deletion, and right to correction requirements.

If you don’t understand your data lineage on at least a basic level, it will be difficult to adequately and accurately build a data inventory.


The GDPR, CCPA, CPRA, and other similar laws include a mandate that companies employ reasonable security measures to protect the sensitive personal information they collect from customers.

One step further, modern privacy laws establish hefty fines and civil, even criminal, liabilities if a data breach exposes certain categories of consumer data.

Both business and technical data lineages face substantial and sometimes overlapping security risks. These risks include:

  • Weak permissions and access protocols
  • Overzealous data collection practices
  • Inadequate employee training
  • Excessive timelines for data storage
  • Vendors with poor privacy practices
  • Non-compliant privacy and cookie notices

Understanding data lineage through data mapping will expose the vulnerabilities in your system.

Improve your data quality with data lineage

It is easy for data to be degraded every time it is moved, interpreted, processed, or altered. Using data lineage to understand where your data is moving, who is interpreting it, how it is being processed, and what alterations are made make it much easier to complete a root-cause analysis when errors occur.

We know most people are not privacy experts. You don’t need to be. The experts at Red Clover Advisors excel at designing elegant, simple, and affordable data mapping solutions you need. 

Contact us today to get started.

New data privacy laws like the European Union’s General Data Protection Regulation (GDPR) require many companies to have a dedicated data privacy officer overseeing their data collection and processing program. 

Separate but related, the global shift towards cloud computing has increased the need for elite cybersecurity teams to build a cybersecurity program capable of withstanding continual assaults from hackers.

Unless you’re a giant, multinational corporation, the chances are good that once your privacy program is up and running, the work required may not justify the expense of two full-time positions. 

Enter the fractional executive.

Why hire a fractional executive? I hate fractions.

For most small and mid-sized businesses, there are a few people at the top-performing multiple executive functions. You may be the CEO and the CMO, and your number two may be the CFO may be the COO too. This setup can work, sometimes for a long time.

But what happens when your company goes through a period of rapid growth or faces new compliances challenges resulting from legislative changes? You need more support, but the cost of bringing on that expert backup is more than you can spend.

So, you toil on as the CEO/CMO/CFO/COO, dividing your attention into smaller and smaller fractions, struggling to give each critical business function the attention it needs. 

Instead of having fractions make your life harder, you can put them to work for you by hiring a fractional executive.

What is a fractional executive?

A fractional executive is a seasoned, experienced leader you can hire a few hours a week (or more) to help you with your most pressing business and/or operational needs. Most fractional executives have an extensive background in full-time, high-level management roles and the knowledge needed to make your processes more efficient and effective.

But the biggest advantage to hiring a fractional executive is that you get access to that experience and knowledge for a fraction of what hiring a full-time executive with the same credentials would cost. Add in benefits, the assistant you’d have to hire, the office furniture, the computer, the phone…you get the idea.

Virtual executive vs. fractional executive

People often use the terms virtual and fractional interchangeably when talking about this type of role. Post-Covid, this will become more and more common. For the purposes of this article, we are going to use the following definitions:

  • Virtual executive: An outsourced, off-site exec or team of execs who provide business and/or consulting services to a portfolio of clients
  • Fractional executive: An exec, either remote or onsite, who delivers in-depth strategic development and operational support to a select group of clients 

Privacy or security?

The balancing act between data privacy and data security is something privacy professionals like me spend a lot of time talking about (like I do in this article).

One place this debate plays out is in helping companies decide if they should hire a Chief Privacy Officer (CPO), a Chief Information Security Officer (CISO), or both.

What is a CPO?

A CPO’s primary responsibility is to set the parameters around a company’s data privacy program. Their job is privacy all day, every day. 

This means they work with leaders from across the organization to determine what kinds of data can be collected, how it can be used, who it can be shared with, the length of time it can be stored, and how it should be destroyed. They are also in charge of:

  • Developing training protocols and managing compliance with all applicable laws
  • Creating privacy policies for social media pages and websites
  • Setting data classification standards

One of a CPO’s biggest jobs is establishing the protocols for data subject access requests (DSARs), the process consumers use to exercise their right to know what types of data are being collected about them. The CPO is also responsible for overseeing privacy strategy, answering customer questions, ensuring compliance with the law, facilitating ongoing training, and making sure that all employees follow best practices in privacy compliance and security. 

What is a CISO?

CISOs oversee a broader scope of responsibilities than their privacy counterparts. A CISO manages the cybersecurity operations, including cyber intelligence, building out the IT security architecture, controlling identity and access management, and investigating data breaches or other security incidences.

Although some companies lump their responsibilities together, a CISO is not the same thing as a Chief Information Officer (CIO) or Chief Technology Officer (CTO). A CISO, CIO, and CTO may have similar jobs but, when done right, they focus their efforts on separate but equally important ways to achieve the same end goal: secure and accessible data.

A CISO will, for example:

  • Set standards for security, removable media, device use, and network access 
  • Determine and implement an acceptable use policy
  • Install, update, and monitor data loss/breach prevention software

What separates a CPO and a CISO?

Andreas Klug, the chief privacy officer at QVC Ladbrokes Coral, told 2020 PrivSec conference attendees that these functions have always been very separate, adding, “they all look after data, but they always sit in various parts of the business and are subject to different budgets to different reporting lines.”

A CPO can be, but isn’t always, a tech person. A CISO is always a tech person and can be, but often isn’t, a privacy expert. CPOs and CISOs both:

  • Are deeply invested in protecting consumer and company data from cyber attacks or a data breach
  • Can’t do their job well without first completing an in-depth risk assessment
  • Need to know everything about the data coming in and leaving the organization
  • Play a key role in managing vendor performance and compliance
  • Develop incident response procedures

The difference between the two roles is how they approach these similarities. Because they don’t have the same expertise but have the same goals, it’s incredibly important to have a CPO and a CISO partner on most privacy-related initiatives.

Take employee training, for example. A privacy executive would want to provide training on consumer privacy rights, what types of data are sensitive or protected, and how sensitive information can be used in marketing campaigns.

Training from a full-time CISO would have more information on avoiding phishing emails, the dangers of using a work device for personal business, and the risk posed by public WiFi networks.

Both types of training are critical to protecting consumer privacy. 

Employee education is just one example of how a CPO and CISO need to work together. While the CPO may set the classifications for what types of data can be collected and how it should be stored, it's the CISO who’s responsible for purchasing and setting up the technology that does it all. But the CPO needs to make sure whatever technology the CISO picks meets regulatory requirements.

It’s kind of a chicken and egg situation. Can’t really have one without the other.

Which one do I need?

It depends on where you are in your privacy journey. If you’re starting from scratch, you’ll probably need substantial support. If you already have a program going and just need to finetune it, maybe you can get away with less. 

The good news is that hiring a fractional CPO and a fractional CISO is a cost-effective way to get both.

At Red Clover Advisors, we can customize our fractional privacy officer program to give you as much (or as little) support as you need.

Get in touch with us today and let our gurus start your privacy program on the path to enlightenment.

Privacy compliance is a long road. Luckily, you don’t have to go it alone.

Privacy management software can help you set up a robust privacy program. But without a privacy expert, you will be driving blind.

If privacy laws had a relationship status, it would be “It’s complicated”

If you’re reading this article, chances are you know at least the basics outline of today’s data privacy landscape. Maybe you are already compliant with the European Union’s General Data Protection Regulation (GDPR), or maybe you’re in charge of managing a California Consumer Privacy Act (CCPA) compliance program. 

Maybe you are really on top of things and are heading up a project to be ready for the 2022 California Privacy Rights Act (CPRA) rollout.

But even if these acronyms don’t mean anything to you (yet), you recognize that companies need strong data privacy programs to stay competitive in the marketplace.

The California State Legislature and the EU General Assembly were the first governing bodies to pass modern, aggressive privacy laws, but they definitely won’t be the last. Right now, dozens of states are considering California-esque bills that will continue the trend of giving consumers more control over how their personal information is collected and used online well into the next decade. 

While the laws vary across jurisdictions, there are some common themes including:

  • Expanding the definition of what’s considered “sensitive personal information” beyond names, birthdays, and SSNs by adding things like your phone number, health information, sexual orientation, religion, political affiliation, etc.
  • Giving consumers a way to deny permission to have their sensitive personal information collected, shared, or sold
  • Requiring companies to provide transparent and understandable privacy and cookie notices at or before the time they collect personal data
  • Mandating companies take reasonable security measures to protect consumer data
  • Levying harsh civil, even criminal, fines and punishments for noncompliance or if data breaches result in consumers’ personal information being exposed

So if you’re here and reading this, you know enough to know you probably need help to manage it all.

The United States is a melting pot — and so are its privacy laws

Unlike the EU, which took a unilateral approach to defining privacy law for all member states—although it should be noted that member states do have unique laws pertaining to data privacy on top of them—the United States has adopted a sectoral approach to privacy, meaning that unless the data is part of a federal regulation like HIPAA, privacy and data protection laws are by and large driven by individual states.

Because so much of our nation’s economy and tech infrastructure comes out of California, most large corporations complied with CCPA regulations. This new best practice standard shifted consumer expectations, leading to a domino effect of mid-and small businesses following suit.

But other states are now working on their own laws, making internet privacy the wild west, with each town having a different sheriff.

And the digital world isn’t going anywhere anytime soon. In 2020, consumers dropped a cool $861.12 billion in e-commerce sales with U.S. merchants alone. The Internet of Things continues to drive technological advancements. 

Companies increasingly need a data privacy expert to guide them through the unmarked places on the map.

Enter Privacy as a Service (PaaS).

PaaS is your own personal privacy butler

Batman’s butler, Alfred Pennyworth, makes Batman’s life so much easier. Working quietly behind the scenes, Alfred keeps the Batmobile tuned up, the suits ready, and the gadgets loaded. He is the reason Batman can swoop down into the Batcave and rush out to save Gotham without thinking twice.

If you do business in multiple jurisdictions, have a complicated privacy program, or manage large amounts of personal data, PaaS (also known as Data Protection as a Service or DPaas) can be your Alfred.

PaaS is a software platform that offers products and services to help you operationalize your company’s privacy program. It can be a real lifesaver for companies that don’t have a dedicated privacy team.

Privacy management groups like OneTrust build solutions that use advanced machine learning to help you build a program that complies with whatever privacy regulations affect you while simultaneously helping you be smarter about your data collection. 

Assessments and mapping and permissions, oh my!

Here is what PaaS can do for you:

  • Conduct privacy impact/data protection impact assessments for automating privacy processes
  • Map your data and help you collect a data inventory (data inventories, required by many new legislations, make it possible for you to remove/correct consumer data more easily and accurately)
  • Identify and predict risk and other weak points in your processes
  • Create and deploy privacy notifications, cookie consent banners, etc. with the standard contractual clauses required by law
  • Establish least-privilege access permission structure
  • Manage app consent processes on mobile devices
  • Automate breach incident actions and notifications
  • Onboard vendors and mitigate the risks they pose
  • Establish compliance with laws and regulations across multiple jurisdictions

It’s important to note that, while as close as cousins, PaaS programs are not the same thing as cybersecurity. The best privacy programs integrate privacy solutions into their larger cybersecurity plan.

But Alfred can’t be Batman…

I rarely tell clients that investing in privacy management software is a bad idea. 

But I also rarely tell them it’s all they need.

Anyone who has tried to get Siri or Alexa to answer a nuanced question knows that machine learning and AI has its limitations. Privacy management software is critical for companies to set up automation that can help with the privacy process, but if you don’t have a privacy expert guiding you through the process, well, you might as well hand the Batmobile keys and the Batarang to Alfred and send him off to save Gotham from the Joker.

The Joker (hackers, data thieves, and general internet bad guys) will win.

But if you combine the technology from the Batcave (privacy management software) with the experience and knowledge of Batman (your privacy expert), then you are in good shape.

Let’s leave the Batcave and talk about what this would look like in the real world.

Data Inventories

Data inventories are a big part of privacy programs, but let’s face it—they can be a big undertaking. However, the right software can cut down on the legwork by finding and documenting data. 

This alone is hugely helpful, but it doesn’t cover all your bases. You still need to determine the legal basis for data collection for GDPR. Or if the data has been sold under the scope of CCPA. Or if you can even collect and use that data in the first place. 

These kinds of questions are why privacy professionals are a critical resource for businesses. They have technical expertise and industry insight that can help you get answers—and solutions—to these questions. 

Social Media 

Facebook, Instagram, Twitter, and LinkedIn have historically been free advertising channels for businesses. But events like the Facebook/Cambridge Analytical scandal have made consumers much less likely to share personal information online.

The GDPR and CCPA control what categories and types of personal data a business can store about its users, but not all of the ramifications are clear yet. 

For example, it’s totally normal for a social network to host digital advertising. If a user clicks a link in one of those ads, now the app and the advertiser have the consumer’s information. Was the consumer adequately notified before the advertiser started collecting data? Is the activity considered the sale of data under CCPA? How should that be disclosed to the consumer?

The same principle works in reverse. If you have buttons for users to share your blog post or infographic on their social media accounts, are you confident you don’t have any exposure regarding whatever data that app collects from them? 


The laws regarding privacy notices and cookie consent are constantly changing. Now that Apple and Google are eliminating third-party cookies, so are industry best practices. A privacy expert can help you maximize the functionality of your privacy management software so that your notifications are accurate and in line with industry standards so that you stay ahead of your competitors. If you do this, your privacy program can be a differentiating factor instead of just a cost center.

Individual rights requests

One of the most complicated parts of CCPA is the individual rights request provision. Under CCPA, consumers have the right to see what data you’ve collected about them and correct it if it’s wrong or delete it altogether.

A privacy management software can help you map the data so you can find it easily and quickly, but it can’t train your employees on how to execute a request. It can send notifications, but it can’t parse nuanced data to see if the request is valid. For that, you need a privacy expert. 

Privacy isn’t a one and done

Privacy is complex. So is software. And the implications of the wrong choice can be overwhelming! Don’t feel like you need to manage your company’s privacy program on your own.

Using a privacy management software can dramatically simplify your life, but if you don’t do it right, you’ll have a false sense of security. To have full confidence, you need to combine your PaaS program with the expert advice and knowledge of an expert. This expert doesn’t have to be a full-time employee. You can hire a consultant or cross-train another employee. 

Whatever you choose, remember to do regular checkups to make sure your program is keeping up with constantly changing legislation.

At Red Clover Advisors, we are experts in data privacy programs and training. If you need help picking a privacy management program, implementing the program you’ve picked, or maximizing your PaaS, drop us a line.

In 17th and 18th century England, highwaymen—thieves who traveled and robbed on horseback—concealed themselves along wooded sections of major roads leading out of London, waiting for the chance to stop vulnerable travelers in stagecoaches and carriages with a loud “Stand and deliver.” 

This was code for “handover your jewelry, purse, money, weapons, and whatever else you’ve got right now before we shoot you!”

Highwaymen faded into history by the mid-1800s, but on today’s cyber highways, new highwaymen are lying in wait outside weak passwords, missing patch updates, and phishy emails, ready to steal sensitive financial data, personal information, and proprietary intellectual property.

Like the highwaymen of old England, hackers may have specific targets or they may attack indiscriminately. Either way, everyone from big corporations to government agents to regular people running regular businesses have what they want — data.

Because in today’s world, data=$$$$$.

All the bad actors

Most people use the term “virus” to talk about any external program that disrupts computing functions, but a virus isn’t the same thing as spyware. Trojans aren’t the same as ransomware. 

These guys are all malware, but they work differently. Because of that, a basic understanding of how each type of malware infiltrates and attacks your system is critical to understanding how to both protect against them and how to get rid of them if your defenses fall.

As hackers have become more sophisticated hybrid or exotic malware, malware that combines two or more techniques into a complicated, multi-step malware capable of inflicting layers of damage while remaining undetected for a long time, sometimes years.

Ransomware — the internet’s highwayman

Ransomware is malware that attacks a system by heavily encrypting data and holding it hostage until the victim pays an untraceable cyber currency “ransom” for its return. Computers are most commonly infected with ransomware when a user opens seemingly benign but malicious email attachments. 

Ransomware can also be activated by clicking on links in social media messaging apps or through drive-by downloads that happen when you visit compromised websites.

Ransomware has been around since 2005. Its popularity ebbs and flows, but according to Cybersecurity Ventures, ransomware attacked a company was attacked every 11 seconds in 2020. The potential cost by end-of-year is estimated at $20 billion. 

There are many reasons for this trend in ransomware hacks. An entire industry has sprung up around the development and sale of ransomware kits, meaning even people who aren’t expert coders can activate an attack. Expert coders who are criminally minded, however, have developed new ways to create ransomware capable of operating across platforms while encrypting ever-increasing amounts of data.

Additionally, COVID-19 transformed entire industries to a mostly remote workforce almost overnight, leaving all kinds of gaps in security and data protection systems.

Because they are less likely to have robust cybersecurity protocols, small- and medium-sized businesses have historically been the most frequent targets of ransomware. But 2020 brought a dramatic increase in ransomware attacks against K-12 school systems, hospitals and healthcare systems, police departments, and municipalities, all groups who rely on technology to provide a necessary public service and who are likely to have insurance policies capable of “standing and delivering” on a ransom demand. 

The attacks against these types of organizations have also revealed the modern-day highwayman’s newest weapon: double extortion ransomware.

Double extortion ransomware

Double extortion ransomware takes the original concept of ransomware — pay up if you ever want to see your files again — and takes it one step further. Instead of just threatening to delete your files forever, hackers are now threatening to sell your data on the dark web.

This newest variation has made hackers more likely to specifically target large corporations or more valuable information (or both). It also has made victims more likely to make sure the ransom is paid and thus avoid having proprietary information sold to competitors or being held liable for their customers’ personal information being available to criminals around the world.

Adding insult to injury, it’s possible, even likely, that the victim pays and the digital highwayman doubles their profit by selling the data anyway.

Protect yourself against highway robbery

The recent SolarWinds hack, in which Russia gained access to gain entry to multiple government agencies including the Department of Homeland Security, the Commerce Department, the Treasury Department, the Justice Department, and the State Department (as well as tech giants Microsoft, Cisco, Belkin, and Intel), is a perfect example of why it’s so important to shore up your defenses. 

Note: Keep Solar Winds in the back of your mind. We’ll come back to it.

Defending against ransomware, especially double extortion ransomware, isn’t easy, but it’s definitely doable. The solutions are common-sense solutions that any cybersecurity professional will tell you. In fact, you’ve probably been told about them at least once already. So do your future self a favor and listen up. 

Train your employees

There are a lot of high-tech, complicated things you can (and should) do to protect your data, but one of the most effective and least expensive things you can do to protect against hacks is to train your employees regularly and well.

The top three most common vectors for infection are email attachments, drive-by downloads, and malicious links. You can dramatically reduce your risk for breaches if you teach your teams:

  • What phishing emails look like 
  • Why they can’t enable macros in their email (Microsoft now has macros off as a default setting, but everyone has those employees who insist on turning them on)
  • How critical it is to avoid clicking links in emails you don’t recognize and/or downloading attachments from people you don’t know
  • What can happen if they download unapproved/not whitelisted software and/or apps
  • When it’s appropriate to give a program administrative permissions

Remember — these “training sessions” don’t need to be day-long events. You can spend five minutes in a staff meeting explaining why employees need to stay off public WiFi connections or send a weekly email reminder about policies on using company devices for personal reasons (or vice versa). IT can teach staff how to set strong passwords through a post on internal message boards. 

The important thing in establishing a privacy culture is consistency and clarity from the top down.

Backup your data

Yes, I know. Technically, backing up your data won’t protect you from a ransomware attack, but it can lessen the severity of the fallout. 

Most ransomware is coded to look for and encrypt/delete backup files, which means your backed up data will be useless if it’s accessible from your main operating system. It’s most effective if you use a tiered or distributed backup strategy, prioritizing the most important data first and backing up data regularly using several modalities (cloud, external hard drive, etc.). 

One caveat — make sure your system has been cleared of any virus before you restore your backups. You don’t want to infect your backups and start the whole thing over again.

One more caveat — backing up your data may not help you if you are dealing with double extortion ransomware. As Justin Daniels, a shareholder, attorney, and cybersecurity expert at law firm Baker Donelson tells us, “Since double extortion ransomware is the latest variant, merely having separate backups is not sufficient. This type of ransomware means companies need to have in-depth cyber defenses that can identify the ransomware before it exfiltrates data as a prelude to the encryption of the company’s network.”

Use robust security software

I hate to break it to you, but your small business is using a free download of basic antivirus software, you’re doing it wrong. 

You need a comprehensive, behavior-based security solution.  Most conventional antivirus software run signature-based programs, meaning the program looks for the specific code markers of known viruses. This is why your antivirus program is regularly pushing out updates—when new virus markers are discovered, antivirus companies engineer a solution to be added to your system.

By contrast, behavior-based security programs monitor activity and flag/halt deviations in normal behavior patterns. Using machine learning, this type of software can detect suspicious activity before a malicious code can fully deploy.

Re-evaluate your permissions structure

Vulnerabilities in permissions access is one of the most common ways hackers specifically target sensitive information. It always shocks clients when we do a data audit and they realize there is a customer service rep with access to a database full of SSNs or that sensitive data sets have an admin who left the company three years ago. 

There are two things you can do to improve your data privacy and data security programs. First, implement the least privilege principle for data access. This means people have access to the smallest amount of data needed to complete their tasks. 

Second, consider a zero trust model for your cybersecurity plan. Zero trust means everyone in your company treats anything that comes from outside your system as suspect. You can read more about the concept and how to implement it here.

Have a recovery plan

You don’t want to wait until you’re in the middle of a breach to decide what you should do. To quote Ben Franklin, “By failing to prepare, you are failing to prepare.” 

Look at your data and create a hierarchy for your information. What information could you absolutely not operate without? Protect that first. Then move to the next most important data set and protect that.

Once you know what you are protecting and where it is backed up, you can start developing your recovery strategy. Your disaster recovery plan should: 

  • Identify the personnel needed to manage a breach
  • Include detailed documentation on your network infrastructure
  • Determine the data, technologies, and tools needed for each department to function and how long each group can function without it
  • Define a communications plan, including who is notified first (both internally as well as vendors) and how they are notified
  • Set clear recovery time objectives (RTO) and recovery point objectives (RPO)

You can find more information about setting up a disaster recovery plan here. Once you have a plan, you need to test it frequently. Practice simulations and table-top exercises and document what works and what doesn’t. Update your plan as your systems change. 

The time you spend on a solid plan will save you hours of pain if you’re ever actually hacked.

Back to SolarWinds

Okay, SolarWinds. How did the Russians manage to gain access to the top government agencies of the world’s reigning superpower and multiple global corporations? 

They used employees across all levels of each organization.

Russian hackers planted malware in a software upgrade for SolarWinds, a network management program used by 300,000 clients. After nearly 18,000 clients downloaded the update, hackers could mine networks, exploit vulnerabilities, and collect data undetected for nine months. Every expert out there says there are undoubtedly more victims than we know about and that it will take years to understand the full impact of the damage this single hack caused.

SolarWinds wasn’t a ransomware attack, but if it had been, the results could have been even more catastrophic. Implementing the failsafes listed above may not have completely stopped the hack, but it could have reduced the number of victims or shortened the amount of time it took to find the malware.

Things to remember in a stickup

Sadly, even the most prepared companies fall victim to ransomware bandits. Besides activating your well-tested and frequently updated disaster recovery plan, here are a few tips to keep in mind:

  • Identify and isolate the infected device. Turn off the WiFi and Bluetooth. Disconnect it from your network and any shared drives.
  • Turn off everything else. If there were any other devices or computers on the same network as your patient zero, turn them off, disconnect them from the networks, clearly label them as possibly infected, and put them in a separate location so no one accidentally reconnects them and infects everything else.
  • Do contact tracing on the remaining devices and computers. Look for weird file extensions and check your IT tickets for reports of files that won’t open or have gone missing, etc. 
  • Figure out what variant you’re dealing with. Whether you do it yourself or use a cybersecurity expert, knowing what type of ransomware you’ve caught may help you get rid of it. 
  • Contact law enforcement authorities. This is important both because law enforcement may have tools that can recover your data and because it will protect you from fines if the hack results in your clients’ data being stolen.
  • Don’t pay anyone anything. If you pay, there is no guarantee you’ll get a decryption key. It also makes you a mark, since hackers now know you are willing to pay for your data. 

Stand and deliver…yourself

When it comes to ransomware, your best protection is preparation. Remember, you don’t have to develop a comprehensive plan all at once. Start with the small steps that build a strong foundation, and then keep building.

And you don’t have to do it alone. Working with a data privacy professional to pick the right vendors, train your team, and stay on top of all of this throughout the busy year can simplify your life and establish efficient, effective operational privacy and security practices. 

We can help you. Call us today to take control of your data security and protect your company from highwaymen and their ransomware.

The Complete 2021 Privacy Compliance Checklist Header

Maybe you’re ahead of the pack when it comes to privacy, keeping your privacy policy and data inventory in shipshape. In that case, we salute you! (But you probably also know that privacy compliance obligations are a moving target and you keep planning for the future.)

But for the lot of you working hard at meeting your business goals while also struggling to wrap your head around how to fit privacy compliance onto your to-do list, take heart: 2021 is a great year to take it on. 

Why? Because privacy is about more than just putting systems and technology in place to help track and manage your customers’ personal information. 

It’s about respecting your relationship with customers. It’s about prioritizing the trust that they extend to you when they share their names, emails, phone numbers, addresses, whatever data points you’re asking for. It’s about leading with privacy, whether you’re a multinational corporation or a brand-new startup. 

So what will it take to be a privacy-forward business in 2021? Here’s our list for the upcoming year. 

Wrap up CCPA compliance

We said the same thing last year, but it still applies. CCPA is the most comprehensive, enforceable general data privacy legislation in the US. If you haven’t finished up your CCPA compliance, don’t wait on this. 

So what do you need to know for CCPA? Ready to jump into CCPA compliance? We’re here to help with that. 

Just getting acclimated? See below for your debriefing. 

  1. Do that data inventory. You know that accomplished, on-top-of-your-to-do-list feeling that you get after spring cleaning? That’s how you’ll feel when you organize your data and figure out what you’re collecting, using, storing, sharing, and selling. 
  2. Be transparent with your audience about how you're collecting personal information. This should include the aforementioned Don't Sell My Personal Information link on your home page and a crystal clear privacy notice that details your collection practices.
  3. Make individual rights requests easy. Include at least two methods for submitting requests.
  4. Respond to individual rights requests ASAP. Implement a verification method to protect your customers' personal information. 
  5. Protect minors' rights via appropriate consents for collecting children's information
  6. Cover your data security bases—consumers can file civil suits if you don’t take “appropriate security measures” and their data is exposed in a breach.

Getting CCPA compliant in 2021 isn’t just about avoiding the fines, fees, and reputational damage that comes along with compliance failures. It’s also part of preparing for the California Privacy Rights Act (CPRA) compliance in 2023. 

Read more on CPRA here

CPRA is guaranteed to give your business more to think about in terms of privacy. The new legislation, passed in the California general election in November 2020, expands on the core tenants of CCPA and moves privacy obligations closer to GDPR’s requirements (General Data Protection Regulation, EU’s privacy law).  It promises to help make enforcement of compliance more achievable for the state of California. Here are a few of the key features:

  • Grants new rights to data portability, correction, and restricting the use of sensitive personal information 
  • Clarifies definitions of selling information 
  • Raises threshold for personal information processing

But just because CPRA is coming down the road doesn’t mean that CCPA should be disregarded—its rules definitely still apply. 

But pay attention to other laws as well

And I’m not just talking about GDPR. CPRA may be the latest in US privacy law, but other states are edging towards more robust legislation. 

You may remember that last year, we mentioned the Texas Privacy Protection Act, the New York Privacy Act, and the Washington Privacy Act, the latter being back and updated for the third time.  These laws are still in the works, but New Hampshire, Oregon, and Virginia are also joining the party. While the final shape and outcome of legislative efforts is unknown, it's good to keep your finger on the pulse of these discussions. 

And don’t forget about what’s going on overseas

We’re not just talking about general GDPR requirements. You need to be tracking several developments on the European privacy frontier.

Schrems II ruling

In July, the EU’s Court of Justice struck down the Privacy Shield arrangement, which supported the flow of personal data between the EU and the US. According to the ruling, American organizations weren’t meeting the conditions of providing “adequate” protection for EU residents’ personal data. While a replacement for Privacy Shield is in discussion, there's not an imminent replacement. That means some fancy footwork may need to take place if you're going to keep processing EU data. (But it's worth getting that choreography down.)


When January 1, 2021 rolls around, the UK will no longer be part of the EU. For privacy practices, this means that US-based businesses dealing with personal data from the UK will have to accommodate the UK’s equivalent of GDPR. Don’t delay in assessing whether you fall into the scope of their framework. While regulations will be similar, you may need to adjust some internal processes to comply.  

Align your digital marketing strategy with privacy

Digital marketing—especially these days—is critical to connecting you to your audience. But is your digital marketing on the right side of privacy? 

Between the General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM), Canadian Anti-Spam Legislation (CASL), there’s a lot to weigh across your channels. 

Take email marketing for one. Email marketing is at the top of marketers’ to-do lists: 87% of them use email marketing to distribute content organically. 

That means you’re probably sending out emails. But do you know if you’re: 

  • Representing your message correctly? 
  • Setting up appropriate opt-ins and opt-outs for your recipients? 
  • Sufficiently managing your records? 

Email marketers should be able to answer these questions in the affirmative. But email marketing likely isn’t the only thing on your digital plate. Your website is a major piece of the pie. 

Give your website some love

Your website is a heavy lifter for your marketing efforts—and your compliance ones, too. If you’re a developer, the word “compliance’ likely sparks visions of ADA-accessibility requirements. But your website needs far more than that. For both GDPR and CCPA, you should always make sure that you’re locking down your data with the most up-to-date security practices. You should also make vetting your vendors one of YOUR best practices—how they handle data privacy and security has major implications for your business and customers. 

Here are a few of the other big-ticket items for getting your website compliant in 2021. 


  • Provide a link from your home page that says “Do Not Sell My Personal Data” 
  • Make sure you get the appropriate consents before collecting personal data belonging to minors
  • Include a method for visitors to request, move, change or delete data 
  • Update your privacy policy to share what personal data you collect, how you use it, third parties data is shared with, data that’s sold and a description of their individual rights as per CCPA


  • Add a cookie banner so your visitors are informed about your cookie practices and can provide opt-in consent 
  • If you depend on consent for email marketing, make sure you’re getting that consent appropriately (i.e., through opt-ins and/or double opt-ins)
  • Implement a system for notifying users about privacy policy updates or data breaches 
  • Make sure your anonymize data when using third-party services or plugins

Note: This list isn’t exhaustive. For help with GDPR and CCPA compliance, drop us a line—we can help you get moving in the right direction. 

Put together amazing privacy messaging

There’s not a single good, consumer-friendly reason privacy practices can’t be made comprehensible to your customers. That’s it. Short and sweet. You can do it. You need to do it. Because people are over convoluted privacy policies that are as indecipherable as Beowulf

A good start is to finetune your landing pages where you house your privacy and security policies. While B2C businesses might not have a rapt audience, B2B companies will find that customers are hungry to know how you’re complying with privacy laws. 

Part of your messaging strategy should be to help your customers tailor their marketing experience with you. Preference centers give them options of how much communication they want to receive and what type. Need inspiration? Just look at how companies like, MailChimp, and Apple craft engaging user experiences that speak directly to their customers' privacy concerns while staying true to their brand identity. 

Finally, to make integrating privacy into your marketing, a good practice is to have a checklist for the privacy regulations you need to follow. Knowing what the benchmarks are will make everyone’s job a little easier. 

Make privacy a focus at your workplace

To start, in 2021, get your team trained on privacy issues. That in and of itself is a multifaceted thing. It can involve information security awareness or privacy awareness. It can be a deep dive into CCPA individual rights requests, or it can reinforce industry-specific privacy compliance requirements. (Take, for example, the Gramm-Leach-Bliley Act for financial services.)

Your team also needs thorough data security training. After all, human error is responsible for some massive data breaches. And given the large numbers of workers still living the work-from-home life, your team needs to be looped in on all the relevant data security rules. Let’s not repeat the same mistakes in 2021. 

A final word on focusing on privacy in your workplace. Don’t leave internal privacy discussions to the IT crowd or the marketing department. Privacy is pertinent to your entire operation. So when you’re looking down the road at new projects, products, services, vendors, whatever you’re planning on getting up to next year, bring privacy to the table.  

The clock is counting down until 2021. I’m just as excited as everyone for the promise and opportunity of a brand new year. But seizing opportunity means being proactive. Don’t treat compliance as a last-minute addition to the rest of your business activities. 

Ready to get started before the ball drops? We’d love to chat. Drop us a line to schedule a consultation.

Software as a service is vital for businesses, but so is privacy and data security. SaaS providers must deliver for their customers or risk a dangerous credibility gap, plus data breaches, fines, fees, and everything else that goes along with compliance failures.

Where does a SaaS start protecting their business and their customers? They start with these 10 steps.

SaaS privacy steps

1. Prioritize privacy in your business

Privacy won’t do you or your customers much good if it’s always last in line. Work with your decision-makers to implement privacy policies into your business values and practices: how and why you’re collecting data; what privacy and personal data means for your products; and how you talk about privacy with your customers and your employees. 

It’s never too late to start. And if you need help, a fractional privacy officer is just an email away (for the fraction of the cost of in-house specialists.)

2.  Limit the information you’re gathering

Let’s loop back to the whys of your data collection. Privacy regulations widely require you to minimize the data that you’re collecting by having a reason for collecting it in the first place. If you limit your collection, you decrease the risk of data loss and breaches; you decrease costs of storage and protection; and you increase the likelihood of customer trust. 

Another benefit to minimizing the data you collect? If you keep a streamlined data collection program, you’ll be able to keep up with regulatory changes more easily.

3. Encrypt your data

Always. In today’s remote working, online shopping, social media-ing world, you can’t not encrypt your data and expect to avoid repercussions. Encryption should happen throughout all parts of your technology to protect your business and your customers. 

But it's more than protecting against data breaches (although yes, that's a big reason.) It's also about maintaining consumer confidence. Communicate your encryption practices to show them that you value their trust. 

And as a side note, not taking sufficient measures to protect data can land your business in regulatory hot water with CCPA and GDPR. These privacy acts don’t specifically require encryption, but it’s far easier to just encrypt your data than getting into legal debates. 

data privacy SaaS company

4. Data inventorying — it’s a good thing

A data inventory is a line item for GDPR, but it’s an important piece of your privacy practices even if you aren’t required to comply with any particular privacy regulation. A data inventory gives you an organized overview of what data you’ve collected, how you’ve been using, sharing, processing, and storing it. You can then use that overview to track your data flow, help manage vendor relationships, keep your privacy notices up-to-date, and support a streamlined data collecting process. 

5. Offer your customers transparency

You may know why you’re asking your customers for their data, but do they? Chances are, they’d like to know. That’s where transparency comes in. Thankfully, there’s lots of room to communicate with them because your customers are presented with lots of privacy touchpoints in their relationship with you. Don’t miss these opportunities to clarify:

  • Why you’re asking them for their personal information
  • How and why you’re going to use it
  • Who you’re going to share it with
  • And always, how it benefits them

Be as specific as possible — no one gets warm fuzzies from vague legalese. 

6. Get your employees privacy-ready

If you don’t train your employees to handle privacy issues, then you’ll quickly run into compliance problems. Your customers' data is handled by your employees. But do they know what your privacy policies are? Do they know why they're in place and what it means for their jobs? Employees need thorough training on any regulations that apply to your customers, your workplace, your business, and your industry. 

data privacy SaaS

7. Back it up in multiple locations

We like the ancient idiom: Don’t put all your data in one basket. This can limit damages in cases of data breaches, although it's important to be diligent about your backup processes: you want your data to be current and useful across all locations. 

This goes for when a customer requests that their data is deleted — consistency is important for honoring these individual rights requests. 

8. Put individual rights into your policies

Speaking of individual rights, don’t assume that honoring them is a one-size-fits-all task. Each regulation defines and honors individual rights differently, so you need to use a targeted approach for upholding them. The best place to start? Start by getting familiar with what the rights are in the first place. The more well versed you are, the easier it will be to come up with appropriate solutions. 

9. Marketing teams should be a priority

Marketing is a multifaceted, ever-changing industry. To meet privacy goals, you need to know how marketing activities intersect with privacy regulations. This means looking at how your business approaches its website(s), apps, email and social media marketing, any point at which data is collected. 

A few key points to remember: 

  • Rules vary by channels and tools. An email operates under different laws than websites. 
  • Regulations vary from country to country. What you can do in the US is different than what you can do in Australia or Brazil. 
  • Whatever you do, make managing how they share information easy with a preference center.

10. Trust is a long-term project

A business needs the trust of its customers, employees, and stakeholders to thrive. Privacy is part of that trust. And honoring privacy is an investment in it.

Start by developing solutions that support trust. Don’t just tell people they can trust you — show them why.

What are your goals for privacy in your Saas? If they are just to tick off the boxes on a compliance checklist, that’s definitely something you can do — but is that the best solution? 

Ultimately, what will get you further? A quick-and-dirty compliance plan that you have to scramble to change each time regulations shift? Or a thoughtful long-term strategy that focuses on nurturing customer trust and growing your business through privacy practices?

Software as a service is an essential part of business operations, but just because it offers value doesn’t mean that you should take a shortcut with privacy practices. Starting with these basics, you can achieve your goals and exceed everyone’s expectations for privacy standards.