Privacy compliance is a long road. Luckily, you don’t have to go it alone.

Privacy management software can help you set up a robust privacy program. But without a privacy expert, you will be driving blind.

If privacy laws had a relationship status, it would be “It’s complicated”

If you’re reading this article, chances are you know at least the basics outline of today’s data privacy landscape. Maybe you are already compliant with the European Union’s General Data Protection Regulation (GDPR), or maybe you’re in charge of managing a California Consumer Privacy Act (CCPA) compliance program. 

Maybe you are really on top of things and are heading up a project to be ready for the 2022 California Privacy Rights Act (CPRA) rollout.

But even if these acronyms don’t mean anything to you (yet), you recognize that companies need strong data privacy programs to stay competitive in the marketplace.

The California State Legislature and the EU General Assembly were the first governing bodies to pass modern, aggressive privacy laws, but they definitely won’t be the last. Right now, dozens of states are considering California-esque bills that will continue the trend of giving consumers more control over how their personal information is collected and used online well into the next decade. 

While the laws vary across jurisdictions, there are some common themes including:

  • Expanding the definition of what’s considered “sensitive personal information” beyond names, birthdays, and SSNs by adding things like your phone number, health information, sexual orientation, religion, political affiliation, etc.
  • Giving consumers a way to deny permission to have their sensitive personal information collected, shared, or sold
  • Requiring companies to provide transparent and understandable privacy and cookie notices at or before the time they collect personal data
  • Mandating companies take reasonable security measures to protect consumer data
  • Levying harsh civil, even criminal, fines and punishments for noncompliance or if data breaches result in consumers’ personal information being exposed

So if you’re here and reading this, you know enough to know you probably need help to manage it all.

The United States is a melting pot — and so are its privacy laws

Unlike the EU, which took a unilateral approach to defining privacy law for all member states—although it should be noted that member states do have unique laws pertaining to data privacy on top of them—the United States has adopted a sectoral approach to privacy, meaning that unless the data is part of a federal regulation like HIPAA, privacy and data protection laws are by and large driven by individual states.

Because so much of our nation’s economy and tech infrastructure comes out of California, most large corporations complied with CCPA regulations. This new best practice standard shifted consumer expectations, leading to a domino effect of mid-and small businesses following suit.

But other states are now working on their own laws, making internet privacy the wild west, with each town having a different sheriff.

And the digital world isn’t going anywhere anytime soon. In 2020, consumers dropped a cool $861.12 billion in e-commerce sales with U.S. merchants alone. The Internet of Things continues to drive technological advancements. 

Companies increasingly need a data privacy expert to guide them through the unmarked places on the map.

Enter Privacy as a Service (PaaS).

PaaS is your own personal privacy butler

Batman’s butler, Alfred Pennyworth, makes Batman’s life so much easier. Working quietly behind the scenes, Alfred keeps the Batmobile tuned up, the suits ready, and the gadgets loaded. He is the reason Batman can swoop down into the Batcave and rush out to save Gotham without thinking twice.

If you do business in multiple jurisdictions, have a complicated privacy program, or manage large amounts of personal data, PaaS (also known as Data Protection as a Service or DPaas) can be your Alfred.

PaaS is a software platform that offers products and services to help you operationalize your company’s privacy program. It can be a real lifesaver for companies that don’t have a dedicated privacy team.

Privacy management groups like OneTrust build solutions that use advanced machine learning to help you build a program that complies with whatever privacy regulations affect you while simultaneously helping you be smarter about your data collection. 

Assessments and mapping and permissions, oh my!

Here is what PaaS can do for you:

  • Conduct privacy impact/data protection impact assessments for automating privacy processes
  • Map your data and help you collect a data inventory (data inventories, required by many new legislations, make it possible for you to remove/correct consumer data more easily and accurately)
  • Identify and predict risk and other weak points in your processes
  • Create and deploy privacy notifications, cookie consent banners, etc. with the standard contractual clauses required by law
  • Establish least-privilege access permission structure
  • Manage app consent processes on mobile devices
  • Automate breach incident actions and notifications
  • Onboard vendors and mitigate the risks they pose
  • Establish compliance with laws and regulations across multiple jurisdictions

It’s important to note that, while as close as cousins, PaaS programs are not the same thing as cybersecurity. The best privacy programs integrate privacy solutions into their larger cybersecurity plan.

But Alfred can’t be Batman…

I rarely tell clients that investing in privacy management software is a bad idea. 

But I also rarely tell them it’s all they need.

Anyone who has tried to get Siri or Alexa to answer a nuanced question knows that machine learning and AI has its limitations. Privacy management software is critical for companies to set up automation that can help with the privacy process, but if you don’t have a privacy expert guiding you through the process, well, you might as well hand the Batmobile keys and the Batarang to Alfred and send him off to save Gotham from the Joker.

The Joker (hackers, data thieves, and general internet bad guys) will win.

But if you combine the technology from the Batcave (privacy management software) with the experience and knowledge of Batman (your privacy expert), then you are in good shape.

Let’s leave the Batcave and talk about what this would look like in the real world.

Data Inventories

Data inventories are a big part of privacy programs, but let’s face it—they can be a big undertaking. However, the right software can cut down on the legwork by finding and documenting data. 

This alone is hugely helpful, but it doesn’t cover all your bases. You still need to determine the legal basis for data collection for GDPR. Or if the data has been sold under the scope of CCPA. Or if you can even collect and use that data in the first place. 

These kinds of questions are why privacy professionals are a critical resource for businesses. They have technical expertise and industry insight that can help you get answers—and solutions—to these questions. 

Social Media 

Facebook, Instagram, Twitter, and LinkedIn have historically been free advertising channels for businesses. But events like the Facebook/Cambridge Analytical scandal have made consumers much less likely to share personal information online.

The GDPR and CCPA control what categories and types of personal data a business can store about its users, but not all of the ramifications are clear yet. 

For example, it’s totally normal for a social network to host digital advertising. If a user clicks a link in one of those ads, now the app and the advertiser have the consumer’s information. Was the consumer adequately notified before the advertiser started collecting data? Is the activity considered the sale of data under CCPA? How should that be disclosed to the consumer?

The same principle works in reverse. If you have buttons for users to share your blog post or infographic on their social media accounts, are you confident you don’t have any exposure regarding whatever data that app collects from them? 


The laws regarding privacy notices and cookie consent are constantly changing. Now that Apple and Google are eliminating third-party cookies, so are industry best practices. A privacy expert can help you maximize the functionality of your privacy management software so that your notifications are accurate and in line with industry standards so that you stay ahead of your competitors. If you do this, your privacy program can be a differentiating factor instead of just a cost center.

Individual rights requests

One of the most complicated parts of CCPA is the individual rights request provision. Under CCPA, consumers have the right to see what data you’ve collected about them and correct it if it’s wrong or delete it altogether.

A privacy management software can help you map the data so you can find it easily and quickly, but it can’t train your employees on how to execute a request. It can send notifications, but it can’t parse nuanced data to see if the request is valid. For that, you need a privacy expert. 

Privacy isn’t a one and done

Privacy is complex. So is software. And the implications of the wrong choice can be overwhelming! Don’t feel like you need to manage your company’s privacy program on your own.

Using a privacy management software can dramatically simplify your life, but if you don’t do it right, you’ll have a false sense of security. To have full confidence, you need to combine your PaaS program with the expert advice and knowledge of an expert. This expert doesn’t have to be a full-time employee. You can hire a consultant or cross-train another employee. 

Whatever you choose, remember to do regular checkups to make sure your program is keeping up with constantly changing legislation.

At Red Clover Advisors, we are experts in data privacy programs and training. If you need help picking a privacy management program, implementing the program you’ve picked, or maximizing your PaaS, drop us a line.

In 17th and 18th century England, highwaymen—thieves who traveled and robbed on horseback—concealed themselves along wooded sections of major roads leading out of London, waiting for the chance to stop vulnerable travelers in stagecoaches and carriages with a loud “Stand and deliver.” 

This was code for “handover your jewelry, purse, money, weapons, and whatever else you’ve got right now before we shoot you!”

Highwaymen faded into history by the mid-1800s, but on today’s cyber highways, new highwaymen are lying in wait outside weak passwords, missing patch updates, and phishy emails, ready to steal sensitive financial data, personal information, and proprietary intellectual property.

Like the highwaymen of old England, hackers may have specific targets or they may attack indiscriminately. Either way, everyone from big corporations to government agents to regular people running regular businesses have what they want — data.

Because in today’s world, data=$$$$$.

All the bad actors

Most people use the term “virus” to talk about any external program that disrupts computing functions, but a virus isn’t the same thing as spyware. Trojans aren’t the same as ransomware. 

These guys are all malware, but they work differently. Because of that, a basic understanding of how each type of malware infiltrates and attacks your system is critical to understanding how to both protect against them and how to get rid of them if your defenses fall.

As hackers have become more sophisticated hybrid or exotic malware, malware that combines two or more techniques into a complicated, multi-step malware capable of inflicting layers of damage while remaining undetected for a long time, sometimes years.

Ransomware — the internet’s highwayman

Ransomware is malware that attacks a system by heavily encrypting data and holding it hostage until the victim pays an untraceable cyber currency “ransom” for its return. Computers are most commonly infected with ransomware when a user opens seemingly benign but malicious email attachments. 

Ransomware can also be activated by clicking on links in social media messaging apps or through drive-by downloads that happen when you visit compromised websites.

Ransomware has been around since 2005. Its popularity ebbs and flows, but according to Cybersecurity Ventures, ransomware attacked a company was attacked every 11 seconds in 2020. The potential cost by end-of-year is estimated at $20 billion. 

There are many reasons for this trend in ransomware hacks. An entire industry has sprung up around the development and sale of ransomware kits, meaning even people who aren’t expert coders can activate an attack. Expert coders who are criminally minded, however, have developed new ways to create ransomware capable of operating across platforms while encrypting ever-increasing amounts of data.

Additionally, COVID-19 transformed entire industries to a mostly remote workforce almost overnight, leaving all kinds of gaps in security and data protection systems.

Because they are less likely to have robust cybersecurity protocols, small- and medium-sized businesses have historically been the most frequent targets of ransomware. But 2020 brought a dramatic increase in ransomware attacks against K-12 school systems, hospitals and healthcare systems, police departments, and municipalities, all groups who rely on technology to provide a necessary public service and who are likely to have insurance policies capable of “standing and delivering” on a ransom demand. 

The attacks against these types of organizations have also revealed the modern-day highwayman’s newest weapon: double extortion ransomware.

Double extortion ransomware

Double extortion ransomware takes the original concept of ransomware — pay up if you ever want to see your files again — and takes it one step further. Instead of just threatening to delete your files forever, hackers are now threatening to sell your data on the dark web.

This newest variation has made hackers more likely to specifically target large corporations or more valuable information (or both). It also has made victims more likely to make sure the ransom is paid and thus avoid having proprietary information sold to competitors or being held liable for their customers’ personal information being available to criminals around the world.

Adding insult to injury, it’s possible, even likely, that the victim pays and the digital highwayman doubles their profit by selling the data anyway.

Protect yourself against highway robbery

The recent SolarWinds hack, in which Russia gained access to gain entry to multiple government agencies including the Department of Homeland Security, the Commerce Department, the Treasury Department, the Justice Department, and the State Department (as well as tech giants Microsoft, Cisco, Belkin, and Intel), is a perfect example of why it’s so important to shore up your defenses. 

Note: Keep Solar Winds in the back of your mind. We’ll come back to it.

Defending against ransomware, especially double extortion ransomware, isn’t easy, but it’s definitely doable. The solutions are common-sense solutions that any cybersecurity professional will tell you. In fact, you’ve probably been told about them at least once already. So do your future self a favor and listen up. 

Train your employees

There are a lot of high-tech, complicated things you can (and should) do to protect your data, but one of the most effective and least expensive things you can do to protect against hacks is to train your employees regularly and well.

The top three most common vectors for infection are email attachments, drive-by downloads, and malicious links. You can dramatically reduce your risk for breaches if you teach your teams:

  • What phishing emails look like 
  • Why they can’t enable macros in their email (Microsoft now has macros off as a default setting, but everyone has those employees who insist on turning them on)
  • How critical it is to avoid clicking links in emails you don’t recognize and/or downloading attachments from people you don’t know
  • What can happen if they download unapproved/not whitelisted software and/or apps
  • When it’s appropriate to give a program administrative permissions

Remember — these “training sessions” don’t need to be day-long events. You can spend five minutes in a staff meeting explaining why employees need to stay off public WiFi connections or send a weekly email reminder about policies on using company devices for personal reasons (or vice versa). IT can teach staff how to set strong passwords through a post on internal message boards. 

The important thing in establishing a privacy culture is consistency and clarity from the top down.

Backup your data

Yes, I know. Technically, backing up your data won’t protect you from a ransomware attack, but it can lessen the severity of the fallout. 

Most ransomware is coded to look for and encrypt/delete backup files, which means your backed up data will be useless if it’s accessible from your main operating system. It’s most effective if you use a tiered or distributed backup strategy, prioritizing the most important data first and backing up data regularly using several modalities (cloud, external hard drive, etc.). 

One caveat — make sure your system has been cleared of any virus before you restore your backups. You don’t want to infect your backups and start the whole thing over again.

One more caveat — backing up your data may not help you if you are dealing with double extortion ransomware. As Justin Daniels, a shareholder, attorney, and cybersecurity expert at law firm Baker Donelson tells us, “Since double extortion ransomware is the latest variant, merely having separate backups is not sufficient. This type of ransomware means companies need to have in-depth cyber defenses that can identify the ransomware before it exfiltrates data as a prelude to the encryption of the company’s network.”

Use robust security software

I hate to break it to you, but your small business is using a free download of basic antivirus software, you’re doing it wrong. 

You need a comprehensive, behavior-based security solution.  Most conventional antivirus software run signature-based programs, meaning the program looks for the specific code markers of known viruses. This is why your antivirus program is regularly pushing out updates—when new virus markers are discovered, antivirus companies engineer a solution to be added to your system.

By contrast, behavior-based security programs monitor activity and flag/halt deviations in normal behavior patterns. Using machine learning, this type of software can detect suspicious activity before a malicious code can fully deploy.

Re-evaluate your permissions structure

Vulnerabilities in permissions access is one of the most common ways hackers specifically target sensitive information. It always shocks clients when we do a data audit and they realize there is a customer service rep with access to a database full of SSNs or that sensitive data sets have an admin who left the company three years ago. 

There are two things you can do to improve your data privacy and data security programs. First, implement the least privilege principle for data access. This means people have access to the smallest amount of data needed to complete their tasks. 

Second, consider a zero trust model for your cybersecurity plan. Zero trust means everyone in your company treats anything that comes from outside your system as suspect. You can read more about the concept and how to implement it here.

Have a recovery plan

You don’t want to wait until you’re in the middle of a breach to decide what you should do. To quote Ben Franklin, “By failing to prepare, you are failing to prepare.” 

Look at your data and create a hierarchy for your information. What information could you absolutely not operate without? Protect that first. Then move to the next most important data set and protect that.

Once you know what you are protecting and where it is backed up, you can start developing your recovery strategy. Your disaster recovery plan should: 

  • Identify the personnel needed to manage a breach
  • Include detailed documentation on your network infrastructure
  • Determine the data, technologies, and tools needed for each department to function and how long each group can function without it
  • Define a communications plan, including who is notified first (both internally as well as vendors) and how they are notified
  • Set clear recovery time objectives (RTO) and recovery point objectives (RPO)

You can find more information about setting up a disaster recovery plan here. Once you have a plan, you need to test it frequently. Practice simulations and table-top exercises and document what works and what doesn’t. Update your plan as your systems change. 

The time you spend on a solid plan will save you hours of pain if you’re ever actually hacked.

Back to SolarWinds

Okay, SolarWinds. How did the Russians manage to gain access to the top government agencies of the world’s reigning superpower and multiple global corporations? 

They used employees across all levels of each organization.

Russian hackers planted malware in a software upgrade for SolarWinds, a network management program used by 300,000 clients. After nearly 18,000 clients downloaded the update, hackers could mine networks, exploit vulnerabilities, and collect data undetected for nine months. Every expert out there says there are undoubtedly more victims than we know about and that it will take years to understand the full impact of the damage this single hack caused.

SolarWinds wasn’t a ransomware attack, but if it had been, the results could have been even more catastrophic. Implementing the failsafes listed above may not have completely stopped the hack, but it could have reduced the number of victims or shortened the amount of time it took to find the malware.

Things to remember in a stickup

Sadly, even the most prepared companies fall victim to ransomware bandits. Besides activating your well-tested and frequently updated disaster recovery plan, here are a few tips to keep in mind:

  • Identify and isolate the infected device. Turn off the WiFi and Bluetooth. Disconnect it from your network and any shared drives.
  • Turn off everything else. If there were any other devices or computers on the same network as your patient zero, turn them off, disconnect them from the networks, clearly label them as possibly infected, and put them in a separate location so no one accidentally reconnects them and infects everything else.
  • Do contact tracing on the remaining devices and computers. Look for weird file extensions and check your IT tickets for reports of files that won’t open or have gone missing, etc. 
  • Figure out what variant you’re dealing with. Whether you do it yourself or use a cybersecurity expert, knowing what type of ransomware you’ve caught may help you get rid of it. 
  • Contact law enforcement authorities. This is important both because law enforcement may have tools that can recover your data and because it will protect you from fines if the hack results in your clients’ data being stolen.
  • Don’t pay anyone anything. If you pay, there is no guarantee you’ll get a decryption key. It also makes you a mark, since hackers now know you are willing to pay for your data. 

Stand and deliver…yourself

When it comes to ransomware, your best protection is preparation. Remember, you don’t have to develop a comprehensive plan all at once. Start with the small steps that build a strong foundation, and then keep building.

And you don’t have to do it alone. Working with a data privacy professional to pick the right vendors, train your team, and stay on top of all of this throughout the busy year can simplify your life and establish efficient, effective operational privacy and security practices. 

We can help you. Call us today to take control of your data security and protect your company from highwaymen and their ransomware.

The Complete 2021 Privacy Compliance Checklist Header

Maybe you’re ahead of the pack when it comes to privacy, keeping your privacy policy and data inventory in shipshape. In that case, we salute you! (But you probably also know that privacy compliance obligations are a moving target and you keep planning for the future.)

But for the lot of you working hard at meeting your business goals while also struggling to wrap your head around how to fit privacy compliance onto your to-do list, take heart: 2021 is a great year to take it on. 

Why? Because privacy is about more than just putting systems and technology in place to help track and manage your customers’ personal information. 

It’s about respecting your relationship with customers. It’s about prioritizing the trust that they extend to you when they share their names, emails, phone numbers, addresses, whatever data points you’re asking for. It’s about leading with privacy, whether you’re a multinational corporation or a brand-new startup. 

So what will it take to be a privacy-forward business in 2021? Here’s our list for the upcoming year. 

Wrap up CCPA compliance

We said the same thing last year, but it still applies. CCPA is the most comprehensive, enforceable general data privacy legislation in the US. If you haven’t finished up your CCPA compliance, don’t wait on this. 

So what do you need to know for CCPA? Ready to jump into CCPA compliance? We’re here to help with that. 

Just getting acclimated? See below for your debriefing. 

  1. Do that data inventory. You know that accomplished, on-top-of-your-to-do-list feeling that you get after spring cleaning? That’s how you’ll feel when you organize your data and figure out what you’re collecting, using, storing, sharing, and selling. 
  2. Be transparent with your audience about how you’re collecting personal information. This should include the aforementioned Don’t Sell My Personal Information link on your home page and a crystal clear privacy notice that details your collection practices.
  3. Make individual rights requests easy. Include at least two methods for submitting requests.
  4. Respond to individual rights requests ASAP. Implement a verification method to protect your customers’ personal information. 
  5. Protect minors’ rights via appropriate consents for collecting children’s information
  6. Cover your data security bases—consumers can file civil suits if you don’t take “appropriate security measures” and their data is exposed in a breach.

Getting CCPA compliant in 2021 isn’t just about avoiding the fines, fees, and reputational damage that comes along with compliance failures. It’s also part of preparing for the California Privacy Rights Act (CPRA) compliance in 2023. 

Read more on CPRA here

CPRA is guaranteed to give your business more to think about in terms of privacy. The new legislation, passed in the California general election in November 2020, expands on the core tenants of CCPA and moves privacy obligations closer to GDPR’s requirements (General Data Protection Regulation, EU’s privacy law).  It promises to help make enforcement of compliance more achievable for the state of California. Here are a few of the key features:

  • Grants new rights to data portability, correction, and restricting the use of sensitive personal information 
  • Clarifies definitions of selling information 
  • Raises threshold for personal information processing

But just because CPRA is coming down the road doesn’t mean that CCPA should be disregarded—its rules definitely still apply. 

But pay attention to other laws as well

And I’m not just talking about GDPR. CPRA may be the latest in US privacy law, but other states are edging towards more robust legislation. 

You may remember that last year, we mentioned the Texas Privacy Protection Act, the New York Privacy Act, and the Washington Privacy Act, the latter being back and updated for the third time.  These laws are still in the works, but New Hampshire, Oregon, and Virginia are also joining the party. While the final shape and outcome of legislative efforts is unknown, it’s good to keep your finger on the pulse of these discussions. 

And don’t forget about what’s going on overseas

We’re not just talking about general GDPR requirements. You need to be tracking several developments on the European privacy frontier.

Schrems II ruling

In July, the EU’s Court of Justice struck down the Privacy Shield arrangement, which supported the flow of personal data between the EU and the US. According to the ruling, American organizations weren’t meeting the conditions of providing “adequate” protection for EU residents’ personal data. While a replacement for Privacy Shield is in discussion, there’s not an imminent replacement. That means some fancy footwork may need to take place if you’re going to keep processing EU data. (But it’s worth getting that choreography down.)


When January 1, 2021 rolls around, the UK will no longer be part of the EU. For privacy practices, this means that US-based businesses dealing with personal data from the UK will have to accommodate the UK’s equivalent of GDPR. Don’t delay in assessing whether you fall into the scope of their framework. While regulations will be similar, you may need to adjust some internal processes to comply.  

Align your digital marketing strategy with privacy

Digital marketing—especially these days—is critical to connecting you to your audience. But is your digital marketing on the right side of privacy? 

Between the General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM), Canadian Anti-Spam Legislation (CASL), there’s a lot to weigh across your channels. 

Take email marketing for one. Email marketing is at the top of marketers’ to-do lists: 87% of them use email marketing to distribute content organically. 

That means you’re probably sending out emails. But do you know if you’re: 

  • Representing your message correctly? 
  • Setting up appropriate opt-ins and opt-outs for your recipients? 
  • Sufficiently managing your records? 

Email marketers should be able to answer these questions in the affirmative. But email marketing likely isn’t the only thing on your digital plate. Your website is a major piece of the pie. 

Give your website some love

Your website is a heavy lifter for your marketing efforts—and your compliance ones, too. If you’re a developer, the word “compliance’ likely sparks visions of ADA-accessibility requirements. But your website needs far more than that. For both GDPR and CCPA, you should always make sure that you’re locking down your data with the most up-to-date security practices. You should also make vetting your vendors one of YOUR best practices—how they handle data privacy and security has major implications for your business and customers. 

Here are a few of the other big-ticket items for getting your website compliant in 2021. 


  • Provide a link from your home page that says “Do Not Sell My Personal Data” 
  • Make sure you get the appropriate consents before collecting personal data belonging to minors
  • Include a method for visitors to request, move, change or delete data 
  • Update your privacy policy to share what personal data you collect, how you use it, third parties data is shared with, data that’s sold and a description of their individual rights as per CCPA


  • Add a cookie banner so your visitors are informed about your cookie practices and can provide opt-in consent 
  • If you depend on consent for email marketing, make sure you’re getting that consent appropriately (i.e., through opt-ins and/or double opt-ins)
  • Implement a system for notifying users about privacy policy updates or data breaches 
  • Make sure your anonymize data when using third-party services or plugins

Note: This list isn’t exhaustive. For help with GDPR and CCPA compliance, drop us a line—we can help you get moving in the right direction. 

Put together amazing privacy messaging

There’s not a single good, consumer-friendly reason privacy practices can’t be made comprehensible to your customers. That’s it. Short and sweet. You can do it. You need to do it. Because people are over convoluted privacy policies that are as indecipherable as Beowulf

A good start is to finetune your landing pages where you house your privacy and security policies. While B2C businesses might not have a rapt audience, B2B companies will find that customers are hungry to know how you’re complying with privacy laws. 

Part of your messaging strategy should be to help your customers tailor their marketing experience with you. Preference centers give them options of how much communication they want to receive and what type. Need inspiration? Just look at how companies like, MailChimp, and Apple craft engaging user experiences that speak directly to their customers’ privacy concerns while staying true to their brand identity. 

Finally, to make integrating privacy into your marketing, a good practice is to have a checklist for the privacy regulations you need to follow. Knowing what the benchmarks are will make everyone’s job a little easier. 

Make privacy a focus at your workplace

To start, in 2021, get your team trained on privacy issues. That in and of itself is a multifaceted thing. It can involve information security awareness or privacy awareness. It can be a deep dive into CCPA individual rights requests, or it can reinforce industry-specific privacy compliance requirements. (Take, for example, the Gramm-Leach-Bliley Act for financial services.)

Your team also needs thorough data security training. After all, human error is responsible for some massive data breaches. And given the large numbers of workers still living the work-from-home life, your team needs to be looped in on all the relevant data security rules. Let’s not repeat the same mistakes in 2021. 

A final word on focusing on privacy in your workplace. Don’t leave internal privacy discussions to the IT crowd or the marketing department. Privacy is pertinent to your entire operation. So when you’re looking down the road at new projects, products, services, vendors, whatever you’re planning on getting up to next year, bring privacy to the table.  

The clock is counting down until 2021. I’m just as excited as everyone for the promise and opportunity of a brand new year. But seizing opportunity means being proactive. Don’t treat compliance as a last-minute addition to the rest of your business activities. 

Ready to get started before the ball drops? We’d love to chat. Drop us a line to schedule a consultation.

Software as a service is vital for businesses, but so is privacy and data security. SaaS providers must deliver for their customers or risk a dangerous credibility gap, plus data breaches, fines, fees, and everything else that goes along with compliance failures.

Where does a SaaS start protecting their business and their customers? They start with these 10 steps.

SaaS privacy steps

1. Prioritize privacy in your business

Privacy won’t do you or your customers much good if it’s always last in line. Work with your decision-makers to implement privacy policies into your business values and practices: how and why you’re collecting data; what privacy and personal data means for your products; and how you talk about privacy with your customers and your employees. 

It’s never too late to start. And if you need help, a fractional privacy officer is just an email away (for the fraction of the cost of in-house specialists.)

2.  Limit the information you’re gathering

Let’s loop back to the whys of your data collection. Privacy regulations widely require you to minimize the data that you’re collecting by having a reason for collecting it in the first place. If you limit your collection, you decrease the risk of data loss and breaches; you decrease costs of storage and protection; and you increase the likelihood of customer trust. 

Another benefit to minimizing the data you collect? If you keep a streamlined data collection program, you’ll be able to keep up with regulatory changes more easily.

3. Encrypt your data

Always. In today’s remote working, online shopping, social media-ing world, you can’t not encrypt your data and expect to avoid repercussions. Encryption should happen throughout all parts of your technology to protect your business and your customers. 

But it’s more than protecting against data breaches (although yes, that’s a big reason.) It’s also about maintaining consumer confidence. Communicate your encryption practices to show them that you value their trust. 

And as a side note, not taking sufficient measures to protect data can land your business in regulatory hot water with CCPA and GDPR. These privacy acts don’t specifically require encryption, but it’s far easier to just encrypt your data than getting into legal debates. 

data privacy SaaS company

4. Data inventorying — it’s a good thing

A data inventory is a line item for GDPR, but it’s an important piece of your privacy practices even if you aren’t required to comply with any particular privacy regulation. A data inventory gives you an organized overview of what data you’ve collected, how you’ve been using, sharing, processing, and storing it. You can then use that overview to track your data flow, help manage vendor relationships, keep your privacy notices up-to-date, and support a streamlined data collecting process. 

5. Offer your customers transparency

You may know why you’re asking your customers for their data, but do they? Chances are, they’d like to know. That’s where transparency comes in. Thankfully, there’s lots of room to communicate with them because your customers are presented with lots of privacy touchpoints in their relationship with you. Don’t miss these opportunities to clarify:

  • Why you’re asking them for their personal information
  • How and why you’re going to use it
  • Who you’re going to share it with
  • And always, how it benefits them

Be as specific as possible — no one gets warm fuzzies from vague legalese. 

6. Get your employees privacy-ready

If you don’t train your employees to handle privacy issues, then you’ll quickly run into compliance problems. Your customers’ data is handled by your employees. But do they know what your privacy policies are? Do they know why they’re in place and what it means for their jobs? Employees need thorough training on any regulations that apply to your customers, your workplace, your business, and your industry. 

data privacy SaaS

7. Back it up in multiple locations

We like the ancient idiom: Don’t put all your data in one basket. This can limit damages in cases of data breaches, although it’s important to be diligent about your backup processes: you want your data to be current and useful across all locations. 

This goes for when a customer requests that their data is deleted — consistency is important for honoring these individual rights requests. 

8. Put individual rights into your policies

Speaking of individual rights, don’t assume that honoring them is a one-size-fits-all task. Each regulation defines and honors individual rights differently, so you need to use a targeted approach for upholding them. The best place to start? Start by getting familiar with what the rights are in the first place. The more well versed you are, the easier it will be to come up with appropriate solutions. 

9. Marketing teams should be a priority

Marketing is a multifaceted, ever-changing industry. To meet privacy goals, you need to know how marketing activities intersect with privacy regulations. This means looking at how your business approaches its website(s), apps, email and social media marketing, any point at which data is collected. 

A few key points to remember: 

  • Rules vary by channels and tools. An email operates under different laws than websites. 
  • Regulations vary from country to country. What you can do in the US is different than what you can do in Australia or Brazil. 
  • Whatever you do, make managing how they share information easy with a preference center.

10. Trust is a long-term project

A business needs the trust of its customers, employees, and stakeholders to thrive. Privacy is part of that trust. And honoring privacy is an investment in it.

Start by developing solutions that support trust. Don’t just tell people they can trust you — show them why.

What are your goals for privacy in your Saas? If they are just to tick off the boxes on a compliance checklist, that’s definitely something you can do — but is that the best solution? 

Ultimately, what will get you further? A quick-and-dirty compliance plan that you have to scramble to change each time regulations shift? Or a thoughtful long-term strategy that focuses on nurturing customer trust and growing your business through privacy practices?

Software as a service is an essential part of business operations, but just because it offers value doesn’t mean that you should take a shortcut with privacy practices. Starting with these basics, you can achieve your goals and exceed everyone’s expectations for privacy standards.




cybersecurity graphicI’ve got a proposal: let’s not talk about how turbulent 2020 has been. Instead, let’s talk about the ways that we can make the rest of the year better, safer, more manageable for everyone. Since it’s Cybersecurity Awareness Month, of course, we’re thinking about improvements in that context.  

Turbulent times, after all, have a way of getting us to reassess our priorities. But in cybersecurity, COVID-19 has hammered a few realities in more than others:

  • Are there cracks in your cybersecurity foundation? Now isn’t the time to paper over them — we need real fixes.
  • In a time of damaged public trust, businesses need to prioritize establishing trust with their consumers
  • Resilience is foundational to weathering any kind of difficult periods

Cybersecurity, of course, is a big umbrella. Some of the big sticking points right now, though, are ones that have been with us for a while. Consider these ongoing issues then take a look at our top ten ways to step up cybersecurity at the end of 2020. 

What we’ve seen in 2020

Data breaches: That friend who you definitely didn’t invite to the party

Data breaches aren’t new news. But they’ve been on the uptick for years now. It’s not pretty, but closing your eyes and wishing reality away never helped anyone. 

And it looks like businesses simply aren’t prepared to face these risks. 

These are just SOME of the statistics — there’s a lot of information to process. And if it’s a lot of cybersecurity professionals to process, imagine how it feels for non-IT employees at your business. 

Consider the number of people internally who are responsible — either in a malicious way or not — for data breaches. This number shows why it’s critical to:

  • Have rigorous training programs in place for all staff
  • Implement consistent internal measures to monitor for security risks among staff

CCPA right of action

The California Consumer Privacy Act (CCPA) — yes, it’s about privacy, but it’s got security provisions written into the legislation that make it imperative for cybersecurity professionals to pay attention. Among the most pressing issues: the right of action. 

Under CCPA, consumers have the right to legal action if their records are exposed in a data breach IF the company hasn’t taken “reasonable measures” to secure their data. While “reasonable measures” currently has a vague definition, there are some takeaways that can help protect your data.

  • Keep on top of your data assets
    • Know where personal information is located, what access permissions are, and any other risk factor. 
    • Is your data stale? Toss it to avoid unnecessary security threats.
  • Implement appropriate permission levels to limit access to sensitive data
  • Regularly review data and permissions

A common issue with CCPA compliance — really, any kind of compliance — is that we think once we’ve met the guidelines, we’re in the clear to infinity and beyond. 

That’s unfortunately not the case. It’s an ongoing process and one that requires close monitoring.

Remote work: More risk, more reward

It’s a mark of just how wild 2020 has been that one of the most major shifts in the US workforce took place and yet it feels like a mere footnote. But it shouldn’t be, at least for anyone dealing with cybersecurity. 

There are upsides to working from home these days — public health, childcare, work-life balance (maybe?) — but it presents undeniable security risks. Consider this:

8 Steps to Cybersecurity for 2020 and 2021

In an increasingly tech-centered and remote-working world, there are ample opportunities to do this in a way that makes cybersecurity a core business practice rather than applying it as a bandaid when things go sidewise. 

For customers

What’s important for your customers is important for your business. Here’s how to communicate, 

1. Best practices start with communication

Best practices can feel pretty opaque to those who aren’t fluent in cybersecurity-ese. To combat this, place strategic messaging about your security measures throughout your points of contact. 

For example, when your customers sign in, you should use multifactor authentication (MFA), but why are you using it? What should they expect and how does it benefit the customer? Weave this information into signup forms, pop-ups, or emails to your customers are clued in along the way.

2. Make beefy passwords standard

Speaking of MFA, it’s a great tool, but it only works in tandem with strong passwords. Require customers to set up passwords that are hard to crack. Characteristics of a strong password include:

  • Combination of capital and lowercase letters, numbers, and special characteristics
  • No obvious substitutions (like $ for s, ! for i)
  • 12 characters of longer 
  • Doesn’t contain recognizable or attributable words, names, dates, or numbers (like birthdays, phone numbers, etc.) 
  • Unique to your customer’s account with you (i.e., not reused)

Password practices can be made even more secure by encouraging or requiring customers to change passwords regularly and not allowing reuse of passwords.

3. Prioritize maintenance

Cue up the cybersecurity mom voice in your head: Is your site secure? Are you updating to the latest versions and keeping everything patched? Are you backing up your data regularly? 

If you are avoiding doing these basic cyber-housekeeping tasks, remember that when you ski them, you leave a window open for hackers to compromise your customers’ data. Yes, it’s tedious to schedule maintenance, updates, and reboots, but it takes a whole lot more time to deal with the aftermath of a cybermess.  

4. Stay ahead of the compliance curve

Compliance isn’t one of those static areas of business. (Is there such a thing anymore?) Bridge the gap between privacy, security, and your customers needs by investing in staying current on what’s new with regulations like California Consumer Privacy Act and the EU’s General Data Protection Regulation, but also up-and-coming regulations. 

For employees

1. Create workforce awareness and accountability 

Training. Training, training, training. We can’t stress this enough. One of the best things that you can do for your entire workplace is to develop company-wide training that helps everyone in cybersecurity and privacy issues by implementing company-wide training. 

Get them smart on everything from phishing to password security to data management and privacy and the WHY of it all and you’ll have a team that’s more prepared to keep your business and its data safe.

Pro move: Don’t just make this a standalone training. Incorporate cybersecurity continuously, from onboarding to holiday party protocol and make it relevant and engaging. (Whatever that looks like in the future.)

2. Working remotely, the secure way

Yes, it’s been seven months since everyone went home en masse but lots of us are still there. Your team might well be among them. Have you gotten your remote work cybersecurity details in place? This is a whole big topic, but some low-hanging fruit that you can achieve includes: 

  • Implementing good VPN practices 
  • Setting up Two-factor Authentication (It’s not just for customers!) 
  • Developing safe standard practices for file access and management 
  • AND training (see above)

Even if you had worked out cybersecurity strategies for remote work this summer, with the upcoming cold/flu/COVID season, it’s advisable to revisit it to make sure your plans are working for your business and its employees. (And not hackers.)

3. Protect personal devices

Personal devices are an extension of ourselves these days, always within arms reach. They’re indispensable for managing our lives both inside and outside of work. 

This expansive utility makes them a unique cybersecurity risk. Your employees are probably (definitely?) using them for work purposes, but how secure are they? (Spoiler: probably not very.)

The best practice is to have employees only use company-owned laptops and smartphones so you can control security measures. However, this isn’t always possible so make sure you have policies and practices in place for security measures like enabling strong passwords, app downloads, file access policies, and location services.

4. Test for vulnerabilities

Bringing in an outsider like an ethical hacker or security expert to test your system is a great way to get a better understanding of where your weaknesses are. Let’s be honest, it’s really difficult to see where your problem spots are when you’re looking at them every day. On the other hand, someone whose job it is to find problems will be pros at rooting out coding bugs, finding backdoors, and other potential security threats. 

Cybersecurity Awareness Month is a prime opportunity to expand awareness and improve upon your practices. However, it’s also not really a once-a-year event — cybersecurity should be taking place every day for your customers and your employees. 

Want to learn more about how you can support cybersecurity and privacy? We’d love to chat with you. Drop us a line!


Get your free guide on 8 Steps to Cybersecurity for 2020 and 2021

You’ve made sure you’re complying with GDPR. Everything is taken care of for CCPA. That’s great! 

Now what about CPRA?

Wait, you might be saying, you just said that – you mean CCPA. And I’m squared away, thank you very much.

Not the case. While the California Consumer Privacy Act has just become enforceable as of July 1, there’s another privacy rights act lining up for the November 2020 ballot. This new act aims to build off of the work accomplished by CCPA to increase transparency and control for consumers over their personal information.  

For consumers, the California Privacy Rights Act (CPRA) – affectionately referred to by some as CCPA 2.0 – represents an expansion of privacy rights. For businesses, it represents both a challenge to keep up with compliance requirements as well as an opportunity to create an exceptional customer experience.

How so? Awareness of privacy issues are on the rise. Your customers are going to increasingly expect transparency on how you’re handling their data. Your privacy plans and policies are a big part of building a relationship with them. 

Ultimately, compliance isn’t just important to stay in line with the law. It’s important to sustain your consumers’ relationship with your business.

Where Did CPRA Come From?

Who’s driving this policy train? Californians for Consumer Privacy, the nonprofit group that helped get CCPA on the 2018 ballot. 

Although CCPA had yet to become enforceable at that time, in September 2019, Californians for Consumer Privacy submitted a ballot initiative for a new, in-depth privacy act that would build off of CCPA: the California Privacy Rights Act (CPRA). 

By May 2020, they had gathered more than 900,000 signatures to qualify for the ballot and on June 24th, 2020, the California Secretary of State announced that CPRA was eligible for the November 2020 election.

It’s important to note that CPRA is being brought forth as a ballot initiative. If CPRA is enacted by voters as part of a ballot initiative, it will only be able to be amended through another ballot initiative, not through legislation. This gives voters a greater voice in privacy measures rather than relying on the legislative process to move the needle forward.  

What is CPRA? 

CPRA takes many of the ideas and concepts from CCPA and expands them for California residents, allowing them a greater degree of control over their personal information while implementing further requirements for businesses in regards to how they collect, use, and store that personal information. Some aspects of it even move the law closer to the General Data Protection Regulation (GDPR), such as new requirements on data retention, an expanded right to know and access personal information, and further definitions of sensitive data.

Much like CCPA, the impact of CPRA would be felt far beyond California’s state borders. Also similar to CCPA, it would apply to businesses and organizations that meet certain eligibility requirements and process California residents’ personal information – regardless of where the business or organization operates from.

But these are generalities. What are some of the important – and specific – additions and changes being made to CCPA within this legislation if it ends up being enacted?

Establishment of a California Privacy Protection Agency

This agency would oversee enforcement of CPRA rather than the California Attorney General, who is the sole arbiter of CCPA enforcement.  

Until the California Privacy Protection Agency is enacted, the Attorney General would have rulemaking authority to issue regulations on topics like identifying business purposes for the use of personal information, updating the definition of personal information, and more.

Sensitive Personal Information

Sensitive personal information is at the core of privacy issues. The CPRA would establish a further category of sensitive personal information under Cal. Civ. Code § 1798.140(ae)—“sensitive personal information,” which is defined as not publicly available including:

  • Social security number
  • Driver’s license number
  • Passport number
  • Financial account information
  • Precise geolocation
  • Race and ethnicity
  • Religion
  • Union membership
  • Personal communications
  • Genetic data
  • Biometric and health information
  • Sexual orientation and sex life information

Sound familiar? Some of these items are reminiscent of GDPR and its categories of sensitive data – genetic data and biometric information, religion, race and ethnicity, sexual orientation and sex life information, and union membership are all held in common between the two regulations. 

As part of this new category of personal information, businesses have to offer transparent disclosures about what sensitive data they process. Those same businesses would be subject to greater restrictions in its use as well. 

Along with the expanded definition, CPRA would allow consumers more extensive rights around the use of their sensitive personal information. Among those rights would be the right to request to correct personal information held by a business if that information is inaccurate. 

This may sound like an odd provision to include in the law, since many businesses already provide this service to their customers as a courtesy. However, mandating a correction mechanism increases the stakes if you don’t. 

Think about it from the consumer’s perspective: It’s all about trust and relationships. When consumers give you their information, they’re trusting you with just that. THEIR information! 

They have a right to access and control it. By helping them exercise that right, your business actively demonstrates their rights and needs matter to you. Your relationship is a two-way street! 

Children’s Data

Protecting children’s privacy has been a major point for CCPA. CPRA takes it even further. Under CPRA, businesses and organizations that violate CCPA’s opt-in right will face triple the amount of fines. 

They will also have to get opt-in consent to sell or share data from any consumer under the age of 16. (Currently, under CCPA, parents must provide consent for children under the age of 13. For children between 13-16, the child themselves must provide consent.) (Currently, under CCPA, this applies to consumers under the age of 13.)  


CPRA would add new layers of transparency and data governance policies. One meaningful addition is that it would require businesses to notify consumers at or before the collection of data:

  • Whether information is sold or shared
  • Information on sensitive categories of personal information that are collected
  • How long consumer’s personal information is retained 

Moreover, CPRA would aim to prohibit keeping personal information for longer than is “reasonably necessary” for the specifically disclosed purposes of collection. It would also limit the collection, use, retention, and sharing of data to what is “reasonably necessary” to achieve those same disclosed purposes. 

It’s especially important for your business to take transparency requirements to heart. This isn’t just a legal need. It’s a customer experience need. Think of all the stories in the news about lack of transparency. It may not sink the boat immediately, but it significantly damages your customers’ ability to trust you. 

Data Breach Liability Provision

Data breaches are a significant – and increasing – worry for consumers. Almost half of surveyed consumers in a 2019 report by Ping Identity were more worried about data breaches than they were the previous year. But while they’re worried about it, they expect businesses to help safeguard them: 63% of consumers believe that a company holds responsibility for protecting their data. 

So it’s not surprising that a data breach liability provision was included in CPRA to expand on existing CCPA rules. The CCPA already grants consumers in California the right to bring legal action for damages resulting from a data breach. However, CPRA provides greater clarity by stating that breaches compromising a consumer’s email address and either their password or security question/answer can result in liability for the company.

This provision helps resolve the ambiguity in the current CCPA regarding a business’ duty to implement reasonable security and when a consumer’s right to legal action following a data breach might apply. 

Is your team smart on data breaches? How you handle it has a huge impact on how quickly you recover from one. A training program can make all the difference.

If it’s enacted, would CPRA apply to my business or organization?

If you’re already required to comply with CCPA, then the new terms of CPRA would apply to you. However, CPRA changes the scope of CCPA in some significant ways.

  • CPRA will extend the CCPA’s exemptions for workplace-related information until January 1, 2023 (i.e., for employees, job applicants and business-to-business contacts). If CPRA doesn’t pass, these CCPA exemptions will expire on January 1, 2021. 
  • Increases the threshold of businesses to for-profit entities that process 100,000+consumers or households, meaning that many small businesses would fall outside of the scope of the legislation. However, if enacted, this wouldn’t go into effect until 2023, meaning that these businesses would still need to comply with CCPA requirements.
  • Requires entities sharing common control and common branding that also share consumer personal information to be considered the same “business” 

What if CPRA passes in November? What comes next?

CPRA will be voted on by California residents in the General Election in November 2020. If it passes, eligible businesses and organizations will have until January 2023 to bring their data collection programs into compliance with the new law. 

Two years is a long time, though, in terms of data and security issues. As per CPRA, the California Privacy Protection Agency would be established during this time. Until it is established, CCPA would continue its regulatory work under the Office of the Attorney General.

There is still a lot of discussion to be had around CPRA as November inches closer and closer. But it shows a continued movement towards GDPR-type legislation in the US and increases the likelihood that other states will follow suit. For businesses, this indicates clearly: compliance (and transparency) is becoming more than a best practice. It’s becoming a business necessity. 

We know that new compliance requirements can be a challenge to juggle with existing ones. It can be even harder to make sure that they’re part of your consumer relationships. We’re here to help with that. Contact Red Clover Advisors today for a free consultation.

For many organizations in the US and abroad, the General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached.

These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to implement cookie banners across their website and app. But while it’s tempting to just add a cookie banner to your website and move on to your next project, do you know what the deal actually is with them – and how to make sure you’re truly compliant? 

Differences Between GDPR and CCPA: The Nutshell Version

Comparing GDPR and CCPA can be a helpful exercise in understanding data privacy issues. While the two regulations aren’t interchangeable, they both deal with similar issues and similar concerns in individual rights. Both of them create legal requirements around:

  • Transparency in businesses practices dealing with personal data 
  • Security and control over personal information for consumers
  • Defining digital identifiers (cookies) as personal information  

One of the big points of departure between GDPR and CCPA is the issue of user consent. Consent and data are approached from two different angles between GDPR and CCPA. GDPR centers on the user, requiring prior consent for collecting cookies. CCPA allows businesses the ability to collect data before getting consent as long as users have the ability to opt-out of collection.

Another significant difference between GDPR and CCPA is scope. While both have international reach, despite the fact they pertain to residents of specific territories, compliance mandates differ. Under GDPR, any website, organization, or business has to comply with the regulation if it’s processing the personal data of EU residents. (Even if they aren’t actually located in the EU.)

On the other hand, the CCPA requires companies or for-profit businesses or organizations have to comply – and only if they meet the following criteria:

  • Has a gross revenue of more than $25 million
  • Buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices each year for commercial purposes
  • Derives 50% or more of annual revenues from selling consumers’ personal information.

Meet Your GDPR Cookie Banner Compliance Requirements

GDPR compliance. We’ve been talking with that for a little bit, haven’t we? Seeing that GDPR has been in effect since May 25, 2018, you may have already grappled with cookie banners and consent.  

A key tenant – perhaps even THE key tenant – of GDPR requirements is that EU residents have the right to be informed when a business or organization collects their personal data. And it’s not just that they’re collecting the data – businesses and organizations have to tell people why they’re collecting it, how long they’re keeping it, and who they’re sharing it with. If an individual doesn’t want their data used in that manner, they have the right to object.

But how does this actually play out on websites? Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR and it has to have several pieces in place. 

Opt-in Cookie Consent

When you set up your cookie banner, the safest way to approach cookie consent is to take an opt-in approach. The opt-in approach means that website visitors have to actively give you permission to drop cookies. (At least those that aren’t essential for site functions.)  

How do you get that consent? By an opt-in button. But remember, your text has to be crystal clear in communicating that the user is agreeing to cookie deployment. 

More on Cookie Deployment

Let’s expand on cookie deployment just a little bit. According to GDPR, your website needs to be sufficiently detailed so that visitors are able to give informed consent about accepting cookies. A key piece of this information is the whats and whys of your cookies. What kinds of cookies are you using? Why do you want the data and how are you going to use it? 

Third-Party Data Sharing

When we talk about how we’re using visitors’ data, one topic that comes up time and again is sharing with third-party vendors. Third-party vendors provide businesses with valuable services, but they also pose a security risk. For transparency, you need to inform users who else has access to their data. 

Link to the Website’s Cookie Policy. 

You’ve got a cookie policy. (Right?) Don’t be shy about sharing it with your website visitors – it’s part of your compliance journey. 

The most straightforward way to get people to your policy is by adding a link to your website’s cookie policy in your cookie banner. Your cookie policy should cover the details of how cookies are used on your site and include an exhaustive list of all the cookies you’ve put into place. 

Win Brownie (Err…, Cookie) Points

You don’t have to do this, but your visitors will appreciate it if you add a link to your cookie settings within the cookie banner. Yes, it’s not strictly required by GDPR as long as visitors have the choice to refuse all cookies. Website users, unsurprisingly, appreciate the option to control their user experience and their data. 

Meet Your CCPA Cookie Banner Compliance Requirements

The CCPA went into effect on January 1, 2020, but only recently became enforceable as of July 1. Similar to GDPR, CCPA gives California residents the right to be informed when a business or organization collects their personal data. In fact, California residents even have the right to bring suit against businesses in certain cases. 

Under CCPA, website owners have to inform users about what information they’re collecting, how they’re processing it, and with whom they share it. That part is very similar to GDPR. 

However, there is a big difference between GDPR and CCPA: CCPA takes an opt-out rather than an opt-in approach. While CCPA doesn’t require a banner to facilitate the opt-out, it’s currently the best practice to make sure you’re giving visitors the ability to opt-out at the time of – or before – collection.  

The CCPA does restrict one aspect of data collection for websites: the sale of personal data for visitors under 16 years old. These underage visitors are required to opt-in rather than opt-out. So if you’re not sure you don’t have visitors under the age of 16, it’s better to use the opt-in approach. 

With all that in mind, let’s take a look at the Ingredients for a CCPA-compliant cookie banner. You should include the following in your cookie banner. 

Information About Cookie Use

CCPA requires websites to provide users with the details about why they’re collecting and using cookies and if they’re going to be sharing or selling that information to third parties. 

A Button to Accept Cookies

As noted above, there’s not an opt-in requirement under CCPA. However, you can include a link that allows users to accept cookies. (But you can fire cookies before the website user accepts them as long as you give them the information about data you’re collecting at the point of collection.) 

As in the GDPR version of a cookie banner, you have the option of including a link to a cookie setting page that allows users to opt-in or out. No, it’s not necessary, but yes, it’s a good step towards transparency and user experience. 

Do Not Sell Button

Under CCPA, you’ve got to give your users the ability to opt-out not just of data collection, but of the sale of personal information. According to CCPA, selling includes the following: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” With such a broad definition, it’s important for companies to understand the data that is collected and shared and specifically what the third party is doing with the information to determine if data is classified as a sale under CCPA 

(One issue to be mindful of is how you or your partners are using ad tech. While not all ad tech is considered selling, some uses may fall into the category of sales.) 

To uphold CCPA requirements, you need to provide the option of opting out. CCPA is specific on how you should do this: include a link or button to an opt-out form on your website’s home page. 

Your “Do Not Sell” needs to include some specific information, as well. It needs to have:

  • A link to your website’s privacy policy
  • A button that allows them to opt-out of personalized ads

Let us reiterate: Your “Do Not Sell” button isn’t the same thing as or interchangeable with a cookie banner. Don’t treat it as such. It’s a separate function. However, it’s smart to use it alongside your cookie banner to help your website use cookies to process data in a CCPA-compliant manner.

Tying it all together

Yes, both GDPR and CCPA have a lot of moving pieces that you have to address in your cookie banners. And yes, it’s tempting just to find a customizable cookie banner online and wash your hands of it. 

But we don’t recommend this approach. Cookie banners don’t exist in a vacuum. Cookies change and have to be updated. It should all be part of your larger privacy strategy.  

If this feels overwhelming, we hear you. That’s why we work closely with clients to build a manageable strategy for long-term business goals. Ready to take the next step? Give us a shout. We’d love to chat.

The California Privacy Rights Act (CPRA) is intended to amend the California Consumer Privacy Act (CCPA) and ultimately to give consumers more control over their information. The Californians for Consumer Privacy coalition is working to obtain enough signatures to put CPRA on the November 2020 ballot. If successful, Californians would have the opportunity to vote this ballot initiative into law.  Should it pass, it will go into effect January 1, 2023.

CPRA at a glance:

  • Sensitive Information: Creates new rights allowing consumers to stop businesses using sensitive personal information (“SPI”). SPI includes SSN, DL, Passport, financial account info, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation, email + password.
  • Children’s Datta: It will triple 2018’s CCPA fines for collecting and selling children’s private information. It will also require opt-in consent in order to sell info from consumers under the age of 16.
  • Geolocation: Prohibit businesses from tracking precise geolocation for most purposes, including advertising, to a location within roughly 250 acres.
  • Enforcement Arm: Establishes an enforcement arm called the California Privacy Protection Agency and institutes a 5 year statute of limitations for filing claims of violations of the Act.

Comparison of existing Privacy Laws GDPR & CCPA to CPRA.

Right to Know What Information a Business has Collected About You
Right to Say No to Sale of Your Info
Right to Delete Your Information
Data Security: Businesses Required to Keep Your Info Safe
Data Portability: Right to Access Your Information in Portable Format
Special Protections for Minors
Requires Easy “Do Not Sell My Info” Button for Consumers X
Provides Ability to Browser with No Pop-Ups or Sale of Your Information X X
Penalties if Email Plus Password Stolen Due to Negligence X
Right to Restrict Use of Sensitive Personal Information X
Right to Correct Your Data X
Storage Limitations: Right to Prevent Companies from Storing Info Longer than Necessary X
Data Minimization: Right to Prevent Companies from Collecting More Info than Necessary X
Right to Opt Out of Advertisers Using Precise Geolocation (< than 1/3 mile) X
Ability to Override Privacy in Emergencies (Threat of Injury / Death to a Consumer) X
Provides Transparency Around “Profiling” and “Automated Decision Making” X
Establishes California Privacy Protection Agency to Protect Consumers X
Restrictions on Onward Transfer to Protect Your Personal Information X
Requires High Risk Data Processors to Perform Regular Cybersecurity Audits X
Requires High Risk Data Processors to Preform Regular Risk Assessments X
Appoints Chief Auditor with Power to Audit Businesses’ Data Practices X
Protects California Privacy Law from being Weakened in Legislature X
Provides Transparency Around “Profiling” and “Automated Decision Making” X
Establishes California Privacy Protection Agency to Protect Consumers X
Restrictions on Onward Transfer to Protect Your Personal Information X
Requires High Risk Data Processors to Perform Regular Cybersecurity Audits X
Requires High Risk Data Processors to Preform Regular Risk Assessments X
Appoints Chief Auditor with Power to Audit Businesses’ Data Practices X
Protects California Privacy Law from being Weakened in Legislature N/A X


Businesses subject to CCPA would need to make some updates to their CCPA programs, including:

  • Update categories of personal information to include sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
  • Inclusion of email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a)
  • Provide a right to limit the use of sensitive data for any secondary purpose and a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution.
  • Provide notice to consumers about the length of time each category of personal information will be retained and provide right to data minimization, as well as.
  • Be able to correct inaccurate personal information.
  • Right to know, access and receive personal information collected before the 12-month lookback period for data collected on or after Jan. 1, 2022.
  • Direct obligations on service providers to assist with CPRA compliance activities.
  • Definition of cross-context behavioral advertising and limitations exempts certain analytics functions but clearly now targets this activity to do-not-sell obligations so even if you are collecting data for analytics purposes only, you’d need to offer a “opt-out/do not sell” option in this context.
  • Expands the definition of “Business” to include a joint venture or partnership composed of businesses in which each business has at least a 40% interest.