Did you know there’s an entire day dedicated to data privacy? Well, it’s an important subject, so it’s no wonder. Here’s the scoop!

Data Privacy Day is an international holiday that occurs annually on January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Israel, and dozens of European countries.

It began as a day focused on educating young people – mostly teens and young adults – about how to be safe online and keep their personal information safe on social networking platforms. Over the past four years, with more elements of our lives being digitized, Data Privacy Day has expanded to include companies and consumers and the more general concerns of data privacy.

Data Privacy Laws

With the U.S. at the forefront of new data privacy laws recently passed or under review in various state legislatures, data privacy is a popular subject as of late. This year’s theme for Data Privacy Day is also quite timely given the focus on the value of data as recognized by the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The theme is: Personal information is like money. Value it. Protect it.

Today is a great day to remind your employees that data privacy is a key player in the way you conduct business. As part of CCPA compliance, your employees should already be trained in your privacy policies and how to handle customer individual rights claims, but today is a great day for extra attention and some refreshers.

Data Privacy Employee Training Tips

  1. On-going education. Don’t let today be the only time you talk about data privacy this year. Create a monthly or quarterly tip series on how to protect data, on what relevant privacy laws like GDPR or CCPA mean for someone’s role, and on how and when to conduct a privacy impact assessment or contact the privacy office.
  2. Test data privacy scenarios. Based on employee roles, present them with a data privacy scenario and see how they handle the issue. According to Shred-It’s State of the Industry report, nearly half (47%) of C-suite executives and 42% of small business owners report that human error or accidental loss by an employee is the cause of a data breach. Employees are both the strongest and weakest link in a privacy program. And, thanks to CCPA and other regulations, those breaches can result in penalties above and beyond real-life costs.
  3. Use signage as reminders. You can create attention-grabbing signage to put in the break room, on the elevator, in the bathrooms, or other frequented spots with tips and updates to your data privacy policies and practices. Be sure to change their locations and content to keep them fresh and employees engaged with the information you are sharing.
  4. Create a recognition system. Use this as an opportunity to recognize the employees who really understand and implement your company’s data privacy practices day in and day out. You can recognize a few people each month or quarter in a company-wide email. You can create an on-going system in which employees could earn 10 points for every week in which they do not commit any data privacy errors. After collecting 50 points, they could earn rewards like a $5 gift card for coffee. Make the amount of points work for your team, budget, and the recognition frequency you want to maintain energy around data privacy.
  5. Communicate effectively with employees. Data privacy regulations are fluid, with more states joining the CCPA way of thinking. Keep your team up to date with any changes or additions to their practices. To be effective, this communication needs to align with the company culture. Maybe it is a short funny video, an online game or quiz, a short email from an executive, or an article on the intranet. A mix of styles is important for quality engagement.
  6. Bring in an expert. Your employees may get tired of hearing about data privacy from you or another superior, so change it up a little! Host a lunch and bring in a data privacy expert. Learning about the subject from someone new who has more credentials on the subject can re-excite people about data privacy. Plus, free lunch never hurts!

Make Every Day Data Privacy Day

It’s important to remember that data privacy policies and practices are not something you can think about once a year and then forget about. Continually make this part of staff meetings and company-wide communications. Be sure you are on top of any updates and changes that are made to national data privacy regulations. And, above all, remember that data privacy should be a driver in your business strategies in 2020 and beyond.

If you’d like to discuss how to make data privacy an integrated part of your company’s day-to-day operations, please schedule a 20-minute complimentary consultation. We’d love to help you make every day Data Privacy Day!

CCPA regulations are now official. It is important to achieve CCPA compliance, understand potential CCPA pitfalls, and how you can avoid making costly mistakes.

5 simple steps to CCPA compliance for small business owners

Running a small business can be stressful. Trust me, when I started Red Clover Advisors, I felt overwhelmed by day-to-day operational challenges, building our client base, and ensuring that we were providing top-notch advice and service. Regardless of your industry, being a small business owner means you wear a lot of hats and there are certain areas in which you just don’t have expertise.

Perhaps the CCPA regulations that take effect on January 1, 2020 are one of those items that have piled onto your stress list. Don’t worry! Here are five simple steps to CCPA compliance success for small business owners that I think will really help you navigate the process.

  1. Data is king. If you do not know what customer data you have or understand its implications, it is nearly impossible to comply with the CCPA regulations. The key here is that under the CCPA, data you collect qualifies as personal information. You should start the data mapping process now, if you have not already. Here are some questions to consider when you undergo data mapping:
    • Where do you host your data (including with any third parties)?
    • For what purpose is the data you collect used?
    • Do you collect and sell data on children?
  2. Notify, notify, notify. You can no longer tell a customer only once that you are collecting their information. Under the CCPA, you must provide four different notices and update them appropriately. These include the notice of collection of personal information, customer opt-out rights, the financial incentive notice, and your business’ privacy policy. While the CCPA regulations may sound like legal jargon to you, it is important that your notices are consumer friendly. Here are some questions to consider when creating or reviewing your notices:
    • Are your notices easy for anyone to understand?
    • Do the notices detail the data you collect, such as the sources of information or categories of personal information collected?
    • Do they provide information regarding what your business plans to do with the information collected?
    • Are they designed to grab a customer’s attention? What about individuals with disabilities?
    • Do you do business in another country or with those who speak a language other than English? If so, is each notice available in that language?
  3. Consumer-Centric. You need to have a plan for individuals’ rights, which includes being accessible for consumer requests, verification of data, and opt-out options. Under the CCPA, you must explain what you plan to do with the data you collect and provide two ways for customers to contact you regarding said data. Here are some questions to consider when developing your plan:
    • Do you have methods for contact in place? For nearly all businesses, one of these methods must be a toll-free phone number; is it set up? Many businesses also opt for an electronic method; is this right for your business?
    • Do you have a system to ensure timely responses to consumer requests? This can be hard when you are juggling so many things, but it is very important to be aware of these time constraints and abide by them. Did you know that the CCPA regulations state you have to acknowledge most consumer requests within 10 days? And that the data verification process has to be complete within 45 days?
    • Does your team know how to verify consumer information or what to do in cases where you cannot verify a consumer?
    • Do you have an opt-out policy and process in place? And is it in the CCPA-approved format?
  4. Train your team. We all know that customer service is important, but this training goes beyond getting a positive or negative review on social media. Under the CCPA regulations there are new requirements about documentation that anyone who handles consumer requests and data needs to be aware of and properly trained on. Here are some questions to consider when creating a training manual:
    • Do your employees know they must keep a record of the customer requests that your business is receiving?
    • Do they know these records must be maintained in a log or ticket format?
    • Do they know that the information maintained in these records cannot be used for any other business purpose?
  5. Rinse and repeat. Once you have a plan in place and have mapped your data, it is important to keep in mind that this is not a one-time thing. Being responsible for consumer data and staying up to date on state and national regulations is the new norm, not something you can set up once and forget about. Here are some questions to consider as you look ahead:
    • How will you integrate the plan for new consumers and their data?
    • How will you keep up with adjustments to the regulations?
    • How will compliance be maintained on an ongoing basis?

We hope this was a helpful resource. But, if you still have questions, please schedule a free call with us. Red Clover Advisors would love to help you navigate this process and make your life a little less stressful.


2019 has been quite a year for the privacy world.

The GDPR celebrated its first birthday with a slew of fines and investigations.

The Nevada privacy law (Senate Bill 220) passed and went into effect, as well as ones for Illinois and Maine. Vermont and South Carolina followed suit with minor updates to existing laws. And in all, 24 states considered enacting data privacy laws in 2019.

Not to mention that, with a deadline of Jan. 1, 2020, the California Consumer Privacy Act (CCPA) has ushered in a slew of preparations of its own.

With all of these privacy regulations a part of business as usual in 2019 – and more coming down the pipeline – it’s important companies look at privacy best practices as more than just a nice-to-have. It could make or break your brand in the future.

Protecting consumer rights isn’t just the law anymore. It’s a way to prove your trustworthiness to consumers.

Because it’s such an important part of how brands will function and prosper in the future, we’re highlighting the ways big and small brands alike have embraced privacy best practices in 2019. Use these examples to shape your own strategy for privacy in 2020 and years to come.

The CCPA field guide helps you understand individual rights under the new law.

Hailed by some to be a landmark law heralding the future of consumer privacy, the California Consumer Privacy Act (CCPA) will change the way we do business – across all industries – forever.

Nicknamed by some GDPR Lite because of how twin-like it is to the EU’s privacy law, the CCPA leverages a lot of the same strategies as GDPR. And just like its brother from across the pond, this U.S.-based, paradigm-shifting consumer privacy law is a gamechanger for everyone.

In fact, if your business is in the United States and collects information about California residents, the CCPA applies to you. 

Small businesses who think they’re off the hook are in for a shock. If you have a contact form on your website, collect resumes from candidates for job openings, or operate a brick-and-mortar location, the CCPA probably applies to you. 

Technically, the CCPA rules apply to a for-profit “business” that does business in California and meets one or more of the following thresholds:

  • Generates an annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices

Even if you think the CCPA doesn’t pertain to your business, you’d be wise to implement the requirements anyway. Although it’s the first state law of its kind, it most certainly won’t be the last. Consumers are growing more and more concerned about their private information, and there may be no going back. 

The new individual rights requirements in the CCPA are so significant, the risk of non-compliance is an accident waiting to happen.

To help, we created this comprehensive field guide. It explains the CCPA individual rights requirements and provides step-by-step recommendations for implementation so U.S. businesses can comply with accuracy, timeliness, and confidence.


On October 10, 2019, the California Attorney General released a document of Proposed Regulations for the California Consumer Privacy Act.

Privacy compliance is the new kid on the block.

The first regulation to shake things up was the GDPR. The CCPA followed not long after and now other states such as Illinois, Maine and Nevada are setting up house.

It won’t be long before most states have privacy laws, and smart companies are taking the hint.

In fact, most organizations realize that managing security and privacy compliance today is a full-time job. Large companies with even larger budgets are responding to the increasing security threats by hiring Chief Information Security Officers (CISOs). These roles have been around for a while and are becoming more and more common thanks to the rise of cyberthreats like malware, which increased 54 percent in 2018.

And for the mid-market and SMBs who need the same help – but don’t have the budget to pay for it – Virtual Chief Information Security Officers (vCISOs) are the cost-effective answer. These top-tier security experts are paid on an as-needed basis.

What most people don’t know about vCISOs is that they’re only focused on protecting your data from bad characters and shady vendors. They aren’t responsible for privacy compliance, especially when it comes to the use and collection of data.

This is a completely different side of privacy compliance that vCISOs aren’t able to address. In fact, you’ll need a dedicated privacy compliance person for these tasks.

Enter the Fractional Privacy Officer.


The forewarned – and often dreaded – ripple effects of the GDPR are finally rolling in.

After the European law went into effect in May 2018, it kicked off a tidal wave of action. In fact, California enacted its California Consumer Privacy Act (CCPA) the same year and 24 states considered data privacy laws in 2019.

Vermont and South Carolina made minor updates to their laws. But Illinois, Maine and Nevada fully followed through on their promises to enact legislation, with the latter’s compliance deadline approaching rapidly.

But this is just the beginning.


The recent Facebook data privacy scandal can teach businesses A LOT of important lessons about privacy.

Many feel Facebook got a slap on the wrist and didn’t learn its lesson after the Federal Trade Commission (FTC) penalized the social media giant $5 billion. 

The fine came as punishment for deceitful privacy practices in the Cambridge Analytica/Facebook scandal and other privacy breaches. Facebook settled a similar charge in 2011 with the FTC. It paid the fine, but went about doing pretty much the same thing: Breaking its privacy promises to users and to the FTC. 

Even though the fine is about 220 times larger than anything the FTC has imposed in similar cases, not everyone was impressed. The agency faced accusations of going light on Facebook. An irate FTC commissioner felt that this figure was so small that Facebook could still claim a profit on its crimes.

He was referring to Facebook’s stock that went up after news of the FTC’s record fine was announced.

The fine was only one part of the settlement that Facebook agreed to. The FTC “Order” also includes a new series of restrictions on the business to ensure compliance. These restrictions join a list of other procedures that provide privacy oversight. 

Here’s a complete list:

  • A dedicated privacy team that reviews new products
  • A separate board level privacy committee
  • Privacy audits
  • A privacy impact assessment for every new or updated product, service, or practice prior to implementation

In a statement the FTC wrote, “…if there are any deviations, they likely will be detected and remedied quickly.”

These restrictions provide companies with a blueprint of what the FTC will be looking for in privacy policies and procedures. With new privacy laws more common than not, companies would be wise to follow these best practices.

Will the FACEBOOK data privacy scandal set a precedent?

Marc Groman, a privacy professional on the International Association of Privacy Professionals (IAPP) Board, used to work at the FTC.

In 2015, Groman wrote on the IAPP site that he felt even though “…(FTC) settlements do not act as binding precedent for other companies,” companies shouldn’t ignore best privacy practices if they want to avoid being investigated. 

He recommends companies take a look at the FTC’s casebook which lists at least 180 privacy and data security enforcement actions taken by the FTC.

As the de facto U.S. privacy and data security regulator, the FTC has asked the House Energy and Commerce subcommittee during a May meeting for more resources. It would use these resources to police violations and to increase authority to impose penalties.

Privacy Laws Just Keep Coming

At the May meeting, the FTC also asked Congress to create a national privacy law that would regulate how tech giants like Facebook and Google gather, store, and share the personal data of users.

While the commission and the rest of the world wait for Congress to pass a comprehensive privacy law, many individual states are clamping down hard to protect their residents.

The number of states with these types of data security laws has doubled since 2016. 

  • Nevada and Maine have followed in California’s 2018 footsteps by passing new privacy protections for consumers. 
  • Vermont in 2018 enacted a law that requires businesses that collect and sell or license personal information to third parties to disclose to individuals which data is being collected and to permit them to opt out.
  • Maine passed a law placing restrictions on how Internet service providers share Mainers’ personal information.
  • Nevada passed an amendment to its online privacy law. Businesses have to offer consumers a right to opt-out of the sale of their personal information. It will take effect on October 1, 2019.
  • New York, Washington and Texas each introduced similar bills to CCPA.
  • Other states with tough privacy laws are Utah, Delaware and Illinois.
  • According to the National Conference of State Legislatures, more than 100 privacy bills are currently pending in the states. 

Privacy. It’s a public concern. Don’t ignore it.

Privacy naysayers believe that the public has thrown up its hands in light of all the data breaches.

But in the wake of the Facebook gaffe, the public’s concern over data privacy is increasing. Believe it or not, Americans are more concerned about it than job creation and health care.

Here are some surveys and studies that indicate the public does care about privacy:

  • The National Telecommunications and Information Administration revealed that 45% of households said that loss of personal data control made them uneasy about sharing personal information while doing online banking, shopping or discussing controversial or political matters on social networks.
  • Another study done by Deloitte Insights found that 70% of consumers would be more likely to buy from a company that was verified by a third party as having high data privacy standards.

Data is a company’s most strategic and valuable asset. Protect it.

Know your data: you can’t protect what you don’t know.

That means creating a data inventory. This should include every piece of information stored or processed by your company, whether electronic or hard copy.

Remember, you can’t comply with any law if you don’t know what data you have.

You should also make sure you know who has access to your collected data. And tell third-party organizations they will be monitored and held responsible for how they use the data.

Finally, complete a gap assessment to show you how likely you are to have an information breach. If you do this annually, you’ll be able to identify any business activities that are not in compliance with privacy regulations.

Be the company that respects personal data

Customers will know you respect them when they see how transparent you are.

Twenty-page terms and conditions statements with data usage hidden for a single app download don’t cut it anymore.

  • Don’t hide security and privacy settings behind complex menus or bury them in Terms and Conditions. It looks suspicious. And more importantly, it frustrates customers. 
  • Allow your customers the option of opting out anytime they feel uncomfortable.
  • Be open with customers on how their data can potentially be used.
  • Inform customers if you’re considering selling their data.
  • Get explicit customer consent when applicable.
  • Put the customers in control. Provide flexibility in the types of data they are able to share. 

Conclusion: Be Proactive

The Facebook scandal has been so troubling because it highlights a massive transparency issue.

The lesson is to be proactive. 

Reevaluate your data practices. Communicate them clearly and transparently to your customers. Stick to your word. You’ll come out stronger on the other side.  

Don’t look at privacy laws as burdens. 

Complying with regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), effective January 1, 2020, can actually help you mitigate risk and, in the long run, increase your potential for a competitive advantage.

Breaches cost more money than taking steps toward compliance.

If you’re having trouble navigating your way through the plethora of privacy-related laws and regulations, we can help. Schedule a consultation today.

Schedule a consult with Red Clover Advisors.