When privacy policies make it into the news, it’s rarely because people are raving about them. Bad privacy policies are talked about, lambasted for being incomprehensible, unfriendly, and, frankly, unreadable. (Just take a look at The New York Times’ “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster” to see just how excruciatingly unreadable they can be.) 

In the worst cases, privacy policies make headlines when their data practices and privacy notices don’t align. (At the extreme end, Facebook paid a hefty fine due to privacy notice violations.) 

Or maybe you’ve thought a lot about privacy policies. You care about your customers and staying in line with laws and now you can cross this off your to-do list. Compliance – achieved!

But compliance is more complex than that. It’s not a bag of popcorn that you pop in the microwave and in 2 minutes, *ding*, it’s done and ready. Compliance is like a sourdough starter. (Yes, even privacy consultants do pandemic baking!) You’ve got to pay attention to environmental conditions, make adjustments to keep it happy, and treat it like the living, breathing being that it is. 

So let’s get started.

CCPA Privacy Policy Requirements

The California Consumer Privacy Act (CCPA) became enforceable on July 1, 2020, and a major element of it is keeping your privacy policy and privacy notice up to date. Let’s talk about how we make that happen.

Privacy policies and notices are essential for communicating how your organization thinks about personal information and data security. They facilitate compliance. They define terms, how data is handled, and communicate this critical information. 

Privacy notices should be like snowflakes

No two should be alike. Every company is on its own mission when it comes to data. That website your customer just visited? It’s got its own mindset at work. 

It’s not an overstatement to say this is a great opportunity. Own your privacy notice! Your privacy notice is an opportunity to show your customers the specifics of your data collection plans. Transparency builds trust, after all. 

How to get your privacy notice right

Communicating with your customers is critical when it comes to your data collection, so let’s focus on how you get your privacy notice done so well, they thank you for putting it together. (Hey, a privacy consultant can dream, can’t she?) 

Putting it together well is a statement of your brand, your values, and a chance to connect with your customers. Some things to keep in mind:

  • Make sure your brand voice and tone extend to your privacy notice. Whether you’re no-nonsense, cheeky, approachable, or authoritative, make sure it carries over.
  • Use sections and hyperlink between them to increase readability and usability.
  • Visual elements can be valuable – consider a graphic summary to deliver the content to your audience in a way they’ll quickly understand.

Getting it right means starting with a good privacy program. Learn more about what goes into one.

And remember, privacy regulations change over time. Although CCPA just became enforceable, there’s a new privacy regulation on the horizon – the California Privacy Rights Act (CPRA). This act will bring new requirements to bear on privacy practices and notice obligations will definitely be affected. What works today may need to change tomorrow. That’s why your business benefits from really integrating privacy into your brand values – it makes adapting to new conditions considerably easier when you have that infrastructure in place. 

Don’t make your customers look for it:

Keep these following line items in mind when determining if your privacy notice is ready to go:

  • How are your customers getting your privacy notice? You’ve got some options. You can make it available via a web form or cookie banner on your websites or a just-in-time pop up on your mobile app. 
  • However you choose to implement it, it needs to be available to users “at or before the point of collection.” That means no surprise notifications after the fact! 
  • Your privacy notice can’t just be “available.” It needs to be conspicuous. The standard location is the footer or within the hamburger menu on a mobile app. 
  • Make sure you provide it for every type of personal data you collect – this includes data collected through digital technologies like Facebook and Google pixels. 

What does your notice need to tell people?

Under CCPA, there are some specific line items that you have to cover in order to be in compliance.

Privacy notice checklist

Let’s take a look at the content requirements for a CCPA compliant privacy notice. Your privacy notice has to include the following information. 

Categories of information

Your privacy notice should disclose the following:

  • The categories of personal information your business has collected
  • The categories of personal information you have sold
  • The categories of personal information you have disclosed for business purposes
  • The categories of third parties that have received your customers’ personal information

These disclosures should be relevant to the last twelve months of data collection. 

Individual rights

Your privacy notice needs to contain a description of your customer’s rights to disclosure, access, opting out and nondiscrimination. The biggest one is opting out – your notice should provide your customers the opportunity right then and there to opt out of the sale of their personal information. 

Contact methods

Consumer requests have to come in somehow! Your business needs to have two or more ways to allow your customers to contact you and exercise their CCPA rights. If your business is:

  • Online only: An email address, as well as a webform for “Do Not Sell.”
  • Physical only: A toll-free number and mailing address
  • Physical and online: Toll-free number and website. May also include mailing address, email address, or other. 

Having your contact methods well established and your team trained on how to respond is a big win for your business. There’s no clearer way to communicate to your customers that you value your relationship with them than by making things easy. 

How are you communicating this information?

Remember, you’ve got to get this information in front of your customer’s eyes AT OR BEFORE the point of collection. (I know, I already said this, but it’s really important!)

Another really important piece? The “Do Not Sell My Personal Information” piece. You’ve got to have a visible, easily identifiable button on your website with this title that links to a webpage that allows people to opt-out of the sale of their personal information. This link has to be available:

  • On your homepage
  • In your privacy policy
  • And in any California-specific description of consumers’ privacy rights

Here are some other points to remember

Privacy compliance is a lot of work. It’s complex. There are a lot of moving parts. It can feel like a puzzle where all the pieces keep changing shape. 

But it’s far from impossible. Especially when you have someone who can help you keep track of the pieces and who can remind you who’s going to be looking at this very puzzle later: your customers.  

How, you might ask, do you keep that in mind? Here are a few starting points:

Map your data

Data mapping – it’s not just for the General Data Protection Regulation (GDPR). Data mapping is a vital practice for any privacy-forward company. If you’ve already done data mapping for GDPR, great – you’ve got a head start, although you’ll still need to review and document whether you’re selling data as defined by CCPA.

If not, you’ll need to put together an inventory that documents your collection and sale and disclosure of personal information. 

Data mapping is multifunctional, but for our purposes today, you need it to be shipshape to build accurate privacy notice disclosures AND to provide accurate responses to your customer’s information requests.  

Stay up to date

Privacy notices are dynamic, living documents. They need to be updated every twelve months to comply with CCPA, and they need to stay current with what you’re actually doing with the data you’re collecting. 

That means, if you’ve shifted strategies and you’re collecting new categories of information, sharing/selling it with new vendors, or using it for different purposes, you’ve got to disclose these changes. 

And that’s not all. Got a new marketing campaign? Rolling out a new product feature? These totally normal business activities are relevant to your privacy notice. 

If you don’t disclose them, you risk violating your own notice and your mission to be transparent.

(Don’t forget, your privacy notice may live across multiple digital properties. Keep it updated at each location.)  

Make everything really easy to find and understand

You should make your privacy notice as easy to find as possible, and your notice should be in a format that’s easy to read across all devices. As per CCPA accessibility rules, privacy notices and privacy policies must be “reasonably accessible to consumers with disabilities,” and should be available to be printed out as a separate document. 

And (I know, I’ve said this already) it needs to be accessible where people will see it BEFORE information is collected, and written in plain, straightforward language. No legalese or iambic pentameter, please.

Getting all the pieces of compliance can be challenging. Sometimes it takes a village to get your team trained, your policies in place, and help shift your business in a consumer privacy-oriented direction. But that’s what gets us up in the morning and excited for the day. Drop us a line and let us know how we can help you.

The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. 

However, the wait is over – the CCPA became enforceable as of 2020. (Yes, it’s been in effect since January 1, 2020, but it’s the real deal now, complete with final rules and all.)

A lot has changed since CCPA first rolled out. And a lot has REALLY changed since January. So what’s a privacy-minded organization to do if they need to get up to speed on falling in line with CCPA regulations?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law to date in the United States. Informed by advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California.

CCPA is often said to be the lite version of GDPR. That’s not inaccurate, but there are some important differences to make note of now that we’re entering into the enforcement period of CCPA.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you’re in a compliance state-of-mind and thinking you should probably dig into whether or not you need to start scrambling, here’s the short answer for you. The CCPA applies to your business if:

  • You’re a for-profit business that:
    • Collects and controls California residents’ personal information AND
    • Does business in California AND
    • Has one of the following:
      • Annual gross revenues in excess of $25 million
      • Receives or discloses the personal information of 50,000 or more California residents, households, or devices annually
      • Derives 50% or more of your annual revenue from selling California residents’ personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines. (And it should – it went through numerous revisions to get where it is now.) There are seven articles with 42 sections total that cover how businesses can meet the regulations. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or any other synonym for “receiving” personal information? If so, you’re collecting consumers’ personal information. It’s relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean? Selling data can often be misconstrued. Yes, it can be the usual “I’ll give you x amount of money for y amount of data,” but under CCPA, it can include the act of sharing that data where the third party uses the data for its own purposes. If data is shared with a service provider and, per the contract, the service provider is limited to using the data only to deliver the services, it would not qualify as a sale of data under CCPA.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to consider when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Do you collect and sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (all those pixels, cookies, etc.), internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let’s pause for a moment on the category of “identifiers.” Digital identifiers are a new and increasingly important part of personal information. Think about how much time people spend online and how many websites – and how many pixels – they visit. This alone is a substantial source of personal information that you need to be aware of. 

Transparency and notice obligations

Transparency! It’s not just a buzzy value to tout to your customers – it’s essential under CCPA. You can’t just tell customers you’re collecting data after the fact. You need to give customers four distinct types of notices so your data collection practices are crystal clear:

  • Notice of the collection of personal information
  • Customer opt-out rights
  • Financial incentive notice
  • Business’ privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn’t just about your writing style – it also means your website is set up in an ADA-compliant manner. The law requires privacy notices to be accessible for all users. That means you need to consider how individuals with disabilities, and the technology used to help make websites usable, such as screen readers, will interact with the notices. 

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You’ve got to tell your consumers that you’re collecting their data at or before the time of collection, and again when you collect new categories of data, in plain and straightforward language.
      • You’ve got to link to your “Do Not Sell My Personal Data” button on your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers have the right to access their data twice a year to confirm that you’re collecting their personal data and to get a copy of the data from the past twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers’ data with other parties? Your consumers have a right to know and they can ask to see what you’re sharing.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete any of their personal information. The catch: You have to provide them this right in an accessible format. 
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you to not sell their data.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • An individual’s use of their CCPA rights can’t affect the goods and services you provide them.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it’s even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to access their personal data in accordance with their rights.  

If you interact with customers in person, you need to provide at least two methods of contact, one being a toll-free number for requests. If your business operates ONLY online, you can get by with an email for submitting Requests to Know and Requests for Deletion. 

For requests to Opt-Out, you need to have two ways for consumers to achieve this and one of them needs to be through the Very Important “Do Not Sell My Data” link.   

Are you able to meet deadlines?

Under CCPA, you have 10 days to confirm receipt of the request to know and delete personal information, and 45 days to complete the entire process. This can be hard, especially for busy small businesses, but it’s important to make it a priority. 

Think about: Verifying data

When a consumer submits a request to know or a request to delete their personal data, you have to verify their identity. However, under CCPA, verification is nuanced: make sure that you’ve trained your team THOROUGHLY on your process. (And to meet the 45-day timeline!)

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under the scope of CCPA, California residents have the right to sue companies if their non-encrypted and non-redacted personal information is subject to a qualifying data breach. This is a significant provision in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you’re found in violation of the CCPA, your company will be subject to civil enforcement actions. You’ll get a notice of non-compliance and 30 days to resolve the problem. If you don’t meet the 30-day deadline, you’ll be subject to an injunction and a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional one. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with their data. If you’re not doing the right thing with it, you’re not staying in compliance. (And of course, that’s an issue.) 

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 


We’re here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.

For many organizations in the US and abroad, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached.

These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to implement cookie banners across their website and app. But while it’s tempting to just add a cookie banner to your website and move on to your next project, do you know what the deal actually is with them – and how to make sure you’re truly compliant? 

Differences Between GDPR and CCPA: The Nutshell Version

Comparing GDPR and CCPA can be a helpful exercise in understanding data privacy issues. While the two regulations aren’t interchangeable, they both deal with similar issues and similar concerns in individual rights. Both of them create legal requirements around:

  • Transparency in business practices dealing with personal data 
  • Security and control over personal information for consumers
  • Defining digital identifiers (cookies) as personal information  

One of the big points of departure between GDPR and CCPA is the issue of user consent. The two regulations approach consent and data from different angles. GDPR centers on the user, requiring prior consent before cookies are set. CCPA allows businesses to collect data before getting consent, as long as users have the ability to opt out of collection.

Another significant difference between GDPR and CCPA is scope. While both have international reach, despite the fact they pertain to residents of specific territories, compliance mandates differ. Under GDPR, any website, organization, or business has to comply with the regulation if it’s processing the personal data of EU residents. (Even if they aren’t actually located in the EU.)

On the other hand, the CCPA applies only to for-profit businesses or organizations, and only if they meet one of the following criteria:

  • Has a gross revenue of more than $25 million
  • Buys, receives, sells, or shares personal information of more than 50,000 consumers, households, or devices each year for commercial purposes
  • Derives 50% or more of annual revenues from selling consumers’ personal information.

Meet Your GDPR Cookie Banner Compliance Requirements

GDPR compliance. We’ve been living with that for a little while now, haven’t we? Seeing that GDPR has been in effect since May 25, 2018, you may have already grappled with cookie banners and consent.  

A key tenet – perhaps even THE key tenet – of GDPR requirements is that EU residents have the right to be informed when a business or organization collects their personal data. And it’s not just that they’re collecting the data – businesses and organizations have to tell people why they’re collecting it, how long they’re keeping it, and who they’re sharing it with. If an individual doesn’t want their data used in that manner, they have the right to object.

But how does this actually play out on websites? Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR and it has to have several pieces in place. 

Opt-in Cookie Consent

When you set up your cookie banner, the safest way to approach cookie consent is to take an opt-in approach. The opt-in approach means that website visitors have to actively give you permission to drop cookies. (At least those that aren’t essential for site functions.)  

How do you get that consent? By an opt-in button. But remember, your text has to be crystal clear in communicating that the user is agreeing to cookie deployment. 

More on Cookie Deployment

Let’s expand on cookie deployment just a little bit. According to GDPR, your website needs to be sufficiently detailed so that visitors are able to give informed consent about accepting cookies. A key piece of this information is the whats and whys of your cookies. What kinds of cookies are you using? Why do you want the data and how are you going to use it? 

Third-Party Data Sharing

When we talk about how we’re using visitors’ data, one topic that comes up time and again is sharing with third-party vendors. Third-party vendors provide businesses with valuable services, but they also pose a security risk. For transparency, you need to inform users who else has access to their data. 

Link to the Website’s Cookie Policy

You’ve got a cookie policy. (Right?) Don’t be shy about sharing it with your website visitors – it’s part of your compliance journey. 

The most straightforward way to get people to your policy is by adding a link to your website’s cookie policy in your cookie banner. Your cookie policy should cover the details of how cookies are used on your site and include an exhaustive list of all the cookies you’ve put into place. 

Win Brownie (Err…, Cookie) Points

You don’t have to do this, but your visitors will appreciate it if you add a link to your cookie settings within the cookie banner. Yes, it’s not strictly required by GDPR as long as visitors have the choice to refuse all cookies. Website users, unsurprisingly, appreciate the option to control their user experience and their data. 

Meet Your CCPA Cookie Banner Compliance Requirements

The CCPA went into effect on January 1, 2020, but only recently became enforceable as of July 1. Similar to GDPR, CCPA gives California residents the right to be informed when a business or organization collects their personal data. In fact, California residents even have the right to bring suit against businesses in certain cases. 

Under CCPA, website owners have to inform users about what information they’re collecting, how they’re processing it, and with whom they share it. That part is very similar to GDPR. 

However, there is a big difference between GDPR and CCPA: CCPA takes an opt-out rather than an opt-in approach. While CCPA doesn’t require a banner to facilitate the opt-out, it’s currently the best practice to make sure you’re giving visitors the ability to opt-out at the time of – or before – collection.  

The CCPA does restrict one aspect of data collection for websites: the sale of personal data of visitors under 16 years old. These underage visitors are required to opt in rather than opt out. So if you can’t be sure that you have no visitors under the age of 16, it’s better to use the opt-in approach. 

With all that in mind, let’s take a look at the ingredients for a CCPA-compliant cookie banner. You should include the following in your cookie banner. 

Information About Cookie Use

CCPA requires websites to provide users with the details about why they’re collecting and using cookies and if they’re going to be sharing or selling that information to third parties. 

A Button to Accept Cookies

As noted above, there’s not an opt-in requirement under CCPA. However, you can include a link that allows users to accept cookies. (But you can fire cookies before the website user accepts them as long as you give them the information about data you’re collecting at the point of collection.) 

As in the GDPR version of a cookie banner, you have the option of including a link to a cookie setting page that allows users to opt-in or out. No, it’s not necessary, but yes, it’s a good step towards transparency and user experience. 

Do Not Sell Button

Under CCPA, you’ve got to give your users the ability to opt out not just of data collection, but of the sale of personal information. According to CCPA, selling includes the following: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” With such a broad definition, it’s important for companies to understand what data is collected and shared, and specifically what the third party is doing with the information, to determine whether the data flow is classified as a sale under CCPA. 

(One issue to be mindful of is how you or your partners are using ad tech. While not all ad tech is considered selling, some uses may fall into the category of sales.) 

To uphold CCPA requirements, you need to provide the option of opting out. CCPA is specific on how you should do this: include a link or button to an opt-out form on your website’s home page. 

Your “Do Not Sell” page needs to include some specific information, as well. It needs to have:

  • A link to your website’s privacy policy
  • A button that allows them to opt-out of personalized ads

Let us reiterate: Your “Do Not Sell” button isn’t the same thing as or interchangeable with a cookie banner. Don’t treat it as such. It’s a separate function. However, it’s smart to use it alongside your cookie banner to help your website use cookies to process data in a CCPA-compliant manner.
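As an added example (not code from the original post), here is a JavaScript consent gate that encodes the rules from the GDPR opt-in section and the CCPA sections above: nothing non-essential fires under GDPR until the visitor accepts it, under CCPA tags may fire once notice has been given at the point of collection but a “Do Not Sell” opt-out is honoured, and any sale of data for a visitor who may be under 16 falls back to opt-in. The tag catalogue, the consent-record fields and the loader callback are assumptions of mine.

```javascript
// Added example, not code from the original post: a consent gate that decides
// which tags may run under the GDPR (opt-in) and CCPA (opt-out, opt-in for sales
// to under-16s) rules the article contrasts. The catalogue and consent fields are
// assumed shapes, not anything the article or either regulation prescribes.

// Constructed catalogue: each entry marks whether the tag is strictly necessary
// and whether its data flow counts as a "sale" under the article's CCPA definition.
const TAG_CATALOGUE = [
  { id: "session-cookie", category: "essential", sells: false },
  { id: "first-party-analytics", category: "analytics", sells: false },
  { id: "ad-pixel", category: "advertising", sells: true },
];

// Fill in defaults so a missing field always fails closed (no consent assumed).
function normalizeConsent(consent = {}) {
  return {
    noticeShown: consent.noticeShown === true,         // notice shown at/before collection
    acceptedCategories: consent.acceptedCategories || [],
    rejectedCategories: consent.rejectedCategories || [],
    doNotSell: consent.doNotSell === true,             // visitor used the "Do Not Sell" link
    knownAtLeast16: consent.knownAtLeast16 === true,   // unknown age is treated as under 16
  };
}

// Returns the ids of catalogue tags that may run right now under the given regime.
function allowedTags(regime, rawConsent, catalogue = TAG_CATALOGUE) {
  const c = normalizeConsent(rawConsent);
  return catalogue
    .filter((tag) => {
      if (tag.category === "essential") return true; // strictly necessary, no consent needed
      if (regime === "gdpr") {
        // Opt-in: a non-essential tag fires only after its category was affirmatively accepted.
        return c.acceptedCategories.includes(tag.category);
      }
      if (regime === "ccpa") {
        // Nothing fires until notice was given at or before the point of collection.
        if (!c.noticeShown) return false;
        if (c.rejectedCategories.includes(tag.category)) return false;
        if (tag.sells) {
          if (c.doNotSell) return false; // opt-out of sale is honoured
          // Selling an under-16 visitor's data needs opt-in; unknown age falls back to opt-in.
          if (!c.knownAtLeast16) return c.acceptedCategories.includes(tag.category);
        }
        return true; // opt-out regime: may fire once notice has been shown
      }
      throw new Error(`unknown regime: ${regime}`);
    })
    .map((tag) => tag.id);
}

// Run only the allowed tags through a loader callback (for example one that injects
// a <script> element) and return what was loaded, so the decision can be audited.
function applyConsent(regime, consent, loader, catalogue = TAG_CATALOGUE) {
  const ids = allowedTags(regime, consent, catalogue);
  ids.forEach((id) => loader(id));
  return ids;
}

// Stand-alone demonstration with a recording loader instead of a real DOM.
const demoLoaded = [];
applyConsent("ccpa", { noticeShown: true, doNotSell: true, knownAtLeast16: true },
  (id) => demoLoaded.push(id));
console.log("CCPA, Do Not Sell used:", demoLoaded.join(", "));
```

The same gate can be driven from the banner's buttons: "Accept" appends categories to `acceptedCategories`, the "Do Not Sell" link sets `doNotSell`, and the page re-runs `applyConsent` with the stored record.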

Tying it all together

Yes, both GDPR and CCPA have a lot of moving pieces that you have to address in your cookie banners. And yes, it’s tempting just to find a customizable cookie banner online and wash your hands of it. 

But we don’t recommend this approach. Cookie banners don’t exist in a vacuum. Cookies change and have to be updated. It should all be part of your larger privacy strategy.  

If this feels overwhelming, we hear you. That’s why we work closely with clients to build a manageable strategy for long-term business goals. Ready to take the next step? Give us a shout. We’d love to chat.

Third-party agreements

You’re only as strong as your weakest link.

And most companies are blissfully unaware of their weakest link when it comes to compliance with new and forthcoming privacy regulations.

This hidden danger? Third-party agreements. Truth is, they can make or break your privacy rights implementation.

Third-party vendors are fast becoming the fashion of the day. The General Data Protection Regulation (GDPR) refers to them as processors. Under the California Consumer Privacy Act (CCPA), they include true third-party services as well as service providers.

Outsourcing specialized or less intensive tasks (think technology, marketing, and IT) to experienced outside resources seems like a no-brainer. In fact, it’s proven more efficient and cost-beneficial for most companies that use it.

Because of the increasing demand for third-party vendors, the risks they bring to the table also escalate dramatically. And the responsibility for managing that liability falls fully on the company to which the third-party vendor is contracted.

In other words, you.

Paying attention to what data you’re sending to your third-party vendors – and what those third parties are doing with that data – isn’t just a suggested best practice anymore. Regulatory oversight has expanded to make monitoring the sensitive data and processes of third parties critical to a company’s operational success.

If you’re a business that doesn’t have vendor evaluation and monitoring processes in place, you’re not alone. Even if you have created these elements, chances are they’re completed and managed on Excel spreadsheets. Worse, you’re probably using a one-size-fits-all approach for analyzing every vendor.

This is a huge red flag.

Not all vendors are the same. A small consulting firm won’t pose the same risks as a large IT database company. Evaluating both of these vendors on the same scale, with the same criteria, is inefficient and ineffective. It’s essential to customize third-party evaluations based on each vendor’s size.

Proper third-party agreements protect your company from reputational damage and inadvertently violating laws. Because third-party agreements are an essential part of regulatory compliance and can’t be overlooked, all companies should follow a complete privacy checklist to execute them consistently and accurately.

#1 – Nail Down your Vendor List

Sure, you can probably reference a list of vendors, suppliers, distributors and contractors with whom you do business. But under most regulatory guidance, the definition of a third-party vendor is more nuanced than just a simple list.

Many companies don’t understand that it covers any business arrangement between an organization and another entity, by contract or otherwise.

Under this definition, a third-party agreement includes undocumented, verbal, and hand-shake contracts. These could have been established recently or many years ago by someone who doesn’t work at your company any longer. It doesn’t matter. These contract manufacturers, brokers, agents, and resellers all count as vendors and must be a part of your evaluation of third-party agreements.

To take it a step further, some third parties actually outsource some of their own projects to additional resources. If this comes as a shock, don’t worry. It’s standard practice for vendors to do this without the consent or knowledge of the company they’re working for. However, it’s an essential piece of managing third-party agreements.

Point is, you probably have more third-party agreements than you thought. Nailing down your vendor list – including their own subcontractors – is an essential first step for privacy compliance.

#2 – Review and Update Contracts

The next step on the checklist is reviewing and updating your third-party agreements. You’ll have to read through each contract to make sure it adheres to best practices for cybersecurity, data security, and privacy rights. Doubtless you’ll have to update the verbiage in these contracts to reflect privacy standards and clearly lay out duties for each entity to follow.

In order to maintain a clear definition of responsibility for data, you must follow a process to make sure all your vendors are compliant.

The first step in this process is creating and updating an evergreen inventory of security and privacy updates and requirements. You can then use this database to perform a comparable scan of each of your vendor contracts. You’ll want to home in on specific contract terms and data processing agreements (DPAs) within contracts.

If you’re wondering if your work completed under the GDPR requirements applies for the CCPA, it doesn’t. There are specific requirements for each regulation, so you’ll need separate inventories supporting each standard.

Once you’ve extracted the outdated language from each vendor contract, it’s time to update it with the correct text. Traditionally, this has been the responsibility of the legal team and focused on data security topics. Now the privacy team also needs to have a say because of the privacy risks and stipulations so prevalent in legislation. Individual rights are an especially important part of this, with amendments limiting the use of data to a specific purpose only. Third parties must agree to honor these individual rights requests on your company’s behalf.

If the privacy team doesn’t lay out how and where data should be managed and stored, the security team can’t protect it. Because of this, all new contract language should be pre-written and pre-approved by the legal, security, and privacy teams.

Most importantly, all companies should have an established method for alerting stakeholders when vendors are subject to breaches or regulatory enforcement. The key to reviewing existing third-party agreements is to pinpoint high-risk vendor relationships. When you’ve identified these organizations, you can put extra care around monitoring and preventing risks. This will ensure vendor accountability and compliance across the board.

#3 – Create a Third-Party Risk Management Process

The final task on your privacy checklist for evaluating third-party agreements is planning for the future. It’s not enough to ensure your existing vendors are up to snuff. You must also create a bulletproof plan for assessing, onboarding, and monitoring vendors you’ll add to your roster in the time ahead.

First, get your team on the same page. This means organizing cross-functional stakeholders from procurement, IT, finance and executives to whom the vendors will report – and privacy officers, of course – to help perform and review new third-party agreements. Next, identify the critical risk categories on which you’ll assess new third parties: strategic, reputational, operational, financial, compliance, security, and/or fraud.

Remember, you also have to make sure appropriate questions are asked of organizations based on their size. A simple way to determine evaluation criteria and scoring is through third-party questionnaires. These tools are lifesavers when it comes to evaluating vendors for compliance, security, and other risk factors. Non-profit privacy organizations offer high-quality questionnaires to their members. In addition, any third-party risk management software will normally include these questionnaires for free as part of a subscription cost.

You may be surprised to learn the most important part of these evaluations is not the completion of them by the vendors in question. It’s critical the team assigned to review these questionnaires – and accept or deny the vendor – actually completes its responsibility, and does it in a timely manner. This cross-departmental group should weigh the scores based on risk impact so vendors can be categorized and prioritized in tiers.

The steps of this third-party risk management plan should be written down and kept on hand by anyone who deals with onboarding new vendors at your company. It should be followed to the letter to ensure all third-party agreements meet company and regulatory standards. And of course, ongoing training is essential. New and existing employees should complete rigorous training on the new third-party risk management process.

Conclusion: Get a Handle on Your Third-Party Agreements

Today’s consumers hold more power than ever before. If there’s an issue with how their data is being managed or used, they’re not going to point the finger at the third-party vendor responsible for the misdemeanor. They’re going to fully blame you – the vendor’s employer.

If you don’t want to get in trouble for something you didn’t do, completing due diligence with your third-party agreements is crucial.

The good news is, risk management software can help you complete this privacy checklist for evaluating third-party agreements in the least amount of time, effort and expense. It allows you to ditch the Excel spreadsheets and dusty digital files. Instead, you’ll be able to utilize a cost-effective, intuitive system that’s applicable to each new vendor.

Hiring a Fractional Privacy Officer (FPO) can also give you a leg up. This individual is adept at creating the review process, managing it from end-to-end, analyzing the assessments, and making it right inside the organization. If you’re interested in seeing how an FPO can exponentially benefit your vendor management process, we’ve got a team of experts who are well-versed in this high-risk area.

Reach out today to schedule a free consultation!


5 simple steps to CCPA compliance for small business owners

Running a small business can be stressful. Trust me, when I started Red Clover Advisors, I felt overwhelmed by day-to-day operational challenges, building our client base, and ensuring that we were providing top-notch advice and service. Regardless of your industry, being a small business owner means you wear a lot of hats and there are certain areas in which you just don’t have expertise.

Perhaps the CCPA regulations that take effect on January 1, 2020 are one of those items that have piled onto your stress list. Don’t worry! Here are five simple steps to CCPA compliance success for small business owners that I think will really help you navigate the process.

  1. Data is king. If you do not know what customer data you have or understand its implications, it is nearly impossible to comply with the CCPA regulations. The key here is that under the CCPA, data you collect qualifies as personal information. You should start the data mapping process now, if you have not already. Here are some questions to consider when you undergo data mapping:
    • Where do you host your data (including with any third parties)?
    • For what purpose is the data you collect used?
    • Do you collect and sell data on children?
  2. Notify, notify, notify. You can no longer tell a customer once that you are collecting their information. Under the CCPA, you must provide four different notices and update them appropriately. These include the notice of collection of personal information, customer opt-out rights, the financial incentive notice, and your business’ privacy policy. While the CCPA regulations may sound like legal jargon to you, it is important that your notices are consumer friendly. Here are some questions to consider when creating or reviewing your notices:
    • Are your notices easy for anyone to understand?
    • Do the notices detail the data you collect, such as the sources of information or categories of personal information collected?
    • Do they provide information regarding what your business plans to do with the information collected?
    • Are they designed to grab a customer’s attention? What about individuals with disabilities?
    • Do you do business in another country or with those who speak a language other than English? If so, is each notice available in that language?
  3. Consumer-centric. You need to have a plan for individuals’ rights, which includes being accessible for consumer requests, verification of data, and opt-out options. Under the CCPA, you must explain what you plan to do with the data you collect and provide two ways for customers to contact you regarding said data. Here are some questions to consider when developing your plan:
    • Do you have methods for contact in place? For nearly all businesses, one of these methods must be a toll-free phone number; is it set up? Many businesses also opt for an electronic method; is this right for your business?
    • Do you have a system to ensure timely responses to consumer requests? This can be hard when you are juggling so many things, but it is very important to be aware of these time constraints and abide by them. Did you know that the CCPA regulations state you have to acknowledge most consumer requests within 10 days? And that the data verification process has to be complete within 45 days?
    • Does your team know how to verify consumer information, or what to do in cases where you cannot verify a consumer?
    • Do you have an opt-out policy and process in place? And is it in the CCPA-approved format?
  4. Train your team. We all know that customer service is important, but this training goes beyond getting a positive or negative review on social media. Under the CCPA regulations there are new documentation requirements that anyone who handles consumer requests and data needs to be aware of and properly trained on. Here are some questions to consider when creating a training manual:
    • Do your employees know they must keep a record of the customer requests that your business is receiving?
    • Do they know these records must be maintained in a log or ticket format?
    • Do they know that the information maintained in these records cannot be used for any other business purpose?
  5. Rinse and repeat. Once you have a plan in place and have mapped your data, it is important to keep in mind that this is not a one-time thing. Being responsible for consumer data and staying up to date on state and national regulations is the new norm, not something you can set up once and forget about. Here are some questions to consider as you look ahead:
    • How will you integrate the plan for new consumers and their data?
    • How will you keep up with adjustments to the regulations?
    • How will compliance be maintained on an ongoing basis?

We hope this was a helpful resource. But, if you still have questions, please schedule a free call with us. Red Clover Advisors would love to help you navigate this process and make your life a little less stressful.

On October 10, 2019, the California Attorney General released a document of Proposed Regulations for the California Consumer Privacy Act.

Learn about the changes GDPR has brought

The privacy world is recognizing a big birthday this year.

Europe’s General Data Protection Regulation (GDPR) officially hit its year-one milestone on May 25, 2019.

But you probably won’t be celebrating.

That’s because most companies still have a lot of work left to do when it comes to full compliance. And if you’re one of those companies, you probably don’t even know it.

Truth is, GDPR compliance isn’t a one-and-done activity. A common misconception is once the 2018 deadline hit, companies could wash their hands of the mandate.

Not so.

The GDPR is an active exercise, an ongoing execution of privacy best practices.

And when 71% of marketers believe lack of compliance could have a detrimental impact on their companies’ ability to conduct business, the implications are something to take seriously.

A MISTAKEN PERSPECTIVE

You may remember the onslaught of companies – perhaps your own included – rushing to get GDPR compliant processes in place before the deadline.

It was a chaotic time of window-dressing websites and creating cookie updates.

And it was followed by an eerie silence of privacy inaction.

There was a check-the-box mentality, fostered by the fact that governing boards took seemingly no immediate action against non-compliant organizations.

Large companies that had doled out copious amounts of money for the update thought they were sitting pretty. Small companies that struggled to implement every iota of the regulation thought they were home free.

Somehow the reality of GDPR non-compliance fell off the radar: The consequences are severe.

From large corporations to small startups, regulators didn’t discriminate in the companies they held accountable for following the rule. Google paid $57 million for not properly disclosing data collection practices. CNIL slapped the startup Teemo on the wrist in October 2018 for not asking for consent when gathering geolocation data. And over 18 investigations are underway for big tech companies, including a potential $1.6 billion fine for Facebook.

Fact is, the people who created this privacy law are bulldogs when it comes to enforcement. And that’s only going to become more the status quo as time passes.

This means the GDPR birthday should renew a sense of urgency for companies to improve existing compliance processes from 2018, or to finish implementing GDPR if they haven’t already.

Unlike other regulations, privacy laws are not a one-time or even once-a-year activity.

They have to be reviewed constantly – we suggest at least quarterly – and updated on an ongoing basis.

Year two of the GDPR regulation is the perfect time to execute this culture of privacy normalcy.

THE PRIVACY SHAKE-UP

The GDPR of 2018 was only the beginning for privacy regulations.

Most experts are calling for the United States and Canada to pass down similar mandates in the next 5-10 years. The California Consumer Privacy Act (CCPA) is one state’s response to this outcry and will probably be followed soon by like-minded laws from other state governments.

Because of this long-term perspective, it’s important for companies to understand that the first year of the GDPR implementation only covered the fundamentals of privacy rights.

During 2019, regulators will articulate even more clearly their expectations.

They’ll detail what’s most important to have in place based on the next round of fines they intend to levy. And they may even amend the regulation to include research brought to light over the past 12 months.

This should underscore the fact companies shouldn’t wait to get their houses in order when it comes to privacy updates.

Privacy will eventually hold the same weight in an organization as the finance, HR, and legal departments.

Business executives and owners should view year two as an opportunity to overhaul their companies’ privacy processes, ensuring they take the front seat.

After all, the GDPR highlights the need for a sustainable process to review all existing vendors on a regular basis and vet all new processors against privacy and security requirements.

Data inventories are becoming commonplace.

Unfortunately, security and data breaches are, too.

The GDPR and future privacy laws aren’t just enforcing these rules as a show of power. Rather, they’re supporting company-consumer relationships for what is fast becoming a way of life.

NEXT STEPS FOR COMPLIANCE

61% of businesses from a Deloitte survey said they believe the GDPR has benefits beyond just implementation. Of those, 21% expect significant benefits, including competitive advantage, improved reputation, and business enablement.

These privacy officers get it.

Privacy regulations like the GDPR are an opportunity to build strong relationships with customers based on trust.

Trust is the building block of any successful, long-term relationship.

And when long-term relationships will get you more money consistently – it’s six times more expensive to win a new customer than retain an existing one – the GDPR starts to make a lot of sense.

B2B consumers are looking for compliant companies that care about their privacy. In fact, some customers will abandon companies that ignore privacy best practices.

B2C consumers are especially savvy when it comes to this. These people are especially tuned in to privacy no-nos such as emails sent without permission and missing website opt-ins.

It’s true: Being GDPR ready gives your company a competitive advantage.

If you didn’t start in 2018, you need to start now. If you implemented last year, you need to update and improve.

This will involve scrutinizing critical parts of the GDPR requirements, such as those listed below. Addressing these might be enough:

  1. Data inventories
  2. Vendor management
  3. Privacy notices, cookie consent, and marketing activities
  4. Security and data breaches

Companies aren’t just responsible for creating repeatable privacy processes for these four areas.

Training your team is critical to a successful privacy program. We’re talking every employee, not just your direct reports. Annual security meetings or courses don’t cut it anymore. Instead, implement company-wide communications, monthly tips, quarterly updates, in-person or online events, and contests.

Doing this ensures privacy is a shared team goal and something in which each person is significantly invested. Privacy compliance will simply become a regular part of doing business.

And your team won’t be surprised or unprepared for the next international, national or statewide privacy law.

Conclusion: The GDPR Compliance Challenge

There’s no doubt there are moving parts that require constant fine-tuning when it comes to GDPR and other privacy standards.

It’s crucial for a capable professional to manage these changes.

Yet this highlights one of the main challenges companies face when it comes to privacy law compliance: 43% bemoan a lack of expert staff and 31% admit they have a limited understanding of GDPR regulations.

While these challenges are overwhelming, they’re not impossible to solve.

And with GDPR compliance something you can’t afford to ignore, you have no choice but to find a way to overcome them.

The first step is education.

There is a litany of reliable resources online to help you understand the privacy law. You can check out our free GDPR Resource Library to get started.

The next step is assigning a point person.

If you don’t have a CISO or an appropriate person on your team to step into the role, it may be time to hire an outside resource. Even if you’re in the CISO role and feel over your head when it comes to GDPR planning and implementation, bringing in a third party is a good idea.

With more than 20 years of experience, our team of privacy experts can step in to assess the situation. We’ll act as an extension of your team to create a game plan for tackling the GDPR. We can even serve as a fractional Privacy Officer to help over a longer period of time.

Whatever personnel direction you go in, it’s important you start now. Year two of GDPR is not a time to rest on your laurels.

It’s a time to take action on a business-changing imperative. Get a free GDPR first-year audit or plan your second year goals – reach out today!