Category: CCPA/CPRA

Our favorite time of the year is finally here—and yes, we know the winter holidays have already come and gone. But as much as we may love warming up with a cup of hot cocoa (topped off with unreasonable amounts of marshmallows, please!), there’s one day that holds a special place in our hearts: January 28th is World Data Privacy Day.

And while there aren’t any seasonal beverages to enjoy along with it, we think Data Privacy Day represents something fundamental: the right of every person to control their own personal data with the confidence that it won’t be shared, sold, or otherwise exposed without their consent. 

World Data Privacy Day: a short background

Observed annually worldwide, Data Privacy Day honors the signing of Convention 108 in 1981, the first international treaty to deal with privacy and data protection. 

1981 was a long time ago, though.  

Since then, generations of activists, lawmakers, and ordinary citizens have advocated long and hard for a future where an individual right to their private data doesn’t get lost in the crowd.

That’s why we like to look at January 28th as something like a Data Privacy New Year’s for our industry: it’s a chance to stop and acknowledge the progress we’ve made, celebrate our privacy accomplishments, and look ahead to the work that still needs to be done. 

Data privacy day? Let’s make it a week (or even a year)

This year, the National Cybersecurity Alliance decided to expand its Data Privacy Day campaign to cover an entire week—to which we say, why not? After all, privacy is an ongoing issue, and there’s only so much work you can do in a day.

In fact, we’d like to propose an even more ambitious idea: what if we made 2022 a Data Privacy Year? Because as much as we love the 28th, the things you do on those other 364 days are more important. 

Three good reasons to make data privacy your New Year’s resolution

We know the ball dropped weeks ago (and some of us even managed to stay up long enough to see it), but that doesn’t mean it’s too late to make a few more resolutions. 

Our suggestion? You guessed it: making data privacy a priority. From legal compliance to business considerations to just straight up doing the right thing, here are a few good reasons to keep data privacy top of mind as you plan for your business’s future in 2022.

1. Regulatory compliance

Convention 108 was left all by its lonesome for years, and lax (or nonexistent) data privacy laws allowed dangerous privacy practices to thrive for a long while. Consumers’ private information was often collected and sold without their knowledge or consent, and insufficient data security measures led to high-profile breaches of private consumer data.

Thankfully, Convention 108 finally got help. If your company sells products or collects data from users, you’re probably already familiar with the EU’s General Data Protection Regulation (GDPR), adopted in 2016. This far-reaching privacy and data security law placed a wide range of restrictions on how organizations collect, store, and use consumer data—at least within the EU. 

Since then, several US states have joined the EU in creating consumer privacy regulations, including the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

More state laws are likely to follow, and for those who care about consumer privacy, that’s cause for celebration. But it also means that companies need to carefully monitor their regulatory compliance obligations. Ignoring policy changes in the coming years could put your company on the wrong side of the law.

2. Privacy is what your consumers expect

Even if you put regulatory concerns aside, prioritizing data privacy is simply good business. Consumers are increasingly aware of how their private data is being collected and used, and most Americans now report concern over companies’ use of their personal information.

That gives your company an excellent opportunity to differentiate itself by putting privacy first. In fact, a whopping 97% of companies report one or more tangible benefits after investing in robust privacy policies, from more significant competitive advantages to lower data-breach losses to increased investor appeal. 

(And that’s not a bad way to start the year.)

3. It’s simply the right thing to do

No matter what your industry is or who your consumers are, your relationship with the people you serve is built on trust: trust in your professionalism, trust in the quality of your goods or services, and trust that your business will uphold its core values.

Data privacy efforts are one way to pay them back for that trust. Each of your consumers is a living, breathing human being who has a right to privacy and control of their personal data, and helping them protect that right is an excellent New Year’s resolution.

Seven resolutions for a privacy-first 2022

Look, we know that staying true to your resolutions is hard (raise your hand if you’ve already broken the ones you made on New Year’s Eve). 

But when it comes to data privacy, staying ahead of the trends is a year-round effort, and it helps to have a plan you can commit to. Here are seven goals to keep the privacy fire burning bright when Data Privacy Day is just a warm and fuzzy memory.

1. Start with awareness and empathy

Successful privacy efforts need to go deeper than policy—you also need to foster a culture that values your privacy plans. And one of the best ways to do that is to remember the people you serve.

Whenever you implement steps to keep your clients’ and customers’ data safe, you’re also protecting the legal and ethical rights of the people who trust you. Keeping an awareness of this responsibility top-of-mind can help you fuel your efforts with empathy, even when breaking your privacy resolutions is oh-so-tempting.

2. Train and educate your team

Setting goals is admirable, but implementing real and lasting change requires full-team buy-in and participation. If you want to create a company culture that values privacy, you’ll need to equip your team with the knowledge they need to put privacy first.

That involves clearly articulating your privacy goals to your team, providing them with opportunities to engage with your privacy policies, and making it as easy as possible for them to comply. Instituting company-wide use of security and privacy measures like VPNs, encryption, and two-factor authentication can help you make privacy awareness the norm.

3. Plan for 2023 (and ’24, and ’25 . . .)

Another thing to reflect on as we enter a new year: didn’t that last one go by really fast?

There’s simply no stopping the future from rolling on in, and data privacy regulations are now evolving more quickly than ever before. By 2023, it’s estimated that modern data privacy regulations will cover 65% of the world’s population. 

That’s a lot of new privacy laws to keep up with. If you’re planning on staying ahead of new compliance demands, you’ll need to start future-proofing your privacy efforts today. And while you can’t perfectly predict the privacy demands of tomorrow, implementing a robust privacy program based on today’s best practices and current data protection laws will set you up for success as the years roll by.

4. Put the cookie jar down

Speaking of future-proofing, one of your priorities right now should be to move beyond reliance on third-party cookies. With data protection regulations like the GDPR requiring explicit user consent before most third-party cookies can be set, even major browsers are now phasing out third-party cookie support. 

Thankfully, the kind of cookies you eat is still on the table—and there are plenty of viable ways to move toward a cookieless future.

5. Build a robust preference center

As third-party cookies quickly become a thing of the past, the preference center is stepping up to become your new privacy best friend. Preference centers give your site’s users all the tools they need to opt-in or out of the collection or use of their data.

It’s a vital way to stay in compliance with privacy regulations and an easy way to build trust with your site’s users. 

6. Data mapping

One of the cardinal rules of responsible data collection: never collect or keep data you don’t need. 

But how do you get started if you don’t know what data you have? Enter data mapping, an irreplaceable tool for taking stock of the data you’re collecting, where it’s coming from, how (and how long) you’re storing it, and how it’s being used. 

Building one out should be a priority if you don’t have a data map yet. Thorough data mapping helps your company stay compliant and can serve as the first step toward effective preference centers.

7. Work with a privacy consultant

All of the above resolutions are well worth the effort, but when you’re navigating the increasingly complex world of privacy regulations, sometimes you just need some extra professional help.

Working with an experienced data privacy consultant is one of the best ways to ensure your efforts don’t go to waste. Letting privacy professionals take the lead this year can take the load off your shoulders while allowing for a more informed and comprehensive strategy.

Contact us if you’re ready to make 2022 your Data Privacy Year. We’d love to help you move your data privacy program forward.

Every action and adventure movie in the history of movies has a scene that looks like this:

IN SECRET LAIR — NIGHT

Hilariously funny computer-nerd sidekick with crushing social anxiety is talking with an uber-suave, secret super-agent about taking down moles in the government intent on destroying society as we know it.

Sidekick: Wait a second. Just wait. You’re saying we have to steal the bomb from the crazy secure military base? 

Secret super-agent: It’s the only way we can save the world. [smolder]

Sidekick: But that’s insane! Assuming we can even get past the ID checks at the entrance, there are five additional checkpoints between the front door and the vault where the bomb is stored. The final checkpoint requires a 25-digit passcode that is randomly changed every 30 minutes and retinal scans from four different people! 

[Sidekick begins pacing in front of a desk littered with random, techy-looking stuff]

IF, and that’s a big if, we make it through all that security, the vault is temperature- and pressure-controlled. Any unscheduled access triggers the alarm system and activates the laser-shooter/oxygen-deprivation/flame-throwing system. We will die if we can’t hack the system to schedule our currently unscheduled visit! Do you hear me?! DIE!

Secret super-agent: You can do it. I need you to do it. The world needs you to do it. [extra long smolder]

In that scene, the overworked and underpaid sidekick identifies factors that could interfere with successful operations. In other words, they’re conducting a risk assessment.

Luckily, running an excellent privacy program doesn’t usually involve saving the world. But that doesn’t mean you can get out of a thorough privacy risk assessment.

What is a privacy risk assessment?

A privacy risk assessment is a tool companies use to protect the personal information of natural persons (also called PII—think name, address, SSN, race, financial information, biometric identifiers, precise geolocation, etc.) from inappropriate use by the company, from processing that creates high risk to individuals’ rights or freedoms, and from exposure in a data breach. It helps a company identify, monitor, and resolve the issues that put internal and customer data at risk. 

While security against data breaches is essential, privacy risk assessments also consider your privacy practices in the scope of relevant privacy laws, current consumer expectations, and the risks to individuals. In short, they take the pulse of your privacy program. 

What’s more, a privacy risk assessment isn’t a one-off exercise, but according to the European Commission, a living, flexible tool that can help you safeguard your business and customers. 

These risk assessments go by several names—data protection impact assessments (DPIA is the GDPR term) or privacy impact assessments (PIA)—but their ultimate function is to reduce privacy risk factors and improve data management practices by providing a holistic view of the opportunities and challenges facing your company.

Why does my company need a privacy risk assessment?

PIAs aren’t just good risk management. Under a growing number of laws, they’re also a statutory requirement.

The European Union set the standard for regular risk assessments when it passed the General Data Protection Regulation in 2016. Nearly all data protection regulations passed since then have similar requirements and establish heavy fines for noncompliance.

Unlike many other countries, the United States doesn’t have a federal data privacy law. Instead, the US government has opted to take a sectoral approach, leaving the states to carry the burden of protecting consumers’ personal information. Legislation like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA) make it clear that moving forward, companies are going to be responsible for safeguarding the personal data they collect.

Regardless of your legal obligations, though, privacy rights will be a significant issue for consumers for the foreseeable future. Almost across the board, consumers have proven they’ll walk away from a company if they have concerns about privacy practices.

If you aren’t actively trying to manage your privacy risks, it’s going to cost you in the long run.

What are the steps in a privacy risk assessment?

Saying that you’re going to conduct a privacy risk assessment is kind of like saying you’re going to make cookies—there are a lot of techniques you can use and types you can make. But there are fundamental principles that work across the board.

To conduct a privacy risk assessment, you need to:

  1. Set the scope
  2. Establish responsibilities
  3. Map your data
  4. Analyze and review
  5. Make the appropriate changes (and notify stakeholders)

Set the scope

Not every PIA has to be organization-wide. If you’re changing a single process in your direct marketing program, you may not necessarily need to examine how your customer service department accesses your customers’ personal data. 

The scope of your PIA will be determined by the interaction between proposed changes and the privacy laws you need to comply with.

Under the GDPR, for example, a DPIA is required if you’re going to implement new technology, if you’re tracking the location or behavior of individual users, if you’re systematically monitoring a publicly accessible place on a large scale, if your data processing will be used in automated decision-making with legal ramifications, or if you’re processing data from children.

You’ll notice those examples don’t specifically name advertising or internal data processing as a trigger for a DPIA. And there are some exceptions in the law if you’ve recently conducted a DPIA for a reasonably similar situation. 

Looking for further guidance on when to conduct a PIA? Both the ICO and CNIL provide guidance on steps to take. 

Setting parameters for your DPIA will help you be as thorough as possible while also helping control your costs and timelines. 

Establish responsibilities

Let’s go back to the bomb-stealing action movie from the intro. Sometime after the “risk assessment” scene, there will be another scene where the heist crew will sit and go over their plan in minute detail, with every person listing off their responsibilities. 

You should do the same thing when prepping for a PIA. Every person involved in the process should clearly understand their role, how the chain of command works, and the deadlines.

It’s the same concept the American Red Cross uses when teaching people first aid (“You in the blue shirt! You call 911!”). Clear performance expectations eliminate confusion and improve performance, making the process more efficient.

Map your data

This step is the big one. If you get nothing else from this article, remember this:

YOU NEED TO KNOW YOUR DATA.

But getting to know your data doesn’t magically happen. You have to take the time to get to know your data. Buy it a cup of coffee. Ask it about its family. 

Just kidding. That’d create even more data. 

In all seriousness, you can get to know your data simply by creating a data map.   

We’ve written extensively about data maps, sometimes called data inventories, but at its core, data mapping explains what happens to every data record in your system. It will tell you:

  • What data you’re collecting
  • Who you’re collecting it from
  • Why you’re collecting it
  • Who has access to it (including third-party vendors)
  • Who you’re sharing it with or selling it to
  • How you’re using it
  • Where and how long you’re storing it 
  • Where it’s at risk for exposure

Basically, a data map is the fastest, best way to understand and identify privacy risks in your data management program. In theory, this should be information you know already. In practice, companies rarely completely understand what their data collection and management practices look like. 

Unlike the GDPR, US privacy laws don’t technically require companies to have a data inventory. But it’s hard to see how you could build an efficient compliance program without one. 

Analyze and review

Once you’ve built your data inventory and analyzed how the proposed changes will potentially affect the privacy of data subjects, you should have all the information necessary to address potential risks and be ready to implement the new technology or process. Feeling lost during the analysis and review? You should be looking to answer questions like:

  • Where are the weaknesses in our program?
  • How will changes or updates impact privacy operations?
  • Will our privacy notices need to change?
  • Do we have the correct consents in place?
  • Should contracts be drafted or updated?

Make the appropriate changes

Now comes the fun part—making the privacy changes that are going to move your business forward, build better relationships with customers, and stay compliant with all relevant laws.  

To make the changes you identified as critical through your privacy risk assessment, make sure you keep communication clear and consistent between team members, departments, and relevant stakeholders. Clear internal communications help fully integrate changes into your operations—and if you want to be super on top of it, make your updated privacy practices part of a privacy training initiative. 

When it comes to external communications, it’s also important to have a plan to notify customers of any substantive changes to your privacy policies or practices.

Take it one bite at a time

It’s always easier to manage large programs in small chunks, and privacy is no different. A big-picture strategy is vital in establishing a culture of privacy and managing priorities. Still, privacy risk assessments are much more effective when they’re a regularly used tool rather than an occasional exercise.

If you need help designing productive privacy risk assessment processes, let us help. We can be the sidekick that supports your efforts, or we can be the super-agent that creates a functional plan.

Either way, Red Clover Advisors is passionate about practical, pragmatic privacy solutions. Call us today to schedule a consultation.

There are a lot of *aaS-es in the world of cloud-based computing.

No, no. 

That’s not what we meant.

We’re talking about Xas-a-service options.

First, there was SaaS, or Software as a Service. Its roots go back to 1960s time-sharing, with terminals networked to a mainframe computer in a hub-and-spoke system, and SaaS has been in continuous evolution ever since as personal computers became less expensive and more popular. Businesses needed a way to preserve hard drive and server space while simultaneously making huge amounts of data and complex programs universally accessible to employees.

The rise of cloud-based computing meant SaaS became the norm for, well, everything. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) evolved to allow for new application design capabilities and meet the demand for virtual data centers.

But SaaS and PaaS aren’t the only players here. 

The rush of eCommerce, social media, and digital marketing, advertising, and communications in the 2000s and 2010s was transformative for our work and personal lives. We connected, communicated, and consumed in totally new ways, all of which generated massive amounts of data—without much oversight. 

It was a bit exhilarating for those who love working with data. But it was a lot concerning for those whose minds were on the privacy implications for all that data. 

Enter privacy regulations. 

These unregulated information collection and sale practices started coming to a screeching halt in 2016, when the European Union passed the General Data Protection Regulation (effective in 2018), the most sweeping comprehensive data privacy law the world had seen. 

The GDPR dramatically changed how businesses obtain consent to collect and process user information, leading governments around the world to follow suit and pass data privacy laws of their own. 

In the United States, the California Consumer Privacy Act, or CCPA, was the first comprehensive state privacy law enacted to protect American consumers. Colorado and Virginia have passed similar laws, and numerous states have bills ready for the 2022 legislative session. These laws have been driven, in part, by vigorous consumer privacy advocates, who have pushed for greater privacy protections and greater transparency from businesses. 

This seismic shift in how we view digital privacy, combined with new obligations for website owners, has created a new kind of *aaS—data privacy as a service, or DPaaS.

And businesses are working hard to catch up with both privacy laws and consumer expectations. 

What is DPaaS?

By definition, DPaaS is the outsourcing of a business’s privacy functions. 

So DPaaS helps with “privacy”…but what does that mean? 

It means a lot of things. Keeping your data collection practices in a state of ongoing compliance. Tracking your risk assessment across internal teams, external partners, and third-party vendors to reduce risks of data breaches. Helping scale privacy processes. 

DPaaS technology can utilize SaaS and PaaS solutions that:

  • Launch privacy notices at the right time
  • Manage cookie notification and consent processes
  • Identify cybersecurity risks
  • Assist in fulfilling data subject access requests (DSARs) or individual rights requests
  • Automate notifications and containment measures after a breach is detected
  • Enable compliance with multiple regulations across regional jurisdictions
  • Provide data backup, storage, or disaster-recovery services

Non-tech DPaaS solutions, on the other hand, can come through fractional privacy officers who provide experienced guidance on things like data inventories, vendor management, risk assessments, employee training, and overall privacy strategy. 

FPOs don’t just help with the meat-and-potatoes of privacy practices, though—they help you figure out how to implement DPaaS tech in a way that’s effective and sustainable for your company.

DPaaS vs. cybersecurity

We can’t get too much further in the DPaaS discussion without pointing out the differences between DPaaS solutions and cybersecurity measures.

Data privacy and data protection are a chicken-and-egg situation. They’re closely related, and you can’t have one without the other, but they aren’t the same thing.

Where data protection/cybersecurity is all about protecting data from unauthorized users, data privacy focuses on figuring out who can access data, when they can access it, and what they can do with it. 

Think of it this way:

  • Cybersecurity (aka data protection) stops a hacker or unauthorized user from getting access to a user’s personal information.
  • Data privacy is about how a business collects, uses, or shares an individual’s personal information, as well as how a business communicates its policies and the choices it makes available to customers.  

A good cybersecurity program will be built around privacy obligations (least privilege, network policies, and so on), but a good privacy program will also strengthen cybersecurity measures.

DPaaS for consumers

While privacy compliance is driving the development of  DPaaS right now, this increased focus on protecting privacy on an individual level is leading to the creation of privacy management apps and products for consumers. 

Crunchbase says that at least 207 privacy startups have raised over $3.5B in funding, and many of these companies are determined to make it easier for normal people to navigate the internet’s complex privacy landscape.

Some of these up-and-coming products let users figure out which businesses have collected and stored their sensitive personal information, while others help people track how businesses are using data they’ve willingly shared. 

No matter what the tool does, there’s no question that consumers are becoming far more privacy-savvy. That savvy, combined with consumers’ increased expectations for personal control of their own information, gives businesses plenty of reasons beyond compliance to get their privacy ducks in a row.

Benefits of DPaaS for businesses

Getting ahead of privacy is important. We’ve said it before—and we’ll definitely say it again. But there are lots of ways to build a privacy-first mindset in your business. Why should you consider DPaaS?

Decrease the risk of data breaches 

This reason, let’s be honest, is an important one for businesses. Data breaches are a problem. Data breaches in 2021 topped the already-record-breaking year of 2020—by 17%—and the year's not quite done yet. 

DPaaS solutions can identify and contain risks and reduce some of the human error that inevitably occurs, well, in any task that’s handled by people. 

Privacy improves your brand value—and customer relationships

Taking a transparent, consumer-friendly stand on privacy builds trust with your customers. When you make a clear, unambiguous commitment to protecting your customers' personal information and then take action to make that commitment real, your customers will trust you over competitors. Now, you can do this without DPaaS services…but….

DPaaS streamlines your privacy practices

Privacy operations can get pretty unwieldy. 

But with the right tools? You can build better—more up-to-date, actionable—data collections. You can automate privacy functions. You can manage data privacy requests from customers with ease. You can scale your operations smoothly.  

At least that’s the goal!

Is DPaaS right for you?

DPaaS, in theory, can help bridge the gap between where you want to be, privacy-wise, and where you are currently. 

According to IAPP, the world’s largest and most comprehensive privacy community, there has been a 17% increase in the number of companies exclusively dealing in enterprise privacy tech solutions.

But just because privacy solutions are technically available doesn’t mean that all businesses have the resources to implement them. DPaaS tools require knowledge of how privacy regulations work. 

What we’re really saying is that privacy solutions don’t necessarily equate to answers. In fact, products on their own are just one factor in the equation. The other factor is how you use them—or who you have to use them. 

Isn’t it ironic: Privacy is a team activity

Privacy expertise can be costly. It can be time-consuming to try to wrap your head around the newest privacy laws, only to have regulations shift on you at the last minute. (Yes, we’re looking at you, CCPA/CPRA!) 

But here’s the thing: when you incorporate DPaaS tech solutions with someone like a fractional privacy officer—the type of person who lives, eats, and breathes data privacy—you can get great results without spending hours trying to translate your jargon-filled privacy policy into something readable or deciphering the data inventory that your erstwhile head of legal wrote for your business. 

If you need help designing a compliant, consumer-friendly privacy program for your company, let us show you what Red Clover Advisors can do.

Until the mid-2010s, there were almost no comprehensive laws protecting digital privacy for anyone except children, and even those laws were few and far between.

This lack of government oversight gave industries almost no motivation to create best practices governing what types of data could be collected or how it could be used. While there were a few outliers, businesses generally assumed more was, well, more, and often collected more consumer data than they needed or could protect.

The rise of e-commerce and ad targeting technologies made consumer data the most valuable currency of the modern economy. And if history has taught us anything, it’s that bad guys can’t resist the currency du jour. Like pirates who hoarded treasure and outlaws who robbed trains, hackers started attacking everyone from major international corporations to regional companies to neighborhood businesses.

Add on top of that the misuse and sharing of data, and it’s easy to see why it became critical to put in place modern era privacy laws. 

The birth of digital privacy law

This surge of consumer outrage and government activism resulted in the most comprehensive privacy regulation to date, the European Union’s General Data Protection Regulation (GDPR). Passed in 2016 and effective in 2018, it completely changed the data privacy landscape for companies that operate in or collect information from residents of the EU.

The GDPR established regulatory obligations for all member countries, but so far the United States has opted for a sectoral approach, with laws for different sectors such as health (HIPAA), finance (GLBA) and email (CAN-SPAM). With no national framework, the country has instead drifted into a state-by-state patchwork.

With the California Consumer Privacy Act (CCPA), California was the first state in the U.S. to pass a comprehensive data privacy law. Virginia and Colorado followed suit this year, and a record number of state-level data privacy bills were introduced in 2021 legislative sessions.

What is consent?

Very little in privacy is straightforward, and that’s especially true when it comes to consent. Getting consent to collect an individual’s information doesn’t necessarily give a company the right to use or sell that information—unless that’s been clearly specified to the individual that’s how the data is going to be used. 

Building an effective consumer privacy program requires obtaining consent for the collecting, processing, selling or sharing, and storing of individuals’ personal data as well as for when and how you contact them.

Most countries require opt-in consent, but U.S. laws are more commonly centered on an opt-out model.

Yes, please! (How opt-in consent works)

Opt-in consent, the strictest of all consent requirements, is considered the gold standard of digital privacy best practices because it puts the burden of obtaining and managing consent squarely on the businesses that collect and process the data. Additionally, opt-in policies institutionalize and standardize privacy practices, giving all users fundamental protections online.

Under opt-in laws, a user must take clear, affirmative action consenting to the collection or data processing of their information. This obligation can be satisfied in several ways, including:

  • Giving users the opportunity to consent to the processing of their personal information, using clear and plain language
  • Placing unticked checkboxes on your website so users can choose whether their data is processed or sold (Note: because they don’t require users to actively agree to anything, pre-ticked checkboxes don’t meet the requirements of opt-in laws)
  • Using a cookie consent manager that allows users to accept or deny consent for specific categories of cookies

Most privacy laws with opt-in consent also stipulate that individuals who opt-in have a permanent and easily accessible way to withdraw their consent at any time. 

No, thank you. (What opt-out consent looks like)

Unlike opt-in frameworks, opt-out consent requirements make individual users responsible for protecting their personal information and managing how companies use it.

Opt-out systems default to giving companies the right to collect and process personal information as long as they have both notified users of their privacy practices and given them opt-out options.

In practice, this looks like those pre-ticked boxes that say “Yes! I agree to receive information about XYZ’s new cat-cleaning products, as well as emails from all of their partner companies.” Unless the customer removes the checkmark, the company and its vendors can do pretty much whatever they want with the data, from sending marketing emails every five minutes to selling the customer’s email address to the highest bidder.

Consent isn’t as black and white as it seems

Here’s the tricky part: consent is specific, and it’s also layered. Consent covers only the purpose the individual was actually asked about. Consenting to cookies isn’t the same as consenting to receiving marketing emails, and consenting to either isn’t the same as consenting to the sale of personal data. 

The type of consent needed depends on the governing regulations, but there are five general categories of consent:

  • Notice only (e.g. simply notifying users that tracking cookies are active on your site)
  • Implied consent (aka soft opt-in, meaning users are notified about privacy practices but continue using the site/make a purchase without activating any opt-out options)
  • Explicit consent (user gives clear, unambiguous consent for their data to be used in a certain way)
  • Mixed consent (exactly what it sounds like: this model employs notice only, implied, and explicit consent options depending on the function, i.e., notice only for strictly necessary cookies, implied consent for performance cookies, and explicit consent for advertising cookies)
  • Do not track/sell/share (under a pre-existing California law, websites must disclose whether they honor a browser’s “do not track” signal. If you sell data or share it with a third party, that may count as a sale under California law, meaning you need to give individuals the option to opt out. To make this easier, ad industry self-regulatory frameworks such as aboutads.info let users opt out of advertising and analytics tracking.)
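To make the opt-in, opt-out and layered-category rules above concrete, here is an added example in JavaScript (not code from the original post or from Red Clover Advisors). It models a per-user consent record: under the opt-in model every non-essential category starts denied and can only be granted by an explicit user action (a pre-ticked or implied source is rejected); under the opt-out model categories start granted but can be withdrawn at any time; strictly necessary cookies are notice-only; and a browser “do not track” style signal, passed in as a `doNotTrack` flag, forces the advertising and sale/share layers off. The category names, the `TAG_CATALOG`, and the `doNotTrack` flag are assumptions made for the example; persisting the record (for example in a first-party cookie) and the banner UI are out of scope.

```javascript
// Added example: a consent record that models opt-in vs. opt-out defaults and
// layered consent categories. Category names and the tag catalog are assumed.

// Layers of consent. "necessary" is notice-only: it cannot be refused.
const CATEGORIES = ["necessary", "performance", "advertising", "marketing_email", "sale_or_share"];
const NOTICE_ONLY = new Set(["necessary"]);

// Create a fresh record. model is "opt-in" or "opt-out"; doNotTrack models a
// browser signal the site has chosen to honor (an assumption for this example).
function createConsentRecord({ model, policyVersion, doNotTrack = false, now = () => new Date() }) {
  if (model !== "opt-in" && model !== "opt-out") {
    throw new Error("model must be 'opt-in' or 'opt-out'");
  }
  const state = {};
  for (const category of CATEGORIES) {
    if (NOTICE_ONLY.has(category)) state[category] = "not_required";
    else if (model === "opt-in") state[category] = "denied";   // nothing pre-ticked
    else state[category] = "granted";                          // opt-out default
  }
  if (doNotTrack) {
    // Honor the signal regardless of model: no ads tracking, no sale or sharing.
    state.advertising = "denied";
    state.sale_or_share = "denied";
  }
  return { model, policyVersion, state, history: [], now };
}

// Record a choice. source is "user_action", "pre_ticked" or "implied"; only an
// explicit user action can grant consent under the opt-in model.
function setChoice(record, category, granted, source) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
  if (NOTICE_ONLY.has(category)) return record; // notice-only: nothing to grant or refuse
  if (granted && record.model === "opt-in" && source !== "user_action") {
    throw new Error("opt-in consent requires an explicit user action");
  }
  record.state[category] = granted ? "granted" : "denied";
  // Keep an audit trail: what was chosen, how, under which policy version, when.
  record.history.push({
    category, granted, source,
    policyVersion: record.policyVersion,
    at: record.now().toISOString(),
  });
  return record;
}

// Withdrawal must be possible at any time, under either model.
function withdraw(record, category) {
  return setChoice(record, category, false, "user_action");
}

function isAllowed(record, category) {
  const s = record.state[category];
  return s === "granted" || s === "not_required";
}

// Consent granted under an older policy version should be re-asked, not reused,
// once the policy the user agreed to has changed.
function needsReconsent(record, currentPolicyVersion) {
  return record.policyVersion !== currentPolicyVersion && record.history.some(h => h.granted);
}

// Constructed tag catalog: which script belongs to which consent layer.
const TAG_CATALOG = [
  { name: "session-cookie", category: "necessary" },
  { name: "analytics-beacon", category: "performance" },
  { name: "retargeting-pixel", category: "advertising" },
];

// The tag loader should only ever load what the record allows.
function tagsToLoad(record, catalog = TAG_CATALOG) {
  return catalog.filter(tag => isAllowed(record, tag.category)).map(tag => tag.name);
}
```

The point of `setChoice` rejecting a granted choice from a `pre_ticked` or `implied` source is that the code, not the banner designer, enforces the opt-in rule; the `history` array is what you would produce if asked to demonstrate that consent was actually given.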

The secret sauce that fixes everything

Whether your business needs to implement opt-in or opt-out consent policies, you must understand the type of consent needed to set cookies on your website, send marketing emails, process data, and sell data.

As privacy consultants who excel at helping businesses develop compliant but practical consent solutions, we know that both opt-in and opt-out processes have enough in common that the steps for setting up both are basically the same.

According to OneTrust and our years of experience, these steps are:

  • Know your obligations

Not only do you need to understand which privacy regulations your business is subject to on a local, national, and even global level, but you also need to be aware of industry regulations (think HIPAA or the Gramm-Leach-Bliley Act) and vendor or customer contracts.

  • Understand your risks

Conducting a risk analysis will show you where your data is at risk. Poor vendor cybersecurity practices, lax internal permissions protocols, overaggressive data collection processes, or non-compliant marketing programs all expose your business to possible fines, breaches, and reputational damage.

  • Map your data

A data map, also known as a data inventory, documents the flow of data as it travels through your company. Several privacy laws mandate that businesses have a lawful basis for collecting information, and a data inventory will tell you what you’re collecting and from whom, why and how you’re collecting it, and where and how long you’re storing it.

Mapping your data is the best, fastest way to understand your data at a granular level, which makes getting compliant much, much easier.

  • Create a privacy-first culture

An opt-in or opt-out program won’t work if the people at your company—from the CEO to front-line employees—don't understand and believe in it. A privacy-first culture means every department plays a role in your privacy program and that privacy training is a regular part of staff meetings, company newsletters, and marketing outreach.

  • Set up individual rights requests processes

Virtually all privacy laws give individuals the right to change their opt-in/opt-out status, correct inaccurate information that’s been collected, or delete their information from a company’s database through a process known as an individual rights request.

It’s important to have efficient processes and clear lines of communication set up company-wide so you can meet the strictly mandated timelines for responding to and resolving a user’s request.

Consider building a preference center

A preference center is a page on your website or in your app that allows users to opt-in or opt-out of marketing communications, the sharing or sale of personal information, and even cookies quickly and easily. It’s one of the easiest ways to quickly get compliant.

Opt-in to our consulting services

At Red Clover Advisors, we have the experience and knowledge necessary to help you achieve your brand’s goals of becoming a privacy-friendly company that is compliant with privacy regulations and best practices. Give us a call today to see what we can do for you.

Hint: privacy is the right thing. 

Do the right thing as marketers to build trust.
Jon Dick, VP Marketing, Hubspot

For marketers, privacy can be a four-letter word. After all, your entire job is to get your message in front of as many people in your target audience as possible. 

But as people who specialize in creating and capitalizing on trends, most marketers also realize privacy is a trend with long-term staying power.

To be a successful marketing agency in this new privacy era, digital marketers have to understand the value consumers place on their privacy and understand an ever-growing body of privacy legislation. 

Consumers care about privacy. A lot.

Almost 92% of Americans are concerned about their privacy when they use the internet. The same number of people think companies need to be proactive about protecting the consumer data they collect. 

Most importantly, 87% of consumers think data privacy is a human right.

Driven in large part by the Facebook-Cambridge Analytica scandal and dramatic increases in major data breaches that have exposed millions of sensitive data records, consumers have started demanding increased transparency about the privacy practices of both their favorite companies and of the billion-dollar data brokerage industry.

In 2019, Cisco found that nearly one-third of consumers are willing to change how they shop online and who they shop with to protect their privacy. 

Businesses that ignore this groundswell of consumer support for privacy risk revenue and reputational losses. As a marketing agency, figuring out how to balance communicating privacy as a brand value with promotional messaging is crucial to your future success.

Governments care about privacy too

In 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect and changed consumer privacy forever. 

Widely regarded as the first comprehensive modern consumer privacy law, the GDPR strictly regulates how companies that operate in the EU or collect personal information from people in the EU can collect, process, share, and store that data.

The United States doesn’t have a comparable federal privacy law, but multiple states (California, Virginia, and Colorado) have passed comprehensive consumer privacy laws that are in some degree similar to the GDPR, and more laws are being passed every year. 

Even though best practices are still being established, regulations are just going to keep coming.

Privacy compliance checklist

Almost every type of marketing is impacted by privacy regulations. But don’t let that scare you! Successful, privacy-compliant marketing is doable. Here’s how.

1. Probe your privacy policies

When we say “your,” we mean your agency policy and your client’s policy. 

Why?

Most new privacy laws require compliance from both data controllers (the entity that decides why and how data is collected) and data processors (the entity that handles the data on the controller’s behalf, usually a vendor). Because data controllers can be held liable for data exposed in breaches of their non-compliant vendors, most companies won’t even work with vendors that haven’t updated their privacy policy.

As a marketing agency, you can be a data controller or a data processor. Sometimes you might be both, which means your privacy policy needs to be rock solid.

A few of the key points that your updated privacy policy should detail include:

  1. What personal data (name, address, phone number, email, location, etc.) you collect 
  2. Why (e.g. email marketing campaigns) and how (contact forms, cookies, weblogs, etc.) you collect the information you do, with whom you share it, and if you sell it as defined by the applicable law such as CCPA
  3. Who has access to the information you collect
  4. What choices the individual has and how the individual can make an individual rights request
  5. What data security measures you are using
  6. How you will tell your users about updates to your privacy policy 
  7. How and how quickly you will tell users about a breach

Once you know your privacy policy is up to regulatory snuff, you need to make sure it also matches up with your clients’ policies. 

If you have non-compliant clients, you can push them to create a new policy. Trust us, they will thank you for saving them from fines and injunctions.

And clients who already have an established privacy program will trust you more if you can prove privacy is as important to you as it is to them.

2. Cooperate and collaborate

To succeed in digital marketing, you have to be good at multitasking and at building relationships. These abilities can be a huge asset when it comes to privacy compliance.

Because your agency can be both a controller and a processor working across multiple systems, establishing strong, collaborative relationships with both your own IT and legal teams as well as your client’s IT and legal teams is critical to developing processes that actually work and do so smoothly for everyone.

3. Organize operations for opting-in or opting-out

Like the invention of caller ID, consumers love opt-in and opt-out regulations. 

Marketers…not so much. But it’s not as bad as it looks from the outside.

GDPR = opt-in

The GDPR is built on an opt-in foundation. For marketing purposes, companies subject to the GDPR generally cannot collect personal information from a consumer, share it, or contact the consumer without a lawful basis, which in practice usually means explicit consent. 

For marketers, this means that even if you have a huge email list with thousands of verified email addresses, with very few exceptions you can’t send emails to that list until you’ve verified the recipients have agreed to receive your emails.

CCPA/VCDPA/CPA = opt-out

By contrast, most US laws are based on allowing consumers to opt out of the collection, processing, sharing, or sale of their personal data. Under the new VCDPA and CPA laws, individuals need to opt-in to the use of their sensitive data. They can also opt out of receiving any marketing communication from you.

Opt-in to opt-in

Understandably, many marketers would prefer an opt-out system. Opt-out puts the burden on users to take action if they want to be left alone, which means you’ll probably be able to keep more data and continue contacting more people. 

While opt-in takes more work for you upfront and might initially shorten your email list, opt-in is the better, um, option long-term. 

Giving users the ability to choose the frequency and type of communication they receive from you and then honoring their choices will build more trust and loyalty with your target audience than any marketing campaign ever could.

If your users trust you, they’re far more likely to give you accurate information (no more fake email addresses!) and are also more likely to read whatever you send them. So instead of spending time trying to figure all that out, your marketing team can now spend their time nailing the message.

Basically, the more you let consumers ask to be left alone, the more effective your time together will be.

4. Vet your vendors

As an agency, you are a vendor. But, depending on your size, you might have vendors that help with things like production or analytics. 

You need to vet those vendors the same way your client vetted you. Read their privacy policy. Ask about how they protect the customer data you share with them. If there’s a mismatch, ask them to fix it or find a new vendor.

5. Analyze your access

As a vendor, one of the best ways to protect yourself is to make sure your relationship with your client is based on the principle of least privilege.

Under least privilege, your agency will only be given access to data that is key to your marketing work, which dramatically reduces the risk that data collected by your client will be exposed through a breach of your systems.

In addition to reducing your access to your client’s databases, make sure teams within your agency don’t have access to more sensitive consumer information than they need to do their job.

6. Scrutinize the social

Social media marketing is a fundamental part of every modern marketing campaign, and as such, has all the privacy challenges of regular digital marketing. But because social media is based on sharing and collecting information, there are special privacy considerations that must be addressed.

To be compliant with GDPR requirements, marketing agencies cannot use social media to manage remarketing campaigns unless users have explicitly consented to having their data processed. For example, in order for your business to remarket to an individual on Facebook, that individual would need to have consented to cookie placement. 

These expanded permissions structures are not necessarily difficult to create, but you need to make sure your agency fully understands the privacy laws your clients are subject to so you can help keep them compliant.

Privacy can be a powerful marketing tool

Privacy laws won’t end digital marketing, but agencies will have to innovate to come through this era of constantly changing guidelines and evolving best practices to survive. 

If your agency needs help designing and implementing privacy-centered processes, or if you want a partner that can help your clients up their privacy game, let's talk.

Ecommerce is big business. Really big business. Across the entire world.

In 2020, retail sales in the US declined 10.5% while ecommerce sales grew 18%.

Another statistic? 

Over 2.14 billion people are expected to spend $4.2 trillion purchasing goods or services online this year. 

As an ecommerce business owner, you probably know a lot about product lifecycles, inventory management, drop shipping, order fulfillment. But how much do you know about consumer data privacy law?

Privacy, please 

There is a lot of money in ecommerce, and the sensitive personal information ecommerce companies collect about their users is worth even more than their products. 

Where there’s money, there are bad actors. But it’s not only bad actors that consumers worry about. These sites gather and process a lot of data, and it’s important that individuals can trust how that data is handled.

The massive uptick in ecommerce has resulted in a massive uptick in the number of cyberattacks as well. Since 2015, approximately 45% of Americans have had their sensitive data exposed in a data breach. Partially driven by COVID-related surges in online shopping, 37 billion records were compromised in 2020, a 141% increase over the previous year and the highest volume since 2005.

And according to the University of Maryland, a hacker attack happens every 39 seconds.

Hackers are modern-day pickpockets. Like the Artful Dodger character in Charles Dickens’ Oliver Twist, hackers are drawn to crowds of distracted shoppers with (virtual) money in their pockets and identity cards (sensitive personal information) in their wallets (online accounts). 

Also like pickpockets, hackers try to steal all your information without anyone noticing. On average, it takes 266 days to find and fix a breach. Sometimes it takes longer, even years. 

Because they are so expensive both financially and reputationally, it’s in your best interests to do all you can to prevent and limit breaches.

Consumer privacy rights advocacy is gaining ground

In response to the growth of a data black market and the increasingly negative effects of identity theft, consumer privacy advocates have spent the past decade successfully lobbying governments for comprehensive privacy regulations governing the collection, use, and sharing of consumers’ sensitive personal data.

The best-known of these laws, the General Data Protection Regulation (GDPR), was passed by the European Union in 2016 and went into effect in 2018. GDPR requirements strictly govern the collection and processing of personal data by organizations that operate in the EU or collect information from individuals in the EU.

The GDPR isn’t the only privacy law out there. Many other countries have passed or are considering passing similar regulations. 

The United States doesn’t have a federal comprehensive privacy law, instead opting for a fractional approach that relies on states passing their own laws. California, Virginia, and Colorado currently have privacy laws on their books, and more than 30 states have data protection laws proposed or in the committee process.

But the GDPR, the grand elder statesman of consumer privacy protections, is still the most aggressive and comprehensive. Even if your e-commerce business isn’t subject to GDPR compliance, implementing processes that are GDPR compliant will ensure you are using privacy best practices and will increase your ability to adapt quickly to whatever new regulations come your way.

If your site is active in the U.S. only, the CCPA is the most comprehensive general data privacy law to which it is currently subject. It mandates that businesses act with transparency about how they collect, use, and disclose personal information.

Additionally, because of these laws, consumers are increasingly accustomed to seeing privacy notices, cookie banners, and opt-ins. Even if your company is too small to technically be subject to these laws, consumer expectations are changing: people now expect companies to have clearly articulated privacy policies that are communicated upfront. 

Privacy compliance checklist

Establishing good privacy practices can be overwhelming, but it doesn’t have to be hard. The recommendations below are common-sense steps to make your e-commerce company a privacy-friendly one. 

1. Improve your data security practices for both transactions and data collection

Whether your company is collecting data or acting as a data processor, you need to make sure the data that passes through your system, including data you share with vendors, is secure.

For example, since a user’s email address and password are protected categories of data, your site should be served over HTTPS with a valid TLS certificate so that data transfers, payment details, and user login information are encrypted in transit. And, hopefully, this goes without saying, but patches and software updates should be installed promptly.

Additionally, security measures like two-factor authentication for both customers and employees make it much harder for brute-force, password-guessing, and credential-stuffing attacks to succeed.

Internally, you should implement the principle of least privilege, which gives employees access only to the minimum amount of data needed to fulfill their responsibilities. Least privilege can mitigate the damage from phishing attacks, negligent network access practices, and malicious internal actors.

2. Complete a data inventory

Also known as a data map, a data inventory tracks every data record through your system, start to finish. This process allows you to fully understand what data you’re collecting from your customers, why you’re collecting it, and what you’re doing with it—information that is critical to creating an accurate privacy policy, managing individual rights requests, and complying with various privacy laws.

Data inventories also help you see where your data is vulnerable to exposure, whether due to poor cybersecurity or bad data collection practices (i.e. collecting too much data and storing it for too long).

3. Update your privacy policy

For a long time, companies could get away with posting generic privacy policies created from templates of incomprehensible legal jargon.

That is not the case anymore.

Every privacy law out there requires companies to update their privacy policies and post them in highly accessible parts of their website. These policies need to clearly and simply explain your actual data collection and processing practices (which you will know if you complete a data inventory) and include information about how users consent to data collection and processing.

Additionally, most privacy regulations require companies to give each individual the ability to correct or delete any of their personal information. Your privacy policy should detail how consumers can complete a data subject access request (DSAR, called an individual rights request in the US) to achieve those outcomes.

4. Set up and practice an incident response plan

The sad truth is that even the very best data privacy program can be hacked. The best way to limit the damage a hack can inflict on your company is to have an aggressive response plan.

To be effective, a breach response plan needs to be both aware of compliance obligations and informed by the needs of every department in your organization. The GDPR requires companies to report notifiable breaches to the relevant supervisory authority (the Information Commissioner’s Office, or ICO, in the UK) within 72 hours of becoming aware of them.

Seventy-two hours is not a lot of time to compile everything needed for reporting a breach. Additionally, depending on the applicable law and on what your own privacy policy promises, your business has obligations to notify consumers if their data has been exposed.

Managing all of those notifications and reporting requirements while simultaneously trying to re-secure data and communicate with stakeholders is very difficult to do if everyone doesn’t understand what they will be expected to do in the event of a breach.

5. Review your email marketing plan and cookie consent banners

Make sure that your email marketing campaigns comply with all privacy regulations and best practices. If your users trust you, they’re far more likely to give you accurate information and remain on your email list.

You should also make sure that your cookie consent banners are updated and accurate.

6. Make sure your website is PCI DSS compliant

Payment Card Industry Data Security Standard (PCI DSS) compliance isn’t just a technical solution. Everything from card readers to payment gateways is subject to these standards.

The good news is that if you accept payment through major processors like PayPal, Square, or Stripe and card data never touches your own servers, most of your PCI DSS scope is handled by the processor. You still have to complete the appropriate self-assessment questionnaire and keep the checkout page itself from being tampered with.

But since any business that is processing, storing, or transmitting credit card details needs to make sure their processes protect customers from identity theft by carefully following PCI guidelines for transaction security, it’s smart to double-check.

Need help?

If you owned a brick-and-mortar store, you wouldn’t wait to install locks on the doors, cameras over the windows, and alarms in the building.

As an e-commerce business, the internet is your store. Don’t put building a privacy program that is compliant, easy for customers to understand, and works for your business on the back burner.

Facing privacy challenges head-on will provide added value to your customers, reduce your operational risk, and mark you as a leader in your industry. 

At Red Clover Advisors, we are privacy nerds. We specialize in helping businesses of all sizes harness the power of data privacy to exceed customer expectations and stand out from their competitors. We offer everything from fractional privacy executive services to risk assessments to strategy design, all at an affordable price.

No matter where you are in your privacy journey, we can make you better without breaking the bank. 

Interested in learning what we’d recommend for your company? Schedule a consultation with us today.

Whether you work alone or for a big firm, as a certified public accountant, you know privacy is important. But with new privacy laws being passed every year, it’s about to be more important than ever.

While laws protecting consumers’ sensitive personal data online are less than a decade old, governments have been passing laws protecting financial information for decades—because everyone wants to protect their money. In fact, there’s even an IRS rule about protecting taxpayer data that applies to CPAs.

One of the big laws, the Gramm-Leach-Bliley Act, passed in 1999, removed restrictions created during the Great Depression that barred financial institutions from combining banking, investment, and insurance services together. But it also created regulations to make the collection and disclosure of private financial information between these groups safer and more transparent.

The full picture of data privacy

When it comes to privacy, CPA firms are often ahead of the curve. Because they’re handling their clients’ financial information all day every day, they understand that data is as valuable a currency as actual currency. What they often fail to understand, however, is that it’s not only sensitive personal data that is subject to privacy compliance regulations. Instead, all data (including HR data and marketing data), needs to be handled in accordance with current privacy regulations. 

New consumer privacy laws like the European Union’s General Data Protection Regulation (GDPR)  and the California Consumer Privacy Act (CCPA) have changed the game dramatically. Because different jurisdictions have different regulations, this also means that firms have to comply with privacy laws depending on where their clients are. Firms that have clients in the EU have to deal with GDPR, while those in California have to deal with the CCPA.  

Additionally, if all clients are in the U.S. but the employees of the clients live elsewhere, a firm could be subject to the regulations of the regions where their client’s employees live. On top of that, vendor due diligence requires companies to vet the firms they work with, and a CPA firm could lose the business if it can’t comply—and that includes both marketing and HR data, too.

Applicable to both CPA firms and their clients, these new laws provide both significant challenges and opportunities that smart CPAs can leverage to increase their credibility with clients and grow revenue by providing new services.

Accountants take everything seriously (as they should)

Privacy concerns are so important to CPA firms that the American Institute of Certified Public Accountants (AICPA) created their Generally Accepted Privacy Principles (GAPP), a play on the standardized Generally Accepted Accounting Principles (GAAP), in 2009.

To account for the changes in technology and legal considerations surrounding consumer privacy, the AICPA Privacy Task Force revised the GAPP in 2020 and developed a new Privacy Management Framework (PMF) that helps CPA firms address the business activities that involve collecting, creating, using, storing and transmitting personal information of individuals.

The PMF breaks privacy management into nine categories, each of which requires a strategy and execution plan:

  • Management
  • Agreement, notice, and communication
  • Data collection and creation
  • Data use, retention, and disposal
  • Data access
  • Disclosure of data to third parties
  • Data security for privacy
  • Data integrity and quality
  • Monitoring and enforcement of privacy program

Opening the curtain on privacy regulations

When the GDPR was passed in 2016, it set the benchmark for comprehensive consumer data privacy law worldwide.

It wasn’t alone for long.

Since then, California has passed not one but two data privacy laws, with Virginia and Colorado following close behind. Multiple states have bills proposed, and other countries do too. 

Consumer privacy protections are here to stay. While these laws have some significant differences, there are basic principles they all share, including:

  • Consumers have the right to know what information companies are collecting about them, why it’s being collected, what is being done with it, and who it’s being shared with.
  • Consumers have the right to correct and delete their information from a business’s databases.
  • Consumers have the right to stop the sale or sharing of their personal information with third parties.
  • Businesses are required to provide users with transparent privacy policies that explicitly detail their data collection and usage practices.
  • Businesses must protect the consumer data they collect using reasonable security measures.
  • If businesses share their users’ data with a third-party vendor, they must ensure that vendor is also compliant with regulatory requirements governing data processors.

CPA can also mean “crushing privacy accountability”

Unlike the privacy laws CPA firms are used to working under, laws like the GDPR and the CCPA are targeted towards protecting consumer information that is collected online. 

This means that some of the information you are now responsible for may not belong to your actual clients, and it won’t be just financial data. If you collect or store information about site visitors, if you are collecting email addresses for marketing purposes, or if you are privy to information about your clients’ clients, all of that data is subject to the same laws around privacy compliance as the data you use for your services is.

But here’s the silver lining: as CPAs, you probably have significantly more experience complying with privacy regulations than many of your clients do. If you put the time and effort into building a strong privacy program, not only will you be compliant, but you will also be able to help your clients do the same thing.

Whether you provide advice as a value-added service or by adding value to your fee services, having expertise in privacy compliance can make you invaluable to your clients.

Set a good example

Before you can embed yourself into your clients’ privacy operations though, you need to make sure yours are up to snuff.

Here are a few steps you can take today to put yourself on the right track.

  1. Hire a fractional privacy officer.

We know, we know. We told you we’d give you steps you can take. But hear us out.

To your clients, you’re the expert sounding board. We can be your expert sounding board. Red Clover Advisors can provide you with executive-level privacy strategy development, compliance roadmaps, and data management plans without you having to pay executive-level prices. Hiring RCA will allow you to ramp up your privacy program quickly and efficiently.

  2. Map your data

Mapping data, also called a data inventory, involves following your data records’ journey through your system, from collection to processing to storage to deletion.

Completing this exercise will tell you if you are:

  • Collecting too much data and storing it for too long
  • Getting bad data from users
  • Using security programs or vendors that put your data at risk for exposure

It will also identify which data falls under the privacy laws that your firm is required to comply with, as well as what needs to be included in your privacy notice.

  3. Check your cookie recipe

Your website probably has cookies, and it may not have the right banner in place to indicate this. But with all major internet browsers banning the use of third-party cookies, it’s time to start building up your system’s first-party cookies. You’ll get better data from them, anyway.

Also, most privacy laws have requirements about how and when you notify users about your cookies, and many have stipulations for opting-out or opting-in to cookie tracking.

  4. Update your privacy policy

We always recommend our clients get rid of privacy policies that read like something out of a law journal in favor of a brief, user-friendly description of the whys and hows and whos of their data collection and processing program. This open, transparent, and friendly approach to privacy will not only improve the user experience, but it will also mark you as a privacy-forward company.

  5. Train your team

Your employees aren’t going to be able to execute your own privacy program, let alone help your clients build theirs, if they don’t understand what they’re doing and why. A majority of data breaches are caused by human error, and training is your best bet at preventing simple mistakes from turning into costly headaches.

It’s going to matter to your clients

Because privacy laws hold companies responsible for data breaches through their vendors, it’s becoming common for businesses to select a CPA firm based on their privacy practices. Businesses will go through their due diligence processes and won’t hire a firm if they can’t comply with privacy laws or don’t have strong privacy and security practices.

Additionally, insurers are beginning to deny coverage to companies that don’t have adequate data privacy programs in place.

And most businesses aren’t ready. 

In December 2019, a month before the CCPA became effective, as many as 91% of companies hadn’t finished the compliance work they needed to do, and 34% had just barely started. With new privacy laws passing every year and old ones being constantly updated, it’s safe to say you have clients who need help.

As someone they already trust, your CPA firm has a real opportunity to solidify and grow your place in their processes by providing education, assessing the range and quality of their data privacy controls, and conducting security reviews.

And we can help you. If you want more information about how Red Clover Advisors can help you build a privacy program that helps your clients build theirs, call us today.

In a Latrobe, PA drugstore in 1904, apprentice pharmacist David “Doc” Strickler was challenged by a customer at the soda counter to make something “different.” Ice cream sundaes had been part of American cuisine for over a decade, but bananas had only recently become both affordable and widely available.

Looking at the bananas on his counter, the 23-year-old college student sliced the banana in half and topped it with chocolate ice cream covered in chocolate syrup, strawberry ice cream covered in strawberry syrup, and vanilla ice cream covered in pineapple syrup.

In a nod to the ever-popular sundae, he topped the whole thing with whipped cream, nuts, and maraschino cherries.

And the banana split was born.

But how is a banana split like a data privacy program?

We know. Going from the history of one of America’s most famous desserts to data privacy is a big leap. But stick with us and you’ll see what we mean.

Just like a banana split came out of years of incremental improvements in both ice cream making and freezer technologies in general, today’s data privacy landscape is heavily influenced by decades of technological advancements and consumer privacy rights advocacy.

And, just like a banana split has multiple layers that have to be assembled in a certain order, building an efficient, effective data privacy program requires a strong foundation based on methodical, step-by-step processes.

At Red Clover Advisors, we have the secret recipe you need to build a leading privacy program that will change the way your customers, your employees, and your industry view your company.

So put on your apron, grab an ice cream scoop, and let’s get started.

Step 1: Find your dish (or applicable privacy law)

Obviously, one of the things that sets banana splits apart from traditional ice cream sundaes is the inclusion of, well, bananas. Sundaes were usually made in the same funnel-shaped glasses as ice cream sodas, but those glasses weren’t designed to hold bananas (or multiple flavors of ice cream and syrups, for that matter). After the boat-shaped dish we associate with banana splits became common at soda fountains across the country, the ice cream game changed forever.

Just like the banana boat neatly contains the banana halves and catches all those tasty drips, privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) set the parameters for what your privacy program needs to be. (Hint: depending on your business, you might be subject to more than one regulation).

While we recommend building a program that goes beyond compliance and is capable of quickly adapting to regulatory changes, knowing which regulation(s) apply to your business is critical to ensuring you have the right functionalities built in from the beginning.

If you try adding the banana after you’ve scooped the ice cream, poured the syrup, and sprayed the whipped cream, you’ll end up with a mess that only partially resembles a true banana split. If you try to cram this concoction into a bowl that isn’t the right size, you’ll have an even bigger mess. And if you try to cram your existing privacy practices into compliance with data privacy laws retroactively, you’ll get about the same result.

Step 2: Slice your banana (or build your data map)

You can’t have a banana split without a banana, and you can’t build a data privacy program if you don’t know what data you are collecting, why you’re collecting it, who you’re sharing it with, and where you’re storing it.

A data map, also known as a data inventory, gives you all those answers and more. The data inventory process helps you understand exactly what happens to every data record that travels through your system. It also will show you exactly where your data is vulnerable to exposure, which is key to establishing the “reasonable security measures” required by most privacy laws.

Step 3: Scoop your first flavor (or, build your reasonable security measures)

Traditional banana splits have just three ice cream flavors: chocolate, strawberry, and vanilla.

We are going to make the “reasonable security measures” the chocolate scoop because its depth of flavor and decadence anchors the lighter, fruitier flavors, just like your cyber and information security anchors your privacy program.

Under newer privacy laws, companies that don’t take reasonable security measures can be held civilly (even criminally, in some cases) liable if a consumer’s personally identifiable information is exposed in a data breach. Protecting your data with multiple layers of security by checking up on your permission structures, acceptable use policies, internal password and network access practices, and IT protocols for staying on top of updates, patches, and licensing requirements will form the foundation of your breach prevention and response plans.

Step 4: Scoop your second flavor (or establish your data subject access request [DSAR] processes)

Nearly every privacy law requires you to give users a way to easily know about, correct, and delete the sensitive personal information you’ve collected from them. Also known as an individual rights request, a DSAR is how an individual consumer exercises that right.

DSARs (or individual rights requests) are limited in scope with specific requirements depending on the relevant laws. To achieve compliance, you will need an internal playbook that has been documented, tested, and reviewed, and your team needs to be trained on how to use it in order to respond appropriately to consumers within strict, statutory timelines.

Step 5: Scoop your third flavor (or write your company’s privacy policy)

Too often, companies put out a privacy policy full of what they (or their lawyers) think it should say rather than writing a document that accurately reflects their data privacy practices. Waiting to write the policy until you know your regulatory obligations, understand what happens to your data, have created a thorough infosec plan, and have established your DSAR processes means your privacy policy will match your actual data collection and use practices.

One more hint: ditch the four pages of dense legalese. Make your policy easy for your customers to understand. They’ll thank you.

Step 6: Pour your first syrup (or complete a risk assessment)

You can never fully eliminate your data’s exposure risk, but a thorough privacy impact assessment will reveal vulnerabilities and significantly reduce a hacker’s window of opportunity.

Step 7: Pour your second syrup (or test all your systems)

Once you’ve fixed whatever problems were uncovered by the risk assessment, testing your systems and processes before go-live will allow you to troubleshoot problems and avoid downtime so you can continue providing great and safe service to your customers. It’s also important to have regularly scheduled updates to your systems to ensure that all risks are mitigated.

Step 8: Pour your final syrup (or create an incident response plan)

A cross-functional incident response plan with input from all business-critical teams goes a long way in containing and limiting the impact a breach has on your data, reputation, and revenue—and once you have a plan, it’s critical to have it documented, printed, and reviewed or practiced annually.

Adverse events are usually much less adverse if everyone knows what they are supposed to do and trusts that everyone else knows and will complete their jobs too.

Step 9: Sprinkle the cookie crumbles (or evaluate and update your cookie practices and notifications)

Okay, technically this layer is supposed to be chopped nuts. But the pun was too good to skip, so we made it cookie crumbles instead.

To stay current with best practices and comply with current privacy laws, you need to make sure you know what cookies are on your site and what data they are collecting. And thanks to Apple, Google, and Mozilla, you should also be phasing out your third-party cookies. Then you can be confident your cookie banners are up-to-date and launching at the right time.

Step 10: Spray three whipped cream swirls (or training, training, training)

The fact that we’ve given three banana split elements the same part of a data privacy program should tell you how important it is.

Your data privacy program is only as strong as your employees’ understanding of it. Whether it’s five minutes in a staff meeting or a full-day symposium, consistently emphasizing how every action by every employee affects data privacy is key to building a company culture that respects and honors customers.

Step 11: Put the cherry on top (or sell it!)

Getting credit from your customers for being a forward-thinking, consumer-focused company is the sweet reward at the end of the long, privacy-program-building road. But you won’t get props if you don’t tell people what you’re doing. Turn your marketing team loose to sell your privacy program as the great value-add it is.

Enjoy a sweet treat

RCA excels at creating privacy-focused data strategy and digital marketing plans. We can help you build your privacy strategy and ensure your ongoing success. Contact us today to get started building your own data privacy banana split.

When you go on a road trip, you need to know where you’re going and how you’re going to get there. When you are building a data privacy and security program, you need to know the same things.

How to Plan Your Data Mapping Road Trip

Anyone who has used a map to plan a road trip knows there is more than one route to get you where you’re going. Some ways are faster than others, some have better views, and some are just a bad idea (driving from Iowa to Disneyland only on country roads under construction will still get you there, but probably not without a few flat tires along the way).

Building and managing compliant data privacy programs with proven best practices, or “good roads,” can save you time and money, reduce your risk of a data breach, and increase your customers’ trust in your commitment to them.

When it comes to data privacy, you need a data map.

Why you need a data map

New consumer privacy rights laws have created an urgent need for companies to understand how and why they are using the data they collect from their customers. 

The European Union’s General Data Protection Regulation (GDPR) mandates that businesses have a legal basis to collect and store sensitive consumer personal information. 

The United States employs a sectoral, or state-by-state approach to privacy legislation, and the state laws adopted so far mimic the provisions of the GDPR. The California Privacy Rights Act (CPRA), which will be operative beginning January 1, 2023, and the Virginia Consumer Data Protection Act (VCDPA) are moving US legal standards towards requiring a business purpose for the storage of consumer data.

A data map can help you make sure you are complying with all those requirements.

Packing the car

Packing the car for a road trip is an art as much as it is a science. You have to pack what you need for where you’re going, but you also have to prepare for what might come up while you’re getting there. 

That means packing snacks, bags in case someone gets carsick, games to alleviate boredom, music to keep you awake, earplugs to block out fighting kids, and ibuprofen for when the earplugs don’t work. 

Building the infrastructure and processes for your data privacy program is like packing your car for a road trip. You need to know where you’re headed (compliance!) and what you need to get there (a granular understanding of your data).

You need to know:

  1. What data elements, or types of data (name, address, phone number, username, password, financial data, location), you are collecting.
  2. Where the data came from (phone contact, online forms, messaging interfaces, etc.).
  3. Where, how, and how long you are storing your data (In-house? On a vendor server? In the cloud?).
  4. How each data element is used (in-house analytics? Customer outreach? Third-party applications like shipping management?)

How to build a packing checklist for your data

Data records play a key role across multiple business functions, so the best way to get a granular understanding of your data is to have a cross-functional team spend a day being a data record.

Working with IT, marketing, customer service, and operations teams, track a single piece of data through your entire system. Figure out all the places you are collecting data, all the types of data you are collecting, where it goes once it enters your system, who has access to it, and where it is vulnerable to breaches or corruption.

Small businesses may be able to track all this information in a spreadsheet, whereas mid-sized companies and larger companies probably need to automate the process using a software platform. But tracking this data is only half the battle.
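The four questions above and the findings a data map is meant to surface (data kept with no purpose, data kept too long, what the privacy notice must disclose, where to look when a DSAR arrives) can be expressed as checks over a small inventory. The following is an added example, not Red Clover Advisors’ tooling or method; the inventory rows and retention limits are constructed, hypothetical values.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DataFlow:
    """One row of the data map: a data element and its journey through the system."""
    element: str                 # type of data, e.g. "email address"
    source: str                  # where it was collected
    storage: str                 # where it is stored (in-house, vendor, cloud)
    purpose: str                 # why it is kept; empty means nobody could say
    retention_days: int          # how long it is kept before deletion
    shared_with: List[str] = field(default_factory=list)  # vendors / third parties
    sensitive: bool = False      # e.g. financial data, precise location


# Constructed sample inventory (hypothetical rows, not a real firm's data).
SAMPLE_INVENTORY = [
    DataFlow("name", "online form", "CRM (vendor)", "client onboarding", 2555, ["crm-vendor"]),
    DataFlow("email address", "newsletter signup", "email platform (vendor)", "marketing", 1825, ["email-vendor"]),
    DataFlow("financial data", "client upload", "in-house file server", "tax preparation", 2555, [], True),
    DataFlow("location", "website analytics", "analytics (vendor)", "", 730, ["analytics-vendor"]),
    DataFlow("phone number", "phone contact", "spreadsheet on shared drive", "client contact", 3650),
]

# Constructed retention limits per purpose, in days (hypothetical policy values).
RETENTION_LIMITS: Dict[str, int] = {
    "marketing": 1095,
    "client onboarding": 2555,
    "tax preparation": 2555,
    "client contact": 2555,
}


def over_collected(inventory: List[DataFlow]) -> List[str]:
    """Elements kept with no stated business purpose: the 'collecting too much data' finding."""
    return [f.element for f in inventory if not f.purpose.strip()]


def over_retained(inventory: List[DataFlow], limits: Dict[str, int]):
    """Elements kept longer than the limit for their purpose: the 'storing it too long' finding."""
    flagged = []
    for f in inventory:
        limit = limits.get(f.purpose)
        if limit is not None and f.retention_days > limit:
            flagged.append((f.element, f.retention_days, limit))
    return flagged


def notice_disclosures(inventory: List[DataFlow]):
    """Per element: purposes and third parties, i.e. the whys and whos a privacy notice must state."""
    out: Dict[str, Dict[str, set]] = {}
    for f in inventory:
        entry = out.setdefault(f.element, {"purposes": set(), "shared_with": set()})
        if f.purpose:
            entry["purposes"].add(f.purpose)
        entry["shared_with"].update(f.shared_with)
    return out


def dsar_locations(inventory: List[DataFlow], sensitive_only: bool = False):
    """Every storage location that must be searched to answer an access or deletion request."""
    locations: Dict[str, set] = {}
    for f in inventory:
        if sensitive_only and not f.sensitive:
            continue
        locations.setdefault(f.storage, set()).add(f.element)
    return locations


def vendor_exposure(inventory: List[DataFlow]):
    """Elements that leave the firm, grouped by vendor: the vendor due-diligence list."""
    vendors: Dict[str, set] = {}
    for f in inventory:
        for vendor in f.shared_with:
            vendors.setdefault(vendor, set()).add(f.element)
    return vendors


if __name__ == "__main__":
    print("No purpose:", over_collected(SAMPLE_INVENTORY))
    print("Over retention:", over_retained(SAMPLE_INVENTORY, RETENTION_LIMITS))
    print("DSAR search list:", dsar_locations(SAMPLE_INVENTORY))
    print("Vendors:", vendor_exposure(SAMPLE_INVENTORY))
```

Running it on the sample rows flags the purposeless analytics location data and the two over-retained elements, and lists every store a DSAR would have to cover.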

You also need to know the rules for using it.

Rules for the road

Just like seat belt laws and speed limits, the laws that govern data privacy vary by region and sometimes by industry. But there are basic rules that provide good markers for you to follow.

Rule 1: Go backward to go forward

One of the most common mistakes people make when building a data privacy program is to silo updating their privacy and cookie notices from their data mapping process.

It’s much better to start with data mapping—you need this knowledge in place before you can develop your privacy notice. 

When you know everything there is to know about your data and what you’re doing with it, creating a privacy policy to explain it all is a piece of cake.

And here is one more piece of advice: don’t create a privacy policy that is only four pages of legal speak. Although your situation might require a lengthy (and not particularly reader-friendly) privacy notice, that doesn’t mean you can’t also create a short, visually engaging summary containing icons and infographics to help your reader digest the information.

Rule 2: Don’t use cookie-cutter solutions

Nearly all data privacy laws around the world make it risky for companies to collect more data than they need and to store it for longer than they need to because these laws give consumers the right to, for example:

  • Know what information companies have collected about them
  • Correct collected data that is inaccurate
  • Delete data from a company’s database
  • Opt out of having their data shared and/or sold

These laws also require companies to take “reasonable security measures” to protect their data. 

There are two main problems with using a spreadsheet or an off-the-shelf software solution to handle the management of your data. One is that these solutions don’t take your company’s unique challenges into account, and the other is that implementing any tracking tool requires an understanding of privacy laws and risks.

One example—privacy laws don’t really specify what “reasonable security measures” look like, and the fines and penalties differ depending on which types of data are exposed if those measures are breached.

But if your business and the email marketing company are using the same software solution, they may recommend the same security measures. Even scarier, if you’re only using Google Sheets, you’re on your own to figure out what a reasonable security measure looks like.

Hiring a privacy consultant or fractional privacy officer who is an expert in identifying and resolving privacy risks can protect you from mistakes your DIY or off-the-shelf program might not catch.

Rule 3: Don’t make a map and then not use it

What’s the point of asking Siri for directions if you don’t listen to the answer?

As we mentioned earlier, data privacy isn’t the responsibility of just IT or just marketing or just customer service or just legal. 

Data privacy is the responsibility of every single person in your organization.

Another common mistake companies make in putting their data management program together is to let one team develop the data collection and storage protocols while a totally separate team develops the processes consumers use to file individual rights requests or data subject access requests (DSARs).

If these teams aren’t talking to each other, your consumer-facing protocols may not match up with your internal systems. Even though you were trying to do the right thing in creating these processes, isolating the two development efforts creates a mismatch that will make more work for you, put your data at a higher risk of exposure, and confuse your customers.

Just like with a road trip, the map comes first. Once your data map is finished, your whole team will be able to see the best route for employees and customers to take when interacting with your data assets.

Rule 4: Don’t forget to change your oil

No one wants to be that person stuck on the side of the road, holding up the hood of the car and staring down at a smoking engine while screaming kids standing in the tumbleweeds throw Goldfish crackers at each other.

Your car needs regular maintenance to be able to perform, both on trips to the grocery store and trips across the country.

A data privacy program is like a car—it needs regular checkups to run smoothly.

If you can update your privacy plans once a year, it will be exponentially easier to stay compliant with changing laws and best practices. 

We can be your privacy mechanic

At Red Clover Advisors, we believe in the power of data privacy to build trust, give more value than you take, and create great experiences. If you need help drawing or following your data map, we can help. Give us a call today to get started.


By now, you’ve likely heard talk about how important good data privacy practices are in today’s business environment. But it can be a lot of work to keep up with all the legislative changes guiding data security and management when you are also trying to grow your business, launch new products or services, or overhaul your customer service program.

But don’t worry—it is possible. The easiest way to start with a data privacy program is to stop treating data privacy as a separate cost and instead include privacy in everything you are already doing. 

Changing your CRM? Hire a consultant to help find the vulnerabilities in the program and train your employees on privacy-friendly practices. Launching a new product? Get an expert to perform a privacy impact assessment.

In fact, if you set up your data management properly, it should fit easily into your Environmental, Social, Governance (ESG) efforts, and there are many reasons to embrace ESG. Research shows that both consumers and investors are increasingly gravitating towards socially responsible businesses. This means that ethical trade and labor practices, sustainability, and the ethical handling of consumer data can all play an important role in attracting new customers to your business.

Let us take privacy planning off your plate. Contact the privacy experts at Red Clover Advisors today, and we’ll show you how easy and affordable privacy can be.

What is ESG, and why do you need it?

One of the buzziest of new buzzwords, ESG is defined by Investopedia as the operational standards socially conscious investors use to screen potential investment into a company.

Basically, ESG performance helps people find investment opportunities in companies with shared values.

ESG investing vs. ESG programs vs. CSR programs

ESG can refer to either an investment practice or a corporate program.

ESG investing is a more focused form of sustainable investing, while ESG programs are the practices companies implement to attract and retain ESG investors.

ESG programs can be thought of as the next step in the evolution of corporate social responsibility (CSR). CSR programs tend to focus on qualitative issues and policies, while ESG programs quantify a company’s impact on the environment, the value of relationships it builds in its community, and the controls it has in place to ensure ethical operation.

How does ESG relate to data privacy?

Even though privacy has not historically been considered an ESG issue, an increased focus on responsible data management has started a trend of including privacy-related disclosures in sustainability reports. This is especially true since the Global Reporting Initiative added a privacy standard. In fact, over the past five years, there has been a 920% increase in corporate commentary on data privacy issues.

The Facebook-Cambridge Analytica scandal, in which Facebook sold the personal data of nearly 87 million users to political operatives without user knowledge, dramatically changed the data privacy landscape. For the first time, the general public became aware of how fast and loose some companies were playing it with customer information.

The United States doesn’t have a federal law to mitigate data privacy risks, but after the GDPR was passed, the State of California set the US standard for data privacy by passing the California Consumer Privacy Act (CCPA). Soon after, Nevada and Virginia passed similar laws, and many more states have privacy legislation under consideration right now.

Historically, if data privacy has been included in ESG reporting, it has been under the S, or social category. With new, more aggressive privacy laws being passed every year, however, data privacy will likely be part of the G, or governance, and even the E, or environmental, reporting as well. 

Social

It seems obvious that corporations have a social obligation to protect the personal data of their employees and customers. Data breaches, which are increasingly frequent occurrences, have a significant impact on both corporate reputation and consumer confidence. 

The United Nations added the right to privacy to its Universal Declaration of Human Rights. The EU passed the aggressive General Data Protection Regulation (GDPR) in 2018, and other governments quickly followed suit. Consumers around the world are demanding increased control over how their sensitive personal information is collected and used.

All of these factors combined make it clear that data security and privacy will be key to the social piece of ESG programming long term.

Governance

Now that the COVID-19 pandemic has made remote work more common, it’s more important than ever for companies to take a proactive approach to building secure data management systems.

A failure to comply with strict regulations governing how consumer data is collected, used, processed, stored, and shared shows investors that company executives are dangerously unfocused on regulatory, political, and cultural trends. 

Aside from reputational damage, outdated data management practices expose companies to robust enforcement actions that range from steep fines, devaluations, and sanctions to criminal or civil liabilities for non-compliance or exposure of sensitive personal data.

ESG rankings have proven that companies with below-average performance on governance standards are more likely to take on unnecessary risk through mismanagement. Data breaches resulting from poor or nonexistent privacy programs are textbook examples of this kind of risk. 

Problematic data privacy practices may also lead investors to question a company’s accounting, labor, and environmental protocols.

Environmental

While data privacy’s inclusion in environmental ESG concerns is a new development, companies are starting to look for energy-saving ways to build and operate their data centers and server farms. It’s also becoming more common for employers to allow full or partial work-from-home positions to reduce pollution from employees commuting every day.

As data management technology continues to improve, it’s probable that companies will have more environmentally friendly options for their privacy practices.

Red Clover Advisors excels at helping clients build robust data management programs that go beyond compliance. Contact us today for a consultation.

Why ESG matters

Sustainable investing used to be a Dudley Do-Right approach to business based on avoiding backing corporations engaged in environmentally and ethically questionable practices. 

By contrast, ESG investment actively seeks to build up organizations that make responsible and transparent environmental, social, and governance practices part of their business models. Investors reason that if a company’s leadership team is involved enough with all their operational practices to make sure they meet ESG criteria, that company is likely to be a well-managed organization.

According to BlackRock, the world’s largest asset manager, there is currently a “profound, long-term structural shift in global investor preferences toward sustainability that is not fully priced into the market.” 

In 2017, The Economist published an article called, “The world’s most valuable resource is no longer oil, but data.” Because data is so valuable in today’s economy, it makes sense that governments and industries are trying to figure out how to regulate its use. 

It also makes sense that most businesses find this shift overwhelming. After all, you didn’t go to school to be a privacy compliance expert. 

Think of it this way—if the HVAC system in your office completely died in the middle of a heatwave, you probably wouldn’t try to fix the whole thing by yourself. You’d call a certified technician who could fix it at a reasonable price in a reasonable timeframe. 

If your feelings of dread are stopping you from starting or updating your privacy practices, consider hiring a privacy compliance expert to help you. 

Risks and opportunities within the privacy-ESG framework

According to OneTrust, a widely used technology platform that operationalizes privacy, security, data governance, and compliance programs, even tracking ESG initiatives can present a privacy risk if not done properly. In fact, OneTrust feels so strongly about this that they’ve acquired OneTrust ESG to help companies manage their ESG programs, bringing over 750 companies (including Airbnb, Time Warner, and Under Armour) on board. 

Because ESG initiatives are implemented across an organization and involve many stakeholders, it is critical to establish strict permission structures, clear role responsibilities, and transparent data collection and processing practices.

But including privacy initiatives in your ESG programs can be a great way to differentiate your company, earn free publicity for doing something you have to do anyway, and build trust with your consumers.

For example, Mastercard has embraced an ESG framework that treats data privacy as a sustainability issue. Their Audit Committee, which is tasked with identifying and reporting on business risks and opportunities, handles matters of ethics and compliance, including data use practices.

The sooner you start, the sooner you’ll be done

At Red Clover Advisors we believe passionately in the power of data privacy to build trust, give more value than you take, and create great experiences for your customers. We’ve helped hundreds of companies create privacy programs, achieve GDPR, CCPA, and US privacy law compliance, and establish a privacy and data strategy their customers can count on.

Get in touch today to learn how a great privacy program can make your ESG program more effective.