The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. 

However, the wait is over – the CCPA has been enforceable since 2020. (Yes, it’s been in effect since January 1, 2020, but it’s the real deal now, complete with final rules and all.)

A lot has changed since CCPA first rolled out. And a lot has REALLY changed since January. So what’s a privacy-minded organization to do if they need to get up to speed on falling in line with CCPA regulations?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law to date in the United States. Informed by cases of advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California.

CCPA is often said to be the lite version of GDPR. That’s not inaccurate, but there are some important differences to make note of now that we’re entering into the enforcement period of CCPA.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you’re in a compliance state-of-mind and thinking you should probably dig into whether or not you need to start scrambling, here’s the short answer for you. The CCPA applies to your business if:

  • You’re a for-profit business that:
    • Collects and controls California residents’ personal information AND
    • Does business in California AND
    • Has one of the following:
      • Annual gross revenues in excess of $25 million
      • Annually receives or discloses the personal information of 50,000 or more California residents, households, or devices
      • Derives 50% or more of its annual revenue from selling California residents’ personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines. (And it should – it went through numerous revisions to get where it is now.) There are seven articles with 42 sections total that cover how businesses can meet the regulations. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or any other synonym for “receiving” personal information? If so, you’re collecting consumers’ personal information. It’s relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean? Selling data can often be misconstrued. Yes, it can be the usual “I’ll give you x amount of money for y amount of data,” but under CCPA, it can also include sharing that data with a third party that uses it for its own purposes. If data is shared with a service provider and, per the contract, the service provider may use the data only to deliver the services, it would not qualify as a sale of data under CCPA.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to consider when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Do you collect and sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (all those pixels, cookies, etc.), internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let’s pause for a moment on the category of “identifiers.” Digital identifiers are a new and increasingly important part of personal information. Think about how much time people spend online and how many websites – and how many pixels – they visit. This alone is a substantial source of personal information that you need to be aware of. 

Transparency and notice obligations

Transparency! It’s not just a buzzy value to tout to your customers – it’s essential under CCPA. You can’t just tell customers you’re collecting data after the fact. You need to give customers four distinct types of notices so your data collection practices are crystal clear:

  • Notice of the collection of personal information
  • Customer opt-out rights
  • Financial incentive notice
  • Business’ privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn’t just about your writing style – it also means your website is set up in an ADA-compliant manner. The law requires privacy notices to be accessible for all users. That means you need to consider how individuals with disabilities and the technology used to help make websites useable, such as screen readers, will interact with the notices. 

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You’ve got to tell your consumers that you’re collecting their data at or before the time of collection and when you collect new categories or data in plain and straightforward language.
      • You’ve got to link to your “Do Not Sell My Personal Data” button on your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers have the right to access their data twice a year to confirm that you’re collecting their personal data and to get a copy of the data from the past twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers’ data with other parties? Your consumers have a right to know and they can ask to see what you’re sharing.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete any of their personal information. The catch: You have to provide them this right in an accessible format. 
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you to not sell their data.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • An individual’s use of their CCPA rights can’t affect the goods and services you provide them.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it’s even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to access their personal data in accordance with their rights.  

If you interact with customers in person, you need to provide at least two methods of contact, one being a toll-free number for requests. If your business operates ONLY online, you can get by with an email for submitting Requests to Know and Requests for Deletion. 

For requests to Opt-Out, you need to have two ways for consumers to achieve this and one of them needs to be through the Very Important “Do Not Sell My Data” link.   

Are you able to meet deadlines?

Under CCPA, you have 10 days to confirm receipt of a request to know or a request to delete personal information, and 45 days to complete the entire process. This can be hard, especially for busy small businesses, but it’s important to make it a priority. 

Think about: Verifying data

When a consumer submits a request to know or a request to delete their personal data, you have to verify their identity. However, under CCPA, verification is nuanced: make sure that you’ve trained your team THOROUGHLY on your process. (And to meet the 45-day timeline!)

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under the scope of CCPA, California residents have the right to sue companies if their non-encrypted and non-redacted personal information is subject to a qualifying data breach. This is a significant provision in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you’re found in violation of the CCPA, your company will be subject to civil enforcement actions. You’ll get a notice of non-compliance and 30 days to resolve the problem. If you don’t meet the 30-day deadline, you’ll be subject to an injunction and a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional one. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with their data. If you’re not doing the right thing with it, you’re not staying in compliance. (And of course, that’s an issue.) 

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 


We’re here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.

Brexit, personal data, and the GDPR.

Everyone’s talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).

There’s talk of economics and trade agreements, but data privacy isn’t exactly on the tip of everyone’s tongues. However, there are real issues regarding data privacy and Brexit to consider.

The General Data Protection Regulation (GDPR) is the EU’s main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”

According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

So if the UK is no longer a part of the EU, how will its citizens’ data be protected?

Basically, this is what will happen:

  • The transfer of personal data from organizations within the EU to organizations in the UK will be subject to strict data transfer rules, as outlined by the GDPR. It will be the responsibility of companies in the EU to ensure data transferred to businesses in the UK are lawful. 
  • The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU’s GDPR.
  • If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status. 
  • It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there’s no provision for data privacy when Brexit becomes official.

How does this affect businesses in the UK?

If a company is already GDPR-compliant, not much will change, especially if that company doesn’t conduct business outside the UK. However, if your business has data that flows between the UK and EU, you’ll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.

The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate. 

The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they’re not already. This step will prevent any interruption in the flow of data in and out of that business. 

Does Brexit affect U.S. companies?

In short, yes. Brexit does affect companies based in the United States.

Brexit has implications on the US-EU Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.

The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States. 

The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.

Top Three Brexit Tips 

  1. Review your data inventories to understand cross-border transfers and how they affect your company.
  2. Determine if your vendors are prepared for Brexit. If they aren’t, develop steps to appropriately manage the situation.
  3. Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.

If you’re still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary consultation. 


There’s a lot of uncertainty in the world right now. 

A global pandemic, major lifestyle changes, and increased isolation have turned our business worlds upside down. One thing remains certain, though. Red Clover Advisors is committed to providing trusted and practical privacy consulting services to our business community. 

By taking careful precautions and acting with sober judgement when it comes to remote work, we believe that together, our businesses can grow stronger and more resilient during this time.

Remote Work Best Practices

Security and privacy must be top of mind for remote work.

While the world is on lockdown, we get to connect more than ever online through the modern miracle of remote work. This presents a plethora of opportunities for your team to grow while getting creative about new ways to conduct business.

However, there are also a lot of new ways privacy and security risks can creep in and put your company in danger. 

As always, our team is prepared to help. 

In particular, we want to outline some of the privacy and security areas related to remote work that may affect your business. There are specific legal and practical steps you should be taking to keep your customers, your employees, and your business safe when it comes to remote work. 

Virtual Meetings

Conference calls and web meetings – aka virtual meetings – are at the center of making remote work successful. You’ll need to connect with colleagues and clients in order to move projects forward. 

There are major implications for virtual meetings, though. 

Just think about the situations when one meeting runs over, and the callers who dial in for the next meeting – on the same conference line – unwittingly overhear proprietary, client-specific, or competitor information. That’s a big no-no.

Virtual meetings must be set up correctly and procedures followed to a tee to avoid these unwanted privacy blunders from happening. Follow this checklist to make sure you’re doing it properly:

  1. Have a separate code for each virtual meeting you set up. 
  2. Schedule meetings to end at the 25-, 40-, or 55-minute mark. The extra five minutes will give users time to log off before new users log on. 
  3. Set a timer to make sure you don’t run over meeting times.

Although virtual meetings tend to be quicker than in-person versions, you should still take extra precautions to make sure they end on time for the sake of protecting sensitive information. This ensures your remote work will increase collaboration without causing an embarrassing or costly security or privacy incident.

Remote Work Connections

VPNs and intranets are essential for successful remote work. When they’re set up correctly, it makes a security issue far less likely.

If your company doesn’t have a process for setting up a secure VPN, now is the time to create one. It should be reviewed by executives and technical experts on your team. And everyone in your company should be trained about how to use it.

Other tips for keeping connections and data secure include:

  • Best practice dictates not allowing employees to use their personal devices for work activities. If they do, it’s critical they follow all the following steps.
  • Don’t allow employees to use public WiFi without a VPN.
  • Install the proper software, firewalls, and connection security controls required by your industry on employees’ work devices. 
  • Consider adding two-factor authentication to employees’ work devices and any tools from which they access work content. Google Authenticator, PingID and Authy all sync with hundreds of apps commonly used to protect data.
  • Make sure employees are aware of who can see their screens when working offsite. Screens shouldn’t be visible to others, especially when entering passwords.

One of the silver linings to the remote work cloud is the companies stepping up to provide free security resources to help organizations better protect their networks during this time.

Disinformation and Deepfakes

Even if your business is internally secure while pursuing remote work, outside threats are taking advantage of the situation. Fake news and deepfakes are at the center of this conspiracy.

A deepfake is Photoshopping for video. Using a form of artificial intelligence (AI) called deep learning, creators make videos of fake events, often superimposing faces on bodies. They’re common and convincing. 

Fake news and deepfakes can be weaponized to harm brands and undermine trust in companies and industries. It’s a possibility your company could be targeted by this disinformation while working remotely. It’s important you understand legal actions that can be taken against the perpetrators, as well as how to prepare and react to exposure of this kind.

Preparation is Your Ally

While businesses aren’t defenseless in this new remote work environment, protecting customers and individuals will require forward thinking, preparation, and diligence. Red Clover Advisors is here to help you navigate these issues and other topics as they arise. 

We’ve created The Remote Work Best Practices Guide to give you a detailed rundown of privacy and cybersecurity challenges to watch out for.

It’s a practical checklist you can implement with your remote work team today.

Please reach out if we can help explain any of these concepts or help you work through them. During this unprecedented time, we are thinking of you, your families, and your teams. We’re all in this together, and our team is prepared to provide assistance in all the ways we can.

COVID-19 remote work policy

COVID-19 is rapidly increasing the number of remote employees around the world.

For companies that already have a remote workforce, it’s just another day out of the office. But for a lot of businesses, this is new territory.

It’s hard enough to keep data secure when your employees are all in one place. Here are some tips and best practices to consider as you navigate the ever-changing situation regarding COVID-19.

Data Security and Remote Working Tips

#1: Talk to your employees.

Before you deploy your workforce to work remotely, hold a training. If they’re already at home working, host a digital training session.

Train your employees about cyber security. Be sure they know how to recognize hacking and phishing attempts that can put your company’s data at risk. Use this time to remind your team of best practices.

This includes:

  • Don’t use public WiFi without using a VPN. Check out our top 10 security tips for SMBs.
  • Pay attention to who’s around when working offsite. Be sure others can’t see your screen or watch you enter a password.
  • Don’t use personal devices for work.

#2: Maintain a team atmosphere.

While your team is working remotely, bring them together via a digital platform to give them timely updates and reminders. This will help keep data security top of mind and energy focused on work.

#3: Address software concerns.

Be sure your employees’ devices are as secure as possible with the proper software, firewalls, and connection security controls required by your industry. You may also want to consider two-factor authentication for employee devices.

#4: Enable remote connections.

If your team can directly connect to the business network, there are fewer chances of a data security hack. Be sure your company has a process for this and your team knows how to use it. Things like VPN and intranets are helpful.

#5: Have a shut-down process.

You need to have a policy in place for when an employee thinks or knows his or her account has been compromised. Ensuring your team knows this protocol will allow them to act swiftly and limit data privacy and security concerns.

COVID-19: Reminding Us Why We Need a Business Continuity Plan

Another item to consider in the wake of COVID-19 is your Business Continuity Plan.

It’s one of those things people often don’t think about until it’s too late. If you aren’t familiar with the term, a Business Continuity Plan is a process that helps you create a system of prevention and recovery from potential threats to a company.

The plan ensures personnel and assets are protected and able to function quickly in the event of a disaster – in this case, COVID-19.

If you don’t have one in place, here’s a simple roadmap to get started and help prevent major downtime for your organization:

  1. Identify the scope of the plan.
  2. Identify key business areas to address in the plan.
  3. Identify critical functions of your company and team members.
  4. Determine the acceptable amount of downtime for each critical function.
  5. Identify crossover between business areas and functions.
  6. Create a plan to maintain operations.

While a strategic version of a Business Continuity Plan may be a long-term project for your company, now is as good a time as any to get started.

To save time, assign one piece of the plan to a few leadership team members and then come together to ensure it’s cohesive. It’s also important to train employees on their various roles and timelines should this plan need to be implemented.

If you don’t have a Business Continuity Plan, it can be difficult and, in some cases, nearly impossible to get your team and systems mobilized in the midst of a crisis. This can damage your reputation in the marketplace and cost you real money while trying to regain operations.

Additionally, the law requires nearly all businesses to have this sort of plan for emergencies. So if you don’t have one, you’re in violation of the law. And if you’re audited, you’ll be fined.

We all need a little push sometimes to take the time to do things we know need to happen but haven’t yet made a priority. Why not use this as your reason to create official policies and procedures regarding remote working and data security, as well as Business Continuity Planning?

As we all continue to navigate the balance between normalcy and safety during this pandemic, remember to keep data privacy top of mind for yourself and your employees.

If you want to talk about how remote working could impact your business’s functionality when it comes to data privacy, or if it’s time to dust off – or create – your Business Continuity Plan, contact Red Clover Advisors today.

Complete 2020 Privacy Compliance Checklist

Privacy compliance is no piece of cake.

In 2019 alone, the business world saw a shakeup brought on by a slew of new state laws and year one of the General Data Protection Regulation (GDPR) implementation. 

And the companies that came out on top had a few things in common: transparent messaging to consumers, a privacy-centric re-brand, and tricked out privacy policies that used eye-catching marketing tactics. 

We know what it took to win at privacy in 2019. But what will privacy best practices look like in 2020 and how can brands – both big and small – get it right?

To answer that question, we’ve created an authoritative guide on what to expect in the year to come and a complete 2020 privacy compliance checklist to keep you on track.


The 411 on the CCPA.

What did U.S. companies learn from their General Data Protection Regulation (GDPR)-readiness exercise last year? 

That GDPR took longer than expected. 

Hopefully, they learned key lessons. They can leverage these as they face the challenges of the fast-approaching and complex California Consumer Privacy Act (CCPA). This law is slated to take effect January 1, 2020.

That’s right. Their work is not done.

Although they have a greater advantage, they cannot assume their systems will support CCPA or any other forthcoming privacy regulations. Why? Because more than likely they focused on implementing the GDPR-type standards to European data and not to the U.S. data. 

The question on everyone’s mind is how the two privacy laws differ.

Yes, the CCPA mirrors the EU privacy law. It does this in that it allows people to ask companies what personal information is collected about them and why. Consumers can also request their data be deleted. But the differences are complex. And the requirements are somewhat nuanced.  

Regarding the collection and sale of personal information, GDPR only allows companies to ask consumers to “opt-in,” while California’s law enables consumers to opt-out. Arguably, it’s the most important right the California Consumer Privacy Act provides to California residents. 

“Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” 

That’s why the California Consumer Privacy Act requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information.”  It also requires you to include a phone number in your privacy notice. This might change to be a phone number OR email address. An amendment is waiting in the wings.

The California Consumer Privacy Act is top-of-mind for businesses nationally and globally.

California is the fifth-largest economy in the world. So the CCPA’s impact is expected to be global. Understand the timeline and key deadlines of the California Consumer Privacy Act. It will help you differentiate the law from the GDPR, which did not involve amendments.

  1. May 31, 2019: The last day for amendments that were introduced in the Assembly (lower house of the CA Legislature) to move out of their house of origin to the Senate for committee process. A bevy of amendments to the CCPA have wound their way through the CA Legislature. This cleared up some of the law’s murky compliance requirements. What constitutes “personal information” was a part of this. Only twelve bills survived passage through the lower house.
  2. September 13, 2019: The final day for the state Senate (the upper house) to vote amendments into the law. Industry lobbyists would like to keep pushing for more changes right up until the law goes into effect. However, that’s not to be.
  3. October 13, 2019: The final day for the governor to sign or veto any bill that survives the Senate.
  4. January 1, 2020: The CCPA is slated to take effect. The individual rights requests will start coming in around this time.
  5. On or before July 1, 2020: Enforcement will only begin six months after the adoption of the AG’s regulations – or July 1, 2020 – whichever is sooner. But don’t breathe a sigh of relief that you’ll be getting a grace period. The state can bring enforcement actions from instances of noncompliance during those first six months.

Robust aptly describes the GDPR compliance process. “Murky,” “complex” and “flawed” are words used to describe the California privacy law. Hence the flurry of amendments submitted to give businesses more clarity before the law takes its final form.

Back up to the beginning for perspective.

In early 2018, millionaire real estate developer Alastair MacTaggart spearheaded California’s new consumer privacy law. His original intention? Gather enough signatures to qualify a privacy initiative for the ballot in November 2018. 

Spending about $3 million of his own money, MacTaggart created an initiative more than 33 pages long. Had voters approved it in November, the Legislature wouldn’t have been able to amend it in the future. This would have caused problems for stakeholders. Almost every industry recognized that the initiative had significant issues.

So the California Consumer Privacy Act (Assembly Bill 375) is considered a compromise: a truce between consumer privacy advocates, legislators and businesses that may have been put together too hastily, and one that resulted in glaring errors.

Words matter in the CCPA.

We’ve already pointed out the importance of understanding the definition of “sale” in the CCPA. There are other words worth defining.

The GDPR’s scope is broad. The CCPA, by contrast, applies its rules to a for-profit “business” that does business in California and that meets one or more of the following:

  • Generates an annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices
  • Controls or is controlled by an entity meeting the above criteria and shares common branding with it

The definition of personal information is broad in the CCPA. It’s defined as any information about a particular Californian consumer, household or device. The non-exhaustive list of examples includes:

  • names
  • aliases 
  • addresses
  • emails
  • account names
  • social security numbers
  • medical information
  • passport details
  • IP addresses
  • phone numbers
  • PINs
  • geolocation

The California statute says a consumer is a resident of California, period. You don’t need to enter into a transaction with a person for him or her to qualify as a consumer.

Understand that non-compliance can be extremely costly to your company. 

For data breaches, consumers may be able to sue for up to $750 for each violation. Residents can also choose to bring class action lawsuits and seek statutory damages of up to $750 per consumer per incident.

Doesn’t sound like much, right? That’s until you consider most privacy breaches involve hundreds of thousands of records. 

Even if you don’t have a data breach on your hands, you’re not off the hook. The CCPA can slap a $2,500-$7,500 fine on you simply for non-compliance.

For intentional violations of privacy, the state attorney general can sue for up to $7,500 each. The law requires consumers to provide written notice to a business within 30 days of a violation before they can take legal action.

Companies have 30 days to “cure” (fix) the issue. The law doesn’t define what a “cure” would entail, and 84% of businesses say they’re anxious as they await clarification of the term “cure” as it relates to violations.

You also have to consider the potential damage to your company’s reputation, plus the subsequent loss of revenue you stand to suffer from decreased consumer confidence caused by lawsuits.

Customers expect you to comply. If you’re not compliant, it could cost you the trust of your existing and potential customers. And the loss of trust means the very real loss of dollars on your bottom line.


A CCPA readiness plan at your company should be underway.

Most companies surveyed said that it took seven months or longer to wrangle their data into GDPR compliance. A key issue was the lack of preparedness.

For U.S. businesses specifically, lack of experience was the key issue. European companies, unlike their counterparts in the U.S., have been dealing with complex and multi-jurisdictional privacy issues for 20-plus years.

And don’t be tempted to take a “wait and see” approach on the assumption that the statutory language will settle in September in a way that gives businesses an advantage. It won’t. If anything, it’ll expand the private right of action for consumers.

Take this big step now.

Create a data inventory by surveying all aspects of your business, from Marketing to IT to Vendor Management, and every point where you receive information from any source and in any format.

Lots of companies collect data and rely on selling it, yet have no record of where all that data being sold actually lives. In other words, find all the places where data could be hiding.

Whether or not they are already GDPR compliant, companies may need to add a column flagging whether a data-use case involves data “selling” (tracking the categories of personal data transferred to third parties) and a column indicating whether the data was only collected more than 12 months ago and is therefore potentially exempt.

That’s for starters.


Conclusion: These types of privacy law requirements aren’t going away. 

Let’s say you don’t fall under the GDPR or CCPA today. It’s still only a matter of time before you’ll have to transform your organization’s practices to comply with state, federal or international law. 

More and more states are gearing up for similar regulations coming down the pipeline. This includes Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island. So are countries like Brazil (effective August 2020) and China.

Our advice: Don’t reinvent the wheel every time there’s a new regulation. Don’t rely on piecemeal technology solutions. Instead, work closely with a technology services partner who understands the details of each regulation. 

Remember, the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run.

Schedule a short consultation with our team of experts today. 

We’ll review your business and marketing materials to ensure they’re CCPA compliant and on time. 

95,000 complaints have been filed under the GDPR.

41,502 data breaches have been reported since it went into effect in May 2018.

And a $57 million fine was levied against Google for failing to follow the mandate.

These shocking numbers underline the fact that, even though the GDPR compliance deadline passed a little over a year ago, implementation isn’t over yet.

Nor will it probably ever be.

That’s because parts of the GDPR mandate, including data inventories, aren’t projects to be checked off a list. Instead, they’re processes to be maintained and improved over time.

Your business changes over time. And a lot of time – a whole year – has gone by since GDPR went into effect. You likely added new vendors, collection points and processes. 

All that needs to be captured in your data inventory.

And while it’s time for you to dust off GDPR compliance best practices for all areas of your business, one of the most important is an accurate set of data inventories. 

What Is a Data Inventory?

Data inventory. Data mapping. Records of processing activities. Article 30 report.

If any of these sound familiar, then they all should, because they all refer to the same thing: what the GDPR calls a data inventory.

Data inventories help companies understand the data they have from start to finish, including all the third parties the company uses and all the systems on which it relies.

It means that you know what specific pieces of information you’ve collected about each person and exactly where each of those pieces of information is stored.

Data inventories are critical. 

They significantly influence the way you construct your privacy notice and individual rights process and policy. There’s no way to create these documents when you don’t know what data you have, how it’s being used, and where it’s stored. 

And those are the exact items you need to include in your policies.

Data inventories also show companies what information they actually need to be collecting. With GDPR in place, it’s a risk to collect and store data you aren’t using. It’s better to ask users only for the information you need for operating purposes.

Reviewing your data will tell you whether you’re collecting too much data, or not enough.

Collecting the Minimum Amount of Data

Data minimization – only collecting the minimum amount of information you need – isn’t just a nice suggestion.

In reality, it’s the basic privacy mantra required by GDPR: Collect only what you need for business purposes.  

What’s the thought process here?

The GDPR’s premise is that the more data you have, the greater your organization’s responsibility to protect it. In other words, more data = increased risk.

And let’s be honest, no business wants increased risk.

This can bleed into other areas of compliance, too. For example, after completing a data inventory, one company identified the sales team was sending emails manually through Outlook. 

At first glance, it’s no big deal. 

But when you consider that this prevents any kind of tracking of data, specifically email opt-outs, a picture starts to form of why this process is dangerous.

GDPR absolutely requires automatic opt-outs. Outlook, like all other email clients, doesn’t support this functionality.

The solution to this problem was to move to an email service provider (ESP). This software allows you to segment, send more efficiently, and most importantly in this case, provide a GDPR-compliant unsubscribe option. 

The point isn’t just that you’ll be following GDPR by using an ESP to send all your sales, marketing and customer emails. 

It’s that the company pinpointed this massive shortcoming by executing a data inventory.

Being Smart About Vendor Selection

One of the most underrated and perhaps largely unknown values of doing a data inventory is identifying quality and reliable third-party solutions.

If you choose your vendors out of a hat and hope for the best, you’re not alone.

But hope isn’t a good strategy when choosing a third-party solution. 

After all, these will be the people who act as an extension of your team, who might handle sensitive information and important details. 

Data inventories can help you vet your options.

And they can help you choose the ones who will be compliant with privacy laws.

Conclusion: Data Inventories are Critical to Privacy Compliance

So what’s the big deal with data inventories?

Companies need to maintain quality data inventories to comply not just with GDPR. They’re also helpful for pending laws such as CCPA and others coming down the pipeline. 

All the privacy laws are primarily about protecting personal data. And you can’t be compliant if you don’t know what data you collect, store, and use. You also have to consider that different privacy laws, such as the CCPA, use slightly different definitions of what constitutes “personal data”.

It can get a little overwhelming.

That’s why we created comprehensive resources in everyday language like the GDPR Checklist & Workbook and the CCPA Compliance Guide. They’re designed to help you tackle these privacy updates in the least amount of time, effort and expense.

And if you need a helping hand when it comes to updating existing data inventories or just getting started with data mapping, schedule a time to talk to one of our experts.