
What did U.S. companies learn from their General Data Protection Regulation (GDPR)-readiness exercise last year? 

That GDPR took longer than expected. 

Hopefully, they learned key lessons they can leverage as they face the challenges of the fast-approaching and complex California Consumer Privacy Act (CCPA), which is slated to take effect January 1, 2020.

That’s right. Their work is not done.

Although GDPR-ready companies have a head start, they cannot assume their systems will support CCPA or any other forthcoming privacy regulation. Why? Because more than likely they applied the GDPR-type standards to European data and not to U.S. data.

The question on everyone’s mind is how the two privacy laws differ.

Yes, the CCPA mirrors the EU privacy law in that it allows people to ask companies what personal information is collected about them and why, and consumers can also request that their data be deleted. But the differences are complex, and the requirements are somewhat nuanced.

Regarding the collection and sale of personal information, GDPR only allows an “opt in” model, while California’s law lets consumers opt out. Arguably, it’s the most important right the California Consumer Privacy Act provides to California residents.

“Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”

That’s why the California Consumer Privacy Act requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information.”  It also requires you to include a phone number in your privacy notice. This might change to be a phone number OR email address. An amendment is waiting in the wings.

 

The California Consumer Privacy Act is top-of-mind for businesses nationally and globally.

California is the world’s fifth-largest economy, so the CCPA’s impact is expected to be global. Understanding the timeline and key deadlines of the California Consumer Privacy Act will help you differentiate the law from the GDPR, which did not involve amendments.

  1. May 31, 2019: The last day for amendments that were introduced in the Assembly (lower house of the CA Legislature) to move out of their house of origin to the Senate for committee process. A bevy of amendments to the CCPA have wound their way through the CA Legislature. This cleared up some of the law’s murky compliance requirements. What constitutes “personal information” was a part of this. Only twelve bills survived passage through the lower house.
  2. September 13, 2019: The final day for the state Senate (the upper house) to vote amendments into the law. Industry lobbyists would like to keep pushing for more changes right up until the law goes into effect. However, that’s not to be.
  3. October 13, 2019: The final day for the governor to sign or veto any bill that survives the Senate.
  4. January 1, 2020: The CCPA is slated to take effect. The individual rights requests will start coming in around this time.
  5. On or before July 1, 2020: Enforcement will only begin six months after the adoption of the AG’s regulations – or July 1, 2020 – whichever is sooner. But don’t breathe a sigh of relief that you’ll be getting a grace period. The state can bring enforcement actions from instances of noncompliance during those first six months.

“Robust” aptly describes the GDPR compliance process. “Murky,” “complex” and “flawed” are the words used to describe the California privacy law, hence the flurry of amendments submitted to give businesses more clarity before the law takes its final form.

Back up to the beginning for perspective.

In early 2018, millionaire real estate developer Alastair MacTaggart spearheaded California’s new consumer privacy law. His original intention? Gather enough signatures to qualify a privacy initiative for the ballot in November 2018. 

Spending about $3 million of his own money, MacTaggart created an initiative of more than 33 pages. Had voters approved it in November, the Legislature wouldn’t have been able to amend it in the future. This would have caused problems for stakeholders, and almost every industry recognized that the initiative had significant issues.

So the California Consumer Privacy Act (Assembly Bill 375) is considered a compromise: a truce between consumer privacy advocates, legislators and businesses that may have been put together too hastily, and it resulted in glaring errors.

 

Words matter in the CCPA.

We’ve already pointed out the importance of understanding the definition of “sale” in the CCPA. There are other words worth defining.

The GDPR’s scope is broad. The CCPA, by contrast, applies its rules to a for-profit “business” that does business in California and meets one or more of the following criteria:

  • Generates an annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices
  • Controls or is controlled by an entity meeting the above criteria and shares common branding with it

The definition of personal information is broad in the CCPA. It’s defined as any information about a particular Californian consumer, household or device. The non-exhaustive list of examples includes:

  • names
  • aliases 
  • addresses
  • emails
  • account names
  • social security numbers
  • medical information
  • passport details
  • IP addresses
  • phone numbers
  • PINs
  • geolocation

The California statute says a consumer is a resident of California, period. You don’t need to enter into a transaction with a person for him or her to qualify as a consumer.

 

 

Understand that non-compliance can be extremely costly to your company. 

For data breaches, consumers may be able to sue for up to $750 for each violation. Residents can also choose to bring class action lawsuits seeking statutory damages of up to $750 per consumer per incident.

Doesn’t sound like much, right? That is, until you consider that most privacy breaches involve hundreds of thousands of records.

Even if you don’t have a data breach on your hands, you’re not off the hook. The CCPA can slap a $2,500-$7,500 fine on you simply for non-compliance.

For intentional violations of privacy, the state attorney general can sue for up to $7,500 each. The law requires consumers to provide written notice to a business within 30 days of a violation; they can then take legal action.

Companies have 30 days to “cure” (fix) the issue. The law doesn’t define what a “cure” would entail, and 84% of businesses say they’re anxious as they await clarification of the term “cure” as it relates to violations.

You also have to consider the potential damage to your company’s reputation, plus the subsequent loss of revenue you stand to suffer from decreased consumer confidence caused by lawsuits.

Customers expect you to comply. If you’re not compliant, it could cost you the trust of your existing and potential customers. And the loss of trust means the very real loss of dollars on your bottom line.

 

A CCPA readiness plan at your company should be underway.

Most companies surveyed said that it took seven months or longer to wrangle their data into GDPR compliance. A key issue was lack of preparedness.

For U.S. businesses specifically, lack of experience was key. European companies, unlike their counterparts in the U.S., have been dealing with complex and multi-jurisdictional privacy issues for 20-plus years.

And don’t be tempted to take a “wait and see” approach until the statutory language seems more settled in September, hoping the amendments will give business an advantage. They won’t. If anything, they’ll expand the private right of action for consumers.

Take this big step now.

Create a data inventory by surveying all aspects of your business, from Marketing to IT to Vendor Management, and all points where you receive information from any source and in any format.

Lots of companies collect and rely on selling data, yet they simply don’t have any record of where all the data that’s being sold lives. In other words, find all the places where data could be hiding.

Whether or not you are already GDPR compliant, you may need to add a column flagging whether a data-use case involves data “selling” – tracking the categories of personal data transferred to third parties – and a column indicating whether the data was collected only more than 12 months ago and is therefore potentially exempt.
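The two extra inventory columns described above, as an added example rather than anything from the article or from Red Clover Advisors: a small Python model of inventory rows with a `sale` flag derived from the CCPA definition quoted earlier (personal information transferred to a third party for monetary or other valuable consideration) and a `potentially_exempt` flag for data whose most recent collection is more than 12 months before a review date. The row layout, the sample rows, the vendor names and the review date are constructed assumptions. The exemption check deliberately uses the latest collection date, so a flow that started years ago but is still collecting today is not mistakenly marked exempt.

```python
"""Data inventory rows with the two CCPA columns the article describes.

Added example, not tooling from the article or from Red Clover Advisors.
The row layout, the sample rows and the review date are constructed
assumptions; the flags follow the article's text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InventoryRow:
    system: str                      # where the data is stored, e.g. a CRM
    owner: str                       # department that collects it
    categories: Tuple[str, ...]      # categories of personal information held
    source: str                      # where the data comes from
    first_collected: date            # when this flow began collecting
    last_collected: date             # most recent collection through this flow
    third_parties: Tuple[str, ...] = ()  # recipients outside the business
    # True when the business receives monetary or other valuable
    # consideration for the transfer (the CCPA "sale" definition quoted above)
    for_consideration: bool = False


def is_sale(row: InventoryRow) -> bool:
    """Flag a data-use case as a CCPA 'sale': personal information goes to a
    third party and the business receives consideration for it."""
    return bool(row.third_parties) and row.for_consideration


def one_year_before(d: date) -> date:
    """Same calendar date one year earlier; Feb 29 maps to Feb 28."""
    try:
        return d.replace(year=d.year - 1)
    except ValueError:
        return d.replace(year=d.year - 1, day=28)


def potentially_exempt(row: InventoryRow, as_of: date) -> bool:
    """True only if the flow's MOST RECENT collection is more than 12 months
    before the review date. Using first_collected here would wrongly exempt
    long-running flows that are still collecting today."""
    return row.last_collected < one_year_before(as_of)


def sold_categories(rows: List[InventoryRow]) -> Dict[str, List[str]]:
    """Categories of personal data transferred to each third party in a
    'sale', which is the tracking the article asks for."""
    out: Dict[str, set] = {}
    for row in rows:
        if not is_sale(row):
            continue
        for recipient in row.third_parties:
            out.setdefault(recipient, set()).update(row.categories)
    return {k: sorted(v) for k, v in sorted(out.items())}


def flag_inventory(rows: List[InventoryRow], as_of: date) -> List[dict]:
    """Return each row with the two extra columns filled in."""
    return [
        {
            "system": row.system,
            "owner": row.owner,
            "sale": is_sale(row),
            "potentially_exempt": potentially_exempt(row, as_of),
        }
        for row in rows
    ]


# Constructed sample inventory (assumed values, not real systems or vendors).
AS_OF = date(2019, 6, 1)
SAMPLE_ROWS = [
    InventoryRow("CRM", "Marketing", ("name", "email"), "web sign-up form",
                 date(2017, 3, 1), date(2019, 5, 20),
                 ("AdNetwork Co.",), for_consideration=True),
    InventoryRow("Newsletter export", "Marketing", ("email",), "trade-show list",
                 date(2016, 1, 10), date(2017, 11, 30)),
    InventoryRow("Payroll system", "HR", ("social security number", "address"),
                 "employee onboarding", date(2015, 1, 5), date(2019, 4, 1),
                 ("Payroll Vendor Inc.",), for_consideration=False),
    InventoryRow("Web analytics", "IT", ("IP address", "geolocation"),
                 "website", date(2018, 2, 1), date(2018, 5, 15),
                 ("Data Broker LLC",), for_consideration=True),
]

if __name__ == "__main__":
    for entry in flag_inventory(SAMPLE_ROWS, AS_OF):
        print(entry)
    print(sold_categories(SAMPLE_ROWS))
```

Run as a script, it prints the flagged rows and the per-recipient category list. The payroll row shows why the `for_consideration` column matters: data does leave the business, but under the quoted definition it is only a “sale” when the business receives consideration for it, so that column has to be captured during the survey rather than inferred from the recipient list alone.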

That’s for starters.

 

Conclusion: These types of privacy law requirements aren’t going away. 

Let’s say you don’t fall under the GDPR or CCPA today. It’s still only a matter of time before you’ll have to transform your organization’s practices to comply with state, federal or international law. 

More and more states are gearing up for similar regulations coming down the pipeline, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island. So are countries like Brazil (effective August 2020) and China.

Our advice: Don’t reinvent the wheel every time there’s a new regulation. Don’t rely on piecemeal technology solutions. Instead, work closely with a technology services partner who understands the details of each regulation. 

Remember, the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run.

Schedule a short consultation with our team of experts today. 

We’ll review your business and marketing materials to ensure they’re CCPA compliant and on time. 

 

Schedule a free consultation with Red Clover Advisors.


95,000 complaints have been filed under the GDPR compliance law.

41,502 data breaches have been reported since it went into effect in May 2018.

And a $57 million fine was levied against Google for failing to follow the mandate.

These shocking numbers underline the fact that, even though the deadline for GDPR compliance was a little over a year ago, implementation isn’t over yet.

Nor will it probably ever be.

That’s because parts of the GDPR mandate, including data inventories, aren’t projects to be checked off a list. Instead, they’re processes to be maintained and improved over time.

Your business changes over time. And a lot of time – a whole year – has gone by since GDPR went into effect. You likely added new vendors, collection points and processes. 

All that needs to be captured in your data inventory.

And while it’s time for you to dust off GDPR compliance best practices for all areas of your business, one of the most important is an accurate set of data inventories. 

What Is a Data Inventory?

Data inventory. Data mapping. Records of processing activities. Article 30 report.

If any of these sounds familiar, they all should, because they all refer to the same thing: what GDPR calls a data inventory.

Data inventories help companies understand the data they have from start to finish, including all the third parties the company uses and all the systems on which it relies.

It means that you know what specific pieces of information you’ve collected about each person and exactly where each of those pieces of information is stored.

Data inventories are critical. 

They significantly influence the way you construct your privacy notice and individual rights process and policy. There’s no way to create these documents when you don’t know what data you have, how it’s being used, and where it’s stored. 

And those are the exact items you need to include in your policies.

Data inventories also show companies what information they actually need to be collecting. With GDPR in place, it’s a risk to collect and store data you aren’t using; it’s more of a benefit to ask users only for the information you need for operating purposes.

Reviewing your data will tell you if you’re collecting too much data versus not enough.

Collecting the Minimum Amount of Data

Data minimization – only collecting the minimum amount of information you need – isn’t just a nice suggestion.

In reality, it’s the basic privacy mantra required by GDPR: Collect only what you need for business purposes.  

What’s the thought process here?

The GDPR’s premise is that the more data you have, the greater your organization’s responsibility to protect it. In other words, more data = increased risk.

And let’s be honest, no business wants increased risk.

This can bleed into other areas of compliance, too. For example, after completing a data inventory, one company identified the sales team was sending emails manually through Outlook. 

At first glance, it’s no big deal. 

But when you consider this prevents any kind of tracking of data – specifically email opt outs – a picture starts to form about why this process is dangerous.

GDPR absolutely requires automatic opt-outs. Outlook, like all other email clients, doesn’t support this functionality.

The solution to this problem was to move to an email service provider (ESP). This software allows you to segment, send more efficiently, and most importantly in this case, provide a GDPR-compliant unsubscribe option. 

The point isn’t just that you’ll be following GDPR by using an ESP to send all your sales, marketing and customer emails. 

It’s that the company pinpointed this massive shortcoming by executing a data inventory.

Being Smart About Vendor Selection

One of the most underrated and perhaps largely unknown values of doing a data inventory is identifying quality and reliable third-party solutions.

If you choose your vendors out of a hat and hope for the best, you’re not alone.

But hope isn’t a good strategy when choosing a third-party solution. 

After all, these will be the people who act as an extension of your team, who might handle sensitive information and important details. 

Data inventories can help you vet your options.

And they can help you choose the ones who will be compliant with privacy laws.

Conclusion: Data Inventories are Critical to Privacy Compliance

So what’s the big deal with data inventories?

Companies need to maintain quality data inventories to comply not just with GDPR. They’re also helpful for pending laws such as CCPA and others coming down the pipeline. 

All the privacy laws primarily have to do with protecting personal data. And you can’t be compliant if you don’t know what data you collect, store, and use. You also have to consider that there are slightly different definitions of what constitutes “personal data” under different privacy laws, e.g. CCPA.

It can get a little overwhelming.

That’s why we created comprehensive resources in everyday language like the GDPR Checklist & Workbook and the CCPA Compliance Guide. They’re designed to help you tackle these privacy updates in the least amount of time, effort and expense.

And if you need a helping hand when it comes to updating existing data inventories or just getting started with data mapping, schedule a time to talk to one of our experts.