Category: News

Our favorite time of the year is finally here—and yes, we know the winter holidays have already come and gone. But as much as we may love warming up with a cup of hot cocoa (topped off with unreasonable amounts of marshmallows, please!), there’s one day that holds a special place in our hearts: January 28th is World Data Privacy Day.

And while there aren’t any seasonal beverages to enjoy along with it, we think Data Privacy Day represents something fundamental: the right of every person to control their own personal data with the confidence that it won’t be shared, sold, or otherwise exposed without their consent. 

World Data Privacy Day: a short background

Observed annually worldwide, Data Privacy Day honors the signing of Convention 108 in 1981, the first international treaty to deal with privacy and data protection. 

1981 was a long time ago, though.  

Since then, generations of activists, lawmakers, and ordinary citizens have advocated long and hard for a future where an individual right to their private data doesn’t get lost in the crowd.

That’s why we like to look at January 28th as something like a Data Privacy New Year’s for our industry: it’s a chance to stop and acknowledge the progress we’ve made, celebrate our privacy accomplishments, and look ahead to the work that still needs to be done. 

Data privacy day? Let’s make it a week (or even a year)

This year, the National Security Alliance decided to expand its Data Privacy Day campaign to cover an entire week—to which we say, why not? After all, privacy is an ongoing issue, and there’s only so much work you can do in a day.

In fact, we’d like to propose an even more ambitious idea: what if we made 2022 a Data Privacy Year? Because as much as we love the 28th, the things you do on those other 364 days are more important. 

Three good reasons to make data privacy your New Year’s resolution

We know the ball dropped weeks ago (and some of us even managed to stay up long enough to see it), but that doesn’t mean it’s too late to make a few more resolutions. 

Our suggestion? You guessed it: making data privacy a priority. From legal compliance to business considerations to just straight up doing the right thing, here are a few good reasons to keep data privacy top of mind as you plan for your business’s future in 2022.

1. Regulatory compliance

Convention 108 was left all by its lonesome for a long while, and lax (or nonexistent) data privacy laws allowed dangerous privacy practices to thrive. Consumers’ private information was often collected and sold without their knowledge or consent, and insufficient data security measures led to high-profile breaches of private consumer data.

Thankfully, Convention 108 finally got help. If your company sells products or collects data from users, you’re probably already familiar with the EU’s General Data Protection Regulation (GDPR), adopted in 2016. This far-reaching privacy and data security law placed a wide range of restrictions on how organizations collect, store, and use consumer data—at least within the EU. 

Since then, several US states have joined the EU in creating consumer privacy regulations, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

More state laws are likely to follow, and for those who care about consumer privacy, that’s cause for celebration. But it also means that companies need to carefully monitor their regulatory compliance obligations. Failing to prioritize privacy issues in the coming years could put your company on the wrong side of the law if you ignore policy changes.

2. Privacy is what your consumers expect

Even if you put regulatory concerns aside, prioritizing data privacy is simply good business. Consumers are increasingly aware of how their private data is being collected and used, and most Americans now report concern over companies’ use of their personal information.

That gives your company an excellent opportunity to differentiate itself by putting privacy first. In fact, a whopping 97% of companies report one or more tangible benefits after investing in robust privacy policies, from more significant competitive advantages to lower data-breach losses to increased investor appeal. 

(And that’s not a bad way to start the year.)

3. It’s simply the right thing to do

No matter what your industry is or who your consumers are, your relationship with the people you serve is built on trust: trust in your professionalism, trust in the quality of your goods or services, and trust that your business will uphold its core values.

Data privacy efforts are one way to pay them back for that trust. Each of your consumers is a living, breathing human being who has a right to privacy and control of their personal data, and helping them protect that right is an excellent New Year’s resolution.

Seven resolutions for a privacy-first 2022

Look, we know that staying true to your resolutions is hard (raise your hand if you’ve already broken the ones you made on New Year’s Eve). 

But when it comes to data privacy, staying ahead of the trends is a year-round effort, and it helps to have a plan you can commit to. Here are seven goals to keep the privacy fire burning bright when Data Privacy Day is just a warm and fuzzy memory.

1. Start with awareness and empathy

Successful privacy efforts need to go deeper than policy—you also need to foster a culture that values your privacy plans. And one of the best ways to do that is to remember the people you serve.

Whenever you implement steps to keep your clients’ and customers’ data safe, you’re also protecting the legal and ethical rights of the people who trust you. Keeping an awareness of this responsibility top-of-mind can help you fuel your efforts with empathy, even when breaking your privacy resolutions is oh-so-tempting.

2. Train and educate your team

Setting goals is admirable, but implementing real and lasting change requires full-team buy-in and participation. If you want to create a company culture that values privacy, you’ll need to equip your team with the knowledge they need to put privacy first.

That involves clearly articulating your privacy goals to your team, providing them with opportunities to engage with your privacy policies, and making it as easy as possible for them to comply. Instituting company-wide use of privacy measures like VPNs, encryption, and two-factor authentication can help you make privacy awareness the norm.

3. Plan for 2023 (and ’24, and ’25 . . .)

Another thing to reflect on as we enter a new year: didn’t that last one go by really fast?

There’s simply no stopping the future from rolling on in, and data privacy regulations are now evolving more quickly than ever before. By 2023, it’s estimated that current data privacy regulations will impact 65% of the world. 

That’s a lot of new privacy laws to keep up with. If you’re planning on staying ahead of new compliance demands, you’ll need to start future-proofing your privacy efforts today. And while you can’t perfectly predict the privacy demands of tomorrow, implementing a robust privacy program based on today’s best practices and current data protection laws will set you up for success as the years roll by.

4. Put the cookie jar down

Speaking of future-proofing, one of your priorities right now should be to move beyond reliance on third-party cookies. With data protection regulations like the GDPR banning the use of most third-party cookies without explicit user consent, even major browsers are now dropping support for them.

Thankfully, the kind of cookies you eat is still on the table—and there are plenty of viable ways to move toward a cookieless future.

5. Build a robust preference center

As third-party cookies quickly become a thing of the past, the preference center is stepping up to become your new privacy best friend. Preference centers give your site’s users all the tools they need to opt in or out of the collection or use of their data.

It’s a vital way to stay in compliance with privacy regulations and an easy way to build trust with your site’s users. 

6. Data mapping

One of the cardinal rules of responsible data collection: never collect or keep data you don’t need. 

But how do you get started if you don’t know what data you have? Enter data mapping, an irreplaceable tool for taking stock of the data you’re collecting, where it’s coming from, how (and how long) you’re storing it, and how it’s being used. 

If you don’t have a data map yet, building one out should be a priority. Thorough data mapping helps your company stay compliant and can serve as the first step toward effective preference centers.

7. Work with a privacy consultant

All of the above resolutions are well worth the effort, but when you’re navigating the increasingly complex world of privacy regulations, sometimes you just need some extra professional help.

Working with an experienced data privacy consultant is one of the best ways to ensure your efforts don’t go to waste. Letting privacy professionals take the lead this year can take the load off your shoulders while allowing for a more informed and comprehensive strategy.

Contact us if you’re ready to make 2022 your Data Privacy Year. We’d love to help you move your data privacy program forward.

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress enacted China’s Personal Information Protection Law (PIPL). Taking effect on November 1, 2021, the PIPL will serve as China’s first comprehensive privacy law.

The PIPL clarifies and consolidates obligations on processing of personal information at a national law level. Together with the Cybersecurity Law and the Data Security Law, the PIPL forms an over-arching framework to govern data protection, cybersecurity and data security in China. As with many laws in China, the PIPL is drafted as aspirational principles; additional guidelines will be published in the coming months covering the practical compliance steps organizations should take when building and maintaining their China data privacy programs.

While the PIPL resembles the European Union’s General Data Protection Regulation (GDPR), it includes certain substantive obligations that differ from the GDPR, and there are also obligations found in the GDPR that are not included in the PIPL. Given China’s unique status in the world, the PIPL is likely to be interpreted and enforced differently than the GDPR and other data privacy laws. 

1. General concepts and key definitions

Like many privacy laws, the PIPL includes the general concepts of fairness, consent (with limited exemptions), openness/transparency, purpose limitation and data minimization. 

Under the law, “personal information” is defined as any kind of information relating to an identified or identifiable natural person, either electronically or otherwise recorded, but excluding information that has been anonymized. “Anonymization” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing.

The PIPL defines “sensitive personal information” as personal information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including, but not limited to: (1) biometric data; (2) religion; (3) specific social status; (4) medical health information; (5) financial accounts; (6) tracking/location information; and (7) data of minors under age 14.

The PIPL uses the term “personal information processing entity” to refer to an “organization or individual that independently determines the purposes and means for processing of personal information” (similar to the concept of the “data controller” under the GDPR) and “entrusted party” to refer to what the GDPR calls a “data processor”.

2. Territorial scope

Similar to the GDPR, the PIPL has extra-territorial effect, and applies to (1) data processing activities within Mainland China; and (2) processing of Mainland China residents’ data outside of Mainland China:

  • for the purposes of providing products or services to China residents;
  • for analytics or evaluation of behavior of China residents; or
  • for any other reasons as required by law or regulations.

The PIPL applies to both the public and private sectors.

Similar to the GDPR’s requirement for an EU representative, the PIPL requires offshore personal information processing entities subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes. 

3. Lawful basis for processing

The PIPL requires organizations to have a lawful basis to process personal information. Unlike the GDPR, the PIPL does not include “legitimate interests” as a lawful basis for processing personal information. Instead, in addition to consent, the PIPL offers the following non-consent bases:

  • Performance of a contract to which the individual is a party, or where necessary to conduct human resources management;
  • Responding to a public health emergency, or in an emergency to protect the safety of individuals’ health and property;
  • Performance of legal responsibilities or obligations;
  • To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests;
  • Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope; and 
  • Other circumstances as required by laws.

The definition of consent under the PIPL aligns with the consent requirements of the GDPR – i.e., it must be informed, freely given, demonstrated by a clear action of the individual, and may later be withdrawn. However, the PIPL requires a “separate consent” for certain processing activities, namely if a processing entity (1) shares personal information with other processing entities; (2) publicly discloses personal information; (3) processes sensitive personal information; or (4) transfers personal information overseas. 

4. Personal information rights

The PIPL mostly mirrors the GDPR with respect to personal information rights, though it lacks more precise language addressing such rights, including where restrictions or exemptions may apply. In addition, the PIPL does not provide a specific timeline for responding to requests; it only requires processing entities to “timely” respond to them.

Under the PIPL, individuals have the following rights:

  • Right to access and copy of data;
  • Right to transfer (similar to the right to data portability);
  • Right to correct or supplement;
  • Right to deletion in certain circumstances;
  • Right to limit or withdraw consent;
  • Right to request details of processing (including for automated decision making) and of handling rules;
  • Right to de-register an account;
  • Rights to access, copy, correct or delete personal information of a deceased individual can be requested by a close relative for legitimate and proper interests.

The PIPL clarifies situations where data controllers can refuse to comply with certain data subject rights, and how to respond to/reject data subject requests.

Importantly, individuals have the right under the PIPL to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights. 

5. Data controller obligations

The PIPL creates a new designation of data controller called the Critical Information Infrastructure Operator (CIIO), which has certain obligations under the law. Chinese regulators are currently developing regulations and notifying companies whether they qualify as a CIIO.

Under the PIPL, organizations that are (1) important internet platform providers; (2) data controllers processing data of a “large volume of users”; or (3) complex businesses (terms have not yet been defined) must comply with the following measures when processing personal information:

  • Set up personal information protection compliance mechanisms;
  • Establish platform regulations;
  • Establish and publish processing obligations and processing rules that regulate products and service providers in an open and fair manner;
  • Set up external independent data protection organizations to supervise data protection mechanisms;
  • Stop providing products or services to providers that violate laws or regulations on the processing of personal information; and
  • Publish social responsibility reports regarding the processing of personal information.

In addition, all data controllers have the following obligations:

  • Disclosure to overseas authorities: Data controllers must not provide personal information stored within China to overseas legal or enforcement authorities unless they obtain approval from a designated Chinese authority. Chinese authorities may provide personal information stored within China to overseas legal or enforcement authorities upon request if there are international treaties or regulations in place.
  • Disclosure to data processors or joint/independent data controllers: for these disclosures, data controllers must put in place a contract covering specified measures designed to safeguard the data.
  • Minors’ data: Organizations processing minors’ personal information must establish specific information processing regulations. 
  • Accuracy: Data controllers must ensure that personal information is accurate and up to date.
  • Retention: Data controllers must not retain personal information for longer than is needed for the purpose(s) for which the personal data is collected, unless required or permitted by applicable law. Once no longer needed, the data should be de-identified or deleted/destroyed.
  • Automated decision making: Analytics or evaluation by computer programs of behavior, interests, hobbies, credit information, health or decision-making activities must be transparent, open and fair, and must not discriminate between individuals.

6. Data processor obligations

The PIPL specifies that any organization that is appointed as a data processor must act in accordance with the PIPL. In addition, the PIPL specifically requires data processors to do the following:

  • Adopt necessary data security measures to protect the safety of personal information;
  • Assist data controllers to comply with obligations of this PIPL;
  • Process data only as instructed by the data controller, unless with consent;
  • Return or delete data upon completion of the data processing; and
  • Put in place a contract with the data controller.

7. Cross-border transfer of personal information

Regarding the cross-border transfer of personal information, a processing entity that plans to transfer personal information to entities outside of mainland China is required to (1) provide individuals with certain specific information about the transfers and obtain separate consent; (2) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (including, among others, the Chinese version of standard contractual clauses, which are not yet available); and (3) carry out a personal information protection impact assessment (see below). In addition, certain entities that process a large amount of personal information are required to store personal information locally and must pass a security assessment administered by the Cyberspace Administration of China (CAC) before transferring the information overseas. One should note that the regulations around cross-border transfers are still evolving.

In addition, the following categories of data must remain in mainland China:

  • Personal information processed by CIIOs, unless a CAC-conducted security assessment has been completed
  • Personal information processed by data controllers above a threshold/volume to be identified by the CAC (not yet published), unless a CAC-conducted security assessment has been completed
  • Certain data under industry-specific regulations
  • Certain restricted data categories (such as “state secrets”, some “important data”, geolocation and online mapping data etc.)

8. Governance obligations

Organizations processing data must put in place the following:

  • Internal governance policies and procedures: Organizations must establish internal management regulations or standards.
  • Compliance audits: Organizations must conduct compliance audits on a regular basis.
  • Training: Organizations must provide data privacy training to employees.
  • Data classification and management mechanisms: Organizations must implement data classification and management mechanisms. 

9. Security and confidentiality

Organizations must also put in place the following security measures:

  • Personal information must be kept confidential, and security measures must be deployed, as prescribed by China’s Cybersecurity Law and Data Security Law and their underlying measures, guidelines and technical standards.
  • Additional safeguards must be applied for sensitive personal information and processing by organizations handling large amounts of data.
  • Data controllers must adopt corresponding encryption or deidentification technologies, and adopt access controls and training.

10. Personal information protection impact assessment

The PIPL requires personal information processing entities to carry out personal information protection impact assessments (PIPIAs) for the following processing activities:

  • Processing of sensitive personal information;
  • Processing of personal information for automated decision making;
  • Appointing data processor to process data;
  • Providing personal information to other data controllers;
  • Disclosing personal information to the public;
  • Transferring personal information overseas;
  • Conducting processing activities that may have a significant impact on an individual’s interest.

Unlike the GDPR, under the PIPL, there is no obligation to consult a regulator in the event that an organization concludes – after completing such an assessment – that it cannot remediate certain residual risks identified. 

Organizations must keep all PIPIA and processing records for at least three years.

11. Incident management

Organizations must implement and test a data incident contingency plan and take immediate remedial action in the event of any suspected or actual data disclosure, loss or tampering. If an incident occurs, they must provide immediate notification internally (to the DPO) and externally (to the regulator). Such notification should include (1) the affected data categories; (2) the reasons for the incident and its potential consequences; (3) remedial measures, and the mechanisms required by the data controller to minimize impact; and (4) contact information for the data controller.

If the data controller can effectively avoid the disclosure, loss or tampering of data, there is no need to notify data subjects. Otherwise, data subjects may also need to be notified under other laws and regulations within the data protection framework.

12. Enforcement 

The PIPL provides a range of enforcement options, including:

  • Enforcement notices and warnings;
  • Criminal sanctions (corporate/individual);
  • Civil claims from affected individuals/class actions;
  • Operational sanctions (including credit score loss, blocking of systems and suspension of services);
  • Breach of contract claims; or
  • Fines up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year and confiscation of unlawful income. The PIPL does not specify whether the annual revenue refers to revenue generated in China or worldwide. 

13. Next steps

If you do business in mainland China or collect personal information from individuals there, you should take the following actions:

  1. Assess your data handling practices in China
    1. Map Chinese data
    2. Develop data governance program
  2. Consider the impact of data localization and other restrictions
  3. Update privacy notices/consents
  4. Implement governance measures to safeguard regulated data
    1. Designate and register responsible officers (DPO/cyber and now data security as well)
    2. Conduct regular important data risk assessments (and report)
    3. Align security to local China standards
  5. Conduct regular data security training
  6. Formulate/update internal guidelines for different data processing and transfer activities
    1. Data classification (in anticipation of the DSL tiered data scheme)
    2. Cross-border data transfer
    3. Data breach notification
    4. DPIAs
    5. Overseas government data requests
  7. Update DPAs (but await SCCs)
  8. Monitor developments
    1. DSL and PIPL implementing guidelines
    2. “Important data” guidance (for specific industries; automotive already published)
    3. CIIO indications
    4. CSL guidelines (e.g., data localization)

Stay ahead of the compliance curve by proactively prepping for the California Privacy Rights Act. 

In 2018, the European Union passed the General Data Protection Regulation (GDPR), proving to businesses around the world that consumers are not going to stop demanding increased privacy rights.

Before the ink was even dry on the California Consumer Privacy Act (CCPA), privacy advocates were already working on its replacement, the California Privacy Rights Act, or CPRA.

And while the CCPA set the standard for modern US privacy law, CPRA raised the bar even higher. GDPR, CCPA, CPRA, CPPA…if you’re feeling swamped by acronyms, keep reading.

Here’s what’s new

CPRA has a lot of similarities to the CCPA, but there are some key differences in who the law applies to and how it’s enforced:

  1. CPRA changes its threshold for businesses. (Small business owners, rejoice!) It’s either:
    1. $25M in global revenue (this stays the same from CCPA 1.0)
    2. OR 100,000 consumer/household/device records (this is an increase from 50,000)
  2. Fines are automatically $7,500 for violations involving minors.
  3. Businesses are now restricted from selling and sharing data with third parties instead of just from selling data, closing a loophole that had been used to circumvent notification requirements.
  4. Businesses are responsible for how third parties use, share, or sell personal information collected.
  5. Businesses are required to have an obvious “Do Not Sell or Share My Personal Information” button on their website.
  6. CPRA eliminates the 30-day cure period before businesses can be fined.
  7. Enforcement shifts from the California Attorney General (AG) to the newly created California Privacy Protection Agency (CPPA).

Differences for consumers

The whole point of CPRA is to clarify vague sections of the CCPA and expand the protections available to consumers, including:

  • Expanding the categories of information eligible for private right of action after data breaches.
  • Adding the right to correct inaccurate information companies have on them and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights.
  • Adding protections for sensitive personal information like SSNs, driver’s license numbers, biometric information, precise geolocation, and racial/ethnic information.
  • Granting consumers the right to deny both the sale and the sharing of their information.
  • Prohibiting businesses from profiling consumers in automated decision-making processes if they choose to opt out of data collection/sharing.

What it all means

Some of these changes are a bigger deal than others. 

Whether or not you collect 100,000 records a year is pretty black-and-white. So is adding specific types of personally identifying information (SSNs, driver’s licenses, precise geolocation, etc.) to the already CCPA-protected categories (cookie numbers, browser history, employment-related information, psychometric data, IP addresses, etc.).

Less clear-cut is the fact that you’re now responsible for how your third-party vendors use the information you’ve collected. This means you need to go back and review not only how you handle data, but how your vendors handle it as well.

Another major change that CPRA introduces is the creation of the California Privacy Protection Agency (CPPA). Instead of relying on the already unwieldy, overburdened AG office for enforcement, the CPPA will dedicate significant resources, of both the financial and manpower varieties, to handling civil actions and enforcement.

This increased oversight is a double-edged sword. On the one hand, businesses are likely going to be given very clear guidance to help them understand regulatory requirements. But on the other, companies can also expect robust auditing and enforcement, especially since CPRA adds liability if a data breach occurs and a consumer’s email address and either password or security question/answer is compromised.

Keep reading to learn how you can manage everything that is heading your way.

Here’s your to-do list

Check out our eight steps that can help you be CPRA-compliant.

1. Plan your compliance strategy

The biggest thing everyone has going for them is that CPRA doesn’t take effect until January 21, 2023. You have almost two full years to prepare and get your ducks in a row. Take advantage of it.

If you start working on it now, you have time to break your strategy into manageable pieces that won’t overwhelm your teams or your systems, letting them drink from a drinking fountain instead of a privacy firehose. 

Starting now also allows you the opportunity to truly build a great program, one that is agile and goes beyond just compliance to truly establish you as a forward-thinking, consumer-focused leader.

2. It’s all hands on deck

A good privacy program doesn’t depend on IT for everything. You should incorporate every function in your organization, from HR to legal to operations to marketing, in the development and execution of your compliance program. Identify team members from different departments and form a committee that can help share the work. 

3. Get what you need

If you’re already CCPA compliant, you’ll likely be able to complete this step by making small changes to your existing processes.

If you aren’t CCPA compliant yet, having a good compliance strategy is crucial to making this step work. Do you need to upgrade your IT infrastructure or buy new software? Do you need a consultant to help you understand the ins-and-outs of your responsibilities? Do your employees need to be trained (or re-trained)?

Don’t feel like you need to become a privacy guru or that you need to manage compliance on your own. Resources and professionals exist to help you, and starting now gives you time to find the ones that fit your needs and budget.

4. Organize your data

Once you have a strategy, a first-rate privacy team, and the tools you need, you’re ready to start the hard work. Hands down, the biggest challenge CPRA presents is creating an efficient data inventory and effective workflows for managing the individual rights requests that will inevitably come your way.

This is, in part, because CPRA has changed what constitutes sharing and selling data. If you have been sharing data with advertisers for cross-device or ad targeting, you now have to disclose that and give consumers a way to opt out of it.

That means keeping close tabs on what you’ve got going on, datawise. You need to know what you’re selling and what you’re sharing because CPRA is un-blurring the lines between the two activities. The best strategy for data clarity? A thorough data mapping project. (See below for where to start.)

To do this well, you should complete (or update) your data mapping processes. Data mapping will expose any gaps you have in your data collection practices by showing you what type of data you are collecting, who you are collecting it from, where/how long it’s being stored, and who it’s being sold to or shared with. All of that information is critical to establishing and maintaining CPRA compliance.

Side note: Are you a sensitive data collector? Under CPRA, you need to have clear business purposes for using it. You need to know what you have because the restrictions and requirements around usage may differ. So double down on your data mapping efforts if this applies to you. 

5. Understand individual rights

Again, if you’re already CCPA compliant, updating your processes to manage the new categories of sensitive personal information and the new timelines for request acknowledgment and resolution is totally doable.

If you’re starting from scratch, it’s still totally doable. It will just take a little more effort. CPRA requires you to be able to respond to individual requests from consumers who want to access, delete, or correct the data you have collected about them. Consumers have the right to opt out of having their information shared or sold and to limit the use and disclosure of sensitive information. 

To do all of that, your data collection needs to be specific and limited. Your data mapping needs to be spot on. And you need to have really solid processes (that you have really trained your employees on) for responding to these requests.

One of the best ways to manage individual rights requests is to build a one-stop privacy shop called a preferences center. A preferences center allows consumers to see your privacy notice, manage their data, and submit requests without having to scour your site map for your business practices and contact information. A well-designed preferences center also virtually guarantees that you are CPRA compliant.

6. Strengthen your security

Like CCPA, CPRA requires companies to take “reasonable security measures” to protect the data they collect. But CCPA didn’t give much guidance on what those security requirements needed to look like. 

CPRA isn’t super specific either, but it does require that businesses whose processing presents a significant risk to sensitive information submit regular risk assessments and annual cybersecurity audits to the new CPPA. Setting up those processes ahead of time gives you the time you need to make sure they work and to fix any problems they find before CPRA is enforced.

CPRA’s stronger right of action and dedicated enforcement agency mean it’s far more likely than ever before that bad actors won’t be the only ones on the business end of administrative actions. Even accidental mistakes can be costly, which is why you need to give yourself time to build a strong, proactive program. If you can demonstrate you’ve done your level best to comply, you’re far more likely to have regulators work with you if there is an issue.

7. Check your privacy notices

Complicated regulations that vary by location mean standard cut-and-paste privacy notices just won’t cut it anymore. Additionally, the trend right now is to move away from dense, purposefully incomprehensible legalese toward customized, user-friendly privacy policies that clearly demonstrate what you are doing to protect your users.

And remember—CPRA requires your privacy notice to be front and center on your website. 

8. Train, train, and train again

Your compliance program is only as strong as your employees’ understanding of it. Even if you are CCPA compliant, your employees will still need to be retrained. If you start now, you’ll be able to do this training in small chunks over the next two years instead of dumping a giant new manual on your employees right before CPRA goes into effect and hoping no one makes a mistake.

Training can happen more than once a year. You don’t need to only block off two days for a privacy symposium. You can also set aside a few hours once a quarter, ten minutes in a weekly staff meeting, or five minutes to write a team email. It all adds up.

9. Go brag!

Okay. You have a compliance strategy that is being executed by a top-notch cross-functional team. Your consulting team has helped you get the right software to map your data and build effective processes for responding to individual rights requests. Your team has closed the loopholes they found after the risk assessment. You’ve got a preferences center and your employees could answer Double Jeopardy questions about your user-friendly privacy notice.

Now what?

Now you go tell people!

You’ve spent a lot of time and effort getting compliant, and you should be getting credit for it. Companies that have a proactive privacy program can use that as a differentiating factor, especially since an increasing number of consumers have proven they will switch companies or providers over data collection and sharing practices.

So instead of hiding your privacy notice, flaunt it by:

  • Building an easy-to-understand section on your privacy program into your website.
  • Including your commitment to consumer privacy in marketing you put out about other social justice initiatives.
  • Writing opinion pieces and guest posts about the intersection of privacy, e-commerce, and advertising. 
  • Establishing yourself as a leader by having your privacy team create a presentation for business conferences and industry meetings on how you made privacy work.
  • Training your customer service employees to bring up your commitment to privacy in their user interactions, à la Southwest Airlines’ “We know you have a choice when flying. Thanks for flying with us” flight attendant speech.

Don’t get overwhelmed. Just get to work.

Rome wasn’t built in a day. Neither is a strong privacy program. Privacy compliance can feel overwhelming, especially when it changes every few years. But every step you take makes it less overwhelming, especially when you give yourself time to do it right.

Three years ago, companies across the globe were scrambling until the very last minute to get GDPR-compliant. Even with a two-year runup, GDPR was the first regulation of its kind and no one knew what they were doing.

That isn’t the case this time around. You can do it. And we can help.

Red Clover Advisors is here to keep you moving towards compliance. We can help you with whatever part of the process feels like too much.

Drop us a line today and let’s get started.

Cookies have been part of the internet since basically the beginning of the internet. As the internet has developed, advertisers have co-opted cookies from their original use and turned them into super data collection machines that track your every move across the web. 

But attitudes are changing. Consumers and governing bodies are pushing back. Not only are governments passing legislation regulating transparency around cookie use, but major browsers have also pushed the envelope by developing technology to block third-party cookies.

Their moves are shifting the data privacy landscape.

Cookies are good as a food, less so as a technology

Cookies are small, randomly encoded text files that make e-commerce affordable for businesses by storing data about a user’s site visit on their own computer instead of on massive company servers. They also improve user experience by doing things like keeping carts full across visits and remembering log-in preferences. 

By themselves, cookies aren’t dangerous. First-party cookies—cookies you place on your site yourself to improve and monitor functionality and personalization—give you a more seamless and enjoyable user experience on the internet.

Third-party cookies, though, are another story. Privacy advocates have been trying to get rid of them for years because they’re incredibly invasive. Data collected from third-party cookies can be used to create a profile that knows you better than you know yourself. 

And data brokers sell that profile for a lot of money. 

What do these dynamics mean for the business-consumer relationship, though? For consumers, trading away privacy can be a serious trust-breaker. Businesses are finding that preserving data privacy—and consumer trust—isn’t optional anymore. What’s more, businesses that put privacy and trust first can differentiate themselves from their competitors.

Nirish Parad, marketing technologist at Tinuiti notes, “Respecting privacy is one thing, but are we building trust? Netizens don't trust companies with their information. How do we earn that back? By leaning in. If you're collecting data, be intentional, respect preferences, deliver value, and invest in the experience.” 

Where to start? Cookies. As consumers demand more control over how their data is used online, major tech companies are blocking third-party cookies altogether and making a big impact on consumer privacy.

Apple

Apple has led the browser privacy conversation since 2017, when they added the Intelligent Tracking Prevention (ITP) feature to their Safari browser. By March 2020, ITP updates made Safari capable of blocking all third-party cookies. More importantly, Safari can now block the workarounds that ad networks and cookie makers had been using to circumvent earlier ITP versions.

Safari still allows first-party cookies, but they expire after one day instead of seven. This means that if you don’t visit a website every day to refresh the cookie, your device will get a new identifier the next time you hit the site. 

Effectively this means that it will be very difficult for advertisers and data collectors to follow Safari users around the internet, making Safari one of the most secure ways to surf the web.

But Safari isn’t the only cookie-free part of the Apple universe. The most recent update for Apple products—iOS 14—is *literally* cookieless. As of this update, developers are required to ask for permission before tracking iOS users for ad targeting. 

This opt-in requirement marks a big shift for smartphone users’ privacy because it makes developers responsible for addressing privacy, not users. And it’s expected that users are going to take advantage of these new protections: the share of iOS users who grant developers permission is estimated to drop massively, from 70% to 10%.

Apple is a prime example of a company using aggressive privacy technology and policies to differentiate their brand. In a market almost entirely controlled by Google Chrome, Apple’s commitment to privacy has made Safari a major part of the digital privacy and internet tracking conversation. 

Google

With 69% of the market, there is no question Google controls the browser game. But while they may have been driving browser innovation, they are behind on the privacy side.

Part of the reason for this is that up to 83% of Google’s revenue is ad revenue. Google’s official line is that getting rid of cookies will increase the use of workarounds like device fingerprinting, but it’s hard not to notice that eliminating third-party cookies without a backup plan would more or less implode their business model. 

In January 2020, Google announced their Chrome browser would stop supporting third-party cookies by 2022. They are using that time to develop the Google Privacy Sandbox, new technologies that can replicate a seamless web experience without the use of cookies. 

Google Sandbox & Consent Mode

Google’s Privacy Sandbox is a work in progress, but its goals are to:

  • Replace cross-site tracking processes with new technologies
  • Separate first-party cookies from third-party cookies so third-party cookies can be eliminated
  • Reduce the success of workaround tracking technologies used by bad actors

Reactions to the Privacy Sandbox have been mixed. Google will obviously benefit from having advertisers using their first-party tools. In turn those first-party tools will increase the control Google has of, well, everything.

In September 2020, Google also launched the beta version of its Google Consent Mode. According to Google, consent mode is an API that “allows you to adjust how your Google tags behave based on the consent status of your users.” From Google’s website:

“You can indicate whether consent has been granted for analytics and ads cookies. Google's tags will dynamically adapt, only utilizing cookies for the specified purposes when consent has been given by the user. You can use consent mode in Google Ads for conversion tracking and remarketing.”

Whatever Google’s motivations, Google Consent Mode is popular with companies that provide cookie and online tracking consent and compliance solutions. 

According to Danish company Cookiebot, Google Consent Mode is “a big step forward in building a more sustainable internet economy that brings both elements into greater balance – moving away from mass personal data collection towards a consent-based dynamic system that respects the privacy and dignity of each individual user without breaking the underlying business model of large parts of the Internet.”

Google has also made the news very recently for a cookieless approach they’re calling “FLoC” (or Federated Learning of Cohorts). FLoC works as a browser extension that compiles data from thousands of site users. FLoC hasn’t been released for public testing yet—but look for a release in March, followed by advertiser testing in the second quarter of this year. 

Mozilla

We can’t talk about cookie-blocking browsers without talking about Mozilla Firefox. Firefox was created by a nonprofit, which means they create features based solely on user experience without worrying about shareholders. They don’t sell data. Additionally, Firefox is not based on Chromium, Google’s open-source code project that forms the infrastructure of the Chrome, Edge, and Brave browsers.

Mozilla’s entire mission is to foster the creation of “an Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent.” Spurred by the Cambridge Analytica/Facebook scandal, Firefox began using “containers,” a technology that isolates browser tabs from each other, in 2016, before Apple’s ITP and long before Google’s Consent Mode.

Firefox started blocking third-party cookies in 2019, but they’ve had to play catchup to be able to stop the workarounds that inevitably popped up. Currently, Mozilla engineers are working on a new technology called DNS over HTTPS, or DoH. This technology encrypts your browser requests and traffic, making it much harder for trackers to spy on you.

Mozilla’s constant push for a user-centered, privacy-based internet has given them a clout that doesn’t match their market share because giving consumers more control over how their personal data is collected, used, and shared online is the issue of the internet’s future.

You can still track (and be tracked) without cookie crumbs

Cookies aren’t the only way users are tracked online — they’re just the most common. And major browsers dumping them doesn’t mean your privacy worries are over.

For starters, you still need to advise your users about the first-party cookies you have on your site, and you’ll still have to manage the data those cookies collect. This means knowing what you’re collecting, why you’re collecting it, where and how long you’re storing it, and how you’re protecting it.
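As an added example (not code from the original post or from Red Clover Advisors), here is a small cookie inventory in JavaScript that applies the first-party/third-party distinction drawn above to Set-Cookie headers captured while a visitor loads a page, and records each cookie’s lifetime, which is the “what, where, and how long” the inventory needs. The hostnames, cookie names, headers, and the tiny public-suffix list are constructed stand-ins; a real audit would use the full Public Suffix List.

```javascript
// Added example (not from the original post): a minimal cookie inventory.
// It takes raw Set-Cookie headers observed while a visitor is on a site,
// labels each cookie first-party or third-party, and records its lifetime,
// which is the information the inventory in the text asks for.

// A real audit resolves registrable domains with the full Public Suffix List;
// this constructed subset is enough for the sample data below.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname, e.g. "cdn.shop.example.co.uk"
// -> "example.co.uk". Hostnames are compared case-insensitively.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, "").split(".");
  // Walk from the longest candidate suffix to the shortest so that
  // "co.uk" is matched before a bare "uk" ever could be.
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header into its name/value pair and attributes
// (attribute names lower-cased; flag attributes such as Secure become true).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Lifetime in days from Max-Age, or "session" when the cookie has no Max-Age.
// (Expires is ignored here for brevity; a full tool would parse it as well.)
function lifetimeDays(attrs) {
  if (attrs["max-age"] === undefined) return "session";
  return Number(attrs["max-age"]) / 86400;
}

// Classify one observed cookie relative to the site the visitor is on.
// `host` is the host whose response carried the header; a Domain attribute,
// when present, decides which site the cookie belongs to instead.
function classifyCookie(topLevelSite, observed) {
  const { name, attrs } = parseSetCookie(observed.header);
  const cookieDomain = attrs.domain ? String(attrs.domain) : observed.host;
  const sameSite = registrableDomain(cookieDomain) === registrableDomain(topLevelSite);
  return {
    name,
    domain: cookieDomain,
    party: sameSite ? "first-party" : "third-party",
    lifetimeDays: lifetimeDays(attrs),
    sameSiteAttr: attrs.samesite ? String(attrs.samesite) : "unset",
  };
}

// Split observed cookies into the first-party set you must disclose and manage
// yourself and the third-party set that needs disclosure and opt-out handling.
function cookieInventory(topLevelSite, observedCookies) {
  const inventory = { firstParty: [], thirdParty: [] };
  for (const observed of observedCookies) {
    const entry = classifyCookie(topLevelSite, observed);
    (entry.party === "first-party" ? inventory.firstParty : inventory.thirdParty).push(entry);
  }
  return inventory;
}

// Constructed sample: responses captured while a visitor is on www.example.com.
// The hosts and cookie names are made up for this example.
const SAMPLE_OBSERVED = [
  { host: "www.example.com", header: "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "static.example.com", header: "cart=42; Domain=.example.com; Max-Age=604800; Secure" },
  { host: "ads.tracker.net", header: "uid=xyz; Domain=.tracker.net; Max-Age=31536000; SameSite=None; Secure" },
];

const report = cookieInventory("www.example.com", SAMPLE_OBSERVED);
console.log(JSON.stringify(report, null, 2));
```

On the sample, the session and cart cookies land in the first-party list and the year-long tracker cookie in the third-party list, which is the one that needs disclosure and an opt-out path.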

Device fingerprinting, also known as browser fingerprinting, happens when someone (or some technology) collects information about your device, including your:

  • Browser
  • Time zone
  • Language settings
  • CPU architecture
  • Plugins

Alone, these little bits of data wouldn’t mean anything to anyone. But trackers combine these identifiers to create a recognizable profile for individual users that is incredibly accurate. According to Mozilla, “recent developments in cross-browser fingerprinting [make digital fingerprinting] capable of successfully identifying users 99% of the time.”

Using a VPN and blocking cookies can’t stop fingerprinting. And fingerprinting isn’t all bad. It was first used by banking websites for fraud prevention and fraud investigations. From a privacy standpoint, however, fingerprinting can create a profile even more accurate than cookies.

And unlike third-party cookies that come from your vendor, your website might have fingerprinting technology without you even knowing it.

A study from Princeton University found that more than 60% of the top 1,000 sites on the web share information with third parties, and many of those third parties are fingerprinting visitors and selling the data. They also found that 96.5% of websites have access to digital fingerprints even if they are not using the technology themselves.

There are currently multiple regulations covering the use of cookies, but nothing has been done about device fingerprinting yet. While you’re working on eliminating your third-party cookies, it might be a good idea to also talk to your hosting provider and other vendors to see if they use fingerprinting technology. You don’t want to get caught with your hand in the newest version of a cookie jar when new rules come out.

Being proactive will allow you to find new, privacy-friendly ways to collect data on and communicate with your users before you legally have to. Rather than having forced downtime, you can set yourself up for an agile transition to whatever changes come your way.

Get on a cookie-free diet

Third-party cookies are an old technology whose time is almost up. If you want to minimize your risk for privacy action, increase trust with your users, and put your company at the forefront of one of the most important consumer issues of the next decade, you should shift your focus to first-party data. Think email marketing campaigns or retargeting campaigns—but in a privacy-friendly way. And that’s where we come in!

If you’re ready to get a handle on your cookie use and privacy policy, get in touch with our experts today.

As an executive, it’s up to you to set the standard for your organization’s data privacy approach. You can use International Data Privacy Day to start your year off on the right foot. 

Thursday, January 28, 2021, is a big day. Not only is it National Have Fun at Work Day, National Kazoo Day, and National Blueberry Pancake Day, it’s also International Data Privacy Day. On this day, groups in the United States, Israel, Canada, and 47 European countries work together to empower individuals and businesses to respect privacy, safeguard data, and enable trust.

It’s no secret that consumer expectations and regulatory requirements for data privacy will drive the development of business best practices and innovation over the next decade. The implementation of compliant privacy programs has a steep learning curve. It’s in your best interest as a leader to get in front of it now, when you have time to do it, rather than wait until you legally have no choice.

Observing International Data Privacy Day is a smart place to start building your company’s data privacy culture.

Why you need a robust data privacy program

If your company sells products online or collects data from online users, the odds are high you’ve heard about the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or the EU’s General Data Protection Regulation (GDPR).

These are the most aggressive and far-reaching data privacy laws, but they are far from the only regulations on the books. Unlike other countries, the United States follows a sectoral approach to data privacy regulations, meaning regulations tend to be either regionally based or industry-focused. Industries and states currently without specific data privacy regulations may find them cropping up in the next several years.

Constantly shifting goalposts pose a big challenge for businesses. Just adhering to the current best practices for data privacy and protection for meeting current regulations isn’t enough to keep you competitive. If you want to maintain agile responsiveness to a changing data privacy landscape, you need to follow best practices that exceed existing standards.

Consumer expectations

Regulatory compliance is not the only reason you need to pursue an aggressive privacy culture. Consumers are increasingly proving that how a company uses their personal information plays a role in their purchasing decisions. A recent Salesforce survey found that 84% of consumers are more loyal to companies with strong security controls.

With 69% of consumers believing that companies will use their personal information in a way that they are not comfortable with, there is a real opportunity for businesses willing to differentiate themselves through forward-thinking, consumer-focused privacy programs.

The good news is that privacy policy development is good for your bottom line. Ninety-seven percent of companies proactively implementing robust privacy policies report an increased competitive advantage and/or investor appeal. Over 70% said that aggressive data protection practices improved their operational efficiency, agility, and innovation.

So break out your kazoos and look through the suggestions below to find a way your organization can celebrate National Have Fun at Work Day by observing International Data Privacy Day. (Blueberry pancakes optional.)

Ideas for Data Privacy Day

While it may sound like a tall order, getting your team committed to, even excited about, privacy is the natural result of education and empowerment. And it can be fun!

The National Cyber Security Alliance, a leading nonprofit, public-private partnership dedicated to promoting cybersecurity and privacy education, has five suggestions for ways executives can improve their company’s privacy program:

  • Create a privacy-aware culture
  • Organize regular privacy awareness trainings
  • Help your employees manage their individual privacy
  • Add privacy protections to your employees’ regular toolbox
  • Get expert help

One note — while the ideas below are a great entry point, running an effective privacy program doesn’t happen just by checking items off an agenda. Your privacy to-do list is more like a rotating chore chart than a to-do list. Just like you do month-end reconciliations and scheduled inventory orders, maintaining your privacy infrastructure needs to be part of your standard operating procedures.

Get #privacyaware

One of the biggest challenges companies face in developing an institutional privacy awareness is that people just don’t understand what data privacy is. The fastest way to eliminate this barrier is to help your employees see just how vulnerable they are and how much of their personal data is out floating around the internet.

Two great tools to help people see the gaps in their data privacy knowledge are the National Privacy Test and the Google Phishing Quiz. On January 28, you could have your team/department take these tests and give prizes to top performers. And bonus! If multiple people miss the same question, you have a ready-made list of training topics for future staff meetings. 

Other steps you can take on January 28 include running an internal campaign to make sure your employees know and understand your privacy program and their place in it. Every group email, newsletter, and meeting should have a “privacy moment” where these ideas and best practices are reinforced.

Teach your employees to fish (but to avoid phishing)

There is a reason the saying “teach a person to fish, you will feed him for a lifetime” has stuck around. As corny as it sounds, it’s true. Here’s a quick exercise your team can do on January 28 (or any day) that will help them understand their level of privacy savvy. The results may be surprising.

After completing the Google exercise, National Cybersecurity Alliance’s Manage Your Privacy Settings page can help them set personal privacy settings that align with their comfort level.

Why should you use your valuable working hours to take your employees through this process? 

Employees who are empowered to manage their personal privacy are more likely to understand why privacy is so important to your clients. 

Training, training, training. (Did we mention training?)

Before we talk about why your employees need consistent privacy training, let’s go over a few definitions:

  • Effective frequency is the number of times a person needs to hear an advertising message before acting on it.
  • Mere-exposure effect is the likelihood that people will develop a preference for something the more familiar they are with it.
  • Redundant communications is the term used to describe using multiple communication modalities to convey the same message. 

Advertisers, masters of getting people to do what they want, use these terms to create a framework for the behavior they are hoping to elicit with their campaigns. Current marketing research indicates that effective frequency can change behavior with as few as three messages but is most effective between 6 and 20 times. Similarly, mere-exposure reaches maximum efficacy between 10 and 20 times.

But that’s advertising. How does this apply to employee training?

Several years ago, Harvard Business School professor Tsedal Neeley conducted a study of how managers use redundant communication to help their team meet deadlines and other project goals. Neeley found that the most effective managers repeated themselves at least once, but more often between three and four times using multiple methods.

This means managers who successfully changed employee behavior and/or maintained team performance standards communicated the same information via meetings, emails, individual phone conversations, internal message boards, texts, and face-to-face. 

If you want your employees to buy into your data privacy strategy, you need to:

  • Consistently expose them to it
  • Provide opportunities for them to understand it at a deeper level
  • Clearly and repeatedly communicate your expectations using multiple modalities

These “trainings” do not need to be formal seminars with expensive guest speakers. They can be five minutes in a staff meeting or five sentences in an email. The key is to up the effective frequency and exposure to messaging using redundant communication.

Make privacy standard. And easy.

If you want your employees to understand you are serious about privacy, you can prove it by:

  • Implementing company use of VPNs, encryption, and two-factor authentication
  • Explicitly prohibiting the use of work devices for personal use (and vice versa) and use of public WiFi networks
  • Providing company-branded camera covers or privacy screens
  • Requiring strong passwords

Whether or not you do it on January 28, activities like passing out new privacy swag or sponsoring a company-wide strong password challenge reinforce your commitment to privacy as a core company value. That can only help in the long run.

Use an expert

Getting your team on board is important, but employee buy-in alone will not make you compliant with privacy regulations or best practices. As a leader, it’s your responsibility to figure out or hire out the critical and technical pieces of your data privacy program:

  • A gap and maturity analysis will show you where you have exposure from your data privacy practices.
  • Creating a data inventory will give you insight into what types of data you are collecting, where and how long you are storing it, and who you are sharing it with. 
  • Custom privacy notices and policies allow you to clearly communicate your data practices in a way consumers can understand (instead of in dense legalese).
  • Reviewing and updating your cookie consent practices will help ensure that you collect only what you need and are compliant with collection notification regulations.
  • Having someone review your digital marketing practices can prevent costly fines and operating injunctions that can damage your reputation and bottom line.
  • Third-party assessments are vital to confirming your vendors’ privacy policies are both compliant and aligned with your standards.

Proactive privacy programming is possible

Whether you are subject to existing regulations or not, take advantage of International Data Privacy Day 2021 to chart a new course in your organization’s privacy journey. Need some help getting started? Contact Red Clover Advisors today to jumpstart your privacy program.

The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. 

However, the wait is over – CCPA has become enforceable as of 2020. (Yes, it’s been in effect since January 1, 2020, but it’s the real deal now, complete with final rules and all.)

A lot has changed since CCPA first rolled out. And a lot has REALLY changed since January. So what’s a privacy-minded organization to do if they need to get up to speed on falling in line with CCPA regulations?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law to date in the United States. Informed by advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California.

CCPA is often said to be the lite version of GDPR. That’s not inaccurate, but there are some important differences to make note of now that we’re entering into the enforcement period of CCPA.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you’re in a compliance state-of-mind and thinking you should probably dig into whether or not you need to start scrambling, here’s the short answer for you. The CCPA applies to your business if:

  • You’re a for-profit business that:
    • Collects and controls California residents’ personal information AND
    • Does business in California AND
    • Has one of the following:
      • Annual gross revenues in excess of $25 million
      • Receives or discloses the personal information of 50,000 or more California residents, households, or devices annually
      • Derives 50% or more of your annual revenue from selling California residents’ personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines. (And it should – it went through numerous revisions to get where it is now.) There are seven articles with 42 sections total that cover how businesses can meet the regulations. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or any other synonym for “receiving” personal information? If so, you’re collecting consumers’ personal information. It’s relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean? Selling data can often be misconstrued. Yes, it can be the usual “I’ll give you x amount of money for y amount of data,” but under CCPA, it can include the act of sharing that data where the third party uses the data for their own purposes. If data is shared with a service provider and the service provider is limited by contract to using the data only to deliver the services, it would not qualify as a sale of data under CCPA.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to consider when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Do you collect and sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (tracking pixels, cookies, and the like), internet protocol (IP) address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let’s pause for a moment on the category of “identifiers.” Digital identifiers are a newer and increasingly important part of personal information. Think about how much time people spend online, how many websites they visit, and how many tracking pixels and cookies those sites load. This alone is a substantial source of personal information that you need to account for.

Transparency and notice obligations

Transparency! It’s not just a buzzy value to tout to your customers – it’s essential under CCPA. You can’t just tell customers you’re collecting data after the fact. You need to give customers four distinct types of notices so your data collection practices are crystal clear:

  • Notice of the collection of personal information
  • Notice of the right to opt out of the sale of personal information
  • Financial incentive notice
  • Business’ privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn’t just about your writing style – it also means your website is set up in an ADA-compliant manner. The regulations require privacy notices to be reasonably accessible to consumers with disabilities. That means you need to consider how individuals with disabilities, and the assistive technology they use to make websites usable, such as screen readers, will interact with the notices. 

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You've got to tell your consumers, in plain and straightforward language, that you're collecting their data at or before the time of collection, and again whenever you start collecting new categories of data.
      • You've got to link to your “Do Not Sell My Personal Information” page from your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers have the right to access their data twice a year to confirm that you're collecting their personal data and to get a copy of the data from the past twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers' data with other parties? Your consumers have a right to know and they can ask to see what you're sharing.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete any of their personal information, and you must pass that instruction on to your service providers. The catch: you have to give consumers an accessible way to submit the request.
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you to not sell their data.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • An individual's use of their CCPA rights can't affect the goods and services you provide them.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it’s even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to access their personal data in accordance with their rights.  

Unless you operate exclusively online, you need to provide at least two methods for submitting requests, one of which must be a toll-free number. If your business operates ONLY online and has a direct relationship with the consumers whose data it collects, an email address for submitting Requests to Know and Requests to Delete is enough. 

For requests to opt out, you need to offer two ways for consumers to do so, and one of them needs to be the Very Important “Do Not Sell My Personal Information” link.   

Are you able to meet deadlines?

Under CCPA, you have 10 business days to confirm receipt of a request to know or delete personal information, and 45 calendar days to complete the entire process (extendable by a further 45 days when reasonably necessary, provided you tell the consumer). This can be hard, especially for busy small businesses, but it’s important to make it a priority. 

Think about: Verifying data

When a consumer submits a request to know or a request to delete their personal data, you have to verify their identity before acting on it. Under CCPA, identity verification is nuanced: the standard depends on the type of request and the sensitivity of the data involved, so make sure you’ve trained your team THOROUGHLY on your process. (And to meet the 45-day timeline!)

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under CCPA, California residents have a private right of action to sue companies whose non-encrypted and non-redacted personal information is exposed in a qualifying data breach caused by the business’s failure to implement and maintain reasonable security. This is the provision that uses the narrower definition of personal information mentioned above, and it is significant in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you’re found in violation of the CCPA, your company will be subject to civil enforcement actions. You’ll get a notice of non-compliance and 30 days to resolve the problem. If you don’t meet the 30-day deadline, you’ll be subject to an injunction and a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional one. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with their data. If you’re not doing the right thing with it, you’re not staying in compliance. (And of course, that’s an issue.) 

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 

 

We’re here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.

Brexit, personal data, and the GDPR

Everyone's talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).

There's talk of economics and trade agreements, but data privacy isn't exactly on the tip of everyone's tongues. However, there are real issues regarding data privacy and Brexit to consider.

The General Data Protection Regulation (GDPR) is the EU's main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”

According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

So if the UK is no longer a part of the EU, how will its citizens' data be protected?

Basically, this is what will happen:

  • The transfer of personal data from organizations within the EU to organizations in the UK will be subject to the strict international transfer rules set out in the GDPR. It will be the responsibility of companies in the EU to ensure that transfers to businesses in the UK are lawful. 
  • The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU's GDPR.
  • If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status. 
  • It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there's no provision for data privacy when Brexit becomes official.

How does this affect businesses in the UK?

If a company is already GDPR-compliant, not much will change, especially if that company doesn't conduct business outside the UK. However, if your business has data that flows between the UK and EU, you'll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.

The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate. 

The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they're not already. This step will prevent any interruption in the flow of data in and out of that business. 

Does Brexit affect U.S. companies?

In short, yes. Brexit does affect companies based in the United States.

Brexit has implications for the EU-US Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.

The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States. 

The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.

Top Three Brexit Tips 

  1. Review your data inventories to understand cross-border transfers and how they affect your company.
  2. Determine if your vendors are prepared for Brexit. If they aren't, develop steps to appropriately manage the situation.
  3. Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.

If you're still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary consultation. 

Schedule a free consult!

There’s a lot of uncertainty in the world right now. 

A global pandemic, major lifestyle changes, and increased isolation have turned our business worlds upside down. One thing remains certain, though. Red Clover Advisors is committed to providing trusted and practical privacy consulting services to our business community. 

By taking careful precautions and acting with sober judgement when it comes to remote work, we believe that together, our businesses can grow stronger and more resilient during this time.

Remote Work Best Practices

Security and privacy must be top of mind for remote work.

While the world is on lockdown, we get to connect more than ever online through the modern miracle of remote work. This presents a plethora of opportunities for your team to grow while getting creative about new ways to conduct business.

However, there are also a lot of new ways privacy and security risks can creep in and put your company in danger. 

As always, our team is prepared to help. 

In particular, we want to outline some of the privacy and security areas related to remote work that may affect your business. There are specific legal and practical steps you should be taking to keep your customers, your employees, and your business safe when it comes to remote work. 

Virtual Meetings

Conference calls and web meetings – aka virtual meetings – are at the center of making remote work successful. You’ll need to connect with colleagues and clients in order to move projects forward. 

There are major implications for virtual meetings, though. 

Just think about the situations when one meeting runs over, and the callers who dial in for the next meeting – on the same conference line – unwittingly overhear proprietary, client-specific, or competitor information. That’s a big no-no.

Virtual meetings must be set up correctly and procedures followed to a tee to avoid these unwanted privacy blunders from happening. Follow this checklist to make sure you’re doing it properly:

  1. Have a separate code for each virtual meeting you set up. 
  2. Schedule meetings to end at 25 or 40 or 55 minute intervals. The extra five minutes will give users time to log off before new users log on. 
  3. Set a timer to make sure you don’t run over meeting times.

Although virtual meetings tend to be quicker than in-person versions, you should still take extra precautions to make sure they end on time for the sake of protecting sensitive information. This ensures your remote work will increase collaboration without causing an embarrassing or costly security or privacy incident.

Remote Work Connections

VPNs and intranets are essential for successful remote work. Set up correctly, they make a security incident far less likely.

If your company doesn’t have a process for setting up a secure VPN, now is the time to create one. It should be reviewed by executives and technical experts on your team. And everyone in your company should be trained about how to use it.

Other tips for keeping connections and data secure include:

  • Best practice dictates not allowing employees to use their personal devices for work activities. If they do, it’s critical they follow all of the steps below.
  • Don’t allow employees to use public WiFi without a VPN.
  • Install the software, firewalls, and connection security required by your industry on employees’ work devices. 
  • Consider adding two-factor authentication to employees’ work devices and to any tools from which they access work content. Google Authenticator, PingID and Authy all generate one-time codes that are accepted by hundreds of commonly used apps.
  • Make sure employees are aware of who can see their screens when working offsite. Screens shouldn’t be visible to others, especially when entering passwords.
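The authenticator apps named above all implement the same open standard: time-based one-time passwords (TOTP, RFC 6238), built on HMAC-based one-time passwords (HOTP, RFC 4226). The code below is an added example, not code from Red Clover Advisors or from any of those apps, showing both halves of that exchange: how an app derives a six-digit code from a shared secret and the current 30-second time step, and how a server should check a submitted code with a small clock-drift window, constant-time comparison, and a replay guard. The secret is the RFC test vector (constructed for checking against the published results, never for real use); the class and function names, the one-step window, and the replay policy are this example's own choices.

```python
"""TOTP (RFC 6238) one-time codes as generated by authenticator apps.

Added example, not code from the original page. The secret below is the
RFC 4226 / RFC 6238 reference value (ASCII "12345678901234567890"),
constructed so the output can be checked against the RFC test vectors.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TEST_SECRET = b"12345678901234567890"  # RFC test vector only, never use in production
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (this is what the app does)."""
    return hotp(secret, at // step, digits)


def new_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret to enrol in an authenticator app (160 bits, as RFC 4226 recommends)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side check with a clock-drift window and replay protection.

    A code is accepted if it matches the current time step or one step on
    either side (tolerates roughly 30 s of drift). A time step is never
    accepted twice for the same secret, so a code captured over the
    shoulder or from a phishing page cannot be replayed inside its window.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self._secret = secret
        self._window = window
        self._last_counter = -1  # highest time step already consumed

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        now = int(time.time()) if at is None else at
        current = now // STEP_SECONDS
        for counter in range(current - self._window, current + self._window + 1):
            if counter <= self._last_counter:
                continue  # already used: refuse the replay
            expected = hotp(self._secret, counter)
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(expected, submitted):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 SHA-1 test vectors, 6-digit form.
    for t, expected in [(59, "287082"), (1111111109, "081804"), (1234567890, "005924")]:
        assert totp(TEST_SECRET, t) == expected
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print("first use accepted:", v.verify(code, at=59))   # True
    print("replay rejected:", v.verify(code, at=70))      # False
    print("enrol a new user with secret:", new_secret())
```

The point for a remote-work rollout is that the secret, not the code, is the credential: it is shared once at enrolment (usually as a QR code carrying the base32 value from `new_secret`), after which the app and the server compute codes independently with no network connection. Keep the verifier's replay state per user, and keep the window small; widening it to cover badly drifted phones also widens the time an intercepted code stays valid.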

One of the silver linings to the remote work cloud is the companies stepping up to provide free security resources to help organizations better protect their networks during this time.

Disinformation and Deepfakes

Even if your business is internally secure while pursuing remote work, outside threats are taking advantage of the situation. Fake news and deepfakes are at the center of this threat.

A deepfake is Photoshopping for video. Using a form of artificial intelligence (AI) called deep learning, creators make videos of fake events, often superimposing faces on bodies. They’re common and convincing. 

Fake news and deepfakes can be weaponized to harm brands and undermine trust in companies and industries. It’s a possibility your company could be targeted by this disinformation while working remotely. It’s important you understand legal actions that can be taken against the perpetrators, as well as how to prepare and react to exposure of this kind.

Preparation is Your Ally

While businesses aren’t defenseless in this new remote work environment, protecting customers and individuals will require forward thinking, preparation, and diligence. Red Clover Advisors is here to help you navigate these issues and other topics as they arise. 

We’ve created The Remote Work Best Practices Guide to give you a detailed rundown of privacy and cybersecurity challenges to watch out for.

It’s a practical checklist you can implement with your remote work team today.

Please reach out if we can help explain any of these concepts or help you work through them. During this unprecedented time, we are thinking of you, your families, and your teams. We’re all in this together, and our team is prepared to provide assistance in all the ways we can.

COVID-19 remote work policy

COVID-19 is rapidly increasing the number of remote employees around the world.

For companies that already have a remote workforce, it's just another day out of the office. But for a lot of businesses, this is new territory.

It's hard enough to keep data secure when your employees are all in one place. Here are some tips and best practices to consider as you navigate the ever-changing situation regarding COVID-19.

Data Security and Remote Working Tips

#1: Talk to your employees.

Before you deploy your workforce to work remotely, hold a training. If they're already at home working, host a digital training session.

Train your employees about cyber security. Be sure they know how to recognize hacking and phishing attempts that can put your company's data at risk. Use this time to remind your team of best practices.

This includes:

  • Don't use public WiFi without using a VPN. Check out our top 10 security tips for SMBs.
  • Pay attention to who's around when working offsite. Be sure others can't see your screen or watch you enter a password.
  • Don't use personal devices for work.

#2: Maintain a team atmosphere.

While your team is working remotely, bring them together via a digital platform to give them timely updates and reminders. This will help keep data security top of mind and energy focused on work.

#3: Address software concerns.

Be sure your employees' devices are as secure as possible, with the software, firewalls, and connection security required by your industry. You may also want to consider two-factor authentication for employee devices.

#4: Enable remote connections.

If your team can connect directly to the business network, there are fewer opportunities for a breach. Be sure your company has a process for this and your team knows how to use it. Things like VPNs and intranets are helpful.

#5: Have a shut-down process.

You need to have a policy in place for when an employee thinks or knows his or her account has been compromised. Ensuring your team knows this protocol will allow them to act swiftly and limit data privacy and security concerns.

COVID-19: Reminding Us Why We Need a Business Continuity Plan

Another item to consider in the wake of COVID-19 is your Business Continuity Plan.

It's one of those things people often don't think about until it’s too late. If you aren't familiar with the term, a Business Continuity Plan is a process that helps you create a system of prevention and recovery from potential threats to a company.

The plan ensures personnel and assets are protected and able to function quickly in the event of a disaster – in this case, COVID-19.

If you don't have one in place, here's a simple roadmap to get started and help prevent major downtime for your organization:

  1. Identify the scope of the plan.
  2. Identify key business areas to address in the plan.
  3. Identify critical functions of your company and team members.
  4. Determine the acceptable amount of downtime for each critical function.
  5. Identify crossover between business areas and functions.
  6. Create a plan to maintain operations.

While a strategic version of a Business Continuity Plan may be a long-term project for your company, now is as good a time as any to get started.

To save time, assign one piece of the plan to a few leadership team members and then come together to ensure it's cohesive. It's also important to train employees on their various roles and timelines should this plan need to be implemented.

If you don't have a Business Continuity Plan, it can be difficult and, in some cases, nearly impossible to get your team and systems mobilized in the midst of a crisis. This can damage your reputation in the marketplace and cost you real money while trying to regain operations.

Additionally, in some regulated industries the law requires a plan of this sort (healthcare and financial services rules, for example, include contingency-planning obligations). If that applies to you, not having one is a compliance failure as well as an operational risk, and it can surface in an audit.

We all need a little push sometimes to take the time to do things we know need to happen but haven't yet made a priority. Why not use this as your reason to create official policies and procedures regarding remote working and data security, as well as Business Continuity Planning?

As we all continue to navigate the balance between normalcy and safety during this pandemic, remember to keep data privacy top of mind for yourself and your employees.

If you want to talk about how remote working could impact your businesses functionality when it comes to data privacy, or if it’s time to dust off – or create – your Business Continuity Plan, contact Red Clover Advisors today.

Complete 2020 Privacy Compliance Checklist

Privacy compliance is no piece of cake.

In 2019 alone, the business world saw a shakeup brought on by a slew of new state laws and year one of General Data Protection Regulation (GDPR) enforcement. 

And the companies that came out on top had a few things in common: transparent messaging to consumers, a privacy-centric re-brand, and tricked out privacy policies that used eye-catching marketing tactics. 

We know what it took to win at privacy in 2019. But what will privacy best practices look like in 2020 and how can brands – both big and small – get it right?

To answer that question, we’ve created an authoritative guide on what to expect in the year to come and a complete 2020 privacy compliance checklist to keep you on track.
