Stay ahead of the compliance curve by proactively prepping for the California Privacy Rights Act. 

In 2018, the European Union passed the General Data Protection Regulation (GDPR), proving to businesses around the world that consumers are not going to stop demanding increased privacy rights.

Before the ink was even dry on the California Consumer Privacy Act (CCPA), privacy advocates were already working on its replacement, the California Privacy Rights Act, or CPRA.

And while the CCPA set the standard for modern US privacy law, CPRA raised the bar even higher. GDPR, CCPA, CPRA, CPPA…if you’re feeling swamped by acronyms, keep reading.

Here’s what’s new

CPRA has a lot of similarities to the CCPA, but there are some key differences in who the law applies to and how it’s enforced:

  1. CPRA changes its threshold for businesses. (Small business owners, rejoice!) It’s either:
    1. $25M in global revenue (this stays the same from CCPA 1.0)
    2. or 100,000 consumer/household/device records (this is an increase from 50,000)
  2. Fines are automatically $7,500 for violations involving minors.
  3. Businesses are now restricted from selling and sharing data with third parties instead of just from selling data, closing a loophole that had been used to circumvent notification requirements.
  4. Businesses are responsible for how third parties use, share, or sell the personal information collected.
  5. Businesses are required to have an obvious “Do Not Sell or Share My Personal Information” button on their website.
  6. CPRA eliminates the 30-day cure period before businesses can be fined.
  7. Enforcement shifts from the California Attorney General (AG) to the newly created California Privacy Protection Agency (CPPA).

Differences for consumers

The whole point of CPRA is to clarify vague sections of the CCPA and expand the protections available to consumers, including:

  • Expanding the categories of information eligible for private right of action after data breaches.
  • Adding the right to correct inaccurate information companies have on them and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights.
  • Adding protections for sensitive personal information like SSNs, driver’s license numbers, biometric information, precise geolocation, and racial/ethnic information.
  • Granting consumers the right to deny both the sale and the sharing of their information.
  • Prohibiting businesses from profiling consumers in automated decision-making processes if they choose to opt-out of data collection/sharing.

What it all means

Some of these changes are a bigger deal than others. 

Whether or not you collect 100,000 records a year is pretty black-and-white. So is adding specific types of personally identifying information (SSNs, driver’s licenses, precise geolocation, etc.) to the categories CCPA already protected (cookie numbers, browser history, employment-related information, psychometric data, IP addresses, etc.).

More complicated is that you’re now responsible for how your third-party vendors use the information you’ve collected. This means you need to go back and review not only how you handle data, but how your vendors handle it as well.

Another major change that CPRA introduces is the creation of the California Privacy Protection Agency (CPPA). Instead of relying on the already unwieldy, overburdened AG office for enforcement, the CPPA will dedicate significant resources, of both the financial and manpower varieties, to handling civil actions and enforcement.

This increased oversight is a double-edged sword. On the one hand, businesses are likely going to be given very clear guidance to help them understand regulatory requirements. But on the other, companies can also expect robust auditing and enforcement, especially since CPRA adds liability if a data breach occurs and a consumer’s email address and either password or security question/answer is compromised.

Keep reading to learn how you can manage everything that is heading your way.

Here’s your to-do list

Check out our eight steps that can help you be CPRA-compliant.

1. Plan your compliance strategy

The biggest thing everyone has going for them is that CPRA doesn’t take effect until January 21, 2023. You have almost two full years to prepare and get your ducks in a row. Take advantage of it.

If you start working on it now, you have time to break your strategy into manageable pieces that won’t overwhelm your teams or your systems, letting them drink from a drinking fountain instead of a privacy firehose. 

Starting now also allows you the opportunity to truly build a great program, one that is agile and goes beyond just compliance to truly establish you as a forward-thinking, consumer-focused leader.

2. It’s all hands on deck

A good privacy program doesn’t depend on IT for everything. You should incorporate every function in your organization, from HR to legal to operations to marketing, in the development and execution of your compliance program. Identify team members from different departments and form a committee that can help share the work. 

3. Get what you need

If you’re already CCPA compliant, you’ll likely be able to complete this step by making small changes to your existing processes.

If you aren’t CCPA compliant yet, having a good compliance strategy is crucial to making this step work. Do you need to upgrade your IT infrastructure or buy new software? Do you need a consultant to help you understand the ins-and-outs of your responsibilities? Do your employees need to be trained (or re-trained)?

Don’t feel like you need to become a privacy guru or that you need to manage compliance on your own. Resources and professionals exist to help you, and starting now gives you time to find the ones that fit your needs and budget.

4. Organize your data

Once you have a strategy, a first-rate privacy team, and the tools you need, you’re ready to start the hard work. Hands down, the biggest challenge CPRA presents is creating an efficient data inventory and effective workflows for managing the individual rights requests that will inevitably come your way.

This is, in part, because CPRA has changed what constitutes sharing and selling data. If you have been sharing data with advertisers for cross-device tracking or ad targeting, you now have to disclose that and give consumers a way to opt out of it.

That means keeping close tabs on what you’ve got going on, datawise. You need to know what you’re selling and what you’re sharing because CPRA is un-blurring the lines between the two activities. The best strategy for data clarity? A thorough data mapping project. (See below for where to start.)

To do this well, you should complete (or update) your data mapping processes. Data mapping will expose any gaps you have in your data collection practices by showing you what type of data you are collecting, who you are collecting it from, where/how long it’s being stored, and who it’s being sold to or shared with. All of that information is critical to establishing and maintaining CPRA compliance.

Side note: Are you a sensitive data collector? Under CPRA, you need to have clear business purposes for using it. You need to know what you have because the restrictions and requirements around usage may differ. So double down on your data mapping efforts if this applies to you. 

5. Understand individual rights

Again, if you’re already CCPA compliant, updating your processes to manage the new categories of sensitive personal information and the new timelines for request acknowledgment and resolution is totally doable.

If you’re starting from scratch, it’s still totally doable. It will just take a little more effort. CPRA requires you to be able to respond to individual requests from consumers who want to access, delete, or correct the data you have collected about them. Consumers have the right to opt-out of having their information shared or sold and to limit the use and disclosure of sensitive information. 

To do all of that, your data collection needs to be specific and limited. Your data mapping needs to be spot on. And you need to have really solid processes (that you have really trained your employees on) for responding to these requests.

One of the best ways to manage individual rights requests is to build a one-stop privacy shop called a preferences center. A preferences center allows consumers to see your privacy notice, manage their data, and submit requests without having to scour your site map for your business practices and contact information. A well-designed preferences center also virtually guarantees that you are CPRA compliant.

6. Strengthen your security

Like CCPA, CPRA requires companies to take “reasonable security measures” to protect the data they collect. But CCPA didn’t give much guidance on what those security requirements needed to look like. 

CPRA isn’t super specific either, but it does require that businesses whose processing presents a significant risk to sensitive information submit regular risk assessments and annual cybersecurity audits to the new CPPA. Taking the time to set up those processes ahead of time allows you the time you need to make sure they work and to fix any problems they find before CPRA is enforced.

CPRA’s stronger right of action and dedicated enforcement agency mean it’s far more likely than ever before that bad actors won’t be the only ones on the business end of administrative actions. Even accidental mistakes can be costly, which is why you need to give yourself time to build a strong, proactive program. If you can demonstrate you’ve done your level best to comply, you’re far more likely to have regulators work with you if there is an issue.

7. Check your privacy notices

Complicated regulations that vary by location mean standard cut-and-paste privacy notices just won’t cut it anymore. Additionally, the trend right now is to move away from dense, purposefully incomprehensible legalese toward customized, user-friendly privacy policies that clearly demonstrate what you are doing to protect your users.

And remember—CPRA requires your privacy notice to be front and center on your website. 

8. Train, train, and train again.

Your compliance program is only as strong as your employees’ understanding of it. Even if you are CCPA compliant, your employees will still need to be retrained. If you start now, you’ll be able to do this training in small chunks over the next two years instead of dumping a giant new manual on your employees right before CPRA goes into effect and hoping no one makes a mistake.

Training can happen more than once a year. You don’t need to only block off two days for a privacy symposium. You can also set aside a few hours once a quarter, ten minutes in a weekly staff meeting, or five minutes to write a team email. It all adds up.

9. Go brag!

Okay. You have a compliance strategy that is being executed by a top-notch cross-functional team. Your consulting team has helped you get the right software to map your data and build effective processes for responding to individual rights requests. Your team has closed the loopholes they found after the risk assessment. You’ve got a preferences center and your employees could answer Double Jeopardy questions about your user-friendly privacy notice.

Now what?

Now you go tell people!

You’ve spent a lot of time and effort getting compliant, and you should be getting credit for it. Companies that have a proactive privacy program can use that as a differentiating factor, especially since an increasing number of consumers have proven they will switch companies or providers over data collection and sharing practices.

So instead of hiding your privacy notice, flaunt it by:

  • Building an easy-to-understand section on your privacy program into your website.
  • Including your commitment to consumer privacy in marketing you put out about other social justice initiatives.
  • Writing opinion pieces and guest posts about the intersection of privacy, e-commerce, and advertising.
  • Establishing yourself as a leader by having your privacy team create a presentation for business conferences and industry meetings on how you made privacy work.
  • Training your customer service employees to bring up your commitment to privacy in their user interactions, à la Southwest Airlines’ “We know you have a choice when flying. Thanks for flying with us” flight attendant speech.

Don’t get overwhelmed. Just get to work.

Rome wasn’t built in a day. Neither is a strong privacy program. Privacy compliance can feel overwhelming, especially when it changes every few years. But every step you take makes it less overwhelming, especially when you give yourself time to do it right.

Three years ago, companies across the globe were scrambling until the very last minute to get GDPR-compliant. Even with a two-year runup, GDPR was the first regulation of its kind and no one knew what they were doing.

That isn’t the case this time around. You can do it. And we can help.

Red Clover Advisors is here to keep you moving towards compliance. We can help you with whatever part of the process feels like too much.

Drop us a line today and let’s get started.

Cookies have been part of the internet since basically the beginning of the internet. As the internet has developed, advertisers have co-opted cookies from their original use and turned them into super data collection machines that track your every move across the web. 

But attitudes are changing. Consumers and governing bodies are pushing back. Not only are governments passing legislation regulating transparency around cookie use, but major browsers have also pushed the envelope by developing technology to block third-party cookies.

Their moves are shifting the data privacy landscape.

Cookies are good as a food, less so as a technology

Cookies are small, randomly encoded text files that make e-commerce affordable for businesses by storing data about a user’s site visit on their own computer instead of on massive company servers. They also improve user experience by doing things like keeping carts full across visits and remembering log-in preferences. 

By themselves, cookies aren’t dangerous. First-party cookies—cookies you place on your site yourself to improve and monitor functionality and personalization—give you a more seamless and enjoyable user experience on the internet.

Third-party cookies, though, are another story. Privacy advocates have been trying to get rid of them for years because they’re incredibly invasive. Data collected from third-party cookies can be used to create a profile that knows you better than you know yourself. 

And data brokers sell that profile for a lot of money. 

What do these dynamics mean for the business-consumer relationship, though? For consumers, trading away privacy can be a serious trust-breaker. Businesses are finding that preserving data privacy—and consumer trust—isn’t optional anymore. What’s more, businesses that put privacy and trust first can differentiate themselves from their competitors.

Nirish Parad, marketing technologist at Tinuiti notes, “Respecting privacy is one thing, but are we building trust? Netizens don’t trust companies with their information. How do we earn that back? By leaning in. If you’re collecting data, be intentional, respect preferences, deliver value, and invest in the experience.” 

Where to start? Cookies. As consumers demand more control over how their data is used online, major tech companies are blocking third-party cookies altogether and making a big impact on consumer privacy.

Apple

Apple has led the browser privacy conversation since 2017, when they added the Intelligent Tracking Prevention (ITP) feature to their Safari browser. By March 2020, ITP updates made Safari capable of blocking all third-party cookies. More importantly, Safari can now block the workarounds that ad networks and cookie makers had been using to circumvent earlier ITP versions.

Safari still allows first-party cookies, but they expire after one day instead of seven. This means that if you don’t visit a website every day to refresh the cookie, your device will get a new identifier the next time you hit the site. 

Effectively this means that it will be very difficult for advertisers and data collectors to follow Safari users around the internet, making Safari one of the most secure ways to surf the web.

But Safari isn’t the only cookie-free part of the Apple universe. The most recent update for Apple products—iOS 14—is *literally* cookieless. As of this update, developers are required to ask for permission before tracking iOS users for ad targeting. 

This opt-in requirement marks a big shift for smartphone users’ privacy because it makes developers responsible for addressing privacy, not users. And users are expected to take advantage of these new protections: the share of iOS users granting permissions to developers is estimated to drop massively, from 70% to 10%.

Apple is a prime example of a company using aggressive privacy technology and policies to differentiate their brand. In a market almost entirely controlled by Google Chrome, Apple’s commitment to privacy has made Safari a major part of the digital privacy and internet tracking conversation. 

Google

With 69% of the market, there is no question Google controls the browser game. But while they may have been driving browser innovation, they are behind on the privacy side.

Part of the reason for this is that up to 83% of Google’s revenue is ad revenue. Google’s official line is that getting rid of cookies will increase the use of workarounds like device fingerprinting, but it’s hard not to notice that eliminating third-party cookies without a backup plan would more or less implode their business model. 

In January 2020, Google announced their Chrome browser would stop supporting third-party cookies by 2022. They are using that time to develop the Google Privacy Sandbox, new technologies that can replicate a seamless web experience without the use of cookies. 

Google Sandbox & Consent Mode

Google’s Privacy Sandbox is a work in progress, but its goals are to:

  • Replace cross-site tracking processes with new technologies
  • Separate first-party cookies from third-party cookies so third-party cookies can be eliminated
  • Reduce the success of workaround tracking technologies used by bad actors

Reactions to the Privacy Sandbox have been mixed. Google will obviously benefit from having advertisers using their first-party tools. In turn those first-party tools will increase the control Google has of, well, everything.

In September 2020, Google also launched the beta version of its Google Consent Mode. According to Google, consent mode is an API that “allows you to adjust how your Google tags behave based on the consent status of your users.” From Google’s website:

“You can indicate whether consent has been granted for analytics and ads cookies. Google’s tags will dynamically adapt, only utilizing cookies for the specified purposes when consent has been given by the user. You can use consent mode in Google Ads for conversion tracking and remarketing.”

Whatever Google’s motivations, Google Consent Mode is popular with companies that provide cookie and online tracking consent and compliance solutions. 

According to Danish company Cookiebot, Google Consent Mode is “a big step forward in building a more sustainable internet economy that brings both elements into greater balance – moving away from mass personal data collection towards a consent-based dynamic system that respects the privacy and dignity of each individual user without breaking the underlying business model of large parts of the Internet.”
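To make the consent-mode idea above concrete, here is an added example (not Google’s code and not from this article) that models how a consent signal gates a tag’s cookie use: every purpose starts denied, the page pushes a default command before any tag runs, and tags only write cookies after an explicit grant. The purpose names ad_storage and analytics_storage are the ones Google documents for consent mode; the tag simulation, the command shape and the cookie names are constructed for illustration.

```javascript
// Added example, not Google's code nor the article's: a minimal model of how a
// consent-mode style signal gates cookie use by tags on a page. The purpose
// names ad_storage and analytics_storage are the ones Google documents for
// consent mode; the tag simulation and cookie names are constructed.

const PURPOSES = ['ad_storage', 'analytics_storage'];

// Every purpose starts denied: no tag may write a cookie before an explicit grant.
function defaultConsent() {
  const state = {};
  for (const purpose of PURPOSES) state[purpose] = 'denied';
  return state;
}

// Apply a user's choices (for example from a preferences center). Unknown
// purposes or values are rejected so that a typo cannot silently grant anything.
function updateConsent(state, choices) {
  const next = { ...state };
  for (const [purpose, value] of Object.entries(choices)) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (value !== 'granted' && value !== 'denied') throw new Error(`bad value for ${purpose}: ${value}`);
    next[purpose] = value;
  }
  return next;
}

// The command shape a page pushes to the tag loader:
// gtag('consent', 'default' | 'update', { purpose: 'granted' | 'denied', ... }).
function consentCommand(phase, state) {
  return ['consent', phase, { ...state }];
}

// A simplified tag: it writes its cookie only when the purpose it serves is
// granted; otherwise it records a cookieless event instead of touching the jar.
function runTag(purpose, cookieName, state, jar, events) {
  if (state[purpose] === 'granted') {
    jar[cookieName] = 'set';
    events.push(`${cookieName}: cookie set`);
    return true;
  }
  events.push(`${cookieName}: cookieless ping only`);
  return false;
}

// One visit: defaults are pushed before any tag runs, the analytics tag is
// blocked, the user makes a choice, and the tags run again under the new state.
function simulateVisit(choices) {
  const jar = {};
  const events = [];
  let state = defaultConsent();
  const commands = [consentCommand('default', state)];
  const beforeGrant = runTag('analytics_storage', 'analytics_id', state, jar, events);
  state = updateConsent(state, choices);
  commands.push(consentCommand('update', state));
  const afterGrant = runTag('analytics_storage', 'analytics_id', state, jar, events);
  const adCookie = runTag('ad_storage', 'ads_id', state, jar, events);
  return { beforeGrant, afterGrant, adCookie, cookies: Object.keys(jar), commands, events };
}

// Usage: a user who grants analytics but not ads.
console.log(simulateVisit({ analytics_storage: 'granted' }));
```

The design point is the order of operations: the default (all denied) command must be pushed before any tag loads, and the update command carries the full state, so a purpose the user never touched stays denied rather than falling back to whatever the tag assumes.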

Google has also made the news very recently for a cookieless approach they’re calling “FLoC” (or Federated Learning of Cohorts). FLoC works as a browser extension that compiles data from thousands of site users. FLoC hasn’t been released for public testing as of yet—but look for a release in March, followed by advertiser testing in the second quarter of this year. 

Mozilla

We can’t talk about cookie-blocking browsers without talking about Mozilla Firefox. Firefox was created by a nonprofit, which means they create features based solely on user experience without worrying about shareholders. They don’t sell data. Additionally, Firefox is not based on Chromium, Google’s open-source code project that forms the infrastructure of the Chrome, Edge, and Brave browsers.

Mozilla’s entire mission is to foster the creation of “an Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent.” Spurred by the Cambridge Analytica/Facebook scandal, Firefox began using “containers,” a technology that isolates browser tabs from each other, in 2016, before Apple’s ITP and long before Google’s Consent Mode.

Firefox started blocking third-party cookies in 2019, but they’ve had to play catchup to be able to stop the workarounds that inevitably popped up. Currently, Mozilla engineers are working on a new technology called DNS over HTTPS, or DoH. This technology encrypts your browser requests and traffic, making it much harder for trackers to spy on you.

Mozilla’s constant push for a user-centered, privacy-based internet has given them clout that doesn’t match their market share, because giving consumers more control over how their personal data is collected, used, and shared online is the issue of the internet’s future.

You can still track (and be tracked) without cookie crumbs

Cookies aren’t the only way users are tracked online — they’re just the most common. And major browsers dumping them doesn’t mean your privacy worries are over.

For starters, you still need to advise your users about the first-party cookies you have on your site, and you’ll still have to manage the data those cookies collect. This means knowing what you’re collecting, why you’re collecting it, where and how long you’re storing it, and how you’re protecting it.
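The first-party/third-party distinction drawn above, and the inventory of your own cookies that this paragraph calls for, can be checked mechanically. The following is an added example, not code from this article: it takes Set-Cookie headers captured while loading your own pages, classifies each cookie as first- or third-party relative to the site’s domain, records its lifetime, and flags what a notice or a hardening pass should cover. The captured headers are constructed, and the “last two labels” rule for the registrable domain is a simplification assumed here (it mishandles suffixes such as co.uk; a public-suffix list would replace it).

```javascript
// Added example, not code from the article: a small cookie inventory built from
// Set-Cookie headers captured while loading the site. Sample headers are
// constructed; the registrable-domain rule is a simplifying assumption.

const SITE_HOST = 'www.example-shop.test';

// Constructed capture: the host that answered and the Set-Cookie header it sent.
const CAPTURED = [
  { host: 'www.example-shop.test', header: 'cart=abc123; Path=/; Max-Age=1209600; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example-shop.test', header: 'session=s1; Path=/; Secure; HttpOnly; SameSite=Strict' },
  { host: 'tracker.adnetwork.test', header: 'uid=9f2; Domain=.adnetwork.test; Path=/; Max-Age=31536000; Secure; SameSite=None' },
  { host: 'cdn.example-shop.test', header: 'lang=en; Path=/; Max-Age=2592000' },
];

// Simplification: treat the last two labels as the registrable domain.
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Split "name=value; Attr; Attr=value" into parts; attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf('=');
    const key = (i === -1 ? item : item.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Lifetime as a notice would state it: persistent (days) or session-only.
function lifetimeOf(attrs) {
  if ('max-age' in attrs) return `${Math.round(Number(attrs['max-age']) / 86400)} days`;
  if ('expires' in attrs) return `until ${attrs.expires}`;
  return 'session';
}

function classifyCookie(siteHost, responseHost, header) {
  const cookie = parseSetCookie(header);
  const declared = typeof cookie.attrs.domain === 'string' ? cookie.attrs.domain : responseHost;
  const cookieDomain = registrableDomain(declared);
  const party = cookieDomain === registrableDomain(siteHost) ? 'first-party' : 'third-party';
  const findings = [];
  if (party === 'third-party') findings.push('third-party: disclose, and honour opt-out of sale/sharing');
  if (!('secure' in cookie.attrs)) findings.push('missing Secure');
  if (!('samesite' in cookie.attrs)) findings.push('missing SameSite');
  return { name: cookie.name, domain: cookieDomain, party, lifetime: lifetimeOf(cookie.attrs), findings };
}

function buildInventory(siteHost, captured) {
  return captured.map(c => classifyCookie(siteHost, c.host, c.header));
}

// Usage: print the inventory for the constructed capture.
console.table(buildInventory(SITE_HOST, CAPTURED));
```

The Domain attribute, not the responding host, decides the party: a cookie set by a CDN under your own domain is still yours to disclose, while a cookie scoped to an ad network’s domain is a third-party cookie even if it arrived through a script you embedded.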

Device fingerprinting, also known as browser fingerprinting, happens when someone (or some technology) collects information about your device, including your:

  • Browser
  • Time zone
  • Language settings
  • CPU architecture
  • Plugins

Alone, these little bits of data wouldn’t mean anything to anyone. But trackers combine these identifiers to create a recognizable profile for individual users that is incredibly accurate. According to Mozilla, “recent developments in cross-browser fingerprinting [make digital fingerprinting] capable of successfully identifying users 99% of the time.”

Using a VPN and blocking cookies can’t stop fingerprinting. And fingerprinting isn’t all bad. It was first used by banking websites for fraud prevention and fraud investigations. From a privacy standpoint, however, fingerprinting can create a profile even more accurate than cookies.

And unlike third-party cookies that come from your vendor, your website might have fingerprinting technology without you even knowing it.

A study from Princeton University found that more than 60% of the top 1,000 sites on the web share information with third parties, and many of those third parties are fingerprinting visitors and selling the data. They also found that 96.5% of websites have access to digital fingerprints even if they are not using the technology themselves.

There are currently multiple regulations covering the use of cookies, but nothing has been done about device fingerprinting yet. While you’re working on eliminating your third-party cookies, it might be a good idea to also talk to your hosting provider and other vendors to see if they use fingerprinting technology. You don’t want to get caught with your hand in the newest version of a cookie jar when new rules come out.
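One practical way to start the vendor conversation above is to look at what the scripts you embed actually read. Here is an added example, not from this article or any vendor, that scans vendor JavaScript (fetched as text from the script URLs in your tag manager, which is an assumption of the example) for reads of the five device attributes listed earlier, and rates each script for review when it reads several of them, combines them, and sends the result somewhere. The three sample scripts are constructed. This is an audit aid, not proof: a widget that reads navigator.language may simply be localising its text.

```javascript
// Added example, not from the article or any vendor: a first-pass static scan
// of vendor scripts for the fingerprinting inputs the article lists. Sample
// scripts are constructed; patterns cover common API spellings only.

// Browser APIs that expose each attribute from the article's list.
const INDICATORS = [
  { attribute: 'Browser', pattern: /navigator\.userAgent\b/ },
  { attribute: 'Time zone', pattern: /getTimezoneOffset\(|resolvedOptions\(\)\.timeZone/ },
  { attribute: 'Language settings', pattern: /navigator\.languages?\b/ },
  { attribute: 'CPU architecture', pattern: /navigator\.(platform|hardwareConcurrency|oscpu)\b/ },
  { attribute: 'Plugins', pattern: /navigator\.(plugins|mimeTypes)\b/ },
];

// Does the script stitch values together and send them off the page?
const COMBINES = /(\.join\(|JSON\.stringify\()/;
const TRANSMITS = /(sendBeacon|fetch\(|XMLHttpRequest|new Image\(\))/;

function scanScript(name, source) {
  const attributes = INDICATORS.filter(i => i.pattern.test(source)).map(i => i.attribute);
  const combines = COMBINES.test(source);
  const transmits = TRANSMITS.test(source);
  let verdict = 'low';
  if (attributes.length >= 3) verdict = combines && transmits ? 'review' : 'watch';
  return { name, attributes, combines, transmits, verdict };
}

// Highest-concern scripts first, so the vendor questions start in the right place.
function auditVendorScripts(scripts) {
  return scripts
    .map(s => scanScript(s.name, s.source))
    .sort((a, b) => b.attributes.length - a.attributes.length);
}

// Constructed sample scripts, as a site owner might fetch them from vendor URLs.
const SAMPLE_SCRIPTS = [
  {
    name: 'locale-widget.js',
    source: `
      var lang = (navigator.language || 'en').slice(0, 2);
      document.documentElement.setAttribute('lang', lang);
    `,
  },
  {
    name: 'support-chat.js',
    source: `
      var meta = { ua: navigator.userAgent, os: navigator.platform };
      fetch('/chat/start', { method: 'POST', body: JSON.stringify(meta) });
    `,
  },
  {
    name: 'vendor-tracker.js',
    source: `
      var parts = [navigator.userAgent, navigator.language,
                   Intl.DateTimeFormat().resolvedOptions().timeZone,
                   navigator.hardwareConcurrency, navigator.plugins.length];
      navigator.sendBeacon('https://collector.vendor.test/f', parts.join('|'));
    `,
  },
];

// Usage: list each script with its attributes and verdict.
console.table(auditVendorScripts(SAMPLE_SCRIPTS));
```

The verdict is deliberately coarse: three or more attributes read is “watch”, and only the combination of breadth, aggregation and transmission earns “review”. The output is a list of questions for the vendor, which is the step this section recommends, not a finding in itself.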

Being proactive will allow you to find new, privacy-friendly ways to collect data on and communicate with your users before you legally have to. Rather than having forced downtime, you can set yourself up for an agile transition to whatever changes come your way.

Get on a cookie-free diet

Third-party cookies are an old technology whose time is almost up. If you want to minimize your risk for privacy action, increase trust with your users, and put your company at the forefront of one of the most important consumer issues of the next decade, you should shift your focus to first-party data. Think email marketing campaigns or retargeting campaigns—but in a privacy friendly way. And that’s where we come in!

If you’re ready to get a handle on your cookie use and privacy policy, get in touch with our experts today.

As an executive, it’s up to you to set the standard for your organization’s data privacy approach. You can use International Data Privacy Day to start your year off on the right foot. 

Thursday, January 28, 2021, is a big day. Not only is it National Have Fun at Work Day, National Kazoo Day, and National Blueberry Pancake Day, it’s also International Data Privacy Day. On this day, groups in the United States, Israel, Canada, and 47 European countries work together to empower individuals and businesses to respect privacy, safeguard data, and enable trust.

It’s no secret that consumer expectations and regulatory requirements for data privacy will drive the development of business best practices and innovation over the next decade. The implementation of compliant privacy programs has a steep learning curve. It’s in your best interest as a leader to get in front of it now, when you have time to do it, rather than wait until you legally have no choice.

Observing International Data Privacy Day is a smart place to start building your company’s data privacy culture.

Why you need a robust data privacy program

If your company sells products online or collects data from online users, the odds are high you’ve heard about the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or the EU’s General Data Protection Regulation (GDPR).

These are the most aggressive and far-reaching data privacy laws, but they are far from the only regulations on the books. Unlike other countries, the United States follows a sectoral approach to data privacy regulations, meaning regulations tend to be either regionally based or industry-focused. Industries and states currently without specific data privacy regulations may find them cropping up in the next several years.

Constantly shifting goalposts pose a big challenge for businesses. Just following the current best practices for data privacy and protection to meet current regulations isn’t enough to keep you competitive. If you want to stay agile in a changing data privacy landscape, you need to follow best practices that exceed existing standards.

Consumer expectations

Regulatory compliance is not the only reason you need to pursue an aggressive privacy culture. Consumers are increasingly proving that how a company uses their personal information plays a role in their purchasing decisions. A recent Salesforce survey found that 84% of consumers are more loyal to companies with strong security controls.

With 69% of consumers believing that companies will use their personal information in a way that they are not comfortable with, there is a real opportunity for businesses willing to differentiate themselves through forward-thinking, consumer-focused privacy programs.

The good news is that privacy policy development is good for your bottom line. Ninety-seven percent of companies proactively implementing robust privacy policies report an increased competitive advantage and/or investor appeal. Over 70% said that aggressive data protection practices improved their operational efficiency, agility, and innovation.

So break out your kazoos and look through the suggestions below to find a way your organization can celebrate National Have Fun at Work Day by observing International Data Privacy Day. (Blueberry pancakes optional.)

Ideas for Data Privacy Day

While it may sound like a tall order, getting your team committed to, even excited about, privacy is the natural result of education and empowerment. And it can be fun!

The National Cyber Security Alliance, a leading nonprofit, public-private partnership dedicated to promoting cybersecurity and privacy education, has five suggestions for ways executives can improve their company’s privacy program:

  • Create a privacy-aware culture
  • Organize regular privacy awareness trainings
  • Help your employees manage their individual privacy
  • Add privacy protections to your employees’ regular toolbox
  • Get expert help

One note — while the ideas below are a great entry point, running an effective privacy program doesn’t happen just by checking items off an agenda. Your privacy to-do list is more like a rotating chore chart than a to-do list. Just like you do month-end reconciliations and scheduled inventory orders, maintaining your privacy infrastructure needs to be part of your standard operating procedures.

Get #privacyaware

One of the biggest challenges companies face in developing an institutional privacy awareness is that people just don’t understand what data privacy is. The fastest way to eliminate this barrier is to help your employees see just how vulnerable they are and how much of their personal data is out floating around the internet.

Two great tools to help people see the gaps in their data privacy knowledge are the National Privacy Test and the Google Phishing Quiz. On January 28, you could have your team/department take these tests and give prizes to top performers. And bonus! If multiple people miss the same question, you have a ready-made list of training topics for future staff meetings. 

Other steps you can take on January 28 include running an internal campaign to make sure your employees know and understand your privacy program and their place in it. Every group email, newsletter, and meeting should have a “privacy moment” where these ideas and best practices are reinforced.

Teach your employees to fish (but to avoid phishing)

There is a reason the saying “teach a person to fish, you will feed him for a lifetime” has stuck around. As corny as it sounds, it’s true. Here’s a quick exercise your team can do on January 28 (or any day) that will help them understand their level of privacy savvy. The results may be surprising.

After completing the Google exercise, National Cybersecurity Alliance’s Manage Your Privacy Settings page can help them set personal privacy settings that align with their comfort level.

Why should you use your valuable working hours to take your employees through this process? 

Employees who are empowered to manage their personal privacy are more likely to understand why privacy is so important to your clients. 

Training, training, training. (Did we mention training?)

Before we talk about why your employees need consistent privacy training, let’s go over a few definitions:

  • Effective frequency is the number of times a person needs to hear an advertising message before acting on it.
  • Mere-exposure effect is the likelihood that people will develop a preference for something the more familiar they are with it.
  • Redundant communications is the term used to describe using multiple communication modalities to convey the same message. 

Advertisers, masters of getting people to do what they want, use these terms to create a framework for the behavior they are hoping to elicit with their campaigns. Current marketing research indicates that effective frequency can change behavior with as few as three messages but is most effective between 6 and 20 times. Similarly, mere-exposure reaches maximum efficacy between 10 and 20 times.

But that’s advertising. How does this apply to employee training?

Several years ago, Harvard Business School professor Tsedal Neeley conducted a study of how managers use redundant communication to help their team meet deadlines and other project goals. Neeley found that the most effective managers repeated themselves at least once, but more often between three and four times using multiple methods.

This means managers who successfully changed employee behavior and/or maintained team performance standards communicated the same information via meetings, emails, individual phone conversations, internal message boards, texts, and face-to-face. 

If you want your employees to buy into your data privacy strategy, you need to:

  • Consistently expose them to it
  • Provide opportunities for them to understand it at a deeper level
  • Clearly and repeatedly communicate your expectations using multiple modalities

These “trainings” do not need to be formal seminars with expensive guest speakers. They can be five minutes in a staff meeting or five sentences in an email. The key is to up the effective frequency and exposure to messaging using redundant communication.

Make privacy standard. And easy.

If you want your employees to understand you are serious about privacy, you can prove it by:

  • Implementing company use of VPNs, encryption, and two-factor authentication
  • Explicitly prohibiting the use of work devices for personal use (and vice versa) and use of public WiFi networks
  • Providing company-branded camera covers or privacy screens
  • Requiring strong passwords

Whether or not you do it on January 28, activities like passing out new privacy swag or sponsoring a company-wide strong password challenge reinforce your commitment to privacy as a core company value. That can only help in the long run.

Use an expert

Getting your team on board is important, but employee buy-in alone will not make you compliant with privacy regulations or best practices. As a leader, it’s your responsibility to figure out or hire out the critical and technical pieces of your data privacy program:

  • A gap and maturity analysis will show you where you have exposure from your data privacy practices.
  • Creating a data inventory will give you insight into what types of data you are collecting, where and how long you are storing it, and who you are sharing it with. 
  • Custom privacy notices and policies allow you to clearly communicate your data practices in a way consumers can understand (instead of in dense legalese).
  • Reviewing and updating your cookie consent practices will help ensure that you collect only what you need and are compliant with collection notification regulations.
  • Having someone review your digital marketing practices can prevent costly fines and operating injunctions that can damage your reputation and bottom line.
  • Third-party assessments are vital to confirming your vendors’ privacy policies are both compliant and aligned with your standards.

Proactive privacy programming is possible

Whether you are subject to existing regulations or not, take advantage of International Data Privacy Day 2021 to chart a new course in your organization’s privacy journey. Need some help getting started? Contact Red Clover Advisors today to jumpstart your privacy program.

The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. 

However, the wait is over – enforcement is now underway as of 2020. (Yes, it’s been in effect since January 1, 2020, but it’s the real deal now, complete with final rules and all.)

A lot has changed since CCPA first rolled out. And a lot has REALLY changed since January. So what’s a privacy-minded organization to do if they need to get up to speed on falling in line with CCPA regulations?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law to date in the United States. Informed by advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California.

CCPA is often said to be the lite version of GDPR. That’s not inaccurate, but there are some important differences to make note of now that we’re entering into the enforcement period of CCPA.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you’re in a compliance state-of-mind and thinking you should probably dig into whether or not you need to start scrambling, here’s the short answer for you. The CCPA applies to your business if:

  • You’re a for-profit business that:
    • Collects and controls California residents’ personal information AND
    • Does business in California AND
    • Has one of the following:
      • Annual gross revenues in excess of $25 million
      • Receives or discloses the personal information of 50,000 or more California residents, households, or devices on an annual basis
      • Derives 50% or more of your annual revenue from selling California residents’ personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines. (And it should – it went through numerous revisions to get where it is now.) There are seven articles with 42 sections total that cover how businesses can meet the regulations. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or any other synonym for “receiving” personal information? If so, you’re collecting consumers’ personal information. It’s relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean? Selling data can often be misconstrued. Yes, it can be the usual “I’ll give you x amount of money for y amount of data,” but under CCPA, it can include the act of sharing that data where the third party uses the data for its own purposes. If data is shared with a service provider and, per the contract, the service provider is limited to using the data only to deliver the services, it would not qualify as a sale of data under CCPA.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to consider when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Do you collect and sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (all those pixels, cookies, etc.), internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let’s pause for a moment on the category of “identifiers.” Digital identifiers are a new and increasingly important part of personal information. Think about how much time people spend online and how many websites – and how many pixels – they visit. This alone is a substantial source of personal information that you need to be aware of. 

Transparency and notice obligations

Transparency! It’s not just a buzzy value to tout to your customers – it’s essential under CCPA. You can’t just tell customers you’re collecting data after the fact. You need to give customers four distinct types of notices so your data collection practices are crystal clear:

  • Notice of the collection of personal information
  • Customer opt-out rights
  • Financial incentive notice
  • Business’ privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn’t just about your writing style – it also means your website is set up in an ADA-compliant manner. The law requires privacy notices to be accessible for all users. That means you need to consider how individuals with disabilities, and the technology used to help make websites usable, such as screen readers, will interact with the notices.

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You’ve got to tell your consumers that you’re collecting their data at or before the time of collection, and when you collect new categories of data, in plain and straightforward language.
      • You’ve got to link to your “Do Not Sell My Personal Data” button on your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers have the right to access their data twice a year to confirm that you’re collecting their personal data and to get a copy of the data from the past twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers’ data with other parties? Your consumers have a right to know and they can ask to see what you’re sharing.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete any of their personal information. The catch: You have to provide them this right in an accessible format. 
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you to not sell their data.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • An individual’s use of their CCPA rights can’t affect the goods and services you provide them.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it’s even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to access their personal data in accordance with their rights.  

If you interact with customers in person, you need to provide at least two methods of contact, one being a toll-free number for requests. If your business operates ONLY online, you can get by with an email for submitting Requests to Know and Requests for Deletion. 

For requests to Opt-Out, you need to have two ways for consumers to achieve this and one of them needs to be through the Very Important “Do Not Sell My Data” link.   

Are you able to meet deadlines?

Under CCPA, you have 10 days to confirm receipt of the request to know and delete personal information, and 45 days to complete the entire process. This can be hard, especially for busy small businesses, but it’s important to make it a priority. 

Think about: Verifying data

When a consumer submits a request to know or a request to delete their personal data, you have to verify their identity. However, under CCPA, verifying data is nuanced: make sure that you’ve trained your team THOROUGHLY on your process. (And to meet the 45-day timeline!)

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under the scope of CCPA, California residents have the right to sue companies if their non-encrypted and non-redacted personal information is subject to a qualifying data breach. This is a significant provision in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you’re found in violation of the CCPA, your company will be subject to civil enforcement actions. You’ll get a notice of non-compliance and 30 days to resolve the problem. If you don’t meet the 30-day deadline, you’ll be subject to an injunction and a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional one. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with your data. If you’re not doing the right thing with it, you’re not staying in compliance. (And of course, that’s an issue.)

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 

 

We’re here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.

Brexit, personal data, and the GDPR.

Everyone’s talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).

There’s talk of economics and trade agreements, but data privacy isn’t exactly on the tip of everyone’s tongues. However, there are real issues regarding data privacy and Brexit to consider.

The General Data Protection Regulation (GDPR) is the EU’s main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”

According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

So if the UK is no longer a part of the EU, how will its citizens’ data be protected?

Basically, this is what will happen:

  • The transfer of personal data from organizations within the EU to organizations in the UK will be subject to strict data transfer rules, as outlined by the GDPR. It will be the responsibility of companies in the EU to ensure that data transfers to businesses in the UK are lawful.
  • The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU’s GDPR.
  • If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status. 
  • It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there’s no provision for data privacy when Brexit becomes official.

How does this affect businesses in the UK?

If a company is already GDPR-compliant, not much will change, especially if that company doesn’t conduct business outside the UK. However, if your business has data that flows between the UK and EU, you’ll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.

The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate. 

The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they’re not already. This step will prevent any interruption in the flow of data in and out of that business. 

Does Brexit affect U.S. companies?

In short, yes. Brexit does affect companies based in the United States.

Brexit has implications on the US-EU Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.

The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States. 

The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.

Top Three Brexit Tips 

  1. Review your data inventories to understand cross-border transfers and how they affect your company.
  2. Determine if your vendors are prepared for Brexit. If they aren’t, develop steps to appropriately manage the situation.
  3. Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.

If you’re still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary consultation. 

Schedule a free consult!

There’s a lot of uncertainty in the world right now. 

A global pandemic, major lifestyle changes, and increased isolation have turned our business worlds upside down. One thing remains certain, though. Red Clover Advisors is committed to providing trusted and practical privacy consulting services to our business community. 

By taking careful precautions and acting with sober judgement when it comes to remote work, we believe that together, our businesses can grow stronger and more resilient during this time.

Remote Work Best Practices

Security and privacy must be top of mind for remote work.

While the world is on lockdown, we get to connect more than ever online through the modern miracle of remote work. This presents a plethora of opportunities for your team to grow while getting creative about new ways to conduct business.

However, there are also a lot of new ways privacy and security risks can creep in and put your company in danger. 

As always, our team is prepared to help. 

In particular, we want to outline some of the privacy and security areas related to remote work that may affect your business. There are specific legal and practical steps you should be taking to keep your customers, your employees, and your business safe when it comes to remote work. 

Virtual Meetings

Conference calls and web meetings – aka virtual meetings – are at the center of making remote work successful. You’ll need to connect with colleagues and clients in order to move projects forward. 

There are major implications for virtual meetings, though. 

Just think about the situations when one meeting runs over, and the callers who dial in for the next meeting – on the same conference line – unwittingly overhear proprietary, client-specific, or competitor information. That’s a big no-no.

Virtual meetings must be set up correctly, and procedures followed to a tee, to keep these unwanted privacy blunders from happening. Follow this checklist to make sure you’re doing it properly:

  1. Have a separate code for each virtual meeting you set up. 
  2. Schedule meetings to end at the 25-, 40-, or 55-minute mark. The extra five minutes will give users time to log off before new users log on.
  3. Set a timer to make sure you don’t run over meeting times.

Although virtual meetings tend to be quicker than in-person versions, you should still take extra precautions to make sure they end on time for the sake of protecting sensitive information. This ensures your remote work will increase collaboration without causing an embarrassing or costly security or privacy incident.

Remote Work Connections

VPNs and intranets are essential for successful remote work. When they’re set up correctly, a security issue is far less likely.

If your company doesn’t have a process for setting up a secure VPN, now is the time to create one. It should be reviewed by executives and technical experts on your team. And everyone in your company should be trained about how to use it.

Other tips for keeping connections and data secure include:

  • Best practice dictates not allowing employees to use their personal devices for work activities. If they do, it’s critical they follow all the following steps.
  • Don’t allow employees to use public WiFi without a VPN.
  • Install the proper software, firewalls, and connection security controls required by your industry on employees’ work devices.
  • Consider adding two-factor authentication to employees’ work devices and any tools from which they access work content. Google Authenticator, Ping ID and Authy all sync with hundreds of apps commonly used to protect data.
  • Make sure employees are aware of who can see their screens when working offsite. Screens shouldn’t be visible to others, especially when entering passwords.

One of the silver linings to the remote work cloud is the companies stepping up to provide free security resources to help organizations better protect their networks during this time.

Disinformation and Deepfakes

Even if your business is internally secure while pursuing remote work, outside threats are taking advantage of the situation. Fake news and deepfakes are at the center of this conspiracy.

A deepfake is Photoshopping for video. Using a form of artificial intelligence (AI) called deep learning, creators make videos of fake events, often superimposing faces on bodies. They’re common and convincing. 

Fake news and deepfakes can be weaponized to harm brands and undermine trust in companies and industries. It’s a possibility your company could be targeted by this disinformation while working remotely. It’s important you understand legal actions that can be taken against the perpetrators, as well as how to prepare and react to exposure of this kind.

Preparation is Your Ally

While businesses aren’t defenseless in this new remote work environment, protecting customers and individuals will require forward thinking, preparation, and diligence. Red Clover Advisors is here to help you navigate these issues and other topics as they arise. 

We’ve created The Remote Work Best Practices Guide to give you a detailed rundown of privacy and cybersecurity challenges to watch out for.

It’s a practical checklist you can implement with your remote work team today.

Please reach out if we can help explain any of these concepts or help you work through them. During this unprecedented time, we are thinking of you, your families, and your teams. We’re all in this together, and our team is prepared to provide assistance in all the ways we can.

COVID-19 remote work policy

COVID-19 is rapidly increasing the number of remote employees around the world.

For companies that already have a remote workforce, it’s just another day out of the office. But for a lot of businesses, this is new territory.

It’s hard enough to keep data secure when your employees are all in one place. Here are some tips and best practices to consider as you navigate the ever-changing situation regarding COVID-19.

Data Security and Remote Working Tips

#1: Talk to your employees.

Before you deploy your workforce to work remotely, hold a training. If they’re already at home working, host a digital training session.

Train your employees about cyber security. Be sure they know how to recognize hacking and phishing attempts that can put your company’s data at risk. Use this time to remind your team of best practices.

This includes:

  • Don’t use public WiFi without using a VPN. Check out our top 10 security tips for SMBs.
  • Pay attention to who’s around when working offsite. Be sure others can’t see your screen or watch you enter a password.
  • Don’t use personal devices for work.

#2: Maintain a team atmosphere.

While your team is working remotely, bring them together via a digital platform to give them timely updates and reminders. This will help keep data security top of mind and energy focused on work.

#3: Address software concerns.

Be sure your employees’ devices are as secure as possible with the proper software, firewalls, and connection security controls required by your industry. You may also want to consider two-factor authentication for employee devices.

#4: Enable remote connections.

If your team can directly connect to the business network, there are fewer chances of a data security hack. Be sure your company has a process for this and your team knows how to use it. Things like VPN and intranets are helpful.

#5: Have a shut-down process.

You need to have a policy in place for when an employee thinks or knows his or her account has been compromised. Ensuring your team knows this protocol will allow them to act swiftly and limit data privacy and security concerns.

COVID-19: Reminding Us Why We Need a Business Continuity Plan

Another item to consider in the wake of COVID-19 is your Business Continuity Plan.

It’s one of those things people often don’t think about until it’s too late. If you aren’t familiar with the term, a Business Continuity Plan is a process that helps you create a system of prevention and recovery from potential threats to a company.

The plan ensures personnel and assets are protected and able to function quickly in the event of a disaster – in this case, COVID-19.

If you don’t have one in place, here’s a simple roadmap to get started and help prevent major downtime for your organization:

  1. Identify the scope of the plan.
  2. Identify key business areas to address in the plan.
  3. Identify critical functions of your company and team members.
  4. Determine the acceptable amount of downtime for each critical function.
  5. Identify crossover between business areas and functions.
  6. Create a plan to maintain operations.

While a strategic version of a Business Continuity Plan may be a long-term project for your company, now is as good a time as any to get started.

To save time, assign one piece of the plan to a few leadership team members and then come together to ensure it’s cohesive. It’s also important to train employees on their various roles and timelines should this plan need to be implemented.

If you don’t have a Business Continuity Plan, it can be difficult and, in some cases, nearly impossible to get your team and systems mobilized in the midst of a crisis. This can damage your reputation in the marketplace and cost you real money while trying to regain operations.

Additionally, the law requires nearly all businesses to have this sort of plan for emergencies. So if you don’t have one, you’re in violation of the law. And if you’re audited, you’ll be fined.

We all need a little push sometimes to take the time to do things we know need to happen but haven’t yet made a priority. Why not use this as your reason to create official policies and procedures regarding remote working and data security, as well as Business Continuity Planning?

As we all continue to navigate the balance between normalcy and safety during this pandemic, remember to keep data privacy top of mind for yourself and your employees.

If you want to talk about how remote working could impact your business’s functionality when it comes to data privacy, or if it’s time to dust off – or create – your Business Continuity Plan, contact Red Clover Advisors today.

Complete 2020 Privacy Compliance Checklist

Privacy compliance is no piece of cake.

In 2019 alone, the business world saw a shakeup brought on by a slew of new state laws and year one of the General Data Protection Regulation (GDPR) implementation.

And the companies that came out on top had a few things in common: transparent messaging to consumers, a privacy-centric re-brand, and tricked out privacy policies that used eye-catching marketing tactics. 

We know what it took to win at privacy in 2019. But what will privacy best practices look like in 2020 and how can brands – both big and small – get it right?

To answer that question, we’ve created an authoritative guide on what to expect in the year to come and a complete 2020 privacy compliance checklist to keep you on track.


The 411 on the CCPA.

What did U.S. companies learn from their General Data Protection Regulation (GDPR)-readiness exercise last year? 

That GDPR took longer than expected. 

Hopefully, they learned key lessons. They can leverage these as they face the challenges of the fast-approaching and complex California Consumer Privacy Act (CCPA). This law is slated to take effect January 1, 2020.

That’s right. Their work is not done.

Although they have a greater advantage, they cannot assume their systems will support CCPA or any other forthcoming privacy regulations. Why? Because more than likely they focused on implementing the GDPR-type standards to European data and not to the U.S. data. 

The question on everyone’s mind is how the two privacy laws differ.

Yes, the CCPA mirrors the EU privacy law. It does this in that it allows people to ask companies what personal information is collected about them and why. Consumers can also request their data be deleted. But the differences are complex. And the requirements are somewhat nuanced.  

Regarding the collection and sale of personal information, GDPR only allows companies to ask consumers to “opt-in” while California’s law enables consumers to opt-out. Arguably, it’s the most important right the California Consumer Privacy Act provides to California residents.

“Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

That’s why the California Consumer Privacy Act requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on its homepage titled “Do Not Sell My Personal Information.” It also requires the privacy notice to list at least two methods for submitting consumer requests, one of them a toll-free phone number. A pending amendment would let businesses that operate exclusively online offer an email address instead.

The California Consumer Privacy Act is top-of-mind for businesses nationally and globally.

California is the world’s fifth-largest economy, so the CCPA’s impact is expected to be global. Understanding the timeline and key deadlines will also help you see how the CCPA differs from the GDPR, which took its final form two years before it applied and was not being amended right up to its effective date.

  1. May 31, 2019: The last day for amendments introduced in the Assembly (the lower house of the California Legislature) to move out of their house of origin to the Senate for committee review. A bevy of amendments to the CCPA wound their way through the Legislature, clearing up some of the law’s murkier compliance requirements, including what constitutes “personal information.” Only twelve bills survived passage through the lower house.
  2. September 13, 2019: The final day for the state Senate (the upper house) to vote amendments into the law. Industry lobbyists would have liked to keep pushing for changes right up until the law takes effect, but that’s not to be.
  3. October 13, 2019: The final day for the governor to sign or veto any bill that survives the Senate.
  4. January 1, 2020: The CCPA is slated to take effect. Individual rights requests will start coming in around this time.
  5. On or before July 1, 2020: The attorney general may begin enforcement six months after the adoption of the AG’s regulations, or on July 1, 2020, whichever is sooner. But don’t breathe a sigh of relief about a grace period: the state can bring enforcement actions for noncompliance that occurred during those first six months.

“Robust” aptly describes the GDPR compliance process; “murky,” “complex” and “flawed” are the words used to describe the California privacy law. Hence the flurry of amendments submitted to give businesses more clarity before the law takes its final form.

Back-up to the beginning for perspective.

In early 2018, millionaire real estate developer Alastair MacTaggart spearheaded California’s new consumer privacy law. His original intention? Gather enough signatures to qualify a privacy initiative for the ballot in November 2018. 

Spending about $3 million of his own money, MacTaggart drafted an initiative of more than 33 pages. Had voters approved it in November, the Legislature would have had almost no ability to amend it later. That would have caused problems for stakeholders, since almost every industry recognized that the initiative had significant issues.

So the California Consumer Privacy Act (Assembly Bill 375) is a compromise between consumer privacy advocates, legislators and businesses. It was put together hastily, and the haste shows in a number of glaring errors.

Words matter in the CCPA.

We’ve already pointed out the importance of understanding the definition of “sale” in the CCPA. There are other words worth defining.

The GDPR’s scope is broad. The CCPA instead applies to a for-profit “business” that does business in California and meets one or more of the following thresholds:

  • Generates annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices annually
  • Controls or is controlled by an entity meeting one of the above criteria and shares common branding with it

The CCPA’s definition of personal information is broad: any information that identifies, relates to, describes, or could reasonably be linked with a particular California consumer or household. The statute’s non-exhaustive list of examples includes:

  • names
  • aliases 
  • addresses
  • emails
  • account names
  • social security numbers
  • medical information
  • passport details
  • IP addresses
  • phone numbers
  • PINs
  • geolocation

The California statute says a consumer is a resident of California, period. You don’t need to enter into a transaction with a person for him or her to qualify as a consumer.

Understand that non-compliance can be extremely costly to your company. 

For data breaches caused by a failure to maintain reasonable security, consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. Residents can also bring class action lawsuits.

Doesn’t sound like much, right? That’s until you consider most privacy breaches involve hundreds of thousands of records. 

Even without a data breach, you’re not off the hook. The attorney general can seek civil penalties of up to $2,500 per violation, and up to $7,500 per intentional violation.

Before suing for statutory damages, a consumer must give the business 30 days’ written notice identifying the specific provisions violated. Only if the business fails to cure within that time can the consumer take legal action.

In other words, companies have 30 days to “cure” (fix) the issue, but the law doesn’t define what a cure entails. And 84% of businesses say they’re anxious as they await clarification of the term “cure” as it relates to violations.

You also have to consider the potential damage to your company’s reputation. Plus the subsequent loss of revenue you stand to suffer due to decreased consumer confidence caused by lawsuits.

Customers expect you to comply. If you’re not compliant, it could cost you the trust of your existing and potential customers. And the loss of trust means the very real loss of dollars on your bottom line.

 

A CCPA readiness plan at your company should be underway.

Most companies surveyed said it took seven months or longer to wrangle their data into GDPR compliance. A key issue was lack of preparedness.

For U.S. businesses specifically, the gap was experience. European companies, unlike their U.S. counterparts, have been dealing with complex, multi-jurisdictional privacy rules for 20-plus years.

And don’t be tempted to take a “wait and see” approach on the theory that the statutory language will settle in September in a way that favors business. It won’t. If anything, the amendments will expand the private right of action for consumers.

Take this big step now.

Create a data inventory by surveying every part of your business, from Marketing to IT to Vendor Management, and every point where you receive information from any source in any format.

Plenty of companies collect and rely on selling data, yet have no record of where all the data they sell actually lives. In other words, find all the places where data could be hiding.

Whether or not you are already GDPR compliant, your inventory will likely need two new columns: one flagging whether a data-use case involves “selling” (tracking which categories of personal information are transferred to third parties for consideration), and one recording when the data was collected, since the CCPA’s right to know covers only the 12 months preceding a consumer’s request and older data may fall outside that window.
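To make the two columns concrete, here is an added example (not the author’s tool or any product mentioned on this page) of a minimal inventory in Python. The row schema, the system names and the sample rows are constructed for illustration; the “sale” test follows the statutory definition quoted earlier (transfer to a third party for monetary or other valuable consideration), and the lookback uses the 12 months preceding the request date.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Example code added to this post, not the author's inventory tool. Schema,
# system names and sample rows are constructed assumptions for illustration.


@dataclass(frozen=True)
class DataUse:
    """One inventory row: a category of personal information in one system."""
    system: str                 # where the data is held
    category: str               # CCPA category, e.g. "identifiers"
    source: str                 # collection point
    recipient: Optional[str]    # third party it is transferred to, or None
    consideration: bool         # business receives money or other value for it
    collected_on: date          # when this data-use case began collecting


def is_sale(use: DataUse) -> bool:
    """CCPA 'sale': transfer to a third party for monetary or other valuable
    consideration. A transfer with no consideration (e.g. to a service provider
    acting on the business's behalf) is not flagged; check the contract separately."""
    return use.recipient is not None and use.consideration


def one_year_before(d: date) -> date:
    """Same calendar date one year earlier; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year - 1)
    except ValueError:
        return d.replace(year=d.year - 1, day=28)


def within_lookback(use: DataUse, request_date: date) -> bool:
    """The CCPA right to know covers the 12 months preceding the request."""
    return use.collected_on >= one_year_before(request_date)


def flag_inventory(rows: List[DataUse], request_date: date) -> List[dict]:
    """Add the two columns described above: 'sells' and 'in_lookback'."""
    return [
        {
            "system": r.system,
            "category": r.category,
            "sells": is_sale(r),
            "in_lookback": within_lookback(r, request_date),
        }
        for r in rows
    ]


def categories_sold(rows: List[DataUse], request_date: date) -> List[str]:
    """Categories of personal information sold within the lookback window,
    i.e. what a right-to-know response about sales has to list."""
    return sorted({r.category for r in rows
                   if is_sale(r) and within_lookback(r, request_date)})


# Constructed sample inventory (assumed systems and partners, not real ones).
INVENTORY = [
    DataUse("CRM", "identifiers", "web form", None, False, date(2019, 11, 1)),
    DataUse("ad platform", "internet activity", "site cookies",
            "AdNetwork Inc.", True, date(2019, 10, 15)),
    DataUse("mailing list", "identifiers", "checkout",
            "ListBroker LLC", True, date(2018, 6, 1)),
    DataUse("payment processor", "commercial information", "checkout",
            "PayCo", False, date(2019, 12, 1)),
]

REQUEST_DATE = date(2020, 1, 15)  # constructed: date a consumer request arrives

if __name__ == "__main__":
    for row in flag_inventory(INVENTORY, REQUEST_DATE):
        print(row)
    print("categories sold in lookback:", categories_sold(INVENTORY, REQUEST_DATE))
```

Note that the payment processor row is a transfer but not a sale, because no consideration flows to the business, and the mailing-list row is a sale but falls outside the 12-month window for this request; both distinctions are exactly what the two extra columns exist to capture.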

That’s for starters.

 

Conclusion: These types of privacy law requirements aren’t going away. 

Let’s say you don’t fall under the GDPR or CCPA today. It’s still only a matter of time before you’ll have to transform your organization’s practices to comply with state, federal or international law. 

More and more states are gearing up for similar regulations. They include Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island. So are countries like Brazil (effective August 2020) and China.

Our advice: Don’t reinvent the wheel every time there’s a new regulation. Don’t rely on piecemeal technology solutions. Instead, work closely with a technology services partner who understands the details of each regulation. 

Remember, the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run.

Schedule a short consultation with our team of experts today. 

We’ll review your business and marketing materials to ensure they’re CCPA compliant and on time. 

 

 

95,000 complaints have been filed under GDPR.

41,502 data breaches have been reported since it went into effect in May 2018.

And a $57 million fine was levied on Google for failing to follow the mandate.

These are shocking numbers that should underline the fact that just because the deadline for GDPR compliance was a little over a year ago, implementation isn’t over yet.

Nor will it probably ever be.

That’s because parts of the GDPR mandate, including data inventories, aren’t projects to be checked off a list. Instead, they’re processes to be maintained and improved over time.

Your business changes over time. And a lot of time – a whole year – has gone by since GDPR went into effect. You likely added new vendors, collection points and processes. 

All that needs to be captured in your data inventory.

And while it’s time for you to dust off GDPR compliance best practices for all areas of your business, one of the most important is an accurate set of data inventories. 

What Is a Data Inventory?

Data inventory. Data mapping. Records of processing activities. Article 30 report.

If any of these sounds familiar, they all should, because they all refer to the same thing: what GDPR Article 30 calls records of processing activities, and what most practitioners call a data inventory.

Data inventories help companies understand the data they have from start to finish. It includes all the third-parties the company uses and all the systems on which they rely.

It means that you know what specific pieces of information you’ve collected about each person and exactly where each of those pieces of information are stored. 

Data inventories are critical. 

They significantly influence the way you construct your privacy notice and individual rights process and policy. There’s no way to create these documents when you don’t know what data you have, how it’s being used, and where it’s stored. 

And those are the exact items you need to include in your policies.

Data inventories also show companies what information they actually need to collect. With GDPR in place, collecting and storing data you aren’t using is a liability. You’re better off asking users only for the information you need to operate.

Reviewing your data will tell you if you’re collecting too much data versus not enough.

Collecting the Minimum Amount of Data

Data minimization – only collecting the minimum amount of information you need – isn’t just a nice suggestion.

In reality, it’s the basic privacy mantra required by GDPR: Collect only what you need for business purposes.  

What’s the thought process here?

The GDPR’s logic is that the more data you hold, the greater your responsibility to protect it. In other words, more data = increased risk.

And let’s be honest, no business wants increased risk.

This bleeds into other areas of compliance, too. For example, after completing a data inventory, one company found that its sales team was sending marketing emails manually from Outlook.

At first glance, no big deal.

But it meant there was no systematic tracking of the data, and specifically no record of email opt-outs, which is why the process was dangerous.

GDPR gives recipients the right to object to direct marketing at any time, and an objection must be honored. A desktop mail client such as Outlook has no built-in unsubscribe mechanism or suppression list, so it cannot enforce that.

The solution was to move to an email service provider (ESP). An ESP lets you segment, send more efficiently and, most importantly in this case, provide a working unsubscribe option backed by a suppression list that honors opt-outs automatically.

The point isn’t just that you’ll be following GDPR by using an ESP to send all your sales, marketing and customer emails. 

It’s that the company pinpointed this massive shortcoming by executing a data inventory.

Being Smart About Vendor Selection

One of the most underrated and perhaps largely unknown values of doing a data inventory is identifying quality and reliable third-party solutions.

If you choose your vendors out of a hat and hope for the best, you’re not alone.

But hope isn’t a good strategy when choosing a third-party solution. 

After all, these will be the people who act as an extension of your team, who might handle sensitive information and important details. 

Data inventories can help you vet your options.

And they can help you choose the ones who will be compliant with privacy laws.

Conclusion: Data Inventories are Critical to Privacy Compliance

So what’s the big deal with data inventories?

Companies need to maintain quality data inventories to comply not just with GDPR. They’re also helpful for pending laws such as CCPA and others coming down the pipeline. 

All the privacy laws primarily have to do with protecting personal data. And you can’t be compliant if you don’t know what data you collect, store, and use. You also have to consider that there are slightly different definitions of what constitutes “personal data” under different privacy laws, e.g. CCPA.

It can get a little overwhelming.

That’s why we created comprehensive resources in everyday language like the GDPR Checklist & Workbook and the CCPA Compliance Guide. They’re designed to help you tackle these privacy updates in the least amount of time, effort and expense.

And if you need a helping hand when it comes to updating existing data inventories or just getting started with data mapping, schedule a time to talk to one of our experts.