The Complete 2021 Privacy Compliance Checklist

Maybe you’re ahead of the pack when it comes to privacy, keeping your privacy policy and data inventory shipshape. In that case, we salute you! (But you probably also know that privacy compliance obligations are a moving target, and you keep planning for the future.)

But for the lot of you working hard at meeting your business goals while also struggling to wrap your head around how to fit privacy compliance onto your to-do list, take heart: 2021 is a great year to take it on. 

Why? Because privacy is about more than just putting systems and technology in place to help track and manage your customers’ personal information. 

It’s about respecting your relationship with customers. It’s about prioritizing the trust that they extend to you when they share their names, emails, phone numbers, addresses, whatever data points you’re asking for. It’s about leading with privacy, whether you’re a multinational corporation or a brand-new startup. 

So what will it take to be a privacy-forward business in 2021? Here’s our list for the upcoming year. 

Wrap up CCPA compliance

We said the same thing last year, but it still applies. CCPA is the most comprehensive, enforceable general data privacy legislation in the US. If you haven’t finished up your CCPA compliance, don’t wait on this. 

So what do you need to know for CCPA? Ready to jump into CCPA compliance? We’re here to help with that. 

Just getting acclimated? See below for your briefing. 

  1. Do that data inventory. You know that accomplished, on-top-of-your-to-do-list feeling that you get after spring cleaning? That’s how you’ll feel when you organize your data and figure out what you’re collecting, using, storing, sharing, and selling. 
  2. Be transparent with your audience about how you’re collecting personal information. This should include a “Do Not Sell My Personal Information” link on your home page and a crystal clear privacy notice that details your collection practices.
  3. Make individual rights requests easy. Offer at least two methods for submitting requests (for most businesses, a toll-free number plus a web form or email address).
  4. Respond to individual rights requests promptly, within the 45-day window CCPA allows. Verify the requester’s identity before you disclose or delete anything, so that a rights request can’t be used to pull someone else’s data out of your systems. 
  5. Protect minors’ rights: CCPA requires opt-in consent before selling the personal information of consumers under 16, and parental consent for those under 13.
  6. Cover your data security bases. Consumers can sue if your failure to implement and maintain “reasonable security procedures and practices” leads to a breach of their unencrypted personal information.

Getting CCPA compliant in 2021 isn’t just about avoiding the fines, fees, and reputational damage that come with compliance failures. It’s also part of preparing for the California Privacy Rights Act (CPRA), which takes effect in 2023. 

Read more on CPRA here

CPRA is guaranteed to give your business more to think about in terms of privacy. The new legislation, passed in the California general election in November 2020, expands on the core tenets of CCPA and moves privacy obligations closer to the requirements of the EU’s General Data Protection Regulation (GDPR). It also creates a dedicated enforcement body, the California Privacy Protection Agency, which should make enforcement more achievable for the state. Here are a few of the key features:

  • Grants new rights to data portability, correction, and limiting the use of sensitive personal information 
  • Clarifies the definition of selling and adds a separate notion of “sharing” for cross-context behavioral advertising 
  • Raises the applicability threshold: the trigger becomes buying, selling, or sharing the personal information of 100,000 or more consumers or households, up from 50,000

But just because CPRA is coming down the road doesn’t mean that CCPA should be disregarded—its rules definitely still apply. 

But pay attention to other laws as well

And I’m not just talking about GDPR. CPRA may be the latest in US privacy law, but other states are edging towards more robust legislation. 

You may remember that last year, we mentioned the Texas Privacy Protection Act, the New York Privacy Act, and the Washington Privacy Act, the latter being back and updated for the third time.  These laws are still in the works, but New Hampshire, Oregon, and Virginia are also joining the party. While the final shape and outcome of legislative efforts is unknown, it’s good to keep your finger on the pulse of these discussions. 

And don’t forget about what’s going on overseas

We’re not just talking about general GDPR requirements. You need to be tracking several developments on the European privacy frontier.

Schrems II ruling

In July 2020, the EU’s Court of Justice struck down the Privacy Shield arrangement, which had supported the flow of personal data between the EU and the US. The court found that US surveillance law doesn’t give EU residents protection essentially equivalent to GDPR’s, so a Privacy Shield certification alone no longer makes a transfer lawful. Standard contractual clauses survived, but only with a case-by-case assessment of the destination country’s law and, where needed, supplementary measures such as encryption whose keys stay in the EU. A replacement for Privacy Shield is being discussed, but none is imminent. That means some fancy footwork may need to take place if you’re going to keep processing EU data. (But it’s worth getting that choreography down.)

Brexit

When January 1, 2021 rolls around, the Brexit transition period will be over and EU law, GDPR included, will no longer apply in the UK. For privacy practices, this means that US-based businesses handling personal data from the UK will have to accommodate the UK GDPR, the UK’s domestic equivalent. Don’t delay in assessing whether you fall into the scope of that framework. While the rules will be very similar, you may need to adjust some internal processes (for example, appointing a UK representative in addition to an EU one) to comply.  

Align your digital marketing strategy with privacy

Digital marketing—especially these days—is critical to connecting you to your audience. But is your digital marketing on the right side of privacy? 

Between the General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), and Canadian Anti-Spam Legislation (CASL), there’s a lot to weigh across your channels. 

Take email marketing for one. Email marketing is at the top of marketers’ to-do lists: 87% of them use email marketing to distribute content organically. 

That means you’re probably sending out emails. But do you know if you’re: 

  • Representing your message honestly (accurate sender information and subject lines)? 
  • Setting up appropriate opt-ins and opt-outs for your recipients, and honoring opt-outs promptly? 
  • Keeping records that show when and how each recipient consented? 

Email marketers should be able to answer these questions in the affirmative. But email marketing likely isn’t the only thing on your digital plate. Your website is a major piece of the pie. 

Give your website some love

Your website is a heavy lifter for your marketing efforts, and for your compliance ones, too. If you’re a developer, the word “compliance” likely sparks visions of ADA accessibility requirements. But your website needs far more than that. For both GDPR and CCPA, you should make sure that you’re protecting the personal data your site collects with current security practices: TLS everywhere, patched dependencies and plugins, and least-privilege access to whatever stores the data. You should also make vetting your vendors one of YOUR best practices. How they handle data privacy and security has major implications for your business and customers. 

Here are a few of the other big-ticket items for getting your website compliant in 2021. 

For CCPA:

  • Provide a link from your home page that says “Do Not Sell My Personal Information” 
  • Make sure you get the appropriate consents before collecting personal data belonging to minors
  • Include a method for visitors to request access to, obtain a copy of, or delete their data (CPRA adds a right to correction in 2023) 
  • Update your privacy policy to state what personal data you collect, how you use it, which third parties it’s shared with, what’s sold, and a description of consumers’ individual rights under CCPA

For GDPR:

  • Add a cookie banner so your visitors are informed about your cookie practices and can provide opt-in consent 
  • If you depend on consent for email marketing, make sure you’re getting that consent appropriately (i.e., through opt-ins and/or double opt-ins)
  • Implement a system for notifying users about privacy policy updates and data breaches (GDPR gives you 72 hours from becoming aware of a breach to notify the supervisory authority, and affected users must be told without undue delay when the breach is likely to put them at high risk) 
  • Make sure you anonymize or pseudonymize data before handing it to third-party services or plugins

Note: This list isn’t exhaustive. For help with GDPR and CCPA compliance, drop us a line—we can help you get moving in the right direction. 

Put together amazing privacy messaging

There’s not a single good, consumer-friendly reason privacy practices can’t be made comprehensible to your customers. That’s it. Short and sweet. You can do it. You need to do it. Because people are over convoluted privacy policies that are as indecipherable as Beowulf.

A good start is to finetune your landing pages where you house your privacy and security policies. While B2C businesses might not have a rapt audience, B2B companies will find that customers are hungry to know how you’re complying with privacy laws. 

Part of your messaging strategy should be to help your customers tailor their marketing experience with you. Preference centers give them options for how much communication they want to receive and what type. Need inspiration? Just look at how companies like Monday.com, Mailchimp, and Apple craft engaging user experiences that speak directly to their customers’ privacy concerns while staying true to their brand identity. 

Finally, to make privacy part of your marketing routine, keep a checklist of the privacy regulations you need to follow. Knowing what the benchmarks are will make everyone’s job a little easier. 

Make privacy a focus at your workplace

To start, in 2021, get your team trained on privacy issues. That in and of itself is a multifaceted thing. It can involve information security awareness or privacy awareness. It can be a deep dive into CCPA individual rights requests, or it can reinforce industry-specific privacy compliance requirements. (Take, for example, the Gramm-Leach-Bliley Act for financial services.)

Your team also needs thorough data security training. After all, human error (a phished credential, a misaddressed email, a misconfigured cloud bucket) is behind some massive data breaches. And given the large numbers of workers still living the work-from-home life, your team needs to be looped in on all the relevant data security rules. Let’s not repeat the same mistakes in 2021. 

A final word on focusing on privacy in your workplace. Don’t leave internal privacy discussions to the IT crowd or the marketing department. Privacy is pertinent to your entire operation. So when you’re looking down the road at new projects, products, services, vendors, whatever you’re planning on getting up to next year, bring privacy to the table.  

The clock is counting down until 2021. I’m just as excited as everyone for the promise and opportunity of a brand new year. But seizing opportunity means being proactive. Don’t treat compliance as a last-minute addition to the rest of your business activities. 

Ready to get started before the ball drops? We’d love to chat. Drop us a line to schedule a consultation.

An international tour of cookies? Sounds delightful after this long year. We’re thinking: palmiers from France, Polish torunskie pierniki, Brazilian sequilhos, and kourabiedes from Greece. 

Wait, that’s from the baking blog, not the privacy one. 

But it’s important to talk about the other type of cookies from this perspective, too. While the EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive get lots of airtime, there are nuances that businesses need to consider when planning and implementing their cookie strategy.

In December 2020, France’s CNIL fined Google €100 million and Amazon €35 million (about $163 million combined) for placing advertising cookies on users’ devices without consent. Read more about it here.

Key GDPR and ePrivacy Cookie Requirements

Before we jump into talking about cookies in the EU, here’s a quick refresher on general GDPR and ePrivacy cookie requirements. 

  • You have to tell your users about all the cookies on your website in plain language. This allows them to provide informed consent. (Or not.)  
  • You can’t drop cookies, except strictly necessary ones, until you’ve received consent for each purpose they serve. This consent must be clear and explicit.
  • You can’t withhold services, including website or application access, if users don’t consent to cookies. (FYI: This is what “freely given consent” refers to.)
  • You’ve got to protect your users’ data. If third parties get access to user data through your site, it’s still your job to protect it. 

What Do You Need to Know About Cookie Consent?

Not surprisingly, countries in the EU have come up with varied interpretations of privacy. Each member state has at least one data protection authority (DPA) that supervises privacy law in its territory (Germany has a federal DPA plus one per state). They provide guidance and interpretation for businesses and the general public. 

DPAs don’t always agree on many issues in privacy. Some are still finalizing initial guidance following GDPR’s implementation. Others have been proactive in implementing GDPR and then revising regulatory guidance. Naturally, cookies are a topic up for (repeated, heated) discussion. 

And why not? Cookies can be ambiguous. What does consent look like? Is it opt-in? Opt-out? What cookies need consent? What’s personal information? What about banners and cookie walls? What’s the meaning of life? 

Need a refresher on cookies? Check out our whitepaper here or read Do I Need a Cookie Consent Banner. 

The list goes on. But that’s why we’re here—to help you understand the different perspectives on cookies within the EU. (We can’t help with the meaning of life, though. That’s outside of our scope.) Let’s take a look at where guidance is strongest: France, the UK, Germany, and Spain.

Cookie Consent by Country

GDPR and ePrivacy have done a great deal to bring privacy practices in line throughout Europe. Among France, the UK, Germany, and Spain, there are some big similarities. 

First off, cookie rules don’t apply just to cookies. Rather, they’re relevant to any technology storing or accessing information on a user’s device. (Notably, though, under German practice, it also has to involve processing personal data.)

Consent is viewed similarly, particularly when we’re looking at its definition. Consent—when required—must be specific, freely given, and unambiguous before cookies are deployed. However, there are some nuances when it comes to how it’s put into action in Spain. 

Consent, moreover, takes place on multiple levels. Global consent is broadly shared among the UK, France, and Spain, meaning that consent must cover each purpose for which the cookies are used. (Germany, an outlier, doesn’t comment on this.) 

Granular consent—the practice of getting consents for separate things—is also a point of general agreement, though each country takes a different approach to achieving it. While the UK doesn’t provide any guidance on the matter, France mandates a second layer allowing users to give consent to each cookie separately. Spain requires that a first layer link to granular consent tools for each category of cookie. Finally, the ability to give granular consent is a must for Germany, but they don’t dictate where it should be implemented.

One big issue in consent is third-party vendors, who under GDPR may be your processors or, as is common in ad tech, independent controllers in their own right. French, German, UK, and Spanish authorities all agree: organizations need to identify every third party that will rely on users’ consent. (France goes just a bit further and states that a list of third parties should be accessible and regularly updated.) 

But enough about the similarities. Time for a deeper dive into each country’s cookie policies.

France

France bases its cookie rules on the GDPR and ePrivacy Directive and on guidance from the Commission nationale de l’informatique et des libertés (CNIL). CNIL’s most recent guidance was issued in October 2020 and updated its instructions around user consent, analytic cookies, and cookie walls. 

Lawful basis for processing and consent

When it comes to the lawful basis for setting cookies, France limits it to either user consent or strict necessity for technical cookies. Consent must be given through positive action and it must be informed, meaning the data subjects have been given explicit and clear details about the purposes of the cookies. 

As per CNIL’s guidance, several actions don’t constitute consent:

  • Continuing to browse a website
  • Pre-checked boxes
  • Browser settings

Analytic cookies and consent

According to CNIL, organizations don’t have to collect consent for analytic cookies that are used:

  • Solely to evaluate and measure a website or application’s audience (including testing a new version of it)
  • Only to generate anonymous, aggregate statistics, without tracking users across other sites or reusing the data for other purposes

Users still have to be informed that these cookies are in use, and the exemption falls away as soon as any of those conditions stops holding.

Cookie walls

According to CNIL’s latest guidance, the cookie wall as a tool isn’t GDPR compliant—consent is only valid if the user chooses to accept cookies without any significant inconvenience or negative consequences. Being denied access to a website would fall into that category. 

Consent retention and lifespan of cookies

As per CNIL-recommended best practices, cookie consent should be valid for no more than six months. Likewise, a refusal should be retained for the same period, so the user isn’t asked again on every visit. 

When it comes to the lifespan of the cookies themselves, it shouldn’t be longer than 13 months, and CNIL says that lifespan shouldn’t be extended automatically on each new visit.
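The two CNIL numbers above (13 months for a cookie, six for the consent behind it) are only useful if you know what your site actually sets. Here is an added example, not from the original article, that audits captured Set-Cookie headers against the 13-month ceiling, classifies each cookie as first- or third-party, and flags missing Secure/HttpOnly attributes while it is at it. The site name, the response hosts and the three headers are constructed for the example; a real run would feed it the headers recorded by a crawl of your own site.

```javascript
// Added example, not from the original article: audit captured Set-Cookie
// headers against the CNIL limits described above (cookie lifespan no longer
// than 13 months) and flag third-party cookies and missing hygiene attributes.
// The sample responses and the site name below are constructed for the example.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header value into its name/value pair and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    domain: null, path: '/', maxAge: null, expires: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val;
    else if (key === 'max-age') cookie.maxAge = Number(val);
    else if (key === 'expires') cookie.expires = new Date(val);
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Lifetime in days from `now`, or null for a session cookie.
// Max-Age wins over Expires when both are present (RFC 6265).
function lifetimeDays(cookie, now) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) return cookie.maxAge / 86400;
  if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    return (cookie.expires.getTime() - now.getTime()) / MS_PER_DAY;
  }
  return null;
}

// CNIL's 13-month ceiling, expressed in days as a calendar offset from `now`.
function cnilLimitDays(now) {
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + 13);
  return (limit.getTime() - now.getTime()) / MS_PER_DAY;
}

// Simplified first/third-party test: the effective cookie domain must be the
// audited site's host or a parent of it. A production audit should consult
// the Public Suffix List so that a suffix like "co.uk" never counts as a parent.
function isThirdParty(cookie, responseHost, siteHost) {
  const domain = cookie.domain || responseHost.toLowerCase();
  return !(siteHost === domain || siteHost.endsWith('.' + domain));
}

// responses: [{ host, setCookie }] as a crawler would record them.
function auditCookies(responses, siteHost, now) {
  const limit = cnilLimitDays(now);
  return responses.map(({ host, setCookie }) => {
    const cookie = parseSetCookie(setCookie);
    const days = lifetimeDays(cookie, now);
    return {
      name: cookie.name,
      thirdParty: isThirdParty(cookie, host, siteHost),
      lifetimeDays: days === null ? null : Math.round(days),
      exceedsCnilLimit: days !== null && days > limit,
      missingSecure: !cookie.secure,
      missingHttpOnly: !cookie.httpOnly,
    };
  });
}

// Constructed sample: a session cookie, a two-year analytics cookie, and a
// four-year cookie set from an ad host. Audited as of 1 January 2021.
const SAMPLE_RESPONSES = [
  { host: 'www.example.com', setCookie: 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example.com', setCookie: '_ga=GA1.2.123; Domain=.example.com; Max-Age=63072000; Path=/' },
  { host: 'ads.example.net', setCookie: 'tracker=xyz; Domain=.ads.example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT' },
];
const AUDIT_DATE = new Date(Date.UTC(2021, 0, 1));

console.table(auditCookies(SAMPLE_RESPONSES, 'www.example.com', AUDIT_DATE));
```

Run it with node: the two long-lived cookies come back flagged as exceeding the 13-month ceiling, and the ad-host cookie as third-party. Flagging a missing Secure or HttpOnly attribute isn’t a CNIL requirement, but an audit that is already parsing the header is the natural place to catch it.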

Spain

The Spanish DPA, the Spanish Agency for Data Protection or AEPD, looks to GDPR in putting together its guidance, as well as local laws: Law 34/2002 on Information Society Services and Electronic Commerce, Law 3/2018 on Data Protection and Guarantee of Digital Rights, and the AEPD’s opinions. 

The AEPD’s cookie guide was updated in July 2020, and organizations were expected to comply by October 31, 2020.

Lawful basis for processing and consent

In Spain, the lawful basis for cookies is clear, affirmative consent. However, some privacy professionals have considered Spain’s definition of affirmative consent to be ambiguous, and the position has shifted recently.  

The AEPD’s November 2019 guide stood out among member states by accepting continued browsing as valid consent, provided adequate notice had been given. It listed actions such as:

  • Using a scroll bar, insofar as the information on cookies is visible without using it.
  • Clicking on any link contained in the site other than those in the second layer of information on cookies or the privacy policy link.
  • On devices such as mobile phones or tablets, swiping the initial screen and accessing the content.

Note: the July 2020 update withdrew that position to align with the EDPB’s May 2020 guidelines on consent. Continuing to browse, scrolling, or swiping past the notice no longer counts as consent in Spain; an affirmative act such as clicking an accept button is required.

Analytic cookies and consent

Analytic cookies require consent. (See, sometimes it’s straightforward!)

Cookie walls

The AEPD’s most recent guidance has determined that cookie walls aren’t compliant unless they offer an equivalent alternative for accessing the service without consenting.

Consent retention and lifespan of cookies

The lifespan of cookies should match their intended purpose. And given that the AEPD says consent should last no more than 24 months, cookies shouldn’t outlive the consent they rest on.

UK

In the UK, the DPA is the Information Commissioner’s Office (ICO). While other DPAs in the EU are bound by GDPR, the upcoming Brexit puts the UK in a different position. Questions have, naturally, cropped up.

The UK has committed to keeping GDPR’s rules, in the form of the UK GDPR, created by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

As such, the EU GDPR won’t actually apply in the UK after December 31, 2020 (yes, it’s that soon), but the regulations above carry its substance into UK law. For cookies specifically, the ICO also looks to the Privacy and Electronic Communications Regulations (PECR). 

Lawful basis for processing and consent

The user’s consent is the lawful basis for processing under ICO’s guidance. 

If PECR requires consent for non-essential cookies, you can’t fall back on an alternative legal basis under PECR, GDPR, or the UK GDPR for setting them. Where the cookie data amounts to personal data, GDPR governs the processing that follows, and legitimate interests is in principle available for that processing, though the ICO notes that where consent was required to set the cookie it will be difficult to justify relying on a different basis afterwards. 

Analytic cookies and consent

Analytic cookies don’t belong to the “strictly necessary” category of cookies. As such, you need to get consent before deploying them. 

Another point to remember from ICO guidance: first-party and third-party cookies are considered distinct. You need consent for both, but per the ICO, valid consent is harder to obtain for third-party cookies because the third party has no direct relationship with the user. Take extra care to highlight your use of third-party cookies. 

Cookie walls

In other states, cookie walls aren’t generally aligned with valid consent. However, the ICO allows for the possibility if the wall applies to specific content and doesn’t impede access to the website as a whole. 

Consent retention and lifespan of cookies

The ICO doesn’t extend any specific guidance on how long consent can be retained or what the appropriate lifespan of a cookie should be. For both questions, there’s no one-size-fits-all answer. 

Generally speaking, for lifespan, limit duration to what is necessary for the purpose of the cookie. Likewise, for consent, consider what it covers in context. How often does a user visit? Are functionalities changing? Is content updated? Those questions should guide how often you ask for consent again.

Germany

In Germany, GDPR and ePrivacy are applicable, but there is no single German DPA: the federal commissioner (BfDI) and the sixteen state authorities coordinate through the Datenschutzkonferenz (DSK), which provides robust guidance for organizations. That being said, unlike other EU member states, Germany hasn’t entirely implemented Article 5(3) of the ePrivacy Directive.

Instead, there is a debate around whether some provisions within the preexisting German Telemedia Act sufficiently cover the requirements of Article 5(3). Notably, the DSK takes the position that Article 5(3) hasn’t been implemented in German law. As a result, according to them, there is no German cookie law, and guidance falls back on GDPR.

Lawful basis for processing and consent

The legal basis for processing in Germany rests on consent, contractual relationship, or legitimate interest, depending on the purpose of cookies and/or tracking tools. 

Analytic cookies and consent

Consent is required for analytic cookies when they result in transferring personal data to a third party. Even then, obtaining consent might not be strictly necessary as long as users can opt-out of transferring their data to the third party.

Cookie walls

As a rule, consent for cookies must be voluntary according to Germany’s guidance. Anyone wanting to access a site or application needs to be able to refuse cookies without negative consequences. In other words, access should be allowed even if cookies are refused.

Consent retention and lifespan of cookies

Germany doesn’t have specific local guidance on retention of consent and the lifespan of cookies. As a result, policies default to GDPR and ePrivacy. 

Cookies Around the World

Cookies in the EU, of course, aren’t limited to France, Spain, the UK, and Germany—each member state either has or has the ability to develop guidance on how cookies should be handled. And, don’t forget, these are just European cookies. Brazil, China, India, Australia, are just some of the other countries with privacy regulations in place that address cookies. 

Cookies are complex, but they’re a critical part of your privacy practices. If you haven’t had your fill of cookies yet, we’d love to help you customize your cookie practices to your EU audiences. Drop us a line to schedule a consultation today.

Cookie banners. Let’s talk about them.

Cookies have been around since 1994. (Basically, Stone Age digital technology.) The banners asking you about them arrived once the 2009 amendment to the ePrivacy Directive required consent. Just think, how many cookie banners have you clicked past in your digital life without a second thought?

(A lot, probably.)

It’s enough to make a business owner or marketing professional wonder: do I really need a cookie consent banner to be compliant with the laws and regulations?

It’s hard to keep track of privacy regulations, after all, especially when changes are always appearing on the horizon. Consider that the European Data Protection Board (EDPB) adopted updated guidelines on valid consent in May 2020. Or that Apple’s iOS 14 requires apps to get opt-in permission from the user before they can read the advertising identifier (IDFA) used for ad tracking. 

Let’s unpack this question together. 

What’s a Cookie Banner, Actually?

First: the cookie. Cookies are small pieces of data (a name, a value, and attributes such as expiry and domain) that a website asks your browser to store and send back on later requests. They come in many varieties. Some are purely functional, while others track visitor data or activity on a website. 

Cookies can be really helpful for both website owners and website visitors, but they aren’t universally loved. Especially by users. They can feel intrusive and a little Big Brother-ish, especially when the purpose of cookies isn’t clearly explained and users aren’t given options for managing user consent. 

In years past, it was acceptable to just pop some cookies onto your website and get on with your job. But now, as a result of legislative efforts, notice and consent are required before you can place non-essential cookies on a user’s device. 

The notice and consent come in the form of cookie banners. They can be a pop-up. They can be a banner across the top or bottom of your website. They can sit in your header or footer. They can be a whole wall of text, à la Google. 

No matter how it’s formatted, though, it has an important job: tell website visitors which cookies the site uses and for what, and get informed consent before any non-essential cookie is set. 

Approaches to Cookie Banners

You have options for cookie banners depending on your cookie practices and policies. You can take the simple Notice Only approach, which isn’t compliant with GDPR but is straightforward. You can take the Opt-Out route, which means you fire all cookies when visitors arrive and let them switch cookies off afterwards. 

However, this approach misses the GDPR mark too. 

You can take the Implied Consent route, meaning your website activates strictly necessary cookies, asks users to click through to learn more, and otherwise treats continued use of the site as consent. Given the EDPB’s 2020 consent guidelines and the CNIL position on scrolling, that no longer holds up either. 

Finally, you can take the Opt-In approach, the most compliance-aligned method. Fire only the strictly necessary cookies when a user arrives on your site, and get explicit permission for everything else. An ideal opt-in cookie banner tells users what each category of cookies is used for and then has them take a specific and intentional action, like checking a box or clicking an accept button, before firing the rest. 

What Laws Apply to Cookie Consent Banners?

General Data Protection Regulation (GDPR)

GDPR was seriously maligned when it rolled out in 2018. It still is spoken of in aggrieved tones by some marketing and privacy professionals. 

We get it. It’s a tough one. It required lots of businesses to recalibrate their operations. 

But behind the challenges, it does bring some good into the world. It gives people real, actionable rights! It gives them channels to exercise them! It holds businesses accountable for how they process and use personal data. That’s worth a lot. 

So where do GDPR and cookie banners meet? Like with so many privacy-related questions, it comes down to consent to data processing. 

Consent, Cookies, and GDPR

What pieces need to be included in your cookie banner, according to GDPR?

Opt-in Cookie Consent

GDPR requires that you take an opt-in approach, which means your website won’t fire cookies without the go-ahead from your visitors. (With the exception of those that are needed for essential site functions.) This consent should be given via an opt-in button. What’s more, you need to be extremely clear with your users: they are agreeing to cookie deployment. 

Informed Consent

Why is this clarity so important? Your visitors’ consent has to be informed and explicit. You can help them provide this informed consent by spelling out what kind of cookies you are using, why you want the data, and how you’re going to use it.  

Note that consent requirements are subject to change. For example, this fall the Commission nationale de l’informatique et des libertés (CNIL) in France issued new guidance that states scrolling past a cookie banner doesn’t constitute valid consent. Nor does the cookie wall, which makes consent required to access a site. Moreover, they recommend a “Reject All” button for the first layer of a cookie banner. 

Learn more about CNIL and their cookie guidance.

Third-Party Data Sharing

Let’s talk a little more about how you’re using personal data. For a GDPR-compliant cookie banner, you need to tell your website visitors if you’re sharing their information with third-party vendors. Yes, we know they provide important services but they’re also a significant security risk for your business and your customers. 

One big third-party service that deserves discussion here? Google Analytics. It is one of the most widely deployed third-party scripts on the web, so it’s understandable that people want to know how it interacts with GDPR. Google Analytics sets cookies and tracks visitors across pages, and therefore requires user consent to be compliant. 

Google Analytics can be configured to anonymize visitors’ IP addresses before they’re stored, and some DPAs exempt audience-measurement cookies from consent. But those exemptions (CNIL’s is described earlier on this page) apply only when every condition is met: anonymous, aggregate statistics, no cross-site tracking, no reuse of the data for other purposes. IP anonymization alone doesn’t bring a standard Google Analytics deployment within those conditions, so don’t treat it as a way to skip consent. Get consent.

Learn more about anonymizing data.

We’d be remiss if we didn’t touch on Facebook, CCPA, and cookies. Facebook’s pixel is a prolific cookie source, but Facebook has taken the position that businesses must determine for themselves whether their data transfers to Facebook qualify as a sale of data under CCPA. 

That being said, businesses can make use of a feature known as Limited Data Use (LDU), which does just that: limits how Facebook can use the data your business sends it about California users. 

Via LDU, marketers can specify which data they want to share with Facebook. Initially, LDU was automatically enabled for all Facebook business accounts, but since July 31, 2020, businesses have to enable it themselves. 

Remember, this isn’t an exhaustive list of third-party vendors or their requirements. Always review terms and conditions for the cookies that you use.  

Link to the Website’s Cookie Policy. 

Finally, you’ve got to link to your cookie policy, which should detail how and why cookies are used and where they live on your site. (Remember, you need to have this legal document in place, too.) The easiest way to do that? Pop the link in your cookie banner.  

Link to Cookie Settings

Consider this a bonus activity. Linking to your cookie settings isn’t required for GDPR compliance if users can outright reject all your cookies. But consider this: Privacy doesn’t need to be all or nothing. Make consent management easy for customers. When they customize their interactions with your website and your brand, they’ll be in control of their information and you’ll build a better relationship with them. 

ePrivacy Directive

But before there was GDPR, there was the ePrivacy Directive. Passed in 2002 and amended in 2009, it’s a directive rather than a regulation: it doesn’t apply directly, but obliges each EU member state to enact national law implementing it. 

While GDPR deals specifically with personal data, ePrivacy works on the issues of electronic communication, web traffic, and, you guessed it, cookies. In fact, it’s sometimes referred to as The Cookie Law because it, well, laid down the law on cookies, requiring explicit user consent before websites could fire anything but strictly necessary cookies. 

The regulation shares GDPR’s understanding and definition of consent as “freely given, specific, informed and unambiguous indication” through a statement or clear affirmative action. To be in compliance with the ePrivacy Directive, you’ll need to:

  • Get consent (as defined above) from users before firing anything other than strictly necessary cookies
  • Give accurate information about what each cookie tracks, and why, before consent is given
  • Document and store consent records so you can show who consented, to what, and when
  • Don’t make access to your service contingent on accepting cookies
  • Make opting out and withdrawing consent as easy as giving it
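Here’s what those requirements look like in practice, as an added example that is not part of the original page: a small consent gate in JavaScript that fires non-essential scripts only once a valid consent record exists, keeps that record as evidence (what was chosen, when, and under which version of the cookie policy), treats a record from an older policy version as no consent at all, and makes withdrawal a single call. It also switches to the opt-out behaviour discussed further down this page for California visitors. The region codes, category names, policy version and in-memory store are assumptions; on a real site the store would be a first-party cookie or localStorage and the loaders would inject script tags.

```javascript
// Added example, not from the original page. Region codes, categories, the
// policy version and the Map-based store are assumptions for illustration.

const POLICY_VERSION = "2021-01"; // bump whenever the cookie policy changes

// Everything outside this set (e.g. "necessary") never needs consent.
const GATED = new Set(["analytics", "marketing"]);

class ConsentManager {
  // region: "EU" -> opt-in (ePrivacy/GDPR), "US-CA" -> opt-out (CCPA-style),
  // anything else -> no gating. Detecting the region is out of scope here.
  constructor(region, store = new Map(), now = () => new Date().toISOString()) {
    this.mode = region === "EU" ? "opt-in" : region === "US-CA" ? "opt-out" : "none";
    this.store = store;   // stand-in for a first-party cookie or localStorage
    this.now = now;
    this.queue = [];      // scripts held back until consent allows them
    this.fired = [];      // names of scripts that actually ran (audit trail)
  }

  // The stored record, or null if there is none or it predates the current policy.
  record() {
    const rec = this.store.get("consent");
    return rec && rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  // Strictly necessary cookies are always allowed. Gated categories need a
  // record; without one, opt-in blocks and opt-out permits until the user objects.
  allows(category) {
    if (!GATED.has(category)) return true;
    const rec = this.record();
    if (rec) return rec.choices[category] === true;
    return this.mode !== "opt-in";
  }

  // Register a script: run it now if allowed, otherwise hold it until consent.
  load(name, category, run) {
    if (this.allows(category)) {
      run();
      this.fired.push(name);
    } else {
      this.queue.push({ name, category, run });
    }
  }

  // Persist the user's choices as an auditable record (missing categories
  // default to "no") and release anything that is now permitted.
  save(choices, source) {
    const normalised = {};
    for (const c of GATED) normalised[c] = choices[c] === true;
    const rec = { choices: normalised, policyVersion: POLICY_VERSION, mode: this.mode, source, at: this.now() };
    this.store.set("consent", rec);
    const held = this.queue;
    this.queue = [];
    for (const s of held) this.load(s.name, s.category, s.run); // re-queues if still blocked
    return rec;
  }

  // Withdrawal is one call: every gated category off, recorded like any other choice.
  withdraw() {
    return this.save({}, "withdraw");
  }
}

// Usage with a constructed EU session and no prior record.
const cm = new ConsentManager("EU");
cm.load("session-cookie", "necessary", () => {});  // fires immediately
cm.load("analytics-tag", "analytics", () => {});   // held
cm.load("ad-pixel", "marketing", () => {});        // held
cm.save({ analytics: true }, "banner");            // releases analytics only
console.log(cm.fired, cm.record());
```

Scripts that already ran cannot be un-run, so withdrawal here only stops future loads; a production implementation would also expire the cookies those scripts set. The consent record cookie itself counts as strictly necessary, and checking the policy version on every read is what forces a fresh choice when your cookie policy changes.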

However, EU member states and their regulatory bodies add complexity to the picture. France’s CNIL, the UK’s Information Commissioner’s Office (ICO), the Swedish Data Protection Authority, and Greece’s Hellenic Data Protection Authority are just a few of the regulators that publish their own cookie guidance, and the details (such as how long a consent stays valid before you must ask again) differ between them.

To add even more complexity, the ePrivacy Directive is in the process of being replaced by an ePrivacy Regulation, which would apply directly across the EU without national transposition. While it would carry on in spirit what the Directive put in place, the drafts add stricter security rules and GDPR-scale fines. On the plus side, the most current draft proposes to streamline cookie consent. (But hold your horses: negotiations are ongoing, and the Regulation won’t take effect until 2021 at the earliest.)

Wait, what about CCPA?

You may notice that the California Consumer Privacy Act (CCPA) isn’t listed here. Quelle surprise! CCPA, while currently the strongest state privacy law in the US, doesn’t technically require a cookie consent banner. Instead, it requires that you notify website visitors “at or before” collection of “personal information,” which can include identifiers set or read by cookies.

Moreover, CCPA takes an opt-out rather than an opt-in approach to consent. You don’t need a banner to make the opt-out happen, but it’s a best practice that gives users the fullest opportunity to exercise their individual rights.

A little bit more about CCPA and cookies

As per CCPA, websites do need to tell users what personal data they’re collecting via cookies and if they’re going to be selling it to third parties. Don’t think you sell anything? Don’t jump to that conclusion quite yet. 

CCPA has an impressively broad definition of selling — it doesn’t have to mean that you or someone else has shelled out money. “Selling” in CCPA-land also refers to “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…” Even your well-intentioned ad tech might be included.

To facilitate a transparent privacy program, you can include a banner or link that lets users accept or decline cookies. One helpful further step? Provide users a preference center so they can control their cookies by category.

But while preference centers are great (really great, actually), they do take strategy to implement. Be thorough by including links to industry opt-outs like the Digital Advertising Alliance’s AboutAds tool or the Network Advertising Initiative’s (NAI) opt-out page. If Facebook and Google cookies are part of your cookie game, link to their opt-out instructions, too.

Who Needs Cookie Consent Banners?

But the big question: Do you need a cookie consent banner? Privacy regulations all over the world deal with cookies, so it depends on where your customers and audience are. Under GDPR and the ePrivacy Directive, you need a cookie consent banner if either of these applies:

  • You have customers in the EU
  • You target individuals in the EU

So, that’s a pretty short list. If you don’t collect data from EU visitors, GDPR and ePrivacy don’t mandate a cookie consent banner for you (though check the rules wherever else your audience sits, CCPA included).

You can even set up your cookie banner to trigger just for visitors from the EU. Or just for California. Or you can show the same banner to everyone. Point is: you have options.

But even if you aren’t legally required to have one, you should still strongly consider it.

Here’s why: Major data breaches in the past years, combined with misuse of our personal information by tech giants and the ubiquity of digital content in our lives, have eroded public trust. Only 15% of people feel like they have meaningful control over their personal information held by companies. 

Compliance regulations like GDPR and CCPA work to mitigate privacy concerns and rein in misuse, but the real work shouldn’t be done in courthouses and parliaments.

It needs to be done on the ground floor. Companies, along with their legal departments and marketing teams, can take the initiative to protect their users and their data by creating transparency in their digital marketing and handing the privacy reins over to their users.

All of this can happen within your cookie consent banner. 

Privacy is operationally crucial. To get privacy working for you, it has to work for your customers and to do that, it has to center around transparency and trust. If that sounds like a goal for your business, we’d love to talk. Drop us a line to schedule a conversation today!

What if we told you that there was something that you could do that would:

  1. Build better relationships with your customers
  2. Protect your business
  3. Get you on the right side of data privacy laws and regulations
  4. Be totally achievable regardless of how big or busy your business is AND
  5. Take your mind off of the crazy times we’re living through right now

We bet you didn’t think we were talking about working on California Consumer Privacy Act (CCPA) compliance, but it’s true. 

With all that’s happened in 2020, CCPA’s enforcement date came and went without the hubbub that it was due, but that’s okay. It’s always a good time to get compliant. 

Let’s take a look at the CCPA best practices and see what you can do to make your 2020 just a little better. 

CCPA: A View from the Top

If you’re just tuning in now to CCPA, welcome to the show. Privacy regulations are notoriously opaque and difficult to parse, but we’ve distilled the main goals down to the key takeaways.

CCPA went into effect on January 1, 2020 and became enforceable on July 1, 2020. It applies to any for-profit business that does business in California and meets at least one of these thresholds:

  • Earns more than $25 million in gross annual revenue OR
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year OR
  • Derives 50% or more of its annual revenue from selling consumers’ personal information

Don’t meet those thresholds? You might think compliance doesn’t need to be on your radar. But remember, consumer privacy is the new standard and if you don’t comply with CCPA (or any other major privacy regulation — we’re looking at you, EU’s General Data Protection Regulation), it may give customers pause. And more than that, it might cause you to miss out on that next big sale or investor.

Also remember, under CCPA, you’re not the one that needs to be in California – it’s your customers. California residents have the following privacy-related rights:

  • Right to know all data collected on them, the categories of data, and the purpose of collection
  • Right to opt out of the sale of their information
  • Right to request deletion of their data
  • Mandated right to opt-in before the sale of information of children under 16
  • Right to know the categories of third parties with whom their data is shared, as well as those from whom their data was acquired

Have questions about CCPA regulations? Learn more about it here.

What do you need to do: The short and sweet version

What do all those rights mean for your business? That is, how do they translate into operational practices? When you translate the legalese into action items, it’s easier than it sounds.

  • Keep your privacy policies up to date and make sure to include CCPA disclosures in them
  • Make sure consumers have the ability to submit individual rights requests, including the right to delete, right to access, and right to opt-out of sale  
  • Create opt-ins for the sale* of minors’ data: 
    • For children under 13, a parent or guardian must opt in
    • For minors ages 13 to 15 (that is, under 16), the minor must opt in themselves
  • Put a “Do Not Sell My Personal Information” link on your homepage that takes consumers to an opt-out form. 
  • Give consumers at least two ways to request any of their information that you’ve collected, shared, or sold. 
    • A toll-free phone number is required, unless your business operates exclusively online and has a direct relationship with the consumers whose data it collects (check with a privacy professional to confirm you qualify); in that case an email address is enough. In practice, almost every business also offers a web form or email address for submitting requests.
    • An interactive web form is required for opt-out of sale requests (your Do Not Sell link should take consumers straight to it).
  • Fulfill consumer requests for the information you’ve collected or sold* about them, and delete it when they ask you to. CCPA gives you 45 days to respond to a verified request (extendable once if you notify the consumer).
    • If a third-party vendor holds the data, you’ll have to make sure they act on the request, too. Vendor management programs that incorporate thorough contract reviews and assessments can facilitate this.

*CCPA uses a broad definition of the term “sell.” It doesn’t necessarily mean that money is changing hands. Besides selling, it covers “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…” personal information to another business or third party for monetary or other valuable consideration.

Getting from point A to B to C(CPA)

Okay, we’re on the same page of the general requirements for CCPA. But what are the best ways to accomplish these line items? 

#1: Get your privacy notice squared away

Whether you’re baking up a privacy notice from scratch or you’ve got one already completed, you’ll want to put some dedicated effort and attention towards this task. A copy-paste privacy policy and privacy notice from a template (or from another business — but let’s not go there right now) isn’t going to serve you well. Your privacy documents need to speak to your business practices and to your customers. Customize it. 

Where you put it matters, too. You shouldn’t tuck it away in some deep, dark corner of your website. As per CCPA, it needs prime real estate. To meet compliance requirements, your privacy notice needs to be in a conspicuous place, most commonly linked from the home page, and at or before every point where data is collected.

Keep your policy updated

Privacy policies are kind of like updates for your iPhone. You get everything updated and working smoothly…and then there’s another update. 

Thankfully, you don’t need to update your privacy documents quite that often. CCPA requires you to review and update your privacy notice at least once every 12 months.

#2 Train Your Team on CCPA 

You, along with legal, marketing, IT, or consultants, come up with your privacy policy, but your employees execute it: the ones handling consumer questions, facilitating individual rights requests, assessing vendors, running marketing campaigns, and so forth.

They need to know how that all fits into CCPA compliance and why. They need to know what data security risks are present, what the implications of a data breach are, and a whole host of other critical points. 

There are philosophical, and mission- and values-based reasons for training. There are also legal ones: CCPA requires that employees who handle consumer inquiries and individual rights requests be trained on the law’s requirements and on how consumers can exercise their rights. But when it comes down to it, your team just plain needs to be trained on how to correctly do that part of their job. Note, CCPA doesn’t dictate how employees need to be trained, but there are several ways to accomplish this, including using materials from the International Association of Privacy Professionals (IAPP), creating your own curriculum, or working with a privacy professional.

#3 Keep Your Records Up to Date

Records are critical in compliance land. Without them, it’s simply not feasible to maintain compliance. So where do you start? 

Get yourself a data inventory. This will be your roadmap, helping you understand the flow of personal information across its entire lifecycle at your business. For CCPA, this will include tracking what information qualifies as “sold.” 

You need to keep records for consumer requests as well: under the CCPA regulations, you have to retain records of requests and how you responded to them for at least 24 months. A data inventory also helps you track which of your vendors have access to your customers’ data. (See more on that below.)

But be diligent about security when it comes to your record-keeping practices; CCPA also requires that you implement “reasonable security procedures and practices,” and a breach that results from failing to do so is exactly what exposes you to legal action.

#4 Review and update vendor contracts

Dust off your vendor contracts. It’s time to take a look and see who is doing their part for CCPA compliance. If you don’t have in-house counsel, contact your favorite law firm to get help assessing these contracts. 

Support from privacy professionals is also a big asset in these tasks, too, particularly when it comes to building a process around your vendor contracts. We look at how vendors are:

  • Maintaining system security, data security, and privacy in line with best practices and industry standards
  • Meeting confidentiality and privacy requirements
  • Committing to notify you of security breaches, incidents, and potential vulnerabilities 
  • Committing to independent audits and assessments and to providing you access to audit documents

As with so many things in our professional lives, these tasks are never truly and finally complete. You should plan to review your contracts annually.

#5 Make it easy for customers

Finally, let’s not just make compliance easier on ourselves. Let’s make it easier on your customers. Your customers, after all, are giving you their personal information. It’s theirs! Respect that! Make sure they can control it. 

CCPA is intended to give customers that control through rights like opt-in, opt-out, consumer requests, and more. But these rights have to be implemented by you, the business. CCPA may provide guidelines on how you should do it, but there are ways to go above and beyond that build trust and transparency with your customers. 

One way to do that is a preference center where customers can review their choices, edit their contact information, adjust what data is being collected, and get additional insight into your data collection and use.

Finding your best path to compliance doesn’t have to be difficult. We won’t break out into a rendition of “Get By With A Little Help From My Friends,” but having the right help in your corner makes a huge difference. That’s what we’re here for. Drop us a line and let us know how we can help you.

Get our free guide on Getting From Point A to B to C(CPA)!

While votes are still being tabulated for The Big Question of the election, you can count on one measure: California voters have passed Proposition 24, the California Privacy Rights Act (CPRA).

I know, you might feel that you were just getting into the swing of the California Consumer Privacy Act (CCPA). Now you have a new privacy law to work with? 

But CPRA makes some important strides. It clarifies ambiguous parts of the law. It brings its intent into greater focus. And given that CCPA provided a model of privacy regulation for other US states, CPRA takes a few important steps forward.

So let’s get to the good stuff — what does CPRA do differently?

New rights, new definitions

New rights under CPRA build off of what CCPA had already established, bringing privacy closer in line with the EU’s General Data Protection Regulation (GDPR). New rights include:

  • Right to Correct: Consumers can correct inaccurate information held by businesses about them. 
  • Automated Decision Making: Consumers can opt-out of having their personal information used in automated decision-making.   
  • Right to Data Portability: Consumers can request that specific pieces of their personal information be transmitted to another entity, where technically feasible. 

One right that we should call out in particular is the Right to Limit Use and Disclosure of Sensitive Personal Information. In a move that is very GDPR-esque, CPRA carves out a defined category of sensitive personal information. It includes data like Social Security and passport numbers, account login credentials, precise geolocation, religious beliefs, genetic data, and sexual orientation.

What this means

If a business collects personal information in this category, consumers can limit its use to what is necessary to provide the goods or services they asked for. Additionally, businesses will need to offer a “Limit the Use of My Sensitive Personal Information” link. This is on top of the existing requirement to have a “Do Not Sell My Personal Information” link. 

Businesses should also prepare their teams to handle individual rights requests to support the newly established CPRA rights. Eventually, you’ll need to train up on verifying consumer identities and review your policies for fulfilling requests, but for now focus on documentation. Get a handle on what sensitive information your business has, how it’s used and how it’s collected.

Once you have that information, ask yourself whether that data is being used for purposes beyond what the consumer was told about when it was collected. If it is, under CPRA you’ll need to go back to the consumer and let them decide whether they approve that additional use.

Expanded definitions

CCPA baked the concept of “selling” personal information into its privacy framework, but there were clear complaints that the definition was less than clear. CPRA adds a second concept, “sharing”: disclosing a consumer’s personal information for “cross-context behavioral advertising,” meaning ad targeting based on information about a consumer gathered across different businesses, apps, or services, whether or not money changes hands. Consumers may opt out of sharing just as they can opt out of selling.  

What this means

For businesses, this increases their obligations to consumers. Not only will their privacy policy need to be updated, but they’ll need to provide or update opt-out links and deliver a “Do Not Sell or Share My Personal Information” choice. 

If cross-context behavioral advertising, including cross-device targeting, is part of your marketing strategy, you need to start thinking about how you’re going to let consumers opt out. And get ready to add another piece to that end-of-year planning: figuring out how this is going to affect your marketing plan. 

Adjusts eligibility requirements to give small businesses more flexibility

Anytime there is a privacy regulation, the first thing businesses want to know is whether it applies to them. When it came to CCPA, the threshold for compliance was a sticking point for some. To address this, CPRA raised the personal-information threshold. 

Like CCPA, CPRA applies to businesses that do business in California, collect personal information from California residents, and determine how that information is collected, used, and shared. Businesses also must meet one of the following three requirements:

  • Earns more than $25 million in revenue per year OR
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households per year OR
  • Derives 50% or more of its annual revenue from selling or sharing personal information

That 100,000 consumer records number is a change up from CCPA’s 50,000 records threshold. Small businesses rejoice! But don’t get too comfortable. Even if your business is under that 100,000 number, customers and investors are still expecting compliance. (Compliance is just good business is our mantra for a reason!)

New mechanisms for privacy oversight and other enforcement issues  

Handling civil actions, along with the other aspects of regulatory oversight, is a time-consuming effort. CPRA creates and funds a dedicated regulator, the California Privacy Protection Agency, to enforce CPRA and related privacy laws. Previously, enforcement fell solely to the state attorney general’s office.

What this means

The new agency will receive substantial funding, staff dozens of employees, and build the resources to meaningfully enforce privacy law and guide privacy practices. For businesses, that may mean more help understanding regulatory requirements, but also more active auditing and enforcement. 

Data breach liability

Under CCPA, data breach liability was something of a murky area. Yes, your business could face legal action if found responsible for compromised personal information as a result of a data breach. However, the extent of a business’s responsibility in implementing reasonable security measures wasn’t clear. 

CPRA brings this topic into greater focus: the private right of action for breaches now explicitly covers a consumer’s email address compromised together with a password or security question and answer that would permit access to the account. If you run user accounts of any kind, it’s going to be critical to have proper security in place, starting with how you store passwords and security answers. 

Making sense of (and implementing) CPRA

Need help interpreting what the full impact of CPRA will be for your business? We’re here to help. Drop us a line to schedule a consultation. We’d love to chat. 

 

Let’s talk about vendors: the good, the bad, and the complicated. 

If you’re reading this page, you probably use them. You probably have thought long and hard about how they can expand your business services, streamline your operations, and make you more competitive.  

High five! You should be thinking about those things. But those issues are only half of what you need to be concerned with.

What else should be on your radar? Vendor risk management. 

What is vendor risk management? The basic basics.

When you’re talking about a vendor risk management system, you’re talking about everything that falls under the scope of mitigating the risks posed by incorporating third-party vendors into your business operations. 

The goal is to reduce the risks to your data security and privacy practices and prevent business disruption, compromised data, and financial and reputational damage.

As with any complex, nuanced issue (and data security and privacy is definitely that), you need to have a fully comprehensive plan and process that:

  • Assesses and tracks vendor relationship and contracts
  • Monitors data and how it flows to vendors
  • Identifies and reduces risks
  • Evaluates vendor performance
  • Tracks compliance requirements and metrics

Easy-peasy, lemon squeezy, right? (Actually, most people’s first response is “difficult, difficult, lemon difficult.”)

But whether this sounds like a challenge you’re excited for or not, you need to know how your third-party vendors treat your data, your customers’ data, and where they stand on the whole “let’s stay compliant” game. 


Who are vendors?

Vendors don’t just fit neatly into one little box and neither do vendor relationships. And depending on the regulatory frameworks that you need to comply with, definitions can vary. The California Consumer Privacy Act views vendors differently than the General Data Protection Regulation does. (Even terminology is different – under GDPR, vendors are known as “processors” while CCPA calls them “service providers.”)

But for our purposes right now, the term “vendor” encompasses a huge variety of relationships, services, and agreements. They can be:

  • Short-term or long-term
  • Formal contracts or verbal agreements
  • Paid or unpaid
  • With small mom-and-pop outfits, independent contractors, multinational companies, and more

Vendors don’t just provide IT or software services, either. When we’re talking about data privacy, security, and compliance, we’re looking at any past, present, or future business arrangement between an organization and another entity, by contract or otherwise. Let’s look at a few examples: 

  • Your IT provider who maintains your company wide servers (you know, the ones that are used every single day and store all your information.)
  • Your marketing agency that manages your email marketing campaigns
  • Your HR provider who helps you run your payroll services 
  • Your Software-as-a-Service (SaaS) provider who offers a free trial of a customer management solution

These are just a few examples of vendors that you might come into contact with in the course of doing business. Your job in developing a vendor management program is to establish a process for overseeing everything about your relationship with them. 

(Okay, so it may not be you specifically. But you’ll want to have someone who oversees vendor relationships as part of their job, i.e., a vendor manager.)

How do your vendors impact data security and privacy?

Before we dive into how to build a solid vendor management process, let’s look at why, why, why it’s so critical to have one in place. What risks come with the vendor territory anyway? 


Because it’s not good enough to just know that there are vaguely intimated “risks.” Knowing what’s really at stake helps you address vendors and extend your data privacy obligations along your entire supply chain.  

Vendor risk comes in a few different flavors. They pose:

  • Operational risk
  • Data security risks
  • Financial risks
  • Legal and regulatory (i.e., compliance) privacy risks 
  • Reputational risks

Unfortunately, these risks can have a cascading effect. One leads to the other. That’s why vendor evaluation should be taken seriously from start to finish. (And beyond.)

Where to start when developing a vendor management program

One of the best ways to mitigate cybersecurity and privacy risks posed by third-party vendors is to implement a Vendor Risk Management Program. 

A vendor privacy management program should reflect how much security your data demands and how risk tolerant your organization is. For optimal results, your program should start before your vendors are even onboarded as you determine what services and activities you’re needing vendors for in the first place. Lead with privacy and privacy will follow. 


Identifying your vendors and the scope of relationships

Do you know who all your vendors are? You probably have a list. But does that list account for everyone you have a vendor relationship with? 

Now is the time to do a deep dive and come up with “The Exhaustive List of All Your Vendor Relationships.” This information is pulled from previously performed data inventory work – but if that hasn’t been done, now is 1000% the time to do it. 

Want to know more about how to organize a data inventory? Check out our downloadable data inventory template.

This should cover the main points of vendor information: the Who, What, When, Where, and Why of these relationships. But the real kicker is that your list shouldn’t stop at your vendors. It needs to include your vendors’ vendors, known under GDPR as subprocessors.   

Why is this important? Via your third-party vendor, subprocessors end up with access to your data and your clients’ data, and they inherit the same obligations. If they experience issues, it can affect your business operations and your clients’ security. These problems can be as temporary as a service outage or as impactful as a data breach. 

Either way, you need to know that these vendors are doing their part to stay compliant.  

No risky business

Risk needs to be spelled out when you’re putting together a vendor management process. Not all risk is created equal. In fact, some level of risk is unavoidable. The goal isn’t to avoid all risks but to determine what the risks are and then build appropriate internal controls in response to them.

Here are categories you can use to rate vendors by level of risk:

  • Critical risk: These vendors are (for lack of a better phrase) mission-critical to your business operations. If they can’t deliver the contracted services, it could shut everything down. 
  • High risk: These vendors either:
    • Have access to customer data, where loss or exposure of that data would be serious
    • Are relied upon by your organization to a high degree
  • Medium risk: These vendors either:
    • Have limited access to customer information
    • Would disrupt your business operations if you lost them
  • Low risk: These vendors don’t have access to customer data. If you didn’t have their services, it wouldn’t disrupt your business.
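As an added example (not the page’s own material), here is one way to make the subprocessor point and the four risk tiers above concrete: a JavaScript data-inventory model that follows each data category from the business through vendors to their subprocessors, flags cross-border hops and any subprocessor that claims data its parent vendor never received, and assigns a tier from the data it holds and how much you depend on it. The vendor names, regions, data categories and the exact tiering rules are constructed for illustration.

```javascript
// Added example, not from the original page. All entities, regions, categories
// and the tiering thresholds below are assumptions for illustration.

// The business itself; `receives: null` marks it as the origin of the data.
const ORG = { name: "self", region: "US", receives: null };

// Constructed inventory. `from` is who passes the data on. A subprocessor can
// only legitimately receive categories its parent vendor received.
// dependence: "critical" | "high" | "disruptive" | "none"
const INVENTORY = [
  { name: "PayrollCo",  region: "US", from: "self",     receives: ["employee_pii"],                       dependence: "high" },
  { name: "MailTool",   region: "US", from: "self",     receives: ["customer_email"],                     dependence: "disruptive" },
  { name: "CloudHost",  region: "EU", from: "MailTool", receives: ["customer_email"],                     dependence: "none" },
  { name: "CRM",        region: "US", from: "self",     receives: ["customer_email", "customer_payment"], dependence: "critical" },
  { name: "StatusPage", region: "US", from: "self",     receives: [],                                     dependence: "none" },
  // Claims browsing_history although CRM never received it: an inventory inconsistency.
  { name: "Analytics",  region: "US", from: "CRM",      receives: ["customer_email", "browsing_history"], dependence: "none" },
];

const CUSTOMER_CATEGORIES = new Set(["customer_email", "customer_payment", "browsing_history"]);
const SERIOUS_CATEGORIES = new Set(["customer_payment"]); // assumption: loss would be serious

function index(inventory) {
  const map = new Map([[ORG.name, ORG]]);
  for (const e of inventory) map.set(e.name, e);
  return map;
}

// Walk an entity back to the business, collecting the chain and any findings.
function trace(entity, byName) {
  const chain = [entity.name];
  const findings = [];
  let current = entity;
  while (current.name !== ORG.name) {
    const parent = byName.get(current.from);
    if (!parent) {
      findings.push(`${current.name}: unknown parent ${current.from}`);
      break;
    }
    if (parent.receives) { // parent is a vendor: check the subprocessor's claim against it
      const excess = current.receives.filter((c) => !parent.receives.includes(c));
      if (excess.length) findings.push(`${current.name} claims ${excess.join(", ")} that ${parent.name} never received`);
    }
    if (parent.region !== current.region) {
      findings.push(`cross-border transfer ${parent.name} (${parent.region}) -> ${current.name} (${current.region})`);
    }
    chain.unshift(parent.name);
    current = parent;
  }
  return { chain, findings };
}

// "none": no customer data; "limited": some; "broad": data whose loss would be serious.
function accessLevel(receives) {
  if (receives.some((c) => SERIOUS_CATEGORIES.has(c))) return "broad";
  if (receives.some((c) => CUSTOMER_CATEGORIES.has(c))) return "limited";
  return "none";
}

// The four tiers from the text, driven by data access plus dependence.
function tier(entity) {
  const access = accessLevel(entity.receives);
  if (entity.dependence === "critical") return "critical";
  if (access === "broad" || entity.dependence === "high") return "high";
  if (access === "limited" || entity.dependence === "disruptive") return "medium";
  return "low";
}

// One row per entity: tier, full chain back to the business, and findings.
function assess(inventory) {
  const byName = index(inventory);
  return inventory.map((e) => {
    const { chain, findings } = trace(e, byName);
    return { name: e.name, tier: tier(e), chain: chain.join(" -> "), findings };
  });
}

// Every entity, direct vendor or subprocessor, that ends up holding each category.
function accessByCategory(inventory) {
  const out = {};
  for (const e of inventory) for (const c of e.receives) (out[c] = out[c] || []).push(e.name);
  return out;
}

for (const row of assess(INVENTORY)) console.log(row.name, row.tier, row.chain, row.findings);
console.log(accessByCategory(INVENTORY));
```

The two findings this sample produces are the ones a review should surface: CloudHost shows that customer email leaves the US one hop down the chain without appearing in any contract you signed directly, and Analytics shows a subprocessor claiming a category its parent never held, which means either the inventory or the vendor’s disclosure is wrong.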

Vetting and due diligence

If you’re considering bringing on a new vendor, you’ll want to vet them. And not just by doing a quick Google search or checking the company’s LinkedIn page. You want to be consistent and consistently thorough. (See above.) 

Your process should follow a standardized checklist for each and every potential vendor. Your checklist should include:

  • Getting references
  • Implementing regular vendor risk assessments
    • Critical and high-risk vendors should provide you:
      • Evidence of security controls (information security policies, independent audit reports such as SOC 2 or ISO 27001, disaster recovery test results) and of financial stability (proof of insurance, financial statements)
      • Evidence of ability to ensure continuity of service 
      • Evidence of incident management program that meets industry compliance and best practice standards
  • Internal documenting and reporting procedures

These requests should be accepted and – dare I say – welcomed by the vendor. If they aren’t willing to extend this, then you’ve reached the “Stop, Do Not Pass Go” place on the board.

Contracts: Creating and reviewing

Your vendor contracts and agreements are big pieces of your vendor management puzzle. Your contracts should do the following to ensure a mutually beneficial, mutually protected relationship. 


Cross border transfer

We know that data has a serious case of wanderlust. It can move pretty quickly from vendor to vendor in the blink of an eye. And before you know it, it’s made its way over to the EU. (Or vice versa.)

When data travels like this, you need to be aware of what’s known as “cross-border transfers.” Your contract should spell out how your vendor handles them: which countries data may move to, what legal transfer mechanism they rely on (for EU personal data, typically standard contractual clauses), and what steps they take to meet the requirements a transfer triggers.

Data protection addendum: Defining terms and relationships

As per your working relationship, what are personal data and sensitive information? Who are the data owners and who is the third-party in your written agreement? Establishing this helps you both understand how you’ll work together.

You’ll also need to define the purpose and duration of the agreement between you and the third party. It needs to be clear what you’re asking the third-party to comply with regarding privacy program management and risk mitigation. 

Confidentiality and accessibility

Your contract needs to put forth what data is being collected and, importantly, who has access to it. The goal? Ensure strict limitations to accessibility and minimize what personal data is disclosed. To help with this, you should detail the purpose of disclosure to ensure clarity for both parties.

Audits and support

Your contract should cover any requirements for audits and support needed from the third party. Much like minimizing data disclosure, your contract should include only the audit measures you actually need. Are on-site audits, for example, essential for you to meet your goals? If not, it may be better not to require them contractually, while still keeping the right to receive independent audit reports and to audit if an incident warrants it. 

Your contract should also detail what kind of help your vendors will provide for fulfilling individual rights requests and in cases of data breaches.  

End of contract obligations

No vendor relationship lasts forever. Your contract needs to spell out what happens to data when you part ways. Do they return it? Destroy it? What about subprocessors? Make sure to be thorough here to protect your customers. 

Reviewing contracts

You need to build contract review into your processes. This is a job that should be handled across teams, so make sure to bring in your legal counsel, procurement team, and leadership on these discussions. 

You should develop a contract management system that tracks the things you need to know for privacy protection. Keep in mind, though, that free or low-cost vendors may not meet the threshold for legal review. Account for this possibility in your process.

As with your security questionnaires, your contracts should be reviewed annually. When reviewing contracts, make sure the following is in place:

  • Vendor is committing to keeping system, data security, and privacy as per best practices and the industry standards
  • Vendor is meeting confidentiality and privacy requirements
  • Vendor is committing to notify you of security breaches, incidents, and potential vulnerabilities 
  • Vendor is committing to independent audits and assessments and to providing you access to audit documents

Ongoing Work

Having a vendor management process isn’t just about what you do when you bring on new vendors. It’s just as important to know how you are going to go about managing vendors, from initiating relationships to terminating them. Here are the best practices for this ongoing work. 

Data mapping/data inventory

Your vendors have access to your data. But do you know exactly what they have access to and how it moves from your system through theirs? Data inventories offer a snapshot of this process that is invaluable for understanding risks. 

Vendor assessments

Questionnaires. They’re not just for BuzzFeed. The privacy industry gold standard best practice is to require that your vendors regularly self-audit their security practices. 

Your questionnaire should, at the minimum, cover the following:

  • Vendor’s business relationships
  • Data handling and security practices
  • Incident management and response plans
  • How data will be used and stored
  • Cross border requirements
  • Individual rights capabilities
  • Privacy notice disclosures

When completed, the questionnaire should allow you to better identify the overall risk the vendors pose and provide documentation of your due diligence. 

And take note: this section sits under "Ongoing Work" because it's exactly that. These questionnaires aren't one-and-done. They are an essential part of continuously monitoring your vendors, because a vendor whose practices have slipped since onboarding is one of the most common ways your data ends up compromised.

As such, you should be sending them out annually to track new risks and stop security threats from reaching your business and your customers.

Vendor performance management

Privacy and data security are key, but let's pause for a moment to look at performance management. Your vendors provide services that you need, but are they providing them at the level you need? Are they meeting your expectations and the milestones you establish? Are they living up to your service-level agreements and KPIs?

Your vendor and supplier management process is an opportunity to gather this information and analyze it. 

Working with your team

To encourage transparency, build partnerships across your organization so that vendor activity is visible to everyone who needs to see it.

When it comes to data security and privacy, you should be investing in team training. It’s a best practice, but may also be required. Does everyone in your organization understand the potential risks that vendors pose? The prevalence of free vendors can be a weak link for your team and a solid privacy training program can bring everyone onto the same page.

Sunsetting relationships

No relationship – business or otherwise – lasts forever. Whether you’ve outgrown a vendor, they’ve gone out of business, or they’ve failed to live up to compliance standards, you need to put processes in place for all end-of-relationship contingencies. 

This should cover your contract (see above for details!) but also your internal processes and decision-making steps. Natural terminations can be easier to navigate, but ending relationships because of noncompliance can be trickier. Your process should detail the whys and hows of these situations. 

Have a backup plan.

Sometimes vendors seemingly fall off the face of the earth. In these cases, you need to have backups, especially if they’re a critical service. Being able to pivot quickly and with confidence helps you maintain your standard of service. 


Relaxed restrictions with long-term vendors can be a big risk. Whether you’re five days into a vendor relationship or five years, you need to approach them with the same level of care. 

One key way to reduce risk is to only give vendors access to what data they need to get their job done and no more. This approach dovetails nicely with compliance mandates to minimize data. Data minimization is one of the most efficient ways to reduce your risk factors and maintain a high degree of consumer trust. 

Red Clover Advisors has been making data privacy practices simple and straightforward for clients since Day 1. Whether you're a fresh startup that wants to prioritize privacy and compliance training from the get-go or an established business needing to reshape your approach, we provide your team with information that is practical and actionable.

Take your company beyond compliance. Reach out to our team at Red Clover Advisors today to start with your free consultation.

When privacy policies make it into the news, it’s rarely because people are raving about them. Bad privacy policies are talked about, lambasted for being incomprehensible, unfriendly, and, frankly, unreadable. (Just take a look at The New York Times’ “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster” to see just how excruciatingly unreadable they can be.) 

In the worst cases, privacy policies make headlines when a company's actual data practices and its privacy notices don't align. (At the extreme end, Facebook paid a hefty fine over privacy notice violations.)

Or maybe you’ve thought a lot about privacy policies. You care about your customers and staying in line with laws and now you can cross this off your to-do list. Compliance – achieved!

But compliance is more complex than that. It’s not a bag of popcorn that you pop in the microwave and in 2 minutes, *ding*, it’s done and ready. Compliance is like a sourdough starter. (Yes, even privacy consultants do pandemic baking!) You’ve got to pay attention to environmental conditions, make adjustments to keep it happy, and treat it like the living, breathing being that it is. 

So let’s get started.

CCPA Privacy Policy Requirements

The California Consumer Privacy Act (CCPA) became enforceable on July 1, 2020, and a major element of it is keeping your privacy policy and privacy notice up to date. Let’s talk about how we make that happen.

Privacy policies and notices are essential for communicating how your organization thinks about personal information and data security. They facilitate compliance. They define terms, how data is handled, and communicate this critical information. 

Privacy notices should be like snowflakes

No two should be alike. Every company is on its own mission when it comes to data. That website your customer just visited? It’s got its own mindset at work. 

It’s not an overstatement to say this is a great opportunity. Own your privacy notice! Your privacy notice is an opportunity to show your customers the specifics of your data collection plans. Transparency builds trust, after all. 

How to get your privacy notice right

Communicating with your customers is critical when it comes to your data collection, so let’s focus on how you get your privacy notice done so well, they thank you for putting it together. (Hey, a privacy consultant can dream, can’t she?) 

Putting it together well is a statement of your brand, your values, and a chance to connect with your customers. Some things to keep in mind:

  • Make sure your brand voice and tone extend to your privacy notice. Whether you’re no-nonsense, cheeky, approachable, or authoritative, make sure it carries over.
  • Use sections and hyperlink between them to increase readability and usability
  • Visual elements can be valuable – consider a graphic summary to deliver the content to your audience in a way they’ll quickly understand.

Getting it right means starting with a good privacy program. Learn more about what goes into one.

And remember, privacy regulations change over time. Although CCPA just became enforceable, there’s a new privacy regulation on the horizon – the California Privacy Rights Act (CPRA). This act will bring new requirements to bear on privacy practices and notice obligations will definitely be affected. What works today may need to change tomorrow. That’s why your business benefits from really integrating privacy into your brand values – it makes adapting to new conditions considerably easier when you have that infrastructure in place. 

Don’t make your customers look for it:

Keep these following line items in mind when determining if your privacy notice is ready to go:

  • How are your customers getting your privacy notice? You’ve got some options. You can make it available via a web form or cookie banner on your websites or a just-in-time pop up on your mobile app. 
  • However you choose to implement it, it needs to be available to users “at or before the point of collection.” That means no surprise notifications after the fact! 
  • Your privacy notice can’t just be “available.” It needs to be conspicuous. The standard location is the footer or within the hamburger menu on a mobile app. 
  • Make sure you provide notice for every category of personal information you collect, including what is collected by tracking technologies like the Facebook and Google pixels.

What does your notice need to tell people?

Under CCPA, there are some specific line items that you have to cover in order to be in compliance.

Privacy notice checklist

Let’s take a look at the content requirements for a CCPA compliant privacy notice. Your privacy notice has to include the following information. 

Categories of information

Your privacy notice should disclose how and when you collect personal information, covering:

  • The categories of personal information your business has collected
  • The categories of personal information you have sold
  • The categories of personal information you have disclosed for a business purpose
  • The categories of third parties that have received your customers' personal information

These disclosures should be relevant to the last twelve months of data collection. 

Individual rights

Your privacy notice needs to contain a description of your customer’s rights to disclosure, access, opting out and nondiscrimination. The biggest one is opting out – your notice should provide your customers the opportunity right then and there to opt out of the sale of their personal information. 

Contact methods

Consumer requests have to come in somehow! Your business needs to have two or more ways to allow your customers to contact you and exercise their CCPA rights. If your business is:

  • Online only: An email address, as well as a webform for “Do Not Sell.”
  • Physical only: A toll-free number and mailing address
  • Physical and online: Toll-free number and website. May also include mailing address, email address, or other. 

Having your contact methods well established and your team trained on how to respond is a big win for your business. There's no clearer way to communicate to your customers that you value your relationship with them than by making things easy.

How are you communicating this information?

Remember, you’ve got to get this information in front of your customer’s eyes AT OR BEFORE the point of collection. (I know, I already said this, but it’s really important!)

Another really important piece? The “Do Not Sell My Personal Information” piece. You’ve got to have a visible, easily identifiable button on your website with this title that links to a webpage that allows people to opt-out of the sale of their personal information. This link has to be available:

  • On your homepage
  • In your privacy policy
  • And in any California-specific description of consumers’ privacy rights

Here are some other points to remember

Privacy compliance is a lot of work. It’s complex. There are a lot of moving parts. It can feel like a puzzle where all the pieces keep changing shape. 

But it’s far from impossible. Especially when you have someone who can help you keep track of the pieces and who can remind you who’s going to be looking at this very puzzle later: your customers.  

How, you might ask, do you keep that in mind? Here are a few starting points:

Map your data

Data mapping – it's not just for the General Data Protection Regulation (GDPR). Data mapping is a vital practice for any privacy-forward company. If you've already done data mapping for GDPR, great – you've got a head start, although you'll still need to review and document whether you're selling data as defined by CCPA.

If not, you’ll need to put together an inventory that documents your collection and sale and disclosure of personal information. 

Data mapping is multifunctional, but for our purposes today, you need it to be shipshape to build accurate privacy notice disclosures AND to provide accurate responses to your customer’s information requests.  

Stay up to date

Privacy notices are dynamic, living documents. CCPA requires your privacy policy to be updated at least once every twelve months, and it needs to stay current with what you're actually doing with the data you're collecting.

That means, if you’ve shifted strategies and you’re collecting new categories of information, sharing/selling it with new vendors, or using it for different purposes, you’ve got to disclose these changes. 

And that’s not all. Got a new marketing campaign? Rolling out a new product feature? These totally normal business activities are relevant to your privacy notice. 

If you don’t, you risk violating your own notice and your mission to be transparent.

(Don’t forget, your privacy notice may live across multiple digital properties. Keep it updated at each location.)  

Make everything really easy to find and understand

You should make your privacy notice as easy to find as possible, in a format that's easy to read across all devices. Under the CCPA regulations, privacy notices and privacy policies must be "reasonably accessible to consumers with disabilities," and the privacy policy must be available to print out as a separate document.

And (I know, I've said this already) it needs to be placed where people will see it BEFORE information is collected, and written in plain, straightforward language. No legalese or iambic pentameter, please.

Getting all the pieces of compliance in place can be challenging. Sometimes it takes a village to get your team trained, your policies written, and your business shifted in a consumer-privacy-oriented direction. But that's what gets us up in the morning and excited for the day. Drop us a line and let us know how we can help you.

The California Consumer Privacy Act (CCPA) has been on the horizon for a long time. It was passed on June 28, 2018, but the lead time on finalization and enforcement has been a slow road. 

However, the wait is over – the CCPA became enforceable on July 1, 2020. (Yes, it's been in effect since January 1, 2020, but it's the real deal now, complete with final regulations and all.)

A lot has changed since CCPA first rolled out. And a lot has REALLY changed since January. So what’s a privacy-minded organization to do if they need to get up to speed on falling in line with CCPA regulations?

Sit back and put your feet up – we’ll tell you what you should know.  

What’s in CCPA (and what’s in it for me?)

It’s never a bad idea to start with a refresher on what exactly is going on with privacy regulations. By necessity, privacy regulations are complex and nuanced. CCPA is no exception. 

CCPA is the most expansive data privacy law to date in the United States. Informed by advertisers using consumer data without consent to influence events like political elections, its regulatory reach goes beyond the borders of California.

CCPA is often said to be the lite version of GDPR. That’s not inaccurate, but there are some important differences to make note of now that we’re entering into the enforcement period of CCPA.

Does CCPA apply to me?

Anytime there is a new regulation, the first question that pops into a business owner’s head is, “Okay, do I need to worry about this?” 

So, if you’re in a compliance state-of-mind and thinking you should probably dig into whether or not you need to start scrambling, here’s the short answer for you. The CCPA applies to your business if:

  • You're a for-profit business that:
    • Collects and controls California residents' personal information AND
    • Does business in California AND
    • Meets at least one of the following thresholds:
      • Annual gross revenues in excess of $25 million
      • Annually buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices
      • Derives 50% or more of its annual revenue from selling California residents' personal information

CCPA Rights: What You Need to Know and How to Get Prepared

CCPA provides thorough guidelines. (And it should – it went through numerous revisions to get where it is now.) There are seven articles with 42 sections total that cover how businesses can meet the regulations. 

What do you absolutely need to know, though? Here are some of the most relevant takeaways. 

If you’ve reached this point and you’re already thinking “Yikes!” don’t get overwhelmed. Compliance is always manageable with the right help.

You’ve got to know if your business is collecting or selling consumers’ personal information

Are you buying, renting, gathering, obtaining, accessing, or any other synonym for “receiving” personal information? If so, you’re collecting consumers’ personal information. It’s relatively straightforward. 

What constitutes selling data? CCPA defines it as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

But what does that actually mean? "Selling" is often misconstrued. Yes, it can be the usual "I'll give you x amount of money for y amount of data," but under CCPA it also covers sharing data in exchange for any other valuable consideration where the third party uses the data for its own purposes. By contrast, if data is shared with a service provider and the contract limits the service provider to using the data only to deliver the services, that does not qualify as a sale under CCPA.

Regardless of whether you collect or sell personal information, you need to have data mapping processes in place. Here are some questions to consider when you undergo data mapping:

  • Where do you host your data (including with any third parties)?
  • For what purpose is the data you collect used?
  • Do you collect and sell data on children? 

Wait, what’s considered “personal information”? Is it the same as GDPR?

Like GDPR, the CCPA defines personal information broadly. It’s any information that identifies or is reasonably capable of identifying a particular consumer or household. Significantly, the CCPA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (more on this below).

The statute provides a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name or alias, postal address, unique personal identifier, digital identifiers (all those pixels, cookies, etc), internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Characteristics of protected classifications under California or federal law
  • Commercial information, including records of personal property, goods or services purchased or considered, or other aspects of purchasing history
  • Biometric information
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement
  • Geolocation data
  • Professional or employment-related information
  • Education information

Let’s pause for a moment on the category of “identifiers.” Digital identifiers are a new and increasingly important part of personal information. Think about how much time people spend online and how many websites – and how many pixels – they visit. This alone is a substantial source of personal information that you need to be aware of. 

Transparency and notice obligations

Transparency! It’s not just a buzzy value to tout to your customers – it’s essential under CCPA. You can’t just tell customers you’re collecting data after the fact. You need to give customers four distinct types of notices so your data collection practices are crystal clear:

  • Notice of the collection of personal information
  • Customer opt-out rights
  • Financial incentive notice
  • Business’ privacy policy

When putting together these notices, it’s important to balance comprehensive attention to detail with consumer-friendly copywriting. Your notices need to be easy to understand by your consumers. 

But remember, being user-friendly isn't just about your writing style – it also means your website is set up in an ADA-compliant manner. The law requires privacy notices to be accessible to all users. That means you need to consider how individuals with disabilities, and the assistive technology they use such as screen readers, will interact with the notices.

Sidebar: When you’re structuring these practices and policies in a piecemeal fashion, it’s hard to connect the dots. The result can be ineffective and incoherent. But when you take a long, hard look at how privacy, data practices, and consumer needs fit into your organizational values, it comes together with greater ease. 

Your consumers, their information

Much like GDPR, the CCPA is meant to protect an individual’s rights regarding their personal data. How you implement it can significantly impact the trust your consumers have in your business. So how does your business achieve these objectives while providing value to your customers? By focusing on upholding individual rights. Here are some key points to think about. 

Think about: Consumer rights

There are six distinct consumer rights that are covered by CCPA that you need to uphold. Do you know what they are – and what you’ve got to do?  

  1. The Right to Notice
    • What does it mean?
      • You’ve got to tell your consumers that you’re collecting their data at or before the time of collection and when you collect new categories or data in plain and straightforward language.
      • You've got to put a "Do Not Sell My Personal Information" link on your homepage.
  2. The Right to Access Personal Data and Information
    • What does it mean?
      • Your consumers have the right to access their data twice a year to confirm that you’re collecting their personal data and to get a copy of the data from the past twelve months.
  3. The Right to Know if Their Personal Data is Being Shared (And With Whom)
    • What does it mean?
      • Are you sharing your consumers’ data with other parties? Your consumers have a right to know and they can ask to see what you’re sharing.
  4. The Right to Deletion 
    • What does it mean?
      • Consumers can ask you to delete any of their personal information. The catch: You have to provide them this right in an accessible format. 
  5. The Right To Know Whether Their Data Is Being Sold And The Option To Opt-out Of Sale
    • What does it mean?
      • Consumers can ask you to not sell their data.
  6. The Right To Equal Rights And Services
    • What does it mean?
      • An individual’s use of their CCPA rights can’t affect the goods and services you provide them.

Want a closer look at individual rights? We’ve got an article for that.

Think about: Managing consumer requests

Responding to individual rights requests is huge for compliance, but it’s even bigger for establishing trust with your consumers. Under CCPA, consumers can submit requests to access their personal data in accordance with their rights.  

If you interact with customers in person, you need to provide at least two methods of contact, one being a toll-free number for requests. If your business operates ONLY online, you can get by with an email for submitting Requests to Know and Requests for Deletion. 

For requests to opt out, you need to offer two ways for consumers to do so, and one of them needs to be the Very Important "Do Not Sell My Personal Information" link.

Are you able to meet deadlines?

Under the CCPA regulations, you have 10 business days to confirm receipt of a request to know or a request to delete, and 45 calendar days from receipt to complete the response. This can be hard, especially for busy small businesses, but it's important to make it a priority.

Think about: Verifying requests

When a consumer submits a request to know or a request to delete their personal data, you have to verify their identity before you act on it. Under CCPA, identity verification is nuanced: the level of verification depends on the sensitivity of the data and the risk of harm, so make sure you've trained your team THOROUGHLY on your process. (And that the verification step still fits within the 45-day timeline!)

Think about: Is your team prepared?

Your customer-facing team has a lot of responsibility. They need to know what the requirements are. They need to know how to respond to different types of requests. They need to know what the limitations on requests are. They need to know how to correctly verify requests. And they need to know how to help your customers exercise their rights. 

Are you ready to help them handle all of this? Training, unsurprisingly, is essential. 

Enforcement and Beyond

Under the scope of CCPA, California residents have the right to sue companies if their non-encrypted and non-redacted personal information is subject to a qualifying data breach. This is a significant provision in and of itself. 

But beyond that, the California attorney general’s office is responsible for making sure companies are in compliance with the regulation. 

If you’re found in violation of the CCPA, your company will be subject to civil enforcement actions. You’ll get a notice of non-compliance and 30 days to resolve the problem. If you don’t meet the 30-day deadline, you’ll be subject to an injunction and a civil penalty of $2,500 for each unintentional violation and $7,500 for each intentional one. 

Enforcement is only part of the picture, though. Your customers expect you to be doing the right thing with your data. If you're not doing the right thing with it, you're not staying in compliance. (And of course, that's an issue.)

But you’re also not honoring the trust your customers have given you by sharing their data. Breaching that trust is just as damaging as any data breach. 

So the question is – how do you factor this into your business operations? Your brand? Your vendor relationships? 

These questions don’t have one-time answers. Being responsible for consumer data, staying current on regulations – these things are the new norm, and meeting expectations is a moving target. 


We're here to help you find the right roadmap for your business, no matter what it might look like. Contact us to schedule a free call.

GDPR (or the General Data Protection Regulation) has been around for over two years now. And like most two-year-olds, people have found ways to get some kind of compliance under control. 

That’s not to say that there haven’t been bumps along the way. Organizations have balked at the international reach of the regulation. Technology solutions have lagged in comparison to the regulatory environment. Business processes have lagged as well. 

Yet GDPR has continued to gain traction, especially as consumers look to protect their personal information wherever possible. Similar laws are being passed and going into action in the United States – the California Consumer Privacy Act is the first, but definitely not the last – and Brazil, Australia, and other places. It’s a big deal, globally. 

And a big job. Compliance with GDPR is a significant undertaking for organizations. The first place we suggest starting? With a data inventory. And what does a data inventory require? Taking a good long look at Article 30 of GDPR. 

Quick reference: What is GDPR?

GDPR is the most in-depth, comprehensive set of data protection regulations. GDPR, which went into effect in May 2018, limits what organizations can do with the personal data of people in the EU and codifies their right to determine how their data is used. Organizations don't have to be located in the EU to feel the pressure of compliance – if you offer goods or services to people in the EU or monitor their behaviour, and collect their data in doing so, you've got to comply. (Or face some pretty hefty fines.)

Moreover, GDPR was a significant piece of legislation because it shifted the landscape on how personal data was defined. We all have a general understanding of personal data as information that identifies an individual. It can be something we all clearly associate with personal information, like a name or birthdate. 

However, GDPR pushed the envelope. Its definition included technology-specific items such as digital identifiers like cookies. GDPR also made a particular impact by creating special categories of personal data. These categories are more carefully guarded and include information about racial or ethnic origin, political or religious beliefs, genetic or biometric data, and more.

But GDPR isn’t just about defining data – it’s about structuring how and why companies can use it. Under GDPR, organizations that collect personal data have to keep records of processing activities. Herein lies the function of Article 30. 

See a full list of special categories of personal data here. To do a deeper dive into GDPR issues, we have a helpful FAQ that reviews common issues and a wealth of detailed blog articles that explore GDPR.

A few words about Article 30

If GDPR focuses on accountability, Article 30 is one of the main tools to help create it. It tells organizations exactly what they need to document to be GDPR compliant. We’ll cover exactly what you should document for Article 30 below, but just as important as the actual data is keeping it up-to-date and organized. 

This emphasis on organized data collection is why the process of data inventories is so important. You don’t actually need a data inventory to meet Article 30 requirements, but it would be next to impossible to do it without one. With a data inventory, you can establish data flows, you can figure out what is (or isn’t) accounted for, and pinpoint vulnerabilities resulting from information transfer.

Meeting Article 30 requirements

GDPR compliance isn’t something that can be handled overnight – it contains 99 articles with important definitions, instructions, and guidelines to incorporate into how your organization handles personal data. (And even when you’re done, you’re not really done – it’s an ongoing process. That’s why we serve as fractional CPOs to help companies manage the long-term work.)

But let's zoom in on Article 30. Article 30 provides an important jumping-off point for any GDPR-related compliance by requiring organizations to keep records of how personal data is processed. (Article 30(5) exempts organizations with fewer than 250 employees, but only if their processing is occasional, is unlikely to result in a risk to individuals, and involves no special categories of data or criminal conviction data – in practice most businesses don't clear all three bars.) This means producing an Article 30 report, though you might know it by another name: a data inventory, a data map, or a record of processing activities.

What do you need to collect to put together a data map/data inventory/record of processing activities/Article 30 report? Let’s take a look at the overall requirements referred to in the article and what they mean. 

Get ready, get set, get your records ready

Article 30 sets out two records. Under Article 30(1), a controller (and, where applicable, its representative) keeps a record of the processing activities under its responsibility, containing:

  • Name and contact details of the controller and, where applicable, any joint controller, representative, and data protection officer
  • Purposes of the processing
  • Categories of data subjects and categories of personal data
  • Categories of recipients to whom the personal data has been or will be disclosed
  • Transfers of personal data to third countries, where applicable, and the safeguards used
  • Where possible, the envisaged retention periods for each category of data
  • Where possible, a general description of the technical and organizational security measures

Under Article 30(2), a processor keeps a record of all categories of processing activities carried out on behalf of each controller, containing the names and contact details of the processor and of each controller it acts for (plus representatives and data protection officers where applicable), the categories of processing carried out for each controller, any transfers to third countries with their safeguards, and, where possible, a general description of security measures. The first three items of the controller record are covered in more detail below.

It’s important to remember that an organization can be both a processor AND a controller. How to tell the difference? If you’re determining what data is collected and why, then you’re the controller. If you’re just doing the processing at the behest of another organization, then you’re the processor. As with everything in life and work, situations aren’t always black or white. Additional professional and legal guidance can be a big asset in navigating them. 

Names and contact details of the controller

Include your organization’s name and contact details and, if applicable, those of your representative, your data protection officer, and any joint controllers that decide with you why and how personal data is processed.

Purpose of processing

One of the kickers of GDPR is that there needs to be a lawful basis for processing personal data, and recording the purpose of each processing activity goes hand in hand with recording the basis you rely on. Article 6 sets out six lawful bases:

  • When consent is given by the subject for a given purpose
  • When data collection is necessary for a contract with the data subject
  • When there is a legal obligation
  • To protect the vital interests of the data subject
  • For public interest or in the course of official authority
  • The legitimate interests of the data controller or a third party as long as those interests don’t infringe on the rights of the data subject

Categories of processing activities that are carried out for each controller  

The definition Article 30 relies on comes from Article 4(2) of GDPR: “processing” means “any operation or set of operations which is performed on personal data or on sets of personal data…” 

That’s quite a broad definition, right? This broadness allows the regulation to apply to as many organizations that might have their hands on personal data as possible. 

Article 4(2) does provide a (non-exhaustive) set of examples for guidance, though. Data processing includes (but is in no way limited to), “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

As per this requirement, you don’t just have to pinpoint who is doing the collecting and processing. You also have to identify the “categories of recipients of personal data,” that is, anyone that you’re sharing collected personal data with. This could include vendors, government agencies, credit bureaus, and more. 

Categories of data subjects and of the categories of personal data

Article 30 requires that categories of data subjects and processed personal data are included in records of processing activities. In a more straightforward way, this just means what kind of information you’re collecting and about whom.

Personal Data

  • Name
  • Home address
  • E-mail address 
  • Personal phone number
  • Work phone number
  • Birthday/age
  • Languages
  • Passport details
  • Social security number or other national identifiers
  • Driver's license details
  • Sex
  • Marital status 
  • Wage/salary
  • Bank account
  • Credit card details
  • Education level/diplomas

Data Subjects

  • Current personnel
  • Former personnel
  • Contractors/consultants/freelancers 
  • Students
  • Volunteers
  • Directors
  • Shareholders
  • Beneficiaries
  • Public officers
  • Consumers
  • Website end-users
  • Customers
  • Prospects
  • Suppliers

Special categories of data

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation

Where applicable/possible

You may also need to include information on the following:

  • Identification of any transfer of personal data to another country or international organization, together with the safeguard you rely on to make that transfer lawful. The transfer itself needs to meet the cross-border transfer requirements.

  • Time limits for the erasure of different categories of data

  • General description of the technical and organizational security measures 
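As an added example (not code from the original article), here is how the record fields listed above can be turned into an automated check over a data inventory, so that incomplete or risky records surface before anyone asks for the report. The field names, the EEA country list, the lawful-basis labels and the sample records are all assumptions made for the demo:

```javascript
// Added example, not from the original article: validate data-inventory records
// against the Article 30 fields listed above. Field names, the EEA list and the
// sample inventory are assumptions made for this demo.

// The six Article 6 lawful bases, as short labels (assumed spelling).
const LAWFUL_BASES = new Set([
  "consent", "contract", "legal obligation", "vital interests",
  "public task", "legitimate interests",
]);

// Special categories that deserve a flag whenever they appear in a record.
const SPECIAL_CATEGORIES = new Set([
  "racial or ethnic origin", "religious or philosophical beliefs", "political opinions",
  "trade union membership", "biometric data", "genetic data", "health data",
  "sex life or sexual orientation",
]);

// EEA members (assumed list): a transfer anywhere else needs a documented safeguard.
const EEA = new Set(["AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
  "IS", "LI", "NO"]);

// Fields a record must carry, depending on whether your organization is the
// controller (Article 30(1)) or a processor (Article 30(2)) for that activity.
const REQUIRED_FIELDS = {
  controller: ["controller", "purposes", "lawfulBasis", "dataSubjects", "personalData",
               "recipients", "securityMeasures"],
  processor:  ["processor", "controller", "processingCategories", "securityMeasures"],
};

function isBlank(v) {
  return v === undefined || v === null || v === "" || (Array.isArray(v) && v.length === 0);
}

// Returns the list of findings for one record; an empty list means it passes.
function validateRecord(rec) {
  const findings = [];
  const required = REQUIRED_FIELDS[rec.role];
  if (!required) return [`unknown role "${rec.role}" (expected controller or processor)`];
  for (const f of required) if (isBlank(rec[f])) findings.push(`missing ${f}`);

  if (rec.role === "controller") {
    if (rec.lawfulBasis && !LAWFUL_BASES.has(rec.lawfulBasis)) {
      findings.push(`unrecognized lawful basis "${rec.lawfulBasis}"`);
    }
    for (const cat of rec.personalData || []) {
      if (SPECIAL_CATEGORIES.has(cat)) findings.push(`special category "${cat}": document the extra safeguards`);
      if (!rec.retention || isBlank(rec.retention[cat])) findings.push(`no erasure time limit for "${cat}"`);
    }
  }
  // Transfers apply to controller and processor records alike.
  for (const t of rec.transfers || []) {
    if (!EEA.has(t.country) && isBlank(t.safeguard)) {
      findings.push(`transfer to ${t.country} (${t.recipient}) has no documented safeguard`);
    }
  }
  return findings;
}

// Validate a whole inventory: { recordId: [findings...] } for the records with problems.
function validateInventory(records) {
  const report = {};
  for (const rec of records) {
    const findings = validateRecord(rec);
    if (findings.length) report[rec.id] = findings;
  }
  return report;
}

// Constructed sample inventory: one clean record, one risky record, one incomplete record.
const SAMPLE_INVENTORY = [
  {
    id: "payroll", role: "controller", controller: "Example Co, privacy@example.com",
    purposes: ["pay staff"], lawfulBasis: "contract", dataSubjects: ["current personnel"],
    personalData: ["name", "bank account", "wage/salary"],
    retention: { "name": "7 years after leaving", "bank account": "7 years after leaving",
                 "wage/salary": "7 years after leaving" },
    recipients: ["payroll provider", "tax authority"],
    securityMeasures: "encrypted at rest, role-based access", transfers: [],
  },
  {
    id: "wellness", role: "controller", controller: "Example Co, privacy@example.com",
    purposes: ["wellness program"], lawfulBasis: "consent", dataSubjects: ["current personnel"],
    personalData: ["name", "health data"], retention: { "name": "end of program" },
    recipients: ["wellness vendor"], securityMeasures: "encrypted at rest",
    transfers: [{ recipient: "wellness vendor", country: "US", safeguard: "" }],
  },
  {
    id: "support-tickets", role: "processor", processor: "Example Co", controller: "Client Ltd",
    processingCategories: ["storage", "retrieval"], securityMeasures: "",
  },
];

console.log(JSON.stringify(validateInventory(SAMPLE_INVENTORY), null, 2));
```

The report lists only the records with findings, so a clean inventory prints an empty object; running it as part of the process that populates the inventory (questionnaire import, scanner output) keeps the "up-to-date and organized" requirement from drifting.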

How to go about the work of meeting Article 30 requirements?

Data inventories don’t just create themselves! Knowing what you need to put together is half the battle, but you also need to determine effective internal processes to do the work. Some things to consider:

  • Are you starting from scratch or using an existing data map? 

  • How are you going to populate it: automated scanning? Questionnaires? API integration? 

  • How far back are you collecting data? 

  • Who is doing the work - your IT team? Legal? 

And, importantly, what is your long-term strategy for maintaining your records? Compliance is never a one-and-done deal. It requires care, attention, and strategy over time. 

If you’re ever feeling overwhelmed, let us know. We’re happy to advise. Red Clover Advisors has been a partner in guiding US companies through the process of meeting GDPR compliance requirements. We help you create a comprehensive strategy covering data inventories, privacy policies, and data protection that is custom-built for your company’s needs. 

To get started with your own roadmap, reach out to set up a free consultation with our team today.

For many organizations in the US and abroad, the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) lay the groundwork for how data security and consumer privacy are approached.

These regulations have made big impacts in the data landscape. An important element of these legislative landmarks? The need for businesses to implement cookie banners across their website and app. But while it’s tempting to just add a cookie banner to your website and move on to your next project, do you know what the deal actually is with them – and how to make sure you’re truly compliant? 

Differences Between GDPR and CCPA: The Nutshell Version

Comparing GDPR and CCPA can be a helpful exercise in understanding data privacy issues. While the two regulations aren’t interchangeable, they both deal with similar issues and similar concerns in individual rights. Both of them create legal requirements around:

  • Transparency in businesses practices dealing with personal data 
  • Security and control over personal information for consumers
  • Treating online identifiers such as cookies as personal information  

One of the big points of departure between GDPR and CCPA is user consent. GDPR (together with the EU’s ePrivacy rules, which borrow GDPR’s definition of consent) centers on the user: non-essential cookies may only be set after the visitor has given prior consent. CCPA allows businesses to collect data before getting consent, as long as users have the ability to opt out of collection.

Another significant difference between GDPR and CCPA is scope. Both reach beyond the territories whose residents they protect, but the compliance mandates differ. Under GDPR, any website, organization, or business that processes the personal data of people in the EU has to comply with the regulation, even if it isn’t actually located in the EU.

The CCPA, on the other hand, applies only to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • Annual gross revenue of more than $25 million
  • Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices each year for commercial purposes
  • Derives 50% or more of its annual revenue from selling consumers’ personal information

Meet Your GDPR Cookie Banner Compliance Requirements

GDPR compliance. We’ve been talking about that for a little bit, haven’t we? Seeing that GDPR has been in effect since May 25, 2018, you may have already grappled with cookie banners and consent.  

A key tenet – perhaps even THE key tenet – of GDPR requirements is that EU residents have the right to be informed when a business or organization collects their personal data. And it’s not just that they’re collecting the data – businesses and organizations have to tell people why they’re collecting it, how long they’re keeping it, and who they’re sharing it with. If an individual doesn’t want their data used in that manner, they have the right to object.

But how does this actually play out on websites? Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR and it has to have several pieces in place. 

Opt-in Cookie Consent

When you set up your cookie banner, the safest way to approach cookie consent is to take an opt-in approach. The opt-in approach means that website visitors have to actively give you permission to drop cookies. (At least those that aren’t essential for site functions.)  

How do you get that consent? With an opt-in button whose text makes crystal clear that the user is agreeing to cookie deployment. Pre-ticked boxes, or treating continued browsing as agreement, don’t count as consent under GDPR. 

More on Cookie Deployment

Let’s expand on cookie deployment just a little bit. According to GDPR, your website needs to be sufficiently detailed so that visitors are able to give informed consent about accepting cookies. A key piece of this information is the whats and whys of your cookies. What kinds of cookies are you using? Why do you want the data and how are you going to use it? 

Third-Party Data Sharing

When we talk about how we’re using visitors’ data, one topic that comes up time and again is sharing with third-party vendors. Third-party vendors provide businesses with valuable services, but they also pose a security risk. For transparency, you need to inform users who else has access to their data. 

Link to the Website’s Cookie Policy. 

You’ve got a cookie policy. (Right?) Don’t be shy about sharing it with your website visitors – it’s part of your compliance journey. 

The most straightforward way to get people to your policy is by adding a link to your website’s cookie policy in your cookie banner. Your cookie policy should cover the details of how cookies are used on your site and include an exhaustive list of all the cookies you’ve put into place. 

Win Brownie (Err…, Cookie) Points

You don’t have to do this, but your visitors will appreciate it if you add a link to your cookie settings within the cookie banner. Yes, it’s not strictly required by GDPR as long as visitors have the choice to refuse all cookies. Website users, unsurprisingly, appreciate the option to control their user experience and their data. 

Meet Your CCPA Cookie Banner Compliance Requirements

The CCPA went into effect on January 1, 2020, and became enforceable on July 1, 2020. Similar to GDPR, CCPA gives California residents the right to be informed when a business or organization collects their personal data. California residents also have a private right of action against businesses in certain cases (notably certain data breaches). 

Under CCPA, website owners have to inform users about what information they’re collecting, how they’re processing it, and with whom they share it. That part is very similar to GDPR. 

However, there is a big difference between GDPR and CCPA: CCPA takes an opt-out rather than an opt-in approach. While CCPA doesn’t require a banner to facilitate the opt-out, it’s currently the best practice to make sure you’re giving visitors the ability to opt-out at the time of – or before – collection.  

The CCPA does restrict one aspect of data collection for websites: the sale of personal information of visitors under 16 years old. For these visitors, the sale requires opt-in consent (from the minor if they are 13 to 15, from a parent or guardian if younger) rather than an opt-out. So if you can’t rule out visitors under the age of 16, the opt-in approach is the safer choice. 

With all that in mind, let’s take a look at the Ingredients for a CCPA-compliant cookie banner. You should include the following in your cookie banner. 

Information About Cookie Use

CCPA requires websites to provide users with the details about why they’re collecting and using cookies and if they’re going to be sharing or selling that information to third parties. 

A Button to Accept Cookies

As noted above, there’s no opt-in requirement under CCPA. You can still include a button that lets users accept cookies. (But you can fire cookies before the website user accepts them, as long as you give them the information about the data you’re collecting at or before the point of collection.) 

As in the GDPR version of a cookie banner, you have the option of including a link to a cookie setting page that allows users to opt-in or out. No, it’s not necessary, but yes, it’s a good step towards transparency and user experience. 

Do Not Sell Button

Under CCPA, you’ve got to give your users the ability to opt-out not just of data collection, but of the sale of personal information. According to CCPA, selling includes the following: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” With such a broad definition, it’s important for companies to understand the data that is collected and shared and specifically what the third party is doing with the information to determine if data is classified as a sale under CCPA 

(One issue to be mindful of is how you or your partners are using ad tech. While not all ad tech is considered selling, some uses may fall into the category of sales.) 

To uphold CCPA requirements, you need to provide the option of opting out. CCPA is specific on how you should do this: include a link or button to an opt-out form on your website’s home page. 

Your “Do Not Sell” needs to include some specific information, as well. It needs to have:

  • A link to your website’s privacy policy
  • A button that allows them to opt-out of personalized ads

Let us reiterate: Your “Do Not Sell” button isn’t the same thing as or interchangeable with a cookie banner. Don’t treat it as such. It’s a separate function. However, it’s smart to use it alongside your cookie banner to help your website use cookies to process data in a CCPA-compliant manner.
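As an added example (not code from the original article), here is the decision logic behind both banners described above, the GDPR opt-in banner and the CCPA opt-out banner with its under-16 rule and “Do Not Sell” choice, in plain JavaScript, together with a tag loader that only pulls in third-party scripts whose cookies are currently allowed. The cookie registry, the tag URLs, the regime names and the shape of the consent-state object are assumptions made for the demo:

```javascript
// Added example, not from the original article: consent gating for the GDPR
// (opt-in) and CCPA (opt-out) regimes. The registry, tag URLs, regime names and
// the consent-state object are assumptions made for this demo.

// Constructed cookie registry: the same facts the banner and cookie policy disclose.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential",   provider: "first-party", purpose: "keeps you logged in",        sale: false, tag: null },
  { name: "_ga",        category: "analytics",   provider: "third-party", purpose: "aggregate usage statistics", sale: false, tag: "https://analytics.example/tag.js" },
  { name: "_fbp",       category: "advertising", provider: "third-party", purpose: "personalized ads",           sale: true,  tag: "https://ads.example/pixel.js" },
];

// Which cookies may be set right now, given the regime and the visitor's choices.
//   gdpr: opt-in, nothing non-essential until its category is affirmatively accepted.
//   ccpa: opt-out, allowed by default, but "Do Not Sell" blocks sale cookies and
//         visitors under 16 must opt in before any sale.
// state = { optedIn: [...categories], rejected: [...categories], doNotSell: bool, under16: bool }
function allowedCookies(regime, state, registry = COOKIE_REGISTRY) {
  const optedIn = new Set(state.optedIn || []);
  const rejected = new Set(state.rejected || []);
  return registry.filter((c) => {
    if (c.category === "essential") return true;   // strictly necessary: no consent needed in either regime
    if (regime === "gdpr") return optedIn.has(c.category);
    if (regime === "ccpa") {
      if (rejected.has(c.category)) return false;  // honour choices made on the cookie-settings page
      if (c.sale) {
        if (state.doNotSell) return false;         // the "Do Not Sell" opt-out
        if (state.under16) return optedIn.has(c.category);
      }
      return true;                                  // opt-out regime: allowed before any choice is made
    }
    throw new Error(`unknown regime: ${regime}`);
  });
}

// Load only the third-party tags behind allowed cookies. `doc` is injected so the
// function can be exercised outside a browser; in a page, pass `document`.
function loadAllowedTags(allowed, doc) {
  const loaded = [];
  for (const c of allowed) {
    if (!c.tag) continue;
    const s = doc.createElement("script");
    s.src = c.tag;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(c.tag);
  }
  return loaded;
}

// A record of the choice, stored alongside the consent so it can be evidenced later.
function consentRecord(regime, state, policyVersion, now = new Date()) {
  return {
    regime,
    policyVersion,
    timestamp: now.toISOString(),
    optedIn: [...(state.optedIn || [])],
    rejected: [...(state.rejected || [])],
    doNotSell: Boolean(state.doNotSell),
  };
}

// Minimal stand-in for `document`, so the block also runs under Node.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: (tagName) => ({ tagName }) };
}

// Demo: a fresh EU visitor gets only the session cookie; a fresh California
// visitor gets everything until they click "Do Not Sell".
const doc = fakeDocument();
console.log("gdpr, no choice yet:", allowedCookies("gdpr", {}).map((c) => c.name));
console.log("ccpa, no choice yet:", loadAllowedTags(allowedCookies("ccpa", {}), doc));
console.log("ccpa, do not sell:", allowedCookies("ccpa", { doNotSell: true }).map((c) => c.name));
console.log(consentRecord("gdpr", { optedIn: ["analytics"] }, "2021-01"));
```

The useful property is the default: with an empty state the GDPR branch returns only the essential cookie, so a banner bug that never records a choice fails closed, while the CCPA branch fails open as the opt-out model allows. Keep `rejected` separate from `optedIn` so a visitor who changes their mind on the settings page is honoured in both regimes.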

Tying it all together

Yes, both GDPR and CCPA have a lot of moving pieces that you have to address in your cookie banners. And yes, it’s tempting just to find a customizable cookie banner online and wash your hands of it. 

But we don’t recommend this approach. Cookie banners don’t exist in a vacuum. Cookies change and have to be updated. It should all be part of your larger privacy strategy.  

If this feels overwhelming, we hear you. That’s why we work closely with clients to build a manageable strategy for long-term business goals. Ready to take the next step? Give us a shout. We’d love to chat.