Brexit, personal data, and the GDPR.Everyone’s talking about the latest Brexit deadline and the implications of the UK actually leaving the European Union (EU).

There’s talk of economics and trade agreements, but data privacy isn’t exactly on the tip of everyone’s tongues. However, there are real issues regarding data privacy and Brexit to consider.

The General Data Protection Regulation (GDPR) is the EU’s main privacy law. It describes seven main principles regarding the “lawful processing of personal data.”

According to GDPR, processing includes the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

So if the UK is not longer a part of the EU, how will its citizens’ data be protected?

Basically, this is what will happen:

  • The transfer of personal data from organizations within the EU to organizations in the UK will be subject to strict data transfer rules, as outlined by the GDPR. It will be the responsibility of companies in the EU to ensure data transferred to businesses in the UK are lawful. 
  • The UK will have to achieve adequacy status in order for data transfers to be legal. That means the EU has to find that the UK data protection system is equivalent to that of the EU’s GDPR.
  • If the final Brexit deal contains a provision regarding data privacy and protection, the UK may be automatically granted adequacy status. 
  • It can take several months and up to several years for a country to reach adequacy status. The longer it takes, the more likely new restrictions for data transfers will come into play. Organizations should begin working with their EU partners now to construct a plan so that no disruptions will occur in March if there’s no provision for data privacy when Brexit becomes official.

How does this affect businesses in the UK?

If a company is already GDPR-compliant, not much will change, especially if that company doesn’t conduct business outside the UK. However, if your business has data that flows between the UK and EU, you’ll have to comply with EU and UK privacy laws and stay up to date about changes with both sets of regulations.

The UK government said it remains committed to data privacy. It already has regulations in place similar to the GDPR. As of now, though, nobody knows for sure if the EU will consider those regulations adequate. 

The best rule of thumb for UK companies looking ahead to Brexit is to become GDPR-compliant as soon as possible, if they’re not already. This step will prevent any interruption in the flow of data in and out of that business. 

Does Brexit affect U.S. companies?

In short, yes. Brexit does affect companies based in the United States.

Brexit has implications on the US-EU Privacy Shield. Once Brexit is official, the UK will no longer be covered by that agreement.

The Privacy Shield framework was designed by government officials in the United States and Europe to provide companies on both sides of the Atlantic clear guidelines of data protection requirements when transferring personal data from the European Union and Switzerland to the United States. 

The framework was developed in support of transatlantic commerce. As trade and data privacy agreements are in flux during Brexit negotiations, your company should stay informed about this subject. If your company shares data with organizations in the UK, you should consider and develop strategies for potential changes or additions to the Privacy Shield framework now to avoid data privacy issues and interruptions to your operations down the road.

Top Three Brexit Tips 

  1. Review your data inventories to understand cross-border transfers and how they affect your company.
  2. Determine if your vendors are prepared for Brexit. If they aren’t, develop steps to appropriately manage the situation.
  3. Stay close to news of future updates so you can easily determine any other changes you may need to make. After all, Brexit is still a fluid situation.

If you’re still unsure of how Brexit can impact your company and its data protection systems, contact us today for a complimentary consultation. 

Schedule a free consult!

There’s a lot of uncertainty in the world right now. 

A global pandemic, major lifestyle changes, and increased isolation have turned our business worlds upside down. One thing remains certain, though. Red Clover Advisors is committed to providing trusted and practical privacy consulting services to our business community. 

By taking careful precautions and acting with sober judgement when it comes to remote work, we believe that together, our businesses can grow stronger and more resilient during this time.

Remote Work Best PracticesSecurity and privacy must be top of mind for remote work.

While the world is on lockdown, we get to connect more than ever online through the modern miracle of remote work. This presents a plethora of opportunities for your team to grow while getting creative about new ways to conduct business.

However, there are also a lot of new ways privacy and security risks can creep in and put your company in danger. 

As always, our team is prepared to help. 

In particular, we want to outline some of the privacy and security areas related to remote work that may affect your business. There are specific legal and practical steps you should be taking to keep your customers, your employees, and your business safe when it comes to remote work. 

Virtual Meetings

Conference calls and web meetings – aka virtual meetings – are at the center of making remote work successful. You’ll need to connect with colleagues and clients in order to move projects forward. 

There are major implications for virtual meetings, though. 

Just think about the situations when one meeting runs over, and the callers who dial in for the next meeting – on the same conference line – unwittingly overhear proprietary, client-specific, or competitor information. That’s a big no-no.

Virtual meetings must be set up correctly and procedures followed to a tee to avoid these unwanted privacy blunders from happening. Follow this checklist to make sure you’re doing it properly:

  1. Have a separate code for each virtual meeting you set up. 
  2. Schedule meetings to end at 25 or 40 or 55 minute intervals. The extra five minutes will give users time to log off before new users log on. 
  3. Set a timer to make sure you don’t run over meeting times.

Although virtual meetings tend to be quicker than in-person versions, you should still take extra precautions to make sure they end on time for the sake of protecting sensitive information. This ensures your remote work will increase collaboration without causing an embarrassing or costly security or privacy incident.

Remote Work Connections

VPNs and intranets are essential for successful remote work. When they’re set up correctly, it makes a security issue far less likely.

If your company doesn’t have a process for setting up a secure VPN, now is the time to create one. It should be reviewed by executives and technical experts on your team. And everyone in your company should be trained about how to use it.

Other tips for keeping connections and data secure include:

  • Best practice dictates not allowing employees to use their personal devices for work activities. If they do, it’s critical they follow all the following steps.
  • Don’t allow employees to use public WiFi without a VPN.
  • Install the proper software, firewalls, and connections securities required by your industry on employees’ work devices. 
  • Consider adding two-factor authentication to employees’ work devices and any tools from which they access work content. Google Authenticator, Ping ID and Authy all sync with hundreds of apps commonly used to protect data.
  • Make sure employees are aware of who can see their screens when working offsite. Screens shouldn’t be visible to others, especially when entering passwords.

One of the silver linings to the remote work cloud is the companies stepping up to provide free security resources to help organizations better protect their networks during this time.

Disinformation and Deepfakes

Even if your business is internally secure while pursuing remote work, outside threats are taking advantage of the situation. Fake news and deepfakes are at the center of this conspiracy.

A deepfake is Photoshopping for video. Using a form of artificial intelligence (AI) called deep learning, creators make videos of fake events, often superimposing faces on bodies. They’re common and convincing. 

Fake news and deepfakes can be weaponized to harm brands and undermine trust in companies and industries. It’s a possibility your company could be targeted by this disinformation while working remotely. It’s important you understand legal actions that can be taken against the perpetrators, as well as how to prepare and react to exposure of this kind.

Preparation is Your Ally

While businesses aren’t defenseless in this new remote work environment, protecting customers and individuals will require forward thinking, preparation, and diligence. Red Clover Advisors is here to help you navigate these issues and other topics as they arise. 

We’ve created The Remote Work Best Practices Guide to give you a detailed rundown of privacy and cybersecurity challenges to watch out for.

It’s a practical checklist you can implement with your remote work team today.

Please reach out if we can help explain any of these concepts or help you work through them. During this unprecedented time, we are thinking of you, your families, and your teams. We’re all in this together, and our team is prepared to provide assistance in all the ways we can.

The orchestra of privacy managementYou can’t have an orchestra without a conductor, and you can’t have a conductor without the instruments. And none of it works without music to play.

The same can be said when it comes to privacy management.

The GDPR, CCPA and other global privacy laws operate as an orchestra. The lawmaker is the composer, the conductor is the Fractional Privacy Officer (FPO), and the orchestra is the technology to implement compliance.

And just like an orchestra needs all parts – composer, conductor, and instruments – to operate, so does privacy management. You can’t have one without the other.

Being a conductor – in this case the FPO – for an orchestra isn’t a gesture to cue the music and walk away. The FPO and the technology go hand-in-hand to create a unified implementation force. It’s directionally sound and delivers a satisfying result.

 

Breaking Down The Ensemble: The Conductor

The Individual Rights Pocket GuideA conductor (privacy consultant or FPO) is essentially the interpreter for the composer (lawmakers). 

From setting the tempo to bringing the whole production to life, the FPO directs and implements the day-to-day execution of privacy compliance across global privacy laws for the organization. 

This expert also helps you create a strategy for what technology your company requires and how to integrate each piece of technology to complement the others, much like instruments in an orchestra. 

Outsourcing your privacy program management can save you time, money, and lots of headaches.

The compliance measures you established for the CCPA aren’t enough to support ongoing privacy issues and additions to the laws that inevitably arise. Checking the box once on compliance implementation isn’t going to fly with lawmakers. In fact, most require consistent and proactive monitoring.

Although many companies assign this role internally, this leaves too much room for error.

You wouldn’t see the expert violinist directing the orchestra during the symphony. So it’s not wise to pull a talented team lead into an arena they’re not trained to handle

Cue the FPO.

Timing and organization is vital for building a privacy management program. It’s not an easy task without the right technology. And it’s even more challenging when you don’t have any at all.

The FPO is responsible for the entire privacy ensemble:

  • Interpreting & monitoring privacy laws and industry updates to maintain compliance
  • Connecting and building a privacy program
  • Listening to maintain, report, and assess potential risks

Those are just some of the key aspects the Fractional Privacy Officer manages for a privacy program. But this privacy guru can’t implement a privacy strategy without the right tools. 

Every meastro needs his or her instruments, after all.

 

The Instruments of Privacy Technology

Top 5 To Dos to Make Your Digital Strategy Privacy-FriendlyWith 80+ countries having passed privacy laws, using the right kind of solutions to help automate, monitor, and implement compliance is key to finding the perfect pitch. Once you’ve mastered getting GDPR or CCPA compliance up and running, building a scalable privacy program becomes an additional layer to the foundation you’ve already built.

The instruments become the privacy technology the conductor needs to create a sustainable privacy management program.

Leveraging a full suite of solutions for compliance with GDPR, CCPA & new upcoming regulations will enable the FPO to fulfill their duties. Without both you risk data breaches, non-compliance suits, PR nightmares, and even worse, lost profits.

There’s one person who manages the technology to avoid such risks.

A key role of the FPO is to support implementation of privacy management technology. The complex landscape of privacy should be maintained by a proactive individual who understands the inner workings of the regulations, best practices, can measure effectiveness and mitigate risk before it even happens.

Privacy technology instruments are used by the FPO to:

  • Streamline data inventories & maintain continuous compliance
  • Maintain & update privacy notices & policies across digital platforms
  • Enable cookie consent banners & maintain website scan audits
  • Centrally manage & integrate consent with existing digital marketing platforms
  • Automate privacy assessments to see the impact on your business
  • Stay on top of new & existing privacy laws to manage compliance
  • Automate consumer rights requests from intake to fulfillment
  • Creating third-party risk assessments to manage vendors
  • Evaluate and strategize for new or existing products/services
  • Train team members on implementation & regulations

How would these tools be used in practice with the FPO as the conductor? 

 

Creating & Mitigating Third-Party Risk Assessments

Today, there are many tools at the FPO’s disposal to build an ongoing privacy program.

From cookie consent to performing third-party assessments, to overseeing compliance and technology, an expert can build a strong privacy program for any company. 

Third-party risk assessments are a proactive way for an expert to minimize risk before it actually becomes a red flag. The FPO can assess vendors with automated assessments to ensure they aren’t a risk for the company.

 

Review Existing Data Inventories & Update Them with any New Changes

Managing data inventories represents a critical component of compliance.

Data inventories help companies understand the data they have from start to finish. It means you understand what specific pieces of information you’ve collected about each person and vendor, and exactly where each of those pieces of information are stored. 

Using an Excel spreadsheet to a Google Doc to create a data inventory just won’t cut it anymore. There’s a massive amount of data that needs to be mapped and updated regularly. And there’s no way to create advanced reports. 

The FPO manages this entire process and the technology that automates it.

This person pinpoints what data you have, how it’s being used, and where it’s stored so the information entered is accurate, business purposes are approved and allowed per privacy regulations, and policies and individual rights processes are constructed accurately.

 

Managing an Integrated Digital Marketing Compliance Program

Leveraging a unified tool for consumer requests, cookie compliance, policies & notices and consent management can be a confusing and challenging task for your company’s marketing team to fully manage. But if anything, creating a strong digital marketing compliance program is vital to creating personalized experiences for prospects and customers. 

The laws and regulations are the least of your marketing team’s worries.

They have quotas to meet with what they think is a marketable database to reach those goals. That’s where a FPO would act as the expert to centrally implement preferences and consent across all marketing platforms. 

The danger here is thinking only using technology without an FPO will get the job done.

You still need the expert to train your team to use the technology. You need a person to safeguard what’s being captured is the right information. 

An orchestra without a conductor – without someone to teach the music and ensure it’s being played correctly – is just a jumbled mess of sound. It doesn’t work, and neither does privacy technology without an FPO.

The FPO would use his or her knowledge of the regulations to help your marketing team implement the right consent questions and policy notices necessary to collect data. The use of technology such as cookie banners and preference management pages would then be used to create a single source of truth for marketing consent. 

The combination of the privacy expert and the technology are vital to implementing the needs of your team while building a scalable program.

It takes the worry out of the hands of an individual whose day to day job isn’t privacy.

Again, you wouldn’t ask your star instrumentalist to lead the orchestra. Nor would you expect that person to understand anything but his or her own parts of the composition.

You can’t do the same thing with your marketing team, technology, and privacy management.

 

Conclusion: The Complete Privacy Management Orchestra

You need both the FPO and privacy management technology to make the orchestra of privacy compliance function. You can’t have one without the other. They’re both essential for building a strong privacy program. 

Both will create and maintain a strong foundation for GDPR, CCPA and any new privacy regulations for you to handle.

Without a designated individual to maintain the different components of technology, assigning an employee or letting the software run its course leaves room for a reactionary response for when something goes wrong. 

You need an expert in place who knows how to interpret the language, implement the technology, and can play the balancing act that lets your organization preserve trust. The role of the FPO is to navigate the privacy landscape for your company, understand the entire landscape, and determine a plan to carefully handle your data. 

Much like how a conductor uses his or her baton to direct the whole ensemble, creating a process that can be properly implemented by an FPO establishes the necessary automation and reporting you need to operate around each framework.

The FPO and technology work as one whole unit building a solid foundation. When all of the parts of the orchestra are working together it creates a beautiful sound. 

Cue the music.


FPO FAQ

If you’re not sure if you need a Fractional Privacy Officer or not, you’re not alone. Most companies ask themselves these questions to determine if it’s a good fit:

  • Do we have the knowledge to deal with complex privacy regulations?
  • Can we afford a full-time privacy officer?
  • Do we have someone who can address privacy concerns as we grow and develop new products?
  • Do we have a strategic data privacy mentor?
  • Do we have someone who can keep tabs on what has to be done for privacy compliance?

If you answered no to any of these questions, a Fractional Privacy Officer would be a wise addition to your team. And if you’re still not sure what a Fractional Privacy Officer does or if it’s right for you, our team of experts can help you decide.

Reach out today!

 

Schedule a free consult!

Third-party agreements

You’re only as strong as your weakest link.

And most companies are blissfully unaware of their weakest link when it comes to compliance with new and forthcoming privacy regulations.

This hidden danger? Third-party agreements. Truth is, they can make or break your privacy rights implementation.

Third-party vendors are fast becoming the fashion of the day. The General Data Protection Regulation (GDPR) refers to them as processors. Under the California Consumer Privacy Act (CCPA), they include true third party services, as well as service providers.

Outsourcing specialized or less intensive tasks (think technology, marketing, and IT) to experienced outside resources seems like a no-brainer. In fact, it’s proven more efficient and cost-beneficial for most companies that use it.

Because of the increasing demand for third-party vendors, the risks they bring to the table also escalate dramatically. And the responsibility for managing that liability falls fully on the company to which the third-party vendor is contracted.

In other words, you.

Paying attention to what your third-party vendors are sending – and what those third parties are doing with that data – isn’t just a suggested best practice anymore. Regulatory oversight has expanded to make monitoring sensitive data and processes of third parties critical to a company’s operational success.

If you’re a business that doesn’t have vendor evaluation and monitoring processes in place, you’re not alone. Even if you have created these elements, chances are they’re completed and managed on Excel spreadsheets. Worse, you’re probably using a one-size-fits-all approach for analyzing every vendor.

This is a huge red flag.

Not all vendors are the same. A small consulting firm won’t pose the same risks as a large IT database company. Evaluating both of these vendors on the same scale, with the same criteria, is inefficient and ineffective. It’s essential to customize third-party evaluations based on each company’s size.

Proper third-party agreements protect your company from reputational damage and inadvertently violating laws. Because third-party agreements are an essential part of regulatory compliance and can’t be overlooked, all companies should follow a complete privacy checklist to execute them consistently and accurately.

#1 – Nail Down your Vendor List

Sure, you can probably reference a list of vendors, suppliers, distributors and contractors with whom you do business. But under most regulatory guidance, the definition of a third-party vendor is more nuanced than just a simple list.

Many companies don’t understand that it covers any business arrangement between an organization and another entity, by contract or otherwise.

Under this definition, a third-party agreement includes undocumented, verbal, and hand-shake contracts. These could have been established recently or many years ago by someone who doesn’t work at your company any longer. It doesn’t matter. These contract manufacturers, brokers, agents, and resellers all count as vendors and must be a part of your evaluation of third-party agreements.

To take it a step further, some third parties actually outsource some of their own projects to additional resources. If this comes as a shock, don’t worry. It’s standard practice for vendors to do this without the consent or knowledge of the company they’re working for. However, it’s an essential piece of managing third-party agreements.

Point is, you probably have more third-party agreements than you thought. Nailing down your vendor list – including their own subcontractors – is an essential first step for privacy compliance.

#2 – Review and Update Contracts

Cybersecurity tips for small businessesThe next step on the checklist is reviewing and updating your third-party agreements. You’ll have to read through each contract to make sure it adheres to best practices for cybersecurity, data security, and privacy rights. Doubtless you’ll have to update the verbiage in these contracts to reflect privacy standards and clearly lay out duties for each entity to follow.

In order to maintain a clear definition of responsibility for data, you must follow a process to make sure all your vendors are compliant.

The first step in this process is creating and updating an evergreen inventory of security and privacy updates and requirements. You can then use this database to perform a comparable scan of each of your vendor contracts. You’ll want to hone in on specific contract terms and data processing agreements (DPAs) within contracts.

If you’re wondering if your work completed under the GDPR requirements applies for the CCPA, it doesn’t. There are specific requirements for each regulation, so you’ll need separate inventories supporting each standard.

Once you’ve extracted the outdated language from each vendor contract, it’s time to update it with the correct text. Traditionally, this has been the responsibility of the legal team and focused on data security topics. Now the privacy team also needs to have a say because of the privacy risks and stipulations so prevalent in legislation. Individual rights is an especially important part of this, with amendments limiting the use of data only to a specific purpose. Third parties must agree to honor these individual rights requests on your company’s behalf.

If the privacy team doesn’t lay out how and where data should be managed and stored, the security team can’t protect it. Because of this, all new contract language should be pre-written and pre-approved by the legal, security, and privacy teams.

Most importantly, all companies should have an established method for alerting stakeholders when vendors are subject to breaches or regulatory enforcement. The key to reviewing existing third-party agreements is to pinpoint high risk vendor relationships. When you’ve identified these organizations, you can put extra care around monitoring and preventing risks. This will ensure vendor accountability and compliance across the board.

#3 – Create a Third-Party Risk Management Process

Top 5 To Dos to Make Your Digital Strategy Privacy-FriendlyThe final task on your privacy checklist for evaluating third-party agreements is planning for the future. It’s not enough to ensure your existing vendors are up-to-snuff. You must also create a bulletproof plan for assessing, onboarding, and monitoring vendors you’ll add to your roster in the time ahead.

First, get your team on the same page. This means organizing cross-functional stakeholders from procurement, IT, finance and executives to whom the vendors will report – and privacy officers, of course – to help perform and review new third-party agreements. Next, identify the critical risk categories on which you’ll assess new third parties: strategic, reputational, operational, financial, compliance, security, and/or fraud.

Remember, you also have to make sure appropriate questions are asked to organizations based on their sizes. A simple way to determine evaluation criteria and scoring is through third-party questionnaires. These tools are lifesavers when it comes to evaluating vendors for compliance, security, and other risk factors. Non-profit privacy organizations offer high-quality questionnaires to their members. In addition, any third-party risk management software will normally include these questionnaires for free as a part of a subscription cost.

You may be surprised to learn the most important part of these evaluations is not the completion of them by the vendors in question. It’s critical the team assigned to review these questionnaires – and accept or deny the vendor – actually completes its responsibility, and does it in a timely manner. This cross-departmental group should weigh the scores based on risk impact so vendors can be categorized and prioritized in tiers.

The steps of this third-party risk management plan should be written down and kept on hand by anyone who deals with onboarding new vendors at your company. It should be followed to the letter to ensure all third-party agreements meet company and regulatory standards. And of course, ongoing training is essential. New and existing employees should complete rigorous training on the new third-party risk management process.

Conclusion: Get a Handle on Your Third-Party Agreements

Today’s consumers hold more power than ever before. If there’s an issue with how their data is being managed or used, they’re not going to point the finger at the third-party vendor responsible for the misdemeanor. They’re going to fully blame you – the vendor’s employer.

If you don’t want to get in trouble for something you didn’t do, completing due diligence with your third-party agreements is crucial.

The good news is, risk management software can help you complete this privacy checklist for evaluating third-party agreements in the least amount of time, effort and expense. It allows you to ditch the Excel spreadsheets and dusty digital files. Instead, you’ll be able to utilize a cost-effective, intuitive system that’s applicable to each new vendor.

Hiring a Fractional Privacy Officer (FPO) can also give you a leg up. This individual is adept at creating the review process, managing it from end-to-end, analyzing the assessments, and making it right inside the organization. If you’re interested in seeing how an FPO can exponentially benefit your vendor management process, we’ve got a team of experts who are well-versed in this high-risk area.

Reach out today to schedule a free consultation!

 

Schedule a free consult!

Complete 2020 Privacy Compliance Checklist

Privacy compliance is no piece of cake.

In 2019 alone, the business world saw a shakeup brought on by  a slew of new state laws and year one of the General Data Protection Regulation (GDPR) implementation. 

And the companies that came out on top had a few things in common: transparent messaging to consumers, a privacy-centric re-brand, and tricked out privacy policies that used eye-catching marketing tactics. 

We know what it took to win at privacy in 2019. But what will privacy best practices look like in 2020 and how can brands – both big and small – get it right?

To answer that question, we’ve created an authoritative guide on what to expect in the year to come and a complete 2020 privacy compliance checklist to keep you on track.

Read more

privacy best practices

2019 has been quite a year for the privacy world.

The GDPR celebrated its first birthday with a slew of fines and investigations.

The Nevada privacy law (Senate Bill 220) passed and went into effect, as well as ones for Illinois and Maine. Vermont and South Carolina followed suit with minor updates to existing laws. And in all, 24 states considered enacting data privacy laws in 2019.

Not to mention with a deadline of Jan. 1, 2020, the California Consumer Protection Act (CCPA) has ushered in a slew of preparations of its own.

With all of these privacy regulations a part of business as usual in 2019 – and more coming down the pipeline – it’s important companies look at privacy best practices as more than just a nice-to-have. It could make or break your brand in the future.

Protecting consumer rights isn’t just the law anymore. It’s a way to prove your trustworthiness to consumers.

Because it’s such an important part of how brands will function and prosper in the future, we’re highlighting the ways big and small brands alike have embraced privacy best practices in 2019. Use these examples to shape your own strategy for privacy in 2020 and years to come. Read more

The 411 on the CCPA.

What did U.S. companies learn from their General Data Protection Regulation (GDPR)-readiness exercise last year? 

That GDPR took longer than expected. 

Hopefully, they learned key lessons. They can leverage these as they face the challenges of the  fast-approaching and complex California Consumer Privacy Act (CCPA). This law is slated to take effect January 1, 2020.

That’s right. Their work is not done.

Although they have a greater advantage, they cannot assume their systems will support CCPA or any other forthcoming privacy regulations. Why? Because more than likely they focused on implementing the GDPR-type standards to European data and not to the U.S. data. 

The question on everyone’s mind is how the two privacy laws differ.

Yes, the CCPA mirrors the EU privacy law. It does this in that it allows people to ask companies what personal information is collected about them and why. Consumers can also request their data be deleted. But the differences are complex. And the requirements are somewhat nuanced.  

Regarding the collection and  sale of personal information, GDPR only allows companies to ask consumers to “opt in”  while California’s law enables consumers to opt-out.  Arguably, 

It’s the most important right the California Consumer Privacy Act provides to California residents. 

“Sale” is defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” 

That’s why the California Consumer Privacy Act requires a business that “sells” “personal information” to “third parties” to provide a clear and conspicuous link on the business’s internet homepage, titled “Do Not Sell My Personal Information.”  It also requires you to include a phone number in your privacy notice. This might change to be a phone number OR email address. An amendment is waiting in the wings.

 

The California Consumer Privacy Act is top-of-mind for businesses nationally and globally.

California is the fifth largest in the global economy. So the CCPA’s impact is expected to be global. Understand the timeline and key deadlines of the California Consumer Privacy Act. It will help you differentiate the law from the GDPR, which did not involve amendments.

  1. May 31, 2019: The last day for amendments that were introduced in the Assembly (lower house of the CA Legislature) to move out of their house of origin to the Senate for committee process. A bevy of amendments to the CCPA have wound their way through the CA Legislature. This cleared up some of the law’s murky compliance requirements. What constitutes “personal information” was a part of this. Only twelve bills survived passage through the lower house.
  2. September 13, 2019: The final day for the state Senate (the upper house) to vote amendments into the law. Industry lobbyists would like to keep pushing for more changes right up until the law goes into effect. However, that’s not to be.
  3. October 13, 2019: The final day for the governor to sign or veto any bill that survives the Senate.
  4. January 1, 2020: The CCPA is slated to take effect. The individual rights requests will start coming in around this time.
  5. On or before July 1, 2020: Enforcement will only begin six months after the adoption of the AG’s regulations – or July 1, 2020 – whichever is sooner. But don’t breathe a sigh of relief that you’ll be getting a grace period. The state can bring enforcement actions from instances of noncompliance during those first six months.

Robust aptly describes the GDPR compliance process.  “Murky”, “complex” and “flawed” are words used to describe the California privacy law. Thus the reason for the flurry of amendments submitted to give businesses more clarity before the law takes its final form.

Back-up to the beginning for perspective.

In early 2018, millionaire real estate developer Alastair MacTaggart spearheaded California’s new consumer privacy law. His original intention? Gather enough signatures to qualify a privacy initiative for the ballot in November 2018. 

Spending about $3 million of his own money, MacTaggart created a more than 33-page long initiative. Had voters approved it in November, the Legislature wouldn’t have been able to amend it in the future. This would have caused problems for stakeholders. Almost every industry recognized that the initiative had significant issues.  

So the California Consumer Privacy Act (Assembly Bill 375) is considered a compromise. This truce is between consumer privacy advocates, legislators and businesses that may have been put together too hastily. And it resulted in glaring errors.

 

Words matter in the CCPA.

We’ve already pointed out the importance of understanding the definition of “sale” in the CCPA. There are other words worth defining.

The GDPR’s scope is broad. But the CCPA has applied its rules to a for-profit “business” that does business in California. It also conforms with one or more of the following:

  • Generates an annual gross revenue in excess of $25 million
  • Derives at least 50% of its annual revenue from selling California consumers’ personal information
  • Buys, sells, shares and/or receives the personal information of at least 50,000 California consumers, households or devices
  • Controls or is controlled by an entity meeting the above criteria and shares common branding with

The definition of personal information is broad in the CCPA. It’s defined as any information about a particular Californian consumer, household or device. The non-exhaustive list of examples includes:

  • names
  • aliases 
  • addresses
  • emails
  • account names
  • social security numbers
  • medical information
  • passport details
  • IP addresses
  • phone numbers
  • PINs
  • geolocation

The California statute says a consumer is a resident of California, period. You don’t need to enter into a transaction with a person for him or her to qualify as a consumer.

 

 

Understand that non-compliance can be extremely costly to your company. 

For data breaches, consumers may be able to sue for up to $750 for each violation. Residents can also choose to bring class action lawsuits. You can seek statutory damages of up to $750 per consumer per incident. 

Doesn’t sound like much, right? That’s until you consider most privacy breaches involve hundreds of thousands of records. 

Even if you don’t have a data breach on your hands, you’re not off the hook. The CCPA can slap a $2,500-$7,500 fine on you simply for non-compliance.

For intentional violations of privacy, the state attorney general can sue at up to $7,500 each. The law requires consumers provide written notice to a business within 30 days of a violation. They can then take legal action. 

Companies have 30 days to “cure” (fix)  the issue. The law doesn’t define what a “cure” would entail. And 84% of businesses say they’re anxious as they await the clarification of  the term “cure” as it relates to violations.

You also have to consider the potential damage to your company’s reputation. Plus the subsequent loss of revenue you stand to suffer due to decreased consumer confidence caused by lawsuits.

Customers expect you to comply. If you’re not compliant, it could cost you the trust of your existing and potential customers. And the loss of trust means the very real loss of dollars on your bottom line.

 

A CCPA readiness plan at your company should be underway.

Most companies surveyed said that it  took seven months or longer to wrangle their data into GDPR compliance.  A key issue was the lack of preparedness. 

For U.S. businesses specifically,  lack of experience was key. You see, European companies,  unlike their counterparts in the U.S., have been dealing with complex and multi-jurisdictional privacy issues for 20-plus years. 

And don’t be tempted to take the “wait and see” approach until the statutory language seems more settled in September, giving business an advantage. It won’t. If anything, it’ll expand the private right of action for consumers.

Take this big step now.

Create a data inventory by surveying all aspects of your business, from Marketing to IT  to Vendor Management and all points where you receive information from any source and in any format.  

There are lots of companies that collect and rely on selling data, and they simply don’t have any record of where all that data is that’s being sold. In other words, find all the places where data could be hiding.

Companies compliant and non-compliant with GDPR may need to add a column flagging whether a data-use case involves data “selling” – a tracking of the categories of personal data transferred to third parties –  and a column indicating whether the data was only collected more than 12 months ago and therefore potentially exempt.  

That’s for starters.

 

Conclusion: These types of privacy law requirements aren’t going away. 

Let’s say you don’t fall under the GDPR or CCPA today. It’s still only a matter of time before you’ll have to transform your organization’s practices to comply with state, federal or international law. 

More and more states are gearing up for similar regulations coming down the pipeline. This includes Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota and Rhode Island. So are countries like Brazil (effective August 2020) and China

Our advice: Don’t reinvent the wheel every time there’s a new regulation. Don’t rely on piecemeal technology solutions. Instead, work closely with a technology services partner who understands the details of each regulation. 

Remember, the cost of penalties for non-compliance will likely be much higher than the cost of ensuring compliance for each customer in the long run.

Schedule a short consultation with our team of experts today. 

We’ll review your business and marketing materials to ensure they’re CCPA compliant and on time. 

 

Schedule a free consultation with Red Clover Advisors.

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]

Learn about the impact GDPR has on CISOs

Red Clover Advisors had the privilege to write an article about GDPR’s first year and what to expect in year two for the National Technology Security Coalition (NTSC) . The NTSC is a non-profit, non-partisan organization that serves as the preeminent advocacy voice for CISOs.

To see the full article, check it out here!