Stay ahead of the compliance curve by proactively prepping for the California Privacy Rights Act. 

In 2018, the European Union passed the General Data Protection Regulation (GDPR), proving to businesses around the world that consumers are not going to stop demanding increased privacy rights.

Before the ink was even dry on the California Consumer Privacy Act (CCPA), privacy advocates were already working on its replacement, the California Privacy Rights Act, or CPRA.

And while the CCPA set the standard for modern US privacy law, CPRA raised the bar even higher. GDPR, CCPA, CPRA, CPPA…if you’re feeling swamped by acronyms, keep reading.

Here’s what’s new

CPRA has a lot of similarities to the CCPA, but there are some key differences in who the law applies to and how it’s enforced:

  1. CPRA changes its threshold for businesses. (Small business owners, rejoice!)  It’s either:
    1. $25M in global revenue (this stays the same from CCPA 1.0)
    2. OR 100,000 consumer/household/device records (this is an increase from 50,000)
  2. Fines are automatically $7,500 for violations involving minors.
  3. Businesses are now restricted from selling and sharing data with third parties instead of just from selling data, closing a loophole that had been used to circumvent notification requirements.
  4. Businesses are responsible for how third parties use, share, or sell the personal information collected.
  5. Businesses are required to have an obvious “Do Not Sell or Share My Personal Information” button on their website.
  6. CPRA eliminates the 30-day cure period before businesses can be fined.
  7. Enforcement shifts from the California Attorney General (AG) to the newly created California Privacy Protection Agency (CPPA).

Differences for consumers

The whole point of CPRA is to clarify vague sections of the CCPA and expand the protections available to consumers, including:

  • Expanding the categories of information eligible for private right of action after data breaches.
  • Adding the right to correct inaccurate information companies have on them and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights.
  • Adding protections for sensitive personal information like SSNs, driver’s license numbers, biometric information, precise geolocation, and racial/ethnic information.
  • Granting consumers the right to deny both the sale and the sharing of their information.
  • Prohibiting businesses from profiling consumers in automated decision-making processes if they choose to opt-out of data collection/sharing.

What it all means

Some of these changes are a bigger deal than others. 

Whether or not you collect 100,000 records a year is pretty black-and-white. So is adding specific types of personally-identifying information (SSNs, driver’s licenses, precise geolocation, etc.) to the already CCPA-protected categories (cookie numbers, browser history, employment-related information, psychometric data, IP addresses, etc.).

More complicated is that you’re now responsible for how your third-party vendors use the information you’ve collected. This means you need to go back and review not only how you handle data, but how your vendors handle it as well.

Another major change that CPRA introduces is the creation of the California Privacy Protection Agency (CPPA). Instead of relying on the already unwieldy, overburdened AG office for enforcement, the CPPA will dedicate significant resources, both financial and staffing, to handling civil actions and enforcement.

This increased oversight is a double-edged sword. On the one hand, businesses are likely going to be given very clear guidance to help them understand regulatory requirements. But on the other, companies can also expect robust auditing and enforcement, especially since CPRA adds liability if a data breach occurs and a consumer’s email address and either password or security question/answer is compromised.

Keep reading to learn how you can manage everything that is heading your way.

Here’s your to-do list

Check out our eight steps that can help you be CPRA-compliant.

1. Plan your compliance strategy

The biggest thing everyone has going for them is that CPRA doesn’t take effect until January 21, 2023. You have almost two full years to prepare and get your ducks in a row. Take advantage of it.

If you start working on it now, you have time to break your strategy into manageable pieces that won’t overwhelm your teams or your systems, letting them drink from a drinking fountain instead of a privacy firehose. 

Starting now also allows you the opportunity to truly build a great program, one that is agile and goes beyond just compliance to truly establish you as a forward-thinking, consumer-focused leader.

2. It’s all hands on deck

A good privacy program doesn’t depend on IT for everything. You should incorporate every function in your organization, from HR to legal to operations to marketing, in the development and execution of your compliance program. Identify team members from different departments and form a committee that can help share the work. 

3. Get what you need

If you’re already CCPA compliant, you’ll likely be able to complete this step by making small changes to your existing processes.

If you aren’t CCPA compliant yet, having a good compliance strategy is crucial to making this step work. Do you need to upgrade your IT infrastructure or buy new software? Do you need a consultant to help you understand the ins-and-outs of your responsibilities?  Do your employees need to be trained (or re-trained)?

Don’t feel like you need to become a privacy guru or that you need to manage compliance on your own. Resources and professionals exist to help you, and starting now gives you time to find the ones that fit your needs and budget.

4. Organize your data

Once you have a strategy, a first-rate privacy team, and the tools you need, you’re ready to start the hard work. Hands down, the biggest challenge CPRA presents is creating an efficient data inventory and effective workflows for managing the individual rights requests that will inevitably come your way.

This is, in part, because CPRA has changed what constitutes sharing and selling data. If you have been sharing data with advertisers for cross-device tracking or ad targeting, you now have to disclose that and give consumers a way to opt out of it.

That means keeping close tabs on what you’ve got going on, datawise. You need to know what you’re selling and what you’re sharing because CPRA is un-blurring the lines between the two activities. The best strategy for data clarity? A thorough data mapping project. (See below for where to start.)

To do this well, you should complete (or update) your data mapping processes. Data mapping will expose any gaps you have in your data collection practices by showing you what type of data you are collecting, who you are collecting it from, where/how long it’s being stored, and who it’s being sold to or shared with. All of that information is critical to establishing and maintaining CPRA compliance.

Side note: Are you a sensitive data collector? Under CPRA, you need to have clear business purposes for using it. You need to know what you have because the restrictions and requirements around usage may differ. So double down on your data mapping efforts if this applies to you. 
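As an added illustration (not from the original post or from Red Clover Advisors), here is a small Python model of the data inventory this step describes, with checks for the CPRA points raised above: the applicability thresholds, sensitive categories needing a stated business purpose, and sold-versus-shared recipients that must sit behind a “Do Not Sell or Share” opt-out. The record fields and sample rows are constructed assumptions, not a real inventory.

```python
"""Constructed example: a minimal CPRA-oriented data inventory with gap checks."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Categories the post lists as "sensitive personal information" under CPRA.
SENSITIVE_CATEGORIES = {
    "ssn", "drivers_license", "biometric", "precise_geolocation", "racial_ethnic",
}


@dataclass
class InventoryRecord:
    """One row of the inventory: what, from whom, where/how long, and to whom."""
    category: str                    # e.g. "email", "precise_geolocation"
    source: str                      # who it's collected from, e.g. "website_signup"
    storage: str                     # where it lives, e.g. "crm_db"
    retention_days: Optional[int]    # None means no retention period has been set
    sold_to: List[str] = field(default_factory=list)      # third parties it is sold to
    shared_with: List[str] = field(default_factory=list)  # third parties it is shared with
    business_purpose: str = ""       # required for sensitive categories
    opt_out_offered: bool = False    # is a "Do Not Sell or Share" control in place?


def cpra_applies(annual_revenue_usd: float, consumer_records: int) -> bool:
    """Applicability thresholds as stated in the post: $25M global revenue OR 100,000 records."""
    return annual_revenue_usd >= 25_000_000 or consumer_records >= 100_000


def find_gaps(inventory: List[InventoryRecord]) -> Dict[str, List[str]]:
    """Map each category to the gaps a data mapping exercise should surface for it."""
    gaps: Dict[str, List[str]] = {}
    for rec in inventory:
        problems = []
        if rec.retention_days is None:
            problems.append("no retention period recorded")
        if rec.category in SENSITIVE_CATEGORIES and not rec.business_purpose.strip():
            problems.append("sensitive category without a stated business purpose")
        # CPRA treats sharing (e.g. for cross-device or ad targeting) like selling:
        # both must be disclosed and covered by an opt-out.
        if (rec.sold_to or rec.shared_with) and not rec.opt_out_offered:
            problems.append("sold/shared without a Do Not Sell or Share opt-out")
        if problems:
            gaps.setdefault(rec.category, []).extend(problems)
    return gaps


def recipients_by_activity(inventory: List[InventoryRecord]) -> Dict[str, List[str]]:
    """Keep 'sold' and 'shared' recipients separate so the two activities stay un-blurred."""
    out = {"sold": set(), "shared": set()}
    for rec in inventory:
        out["sold"].update(rec.sold_to)
        out["shared"].update(rec.shared_with)
    return {activity: sorted(names) for activity, names in out.items()}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    InventoryRecord("email", "website_signup", "crm_db", 730,
                    shared_with=["ad_network_a"], opt_out_offered=True),
    InventoryRecord("precise_geolocation", "mobile_app", "analytics_warehouse", None,
                    shared_with=["ad_network_a", "attribution_vendor"]),
    InventoryRecord("ssn", "payroll_onboarding", "hr_system", 2555,
                    business_purpose="tax reporting"),
    InventoryRecord("browser_history", "website_cookies", "analytics_warehouse", 90,
                    sold_to=["data_broker_x"]),
]

if __name__ == "__main__":
    print("CPRA applies:", cpra_applies(annual_revenue_usd=4_000_000, consumer_records=120_000))
    for category, problems in find_gaps(SAMPLE_INVENTORY).items():
        print(category, "->", "; ".join(problems))
    print(recipients_by_activity(SAMPLE_INVENTORY))
```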

5. Understand individual rights

Again, if you’re already CCPA compliant, updating your processes to manage the new categories of sensitive personal information and the new timelines for request acknowledgment and resolution is totally doable.

If you’re starting from scratch, it’s still totally doable. It will just take a little more effort. CPRA requires you to be able to respond to individual requests from consumers who want to access, delete, or correct the data you have collected about them. Consumers have the right to opt-out of having their information shared or sold and to limit the use and disclosure of sensitive information. 

To do all of that, your data collection needs to be specific and limited. Your data mapping needs to be spot on. And you need to have really solid processes (that you have really trained your employees on) for responding to these requests.

One of the best ways to manage individual rights requests is to build a one-stop privacy shop called a preferences center. A preferences center allows consumers to see your privacy notice, manage their data, and submit requests without having to scour your site map for your business practices and contact information. A well-designed preferences center also virtually guarantees that you are CPRA compliant.

6. Strengthen your security

Like CCPA, CPRA requires companies to take “reasonable security measures” to protect the data they collect. But CCPA didn’t give much guidance on what those security requirements needed to look like. 

CPRA isn’t super specific either, but it does require that businesses whose processing presents a significant risk to sensitive information submit regular risk assessments and annual cybersecurity audits to the new CPPA. Taking the time to set up those processes ahead of time allows you the time you need to make sure they work and to fix any problems they find before CPRA is enforced.

CPRA’s stronger right of action and dedicated enforcement agency mean it’s far more likely than ever before that bad actors won’t be the only ones on the business end of administrative actions. Even accidental mistakes can be costly, which is why you need to give yourself time to build a strong, proactive program. If you can demonstrate you’ve done your level best to comply, you’re far more likely to have regulators work with you if there is an issue.

7. Check your privacy notices

Complicated regulations that vary by location mean standard cut-and-paste privacy notices just won’t cut it anymore. Additionally, the trend right now is to move away from dense, purposefully incomprehensible legalese toward customized, user-friendly privacy policies that clearly demonstrate what you are doing to protect your users.

And remember—CPRA requires your privacy notice to be front and center on your website. 

8. Train, train, and train again.

Your compliance program is only as strong as your employees’ understanding of it. Even if you are CCPA compliant, your employees will still need to be retrained. If you start now, you’ll be able to do this training in small chunks over the next two years instead of dumping a giant new manual on your employees right before CPRA goes into effect and hoping no one makes a mistake.

Training can happen more than once a year. You don’t need to only block off two days for a privacy symposium. You can also set aside a few hours once a quarter, ten minutes in a weekly staff meeting, or five minutes to write a team email. It all adds up.

9. Go brag!

Okay. You have a compliance strategy that is being executed by a top-notch cross-functional team. Your consulting team has helped you get the right software to map your data and build effective processes for responding to individual rights requests. Your team has closed the loopholes they found after the risk assessment. You’ve got a preferences center and your employees could answer Double Jeopardy questions about your user-friendly privacy notice.

Now what?

Now you go tell people!

You’ve spent a lot of time and effort getting compliant, and you should be getting credit for it. Companies that have a proactive privacy program can use that as a differentiating factor, especially since an increasing number of consumers have proven they will switch companies or providers over data collection and sharing practices.

So instead of hiding your privacy notice, flaunt it by:

  • Building an easy-to-understand section on your privacy program into your website.
  • Including your commitment to consumer privacy in marketing you put out about other social justice initiatives.
  • Writing opinion pieces and guest posts about the intersection of privacy, e-commerce, and advertising.
  • Establishing yourself as a leader by having your privacy team create a presentation for business conferences and industry meetings on how you made privacy work.
  • Training your customer service employees to bring up your commitment to privacy in their user interactions, à la Southwest Airlines’ “We know you have a choice when flying. Thanks for flying with us” flight attendant speech.

Don’t get overwhelmed. Just get to work.

Rome wasn’t built in a day. Neither is a strong privacy program. Privacy compliance can feel overwhelming, especially when it changes every few years. But every step you take makes it less overwhelming, especially when you give yourself time to do it right.

Three years ago, companies across the globe were scrambling until the very last minute to get GDPR-compliant. Even with a two-year runup, GDPR was the first regulation of its kind and no one knew what they were doing.

That isn’t the case this time around. You can do it. And we can help.

Red Clover Advisors is here to keep you moving towards compliance. We can help you with whatever part of the process feels like too much.

Drop us a line today and let’s get started.

“Regarding social media, I really don’t understand what appears to be the general population’s lack of concern over privacy issues in publicizing their entire lives on the Internet for others to see to such an extent… but hey it’s them, not me, so whatever.” Axl Rose

Yes, that quote is really from Axl Rose. 

As in Axl Rose, the lead singer of Guns N’ Roses.

When the frontman for the “most dangerous band in the world” starts talking about data privacy, you know the issue is part of the cultural zeitgeist.


Big tech companies have a big problem

Machine learning happens when software programs “teach” themselves by using algorithms to extract and analyze a lot of data. And you may not realize it, but advances in machine learning have changed everything about our digital experience.  

Voice-recognition assistants like Siri and Alexa use machine learning to recognize commands. 

Social media and streaming platforms use it to recommend connections and content. 

Banks rely on machine learning to detect fraudulent activity and identify scams. 

Machine learning allows educational software to customize sessions for each student.

Basically, machine learning makes our lives markedly easier. But this ease comes at a tremendous cost.

Because machine learning requires a tremendous volume of incredibly detailed and frequently updated user data, technology companies tend to conveniently “forget” about privacy, leaving discussion of their privacy policies and programs until the last afternoon of a weekend retreat at the end of the year.

And so, often without even realizing it, technology leaders set themselves up to fail.

Privacy (by Design, that is)

Were you thinking about privacy when you founded your startup? 

It’d be great if the answer was a wholehearted “YES!” but even if you’re just now joining the party, there are still lots of ways to make privacy a guiding light for your tech company. Where do you start? Consider Privacy by Design.

Privacy by Design, a concept originated by the former Information and Privacy Commissioner of Ontario, Ann Cavoukian, operates on seven core principles: 

  • Being proactive, not reactive
  • Making privacy the default setting
  • Embedding privacy into the design of all things
  • Full functionality, with privacy built in
  • End-to-end security
  • Visibility and transparency for all stakeholders
  • Respect for user privacy

While Privacy by Design is actually required for website developers under the EU’s General Data Protection Regulation, it’s also important for tech companies to consider. It provides the opportunity to refocus products, operations, services—really, anything in the scope of their business—on their users’ right to privacy. It doesn’t need to be any more complicated than having a finance department that handles payroll or a marketing department that sends out email.

When done correctly, it’s just part of the process. 

Social media

You’d think after watching Mark Zuckerberg get hauled into a Congressional hearing after the Facebook/Cambridge Analytica scandal that other social media CEOs would make privacy a priority. But so far, they seemingly haven’t.

Clubhouse, the newest social media app taking the world by viral storm, is a prime example of tech companies putting profits before privacy.

Clubhouse is a free, audio-only app that is kind of like an old-school conference call, except that anyone in the world can join in on conversations hosted by experts on topics ranging from cryptocurrency to Real Housewives to immunology. Going from two million users in January 2021 to 10 million by February 2021, Clubhouse is so popular you have to be invited by a current user to even access the platform.

At first glance, Clubhouse seems like it would be a privacy dream. No video. Nothing is recorded. Hosts can kick trolls out of their rooms, block people from joining, keep people from speaking…it feels like Twitter and Facebook had a baby, gave it a flip phone instead of a smartphone, and set strict house rules for inviting friends over. 

But the reality is much more complicated.

Right now, Clubhouse allows new users to invite two friends to join the app. But to invite those two friends, users have to give Clubhouse access to all their contacts. 

All of them. 

Let’s say you, a privacy-savvy consumer, decide to join Clubhouse but are smart enough to protect yourself and your friends by not sharing your contacts. You don’t invite anyone. That doesn’t mean you’re safe lurking anonymously in the back of Clubhouse chat rooms. Once you sign up, Clubhouse notifies everyone who has you in their contacts that you are there, even if they aren’t in your contacts.

Facebook has updated its privacy settings and given its users more options for protecting their profile. Instagram now allows ‘Grammers to manage which and how many photos the app can access. Twitter allows you to change the privacy settings for each tweet. All three apps require an email address, and while they offer phone number verification, you don’t have to give them your phone number to use the platforms.

Clubhouse has none of those options.

You have to give Clubhouse your phone number. The app also doesn’t have great options for moderating or removing hate speech and dis/misinformation (they say they’re working on it). On February 24, 2021, Clubhouse confirmed their security had been compromised and hackers had figured out how to live-stream feeds from multiple rooms. According to Business Insider, the Stanford Internet Observatory (SIO) found some of Clubhouse’s back-end infrastructure was transmitting audio and data traffic without encryption.

Everything but the kitchen sink

We’ve gotten so used to companies taking data from us for everything that everyone, from users to Clubhouse engineers themselves, probably doesn’t even realize the risk this type of sweeping, all-encompassing data collection practice exposes everyone to. Consumers put themselves at risk of having their identities stolen, identifying information exposed, and accounts hacked.

And for businesses, freewheeling data and privacy policies can cause lasting and permanent damage. Take a look at American Express’ list of seven risks every business should plan for:

  • Economic
  • Financial
  • Reputation
  • Operational
  • Competitive
  • Compliance
  • Security

With increasing privacy legislation like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), companies that don’t give their privacy program the same consideration as their human resource, financial, and legal policies are taking on risk in every single one of these categories.

The CCPA levies civil penalties of $7,500 for intentional violations of its restrictions and $2,500 for each unintentional violation. This means that if you wait to shore up your privacy policy and you get caught not being able to tell a consumer what data you’ve collected from them, or if your users’ personal data is exposed after a hack, you can accidentally cost your company tens of thousands of dollars. The law also allows the California Attorney General to seek an injunction against and halt business operations of offenders.

While the CCPA is the first and most aggressive privacy law in the United States, it definitely won’t be the last. States across the country either have passed or are considering a multitude of privacy laws, including some that are more robust than anything California has enacted. Privacy rights are the wave of the future, and waiting to do something about it increases the risk you’ll fall afoul of regulatory requirements.

Is there another part of your enterprise that you’d leave so vulnerable?

Don’t leave your door unlocked, and don’t expect IT to lock all the doors either

In 2015, Apple CEO Tim Cook gave a speech about privacy and security. It’s a great speech that provides some key insights into a mind that is shaping the world’s tech future. Even five years later, there’s a quote that still stands out:

 “If you put a key under the mat for the cops, a burglar can find it, too.”

And since then, he’s spoken about the imperative for the digital marketing market to stop horning in on people’s privacy. At the Privacy & Data Protection conference in January 2021, he said:

“As I’ve said before, if we accept as normal and unavoidable that everything in our lives can be aggregated and sold, we lose so much more than data, we lose the freedom to be human. And yet, this is a hopeful new season, a time of thoughtfulness and reform.”

With this, Cook is highlighting how mission-critical privacy is for companies. When companies put sales and revenue growth ahead of privacy and security, they are taking on as significant a business risk as leaving their offices unlocked.

Luckily, you don’t have to be a privacy expert or a tech genius to take real steps to protect your company.

Prioritize privacy

Smart companies protect themselves by making their privacy program part of their core operations. Human resources, legal, financial, product and engineering, operations, and IT departments should be working collaboratively on workflows and processes that integrate forward-thinking data privacy policies across the entire organization. If you need help figuring out how to start, check out our privacy strategy, privacy compliance, and fractional privacy officer services. 

Train. And then train again.

Going along with the theme that every department should be part of developing your privacy program, it won’t do you any good to create the most amazing privacy program in the world if your employees don’t understand it. Privacy training doesn’t have to be full-spectrum seminars (but it can be!). Weekly email reminders, a quick agenda item in regular staff meetings, and small sections in a newsletter are all great ways to reinforce your expectations.

Less is more

One reason you need every department involved in your organization’s privacy work is you need to figure out exactly what data you need from users and employees to optimize your systems. And then you need to collect exactly that and nothing else. Limiting data collection decreases both your risk and your data storage costs while simultaneously making it easier for you to manage an agile response to changes in privacy regulations and best practices.

Sell it!

For some reason, even though they sacrifice privacy for sales and growth, everyone seems to forget that being privacy-friendly gives you a competitive advantage. You need to use it.

Remember that Tim Cook speech referenced earlier? Check out what else he said:

“I’m speaking to you from Silicon Valley, where some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

Apple doesn’t need privacy to differentiate itself. They launched our modern smartphone culture, made everyone a photographer, forever altered software development and distribution, and changed the way we access the internet. But they are smart enough to see that while everyone is willing to invest in developing the next generation of big data tech, far fewer companies are willing to put their resources towards protecting that data.

Google Chrome controls 69% of the browser market and has a much higher usage rate than Apple Safari, but Apple was first to eliminate third-party cookies. They require software developers to include privacy labels detailing what type of data is collected for every app sold in the App Store. In short, Apple’s forward-thinking privacy policies have allowed them to continue changing their industry, even as other companies catch up technologically.

Your company can be like Apple. You can go beyond what is legally required to give your consumers maximum control of their personal information. And then, like Apple, you can control the conversation. 

Keep your eyes on the prize

Don’t get lost in the race to create and sell the best tech. Make sure you remember that your consumers are not your product. Their trust is the product that will make you perpetually profitable.

If you need expert help matching your privacy program goals to what is actually happening in your company, get in touch today and let Red Clover Advisors show you how easy and affordable privacy compliance can be.

Privacy regulations may seem like they’re making your job harder. But when done well, privacy compliance will improve your digital marketing program.

I find myself calming down a digital marketer afraid new privacy regulations will destroy their business almost every day. As a data privacy expert, my job is to help them see how increased privacy oversight can actually help them be better at their jobs. 

Here are my top four data privacy tips for digital marketers:

  1. Figure out which regulations apply to you.
  2. Focus your data collection.
  3. Automate your data management workflows.
  4. Market your privacy program as something that differentiates you from competitors. 

Figure out what applies to you

Risk comes from not knowing what you’re doing. –Warren Buffett

GDPR? CCPA? PECR? PIPEDA? POPIA? LGPD?

Because privacy regulation requirements vary greatly based on where you operate, where your users live, and what type of business you are, you need to figure out which law applies before you even look at your privacy notice or talk about data collection.

Are you a US-based company focused on US customers?  Do you have clients from Europe or Canada? What about California? Are you a B2B company or B2C? A scoping exercise can give you the answers you need to determine whether you need to build an opt-in or opt-out system, what your privacy notices need to look like, and how you can use the data you collect.

Update your privacy policies and cookie banners

Here’s a tip: ditch the dense legalese in your privacy notice and cookie banners.

If the point of consumer data privacy laws is to shine a light on data collection practices, don’t be the company turning off the light switch. Tell your consumers what information you are collecting, why you’re collecting it, what you’re doing with it, and who you’re sharing it with. Keep it simple, short, and easy to understand.

One more tip: Unless that business is going to be the one paying the fines for your violations, your privacy notice shouldn’t be lifted from another website.

Do a risk assessment

Regardless of where you are in your data privacy journey, I always recommend you complete a risk assessment. A good risk assessment will prove you can back up your privacy notice promises by showing you where your data is vulnerable, which vendors need to up their game, and what steps in your crisis response need extra attention.

Focus your data collection

Just because you can measure everything doesn’t mean that you should. –W. Edwards Deming

For years, MarTech has been focused on coming up with new ways to analyze and parse big data. But with consumers demanding more control over their personal information, it’s time marketers start thinking about how to use small data as well.

As a business owner, you need to understand that every piece of personal information you collect but don’t need exposes you to unnecessary risk. Irrelevant data points also increase the likelihood that you will be building marketing programs around bad, inaccurate, and/or outdated information.

With most internet browsers banning third-party cookies (cookies someone else, like a vendor, puts on your website), your marketing program should also consider shifting its collection efforts to first-party cookies (cookies you put on your website yourself) so you have more control over the quality and security of your data.

Spend some time with your marketing, operations, and IT teams figuring out what consumer data is critical to your operations and shift your focus towards collecting it accurately and storing it safely. A data mapping exercise, where you follow a data record through its lifecycle in your system, can give you a good idea of what type of information is most valuable to your organization.

Take advantage of automation to maximize small data

We have technology, finally, that for the first time in human history allows people to really maintain rich connections with much larger numbers of people. –Pierre Omidyar

The biggest upside to the explosion of data privacy regulations (besides consumer rights) is that there are hundreds of options for automating your privacy and digital marketing compliance program. No matter which regulation you are subject to or how big your company is, there is a program for you.

Using AI to manage your cookies, privacy notice notifications, and consumer sorting for communications will reduce the risk of human error. AI can also simplify workflows and improve your analytics capabilities, increasing the serviceability of your data.

Don’t sell your data. Sell your privacy program.

Marketing used to be about making a myth and telling it. Now it’s about telling a truth and sharing it. –Marc Mathieu

A proactive, privacy-friendly marketing program is a built-in marketing opportunity. Expanded privacy in marketing is still a new business area, and early adopters can tout their experience and commitment to consumers as a differentiator. 

Make sure your customers (and your potential customers) know about what you are doing to protect their privacy, and they’ll reward you with their loyalty.

What the Spice Girls can teach you about the intersection of privacy and business.

A preference center can help you fine-tune your marketing, get compliant with privacy regulations, and build customer trust. So why don’t you have one?

I won’t be hasty, I’ll give you a try, but if you really bug me then I’ll say goodbye

When, how, and how often to contact your users is the magic formula businesses have been trying to crack for years without realizing the answer was right in front of them the whole time: let your customers tell you.

New privacy regulations are forcing companies to battle these same types of questions. What data can I collect from my users? How much do I need to tell them? Instead of hoping to find a silver algorithm bullet, just ask your users.

Consider the following:

There is a clear through-line between how people feel about data privacy and how they act as consumers. If you don’t let your users tell you what they really (really) want, they’ll kick you to the curb.

Now you know how I feel! Say you can handle my [data]? Are you for real?

Like Sporty and Baby Spice say—saying you know how your consumers feel and backing it up are two very different things. Building a preference center puts your money where your mouth is.

A preference center is a dedicated page in your app or on your website that allows consumers to tell you:

  • What information they are okay with you collecting
  • What they will allow you to do with that information
  • How often you can contact them
  • Which of the data you’ve collected about them is wrong, so that you can correct it

Creating a preference center requires an investment of your time and resources, but it pays off in a big way. More than 40% of companies with strong privacy programs see benefits at least twice that of their privacy spend. A preference center will:

  • Help you be compliant with existing and proposed privacy regulations like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Virginia’s Consumer Data Protection Act
  • Improve your ability to build accurate, real-time data sets by detoxing your data
  • Establish your reputation as a leader in consumer protection and data privacy
  • Protect against costly data breaches

So, how do you build a preference center? It’s easier than you think.

Now don’t go wasting my precious time. Get your act together and we’ll be just fine.

It’s possible to build a responsive, user-friendly preference center regardless of how big your company and budget are. Here are three critical steps for a privacy program that gives consumers what they really (really) want.

1. Create a data inventory

Two important points:

  • You can’t tell your users what types of data you are collecting and what you’re doing with it if you don’t know what data you have. 
  • The days of collecting anything and everything about your users are long gone, thanks to increasingly robust privacy regulations. 

A data inventory is a single-source-of-truth record of all your data assets that allows you to track a data record’s full lifecycle through your system. It tells you what you’re collecting, how and why you’re collecting it, and where you’re storing it. 

In short, it’s the most valuable thing you can do to improve your privacy program. 

It can give you pinpoint clarity into your users because it forces you to sit down and figure out what information your operation actually needs to function. 

Getting rid of the extra stuff means that even though you may have less data, what you have is more useful.

2. Be transparent & set expectations

Once you know what you’re collecting and why, you’re ready to revamp your privacy notice. 

Ditch your dense legalese. Be straightforward about why you need or want the data you collect and how having it will build a better user experience, and then place your new notice prominently on your homepage and in your preference center.

One note about your preference center—it should be a single page with easy-to-use opt-out or opt-in buttons. Make it clean and simple for a quality user experience.

3. Sell it! (Your work, not the data)

Doing all this work won’t do much good if people don’t know you’ve done it. Make a marketing push that tells your users all about how you built this amazing preference center just for them. Drill messaging that demonstrates your commitment to privacy, and you’ll build up priceless reservoirs of consumer trust.

4. Make their choices meaningful

When it comes to preference centers, it’s time to think beyond the unsubscribe button. Yes, you should let them unsubscribe, but preference centers are more than that. Give your customers real choices in how they interact with you:

  • Do they want emails? How often? And what kind?
  • Would they like to get SMS messages instead of emails?
  • Direct mail or in-person solicitation? Why not!

When you let them dictate the terms of engagement, you’ll get more useful information from them while establishing brand loyalty. 
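The data inventory from step 1 and the preference center from step 4 are where this procedure turns into something enforceable. The following Python is an added example, not code from the original post: it keeps a tiny inventory of data elements (why each is collected, where it lives, how long it is kept) and a gate that is checked before any marketing message goes out. Every inventory entry, retention period, channel name and the sample consent record are constructed for the demo.

```python
"""Added example (not from the original post): a minimal data inventory and a
preference-center gate that is checked before any marketing contact goes out.
Field names, retention periods and the sample consent record are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Step 1: the data inventory. One entry per data element: why it is collected,
# where it lives and how long it is kept (values are assumptions for the demo).
DATA_INVENTORY: Dict[str, Dict[str, object]] = {
    "email": {"purpose": "login; marketing email", "store": "users_db", "retention_days": 730},
    "phone": {"purpose": "SMS marketing (opt-in only)", "store": "users_db", "retention_days": 730},
    "order_history": {"purpose": "fulfilment and support", "store": "orders_db", "retention_days": 2555},
}

# Which inventory element each contact channel depends on (assumed mapping).
CHANNEL_FIELD = {"email": "email", "sms": "phone", "direct_mail": "postal_address"}


@dataclass
class Preferences:
    """What the consumer told us in the preference center (constructed schema)."""
    channels: Set[str] = field(default_factory=set)   # channels they opted in to
    topics: Set[str] = field(default_factory=set)     # what they want to hear about
    max_per_week: int = 1                             # contact frequency cap
    recorded_at: Optional[datetime] = None            # when the choice was captured


def inventory_violations() -> List[str]:
    """Step 1 check: every channel we might use must map to an inventoried element.
    Anything returned here is data we would be using without knowing we hold it."""
    return [f for f in CHANNEL_FIELD.values() if f not in DATA_INVENTORY]


def may_contact(prefs: Preferences, channel: str, topic: str,
                sent_log: List[datetime], now: datetime) -> Tuple[bool, str]:
    """Step 4 check: deny unless the consumer's own choices allow this message.
    sent_log holds timestamps of messages already sent to this person."""
    needed = CHANNEL_FIELD.get(channel)
    if needed is None or needed not in DATA_INVENTORY:
        return False, f"channel {channel!r} relies on data we do not inventory"
    if prefs.recorded_at is None:
        return False, "no consent on record"
    if channel not in prefs.channels:
        return False, f"no opt-in for channel {channel!r}"
    if topic not in prefs.topics:
        return False, f"topic {topic!r} not requested"
    recent = [t for t in sent_log if now - t < timedelta(days=7)]
    if len(recent) >= prefs.max_per_week:
        return False, "weekly frequency cap reached"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run the gate against a constructed consent record."""
    now = datetime(2021, 6, 1, 9, 0)
    prefs = Preferences(channels={"email"}, topics={"new_products"},
                        max_per_week=1, recorded_at=now - timedelta(days=30))
    sent = [now - timedelta(days=2)]  # already emailed this week
    return {
        "email_capped": may_contact(prefs, "email", "new_products", sent, now)[0],
        "email_ok_next_week": may_contact(prefs, "email", "new_products", sent,
                                          now + timedelta(days=6))[0],
        "sms_denied": may_contact(prefs, "sms", "new_products", [], now)[0],
        "direct_mail_denied": may_contact(prefs, "direct_mail", "new_products", [], now)[0],
    }


if __name__ == "__main__":
    print("inventory gaps:", inventory_violations())
    print(demo())
```

The design point is that the gate fails closed: a channel that depends on a data element missing from the inventory is refused before consent is even consulted, which is exactly the "you can't tell users what you collect if you don't know" problem from step 1 surfacing at runtime.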

You have got to give

When done well, privacy goes beyond regulations and cookie banners. It establishes trust with consumers because it recognizes that they’re people, not data sets. They have preferences and needs of their own. 

Using a preference center may seem like a small thing, but it tells your customers that you care about what they want out of the relationship. 

And in the immortal words of the Spice Girls, that kind of friendship never ends.

Privacy compliance is a long road. Luckily, you don’t have to go it alone.

Privacy management software can help you set up a robust privacy program. But without a privacy expert, you will be driving blind.

If privacy laws had a relationship status, it would be “It’s complicated”

If you’re reading this article, chances are you know at least the basic outline of today’s data privacy landscape. Maybe you are already compliant with the European Union’s General Data Protection Regulation (GDPR), or maybe you’re in charge of managing a California Consumer Privacy Act (CCPA) compliance program. 

Maybe you are really on top of things and are heading up a project to be ready for the 2022 California Privacy Rights Act (CPRA) rollout.

But even if these acronyms don’t mean anything to you (yet), you recognize that companies need strong data privacy programs to stay competitive in the marketplace.

The California State Legislature and the EU General Assembly were the first governing bodies to pass modern, aggressive privacy laws, but they definitely won’t be the last. Right now, dozens of states are considering California-esque bills that will continue the trend of giving consumers more control over how their personal information is collected and used online well into the next decade. 

While the laws vary across jurisdictions, there are some common themes including:

  • Expanding the definition of what’s considered “sensitive personal information” beyond names, birthdays, and SSNs by adding things like your phone number, health information, sexual orientation, religion, political affiliation, etc.
  • Giving consumers a way to deny permission to have their sensitive personal information collected, shared, or sold
  • Requiring companies to provide transparent and understandable privacy and cookie notices at or before the time they collect personal data
  • Mandating companies take reasonable security measures to protect consumer data
  • Levying harsh civil, even criminal, fines and punishments for noncompliance or if data breaches result in consumers’ personal information being exposed

So if you’re here and reading this, you know enough to know you probably need help to manage it all.

The United States is a melting pot — and so are its privacy laws

Unlike the EU, which took a unilateral approach to defining privacy law for all member states—although it should be noted that member states do have unique laws pertaining to data privacy on top of them—the United States has adopted a sectoral approach to privacy, meaning that unless the data is part of a federal regulation like HIPAA, privacy and data protection laws are by and large driven by individual states.

Because so much of our nation’s economy and tech infrastructure comes out of California, most large corporations complied with CCPA regulations. This new best-practice standard shifted consumer expectations, leading to a domino effect of mid-sized and small businesses following suit.

But other states are now working on their own laws, making internet privacy the wild west, with each town having a different sheriff.

And the digital world isn’t going anywhere anytime soon. In 2020, consumers dropped a cool $861.12 billion in e-commerce sales with U.S. merchants alone. The Internet of Things continues to drive technological advancements. 

Companies increasingly need a data privacy expert to guide them through the unmarked places on the map.

Enter Privacy as a Service (PaaS).

PaaS is your own personal privacy butler

Batman’s butler, Alfred Pennyworth, makes Batman’s life so much easier. Working quietly behind the scenes, Alfred keeps the Batmobile tuned up, the suits ready, and the gadgets loaded. He is the reason Batman can swoop down into the Batcave and rush out to save Gotham without thinking twice.

If you do business in multiple jurisdictions, have a complicated privacy program, or manage large amounts of personal data, PaaS (also known as Data Protection as a Service or DPaaS) can be your Alfred.

PaaS is a software platform that offers products and services to help you operationalize your company’s privacy program. It can be a real lifesaver for companies that don’t have a dedicated privacy team.

Privacy management groups like OneTrust build solutions that use advanced machine learning to help you build a program that complies with whatever privacy regulations affect you while simultaneously helping you be smarter about your data collection. 

Assessments and mapping and permissions, oh my!

Here is what PaaS can do for you:

  • Conduct privacy impact/data protection impact assessments for automating privacy processes
  • Map your data and help you collect a data inventory (data inventories, required by many new legislations, make it possible for you to remove/correct consumer data more easily and accurately)
  • Identify and predict risk and other weak points in your processes
  • Create and deploy privacy notifications, cookie consent banners, etc. with the standard contractual clauses required by law
  • Establish least-privilege access permission structure
  • Manage app consent processes on mobile devices
  • Automate breach incident actions and notifications
  • Onboard vendors and mitigate the risks they pose
  • Establish compliance with laws and regulations across multiple jurisdictions

It’s important to note that, while as close as cousins, PaaS programs are not the same thing as cybersecurity. The best privacy programs integrate privacy solutions into their larger cybersecurity plan.

But Alfred can’t be Batman…

I rarely tell clients that investing in privacy management software is a bad idea. 

But I also rarely tell them it’s all they need.

Anyone who has tried to get Siri or Alexa to answer a nuanced question knows that machine learning and AI have their limitations. Privacy management software is critical for companies to set up automation that can help with the privacy process, but if you don’t have a privacy expert guiding you through the process, well, you might as well hand the Batmobile keys and the Batarang to Alfred and send him off to save Gotham from the Joker.

The Joker (hackers, data thieves, and general internet bad guys) will win.

But if you combine the technology from the Batcave (privacy management software) with the experience and knowledge of Batman (your privacy expert), then you are in good shape.

Let’s leave the Batcave and talk about what this would look like in the real world.

Data Inventories

Data inventories are a big part of privacy programs, but let’s face it—they can be a big undertaking. However, the right software can cut down on the legwork by finding and documenting data. 

This alone is hugely helpful, but it doesn’t cover all your bases. You still need to determine the legal basis for data collection for GDPR. Or if the data has been sold under the scope of CCPA. Or if you can even collect and use that data in the first place. 

These kinds of questions are why privacy professionals are a critical resource for businesses. They have technical expertise and industry insight that can help you get answers—and solutions—to these questions. 

Social Media 

Facebook, Instagram, Twitter, and LinkedIn have historically been free advertising channels for businesses. But events like the Facebook/Cambridge Analytica scandal have made consumers much less likely to share personal information online.

The GDPR and CCPA control what categories and types of personal data a business can store about its users, but not all of the ramifications are clear yet. 

For example, it’s totally normal for a social network to host digital advertising. If a user clicks a link in one of those ads, now the app and the advertiser have the consumer’s information. Was the consumer adequately notified before the advertiser started collecting data? Is the activity considered the sale of data under CCPA? How should that be disclosed to the consumer?

The same principle works in reverse. If you have buttons for users to share your blog post or infographic on their social media accounts, are you confident you don’t have any exposure regarding whatever data that app collects from them? 

Notifications

The laws regarding privacy notices and cookie consent are constantly changing, and now that Apple and Google are eliminating third-party cookies, industry best practices are changing too. A privacy expert can help you get the most out of your privacy management software, keeping your notifications accurate and in line with industry standards so that you stay ahead of your competitors. If you do this, your privacy program can be a differentiating factor instead of just a cost center.

Individual rights requests

One of the most complicated parts of CCPA is the individual rights request provision. Under CCPA, consumers have the right to see what data you’ve collected about them and correct it if it’s wrong or delete it altogether.

Privacy management software can help you map the data so you can find it easily and quickly, but it can’t train your employees on how to execute a request. It can send notifications, but it can’t parse nuanced data to see if the request is valid. For that, you need a privacy expert. 

Privacy isn’t a one and done

Privacy is complex. So is software. And the implications of the wrong choice can be overwhelming! Don’t feel like you need to manage your company’s privacy program on your own.

Using privacy management software can dramatically simplify your life, but if you don’t do it right, you’ll have a false sense of security. To have full confidence, you need to combine your PaaS program with the advice and knowledge of a privacy expert. This expert doesn’t have to be a full-time employee. You can hire a consultant or cross-train another employee. 

Whatever you choose, remember to do regular checkups to make sure your program is keeping up with constantly changing legislation.

At Red Clover Advisors, we are experts in data privacy programs and training. If you need help picking a privacy management program, implementing the program you’ve picked, or maximizing your PaaS, drop us a line.

In 17th and 18th century England, highwaymen—thieves who traveled and robbed on horseback—concealed themselves along wooded sections of major roads leading out of London, waiting for the chance to stop vulnerable travelers in stagecoaches and carriages with a loud “Stand and deliver.” 

This was code for “Hand over your jewelry, purse, money, weapons, and whatever else you’ve got right now before we shoot you!”

Highwaymen faded into history by the mid-1800s, but on today’s cyber highways, new highwaymen are lying in wait outside weak passwords, missing patch updates, and phishy emails, ready to steal sensitive financial data, personal information, and proprietary intellectual property.

Like the highwaymen of old England, hackers may have specific targets or they may attack indiscriminately. Either way, everyone from big corporations to government agents to regular people running regular businesses has what they want — data.

Because in today’s world, data=$$$$$.

All the bad actors

Most people use the term “virus” to talk about any external program that disrupts computing functions, but a virus isn’t the same thing as spyware. Trojans aren’t the same as ransomware. 

These guys are all malware, but they work differently. Because of that, a basic understanding of how each type of malware infiltrates and attacks your system is critical to understanding how to both protect against them and how to get rid of them if your defenses fall.

As hackers have become more sophisticated, they have developed hybrid or exotic malware: malware that combines two or more techniques into a complicated, multi-step attack capable of inflicting layers of damage while remaining undetected for a long time, sometimes years.

Ransomware — the internet’s highwayman

Ransomware is malware that attacks a system by heavily encrypting data and holding it hostage until the victim pays an untraceable cyber currency “ransom” for its return. Computers are most commonly infected with ransomware when a user opens seemingly benign but malicious email attachments. 

Ransomware can also be activated by clicking on links in social media messaging apps or through drive-by downloads that happen when you visit compromised websites.

Ransomware has been around since 2005. Its popularity ebbs and flows, but according to Cybersecurity Ventures, a company was attacked by ransomware every 11 seconds in 2020. The potential cost by end-of-year is estimated at $20 billion. 

There are many reasons for this trend in ransomware hacks. An entire industry has sprung up around the development and sale of ransomware kits, meaning even people who aren’t expert coders can activate an attack. Expert coders who are criminally minded, however, have developed new ways to create ransomware capable of operating across platforms while encrypting ever-increasing amounts of data.

Additionally, COVID-19 transformed entire industries to a mostly remote workforce almost overnight, leaving all kinds of gaps in security and data protection systems.

Because they are less likely to have robust cybersecurity protocols, small- and medium-sized businesses have historically been the most frequent targets of ransomware. But 2020 brought a dramatic increase in ransomware attacks against K-12 school systems, hospitals and healthcare systems, police departments, and municipalities, all groups who rely on technology to provide a necessary public service and who are likely to have insurance policies capable of “standing and delivering” on a ransom demand. 

The attacks against these types of organizations have also revealed the modern-day highwayman’s newest weapon: double extortion ransomware.

Double extortion ransomware

Double extortion ransomware takes the original concept of ransomware — pay up if you ever want to see your files again — and takes it one step further. Instead of just threatening to delete your files forever, hackers are now threatening to sell your data on the dark web.

This newest variation has made hackers more likely to specifically target large corporations or more valuable information (or both). It also has made victims more likely to make sure the ransom is paid and thus avoid having proprietary information sold to competitors or being held liable for their customers’ personal information being available to criminals around the world.

Adding insult to injury, it’s possible, even likely, that the victim pays and the digital highwayman doubles their profit by selling the data anyway.

Protect yourself against highway robbery

The recent SolarWinds hack, in which Russia gained entry to multiple government agencies including the Department of Homeland Security, the Commerce Department, the Treasury Department, the Justice Department, and the State Department (as well as tech giants Microsoft, Cisco, Belkin, and Intel), is a perfect example of why it’s so important to shore up your defenses. 

Note: Keep SolarWinds in the back of your mind. We’ll come back to it.

Defending against ransomware, especially double extortion ransomware, isn’t easy, but it’s definitely doable. The solutions are common-sense solutions that any cybersecurity professional will tell you. In fact, you’ve probably been told about them at least once already. So do your future self a favor and listen up. 

Train your employees

There are a lot of high-tech, complicated things you can (and should) do to protect your data, but one of the most effective and least expensive things you can do to protect against hacks is to train your employees regularly and well.

The top three most common vectors for infection are email attachments, drive-by downloads, and malicious links. You can dramatically reduce your risk for breaches if you teach your teams:

  • What phishing emails look like 
  • Why they can’t enable macros in their email (Microsoft now has macros off as a default setting, but everyone has those employees who insist on turning them on)
  • How critical it is to avoid clicking links in emails you don’t recognize and/or downloading attachments from people you don’t know
  • What can happen if they download unapproved/not whitelisted software and/or apps
  • When it’s appropriate to give a program administrative permissions

Remember — these “training sessions” don’t need to be day-long events. You can spend five minutes in a staff meeting explaining why employees need to stay off public WiFi connections or send a weekly email reminder about policies on using company devices for personal reasons (or vice versa). IT can teach staff how to set strong passwords through a post on internal message boards. 

The important thing in establishing a privacy culture is consistency and clarity from the top down.

Back up your data

Yes, I know. Technically, backing up your data won’t protect you from a ransomware attack, but it can lessen the severity of the fallout. 

Most ransomware is coded to look for and encrypt/delete backup files, which means your backed-up data will be useless if it’s accessible from your main operating system. It’s most effective if you use a tiered or distributed backup strategy, prioritizing the most important data first and backing up data regularly using several modalities (cloud, external hard drive, etc.). 

One caveat — make sure your system has been cleared of any virus before you restore your backups. You don’t want to infect your backups and start the whole thing over again.

One more caveat — backing up your data may not help you if you are dealing with double extortion ransomware. As Justin Daniels, a shareholder, attorney, and cybersecurity expert at law firm Baker Donelson tells us, “Since double extortion ransomware is the latest variant, merely having separate backups is not sufficient. This type of ransomware means companies need to have in-depth cyber defenses that can identify the ransomware before it exfiltrates data as a prelude to the encryption of the company’s network.”

Use robust security software

I hate to break it to you, but if your small business is using a free download of basic antivirus software, you’re doing it wrong. 

You need a comprehensive, behavior-based security solution. Most conventional antivirus software runs signature-based detection, meaning the program looks for the specific code markers of known viruses. This is why your antivirus program is regularly pushing out updates—when new virus markers are discovered, antivirus companies engineer a signature to be added to your system.

By contrast, behavior-based security programs monitor activity and flag/halt deviations in normal behavior patterns. Using machine learning, this type of software can detect suspicious activity before a malicious code can fully deploy.
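To make the signature-versus-behavior distinction concrete, here is an added Python example (not code from the original post or from any antivirus vendor). It runs a toy signature scanner and a toy behavior scanner over constructed samples: a file carrying a made-up marker, a "repacked" variant without it, and a stream of process events in which one process renames thirty documents in three seconds. The marker, process IDs, thresholds and events are all constructed for the demo.

```python
"""Added example (not from the original post): a toy signature scanner beside a
behaviour-based one, run over constructed samples. The signature, process events
and thresholds are made up for the demo; no real malware is involved."""
import re
from collections import defaultdict
from typing import Dict, List

# Signature-based: match fixed byte patterns taken from a known sample.
# A constructed marker stands in for a real signature database.
SIGNATURES = {"Demo.Locker.A": re.compile(rb"DEMO_LOCKER_A_MARKER")}


def scan_signatures(blob: bytes) -> List[str]:
    """Return the names of every signature that matches the blob."""
    return [name for name, pat in SIGNATURES.items() if pat.search(blob)]


# Behaviour-based: ignore what the code looks like and watch what a process
# does. Here: many file writes or renames by one process inside a short window.
def scan_behavior(events: List[Dict], window_s: int = 10,
                  threshold: int = 20) -> Dict[int, int]:
    """Return {pid: peak_count} for processes whose write/rename count within
    any window_s-second window reaches threshold.
    Each event is {pid, ts (seconds), action, path}."""
    by_pid: Dict[int, List[float]] = defaultdict(list)
    for e in events:
        if e["action"] in ("write", "rename"):
            by_pid[e["pid"]].append(e["ts"])
    flagged: Dict[int, int] = {}
    for pid, times in by_pid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[pid] = peak
    return flagged


def build_events() -> List[Dict]:
    """Constructed telemetry: a word processor saving a few files a minute
    apart (pid 101) and a process renaming thirty documents in three seconds
    (pid 202)."""
    events = [{"pid": 101, "ts": float(i * 60), "action": "write",
               "path": f"/docs/report{i}.docx"} for i in range(5)]
    events += [{"pid": 202, "ts": 500.0 + i * 0.1, "action": "rename",
                "path": f"/docs/file{i}.docx"} for i in range(30)]
    return events


def demo() -> Dict[str, object]:
    """Show where each approach succeeds and fails."""
    known_sample = b"...DEMO_LOCKER_A_MARKER..."   # matches the signature
    new_variant = b"...REPACKED_NO_MARKER..."       # same behaviour, new bytes
    return {
        "sig_known": scan_signatures(known_sample),
        "sig_variant": scan_signatures(new_variant),   # signature misses it
        "behavior": scan_behavior(build_events()),     # behaviour flags pid 202
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the signature catches only the sample it was written for, while the behavior rule catches pid 202 regardless of what its bytes look like, and leaves the slow, ordinary writer alone. Real products layer both, and tune the window and threshold per environment; the values here are illustrative.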

Re-evaluate your permissions structure

Vulnerabilities in permissions access are one of the most common ways hackers specifically target sensitive information. It always shocks clients when we do a data audit and they realize there is a customer service rep with access to a database full of SSNs or that sensitive data sets have an admin who left the company three years ago. 

There are two things you can do to improve your data privacy and data security programs. First, implement the least privilege principle for data access. This means people have access to the smallest amount of data needed to complete their tasks. 

Second, consider a zero trust model for your cybersecurity plan. Zero trust means everyone in your company treats anything that comes from outside your system as suspect. You can read more about the concept and how to implement it here.
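The two audit findings described above (a support rep who can read a database of SSNs, and an admin who left years ago) are exactly what a periodic access review should surface. The following Python is an added example, not code from the original post or from any identity product: it checks a constructed directory export against an assumed least-privilege matrix and reports departed users who still hold grants, grants that exceed a role's allowed sensitivity level, and admin rights on stale accounts. Users, roles, datasets and the policy matrix are all constructed.

```python
"""Added example (not from the original post): an access review that flags the
two failures the text describes (a support rep holding a sensitive dataset, an
admin who has left) plus admin rights on stale accounts. Accounts, roles and
datasets are constructed; the role policy is an assumed least-privilege matrix."""
from datetime import date, timedelta
from typing import List, Optional, TypedDict

# Least-privilege policy: which roles may touch which dataset sensitivity level.
# (Assumed matrix; in practice it is derived from the data inventory.)
DATASET_SENSITIVITY = {"crm_contacts": "internal", "customer_ssn": "restricted",
                       "orders": "internal"}
ROLE_MAY_ACCESS = {
    "support": {"internal"},
    "finance": {"internal", "restricted"},
    "engineering": {"internal"},
}
STALE_AFTER = timedelta(days=90)   # no login for this long -> account is stale


class Grant(TypedDict):
    dataset: str
    level: str          # "read" or "admin"


class Account(TypedDict):
    user: str
    role: str
    last_login: Optional[date]
    terminated_on: Optional[date]
    grants: List[Grant]


def review_access(accounts: List[Account], today: date) -> List[str]:
    """Return human-readable findings; an empty list means the review is clean."""
    findings: List[str] = []
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        if acct["terminated_on"] is not None and acct["grants"]:
            findings.append(f"{user}: left on {acct['terminated_on']} but still holds "
                            f"{len(acct['grants'])} grant(s)")
            continue  # everything else is moot until the account is disabled
        allowed = ROLE_MAY_ACCESS.get(role, set())
        for g in acct["grants"]:
            sens = DATASET_SENSITIVITY.get(g["dataset"], "unknown")
            if sens not in allowed:
                findings.append(f"{user} ({role}): {g['level']} on {g['dataset']} "
                                f"[{sens}] exceeds role policy")
        stale = acct["last_login"] is None or today - acct["last_login"] > STALE_AFTER
        if stale and any(g["level"] == "admin" for g in acct["grants"]):
            findings.append(f"{user}: admin grant on a stale account")
    return findings


def sample_accounts(today: date) -> List[Account]:
    """Constructed directory export mirroring the two cases in the text."""
    return [
        {"user": "rep1", "role": "support", "last_login": today - timedelta(days=1),
         "terminated_on": None,
         "grants": [{"dataset": "crm_contacts", "level": "read"},
                    {"dataset": "customer_ssn", "level": "read"}]},
        {"user": "olddba", "role": "engineering",
         "last_login": today - timedelta(days=1100),
         "terminated_on": today - timedelta(days=1095),
         "grants": [{"dataset": "customer_ssn", "level": "admin"}]},
        {"user": "cfo", "role": "finance", "last_login": today - timedelta(days=3),
         "terminated_on": None,
         "grants": [{"dataset": "customer_ssn", "level": "read"}]},
    ]


if __name__ == "__main__":
    for line in review_access(sample_accounts(date.today()), date.today()):
        print(line)
```

Run against the sample, the review produces two findings (rep1's read access to the restricted SSN dataset, and olddba's lingering admin grant) and passes the finance user whose role legitimately covers restricted data. The useful habit is scheduling this as a recurring job rather than a one-off audit, so the "left three years ago" case never gets that old.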

Have a recovery plan

You don’t want to wait until you’re in the middle of a breach to decide what you should do. To quote Ben Franklin, “By failing to prepare, you are preparing to fail.” 

Look at your data and create a hierarchy for your information. What information could you absolutely not operate without? Protect that first. Then move to the next most important data set and protect that.

Once you know what you are protecting and where it is backed up, you can start developing your recovery strategy. Your disaster recovery plan should: 

  • Identify the personnel needed to manage a breach
  • Include detailed documentation on your network infrastructure
  • Determine the data, technologies, and tools needed for each department to function and how long each group can function without it
  • Define a communications plan, including who is notified first (both internally as well as vendors) and how they are notified
  • Set clear recovery time objectives (RTO) and recovery point objectives (RPO)

You can find more information about setting up a disaster recovery plan here. Once you have a plan, you need to test it frequently. Practice simulations and table-top exercises and document what works and what doesn’t. Update your plan as your systems change. 

The time you spend on a solid plan will save you hours of pain if you’re ever actually hacked.

Back to SolarWinds

Okay, SolarWinds. How did the Russians manage to gain access to the top government agencies of the world’s reigning superpower and multiple global corporations? 

They used employees across all levels of each organization.

Russian hackers planted malware in a software upgrade for SolarWinds, a network management program used by 300,000 clients. After nearly 18,000 clients downloaded the update, hackers could mine networks, exploit vulnerabilities, and collect data undetected for nine months. Every expert out there says there are undoubtedly more victims than we know about and that it will take years to understand the full impact of the damage this single hack caused.

SolarWinds wasn’t a ransomware attack, but if it had been, the results could have been even more catastrophic. Implementing the failsafes listed above may not have completely stopped the hack, but it could have reduced the number of victims or shortened the amount of time it took to find the malware.

Things to remember in a stickup

Sadly, even the most prepared companies fall victim to ransomware bandits. Besides activating your well-tested and frequently updated disaster recovery plan, here are a few tips to keep in mind:

  • Identify and isolate the infected device. Turn off the WiFi and Bluetooth. Disconnect it from your network and any shared drives.
  • Turn off everything else. If there were any other devices or computers on the same network as your patient zero, turn them off, disconnect them from the networks, clearly label them as possibly infected, and put them in a separate location so no one accidentally reconnects them and infects everything else.
  • Do contact tracing on the remaining devices and computers. Look for weird file extensions and check your IT tickets for reports of files that won’t open or have gone missing, etc. 
  • Figure out what variant you’re dealing with. Whether you do it yourself or use a cybersecurity expert, knowing what type of ransomware you’ve caught may help you get rid of it. 
  • Contact law enforcement authorities. This is important both because law enforcement may have tools that can recover your data and because it will protect you from fines if the hack results in your clients’ data being stolen.
  • Don’t pay anyone anything. If you pay, there is no guarantee you’ll get a decryption key. It also makes you a mark, since hackers now know you are willing to pay for your data. 
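The "contact tracing" step above, looking for weird file extensions and files that won't open, can be scripted for a first pass over a file share. The following Python is an added example, not code from the original post: it walks a constructed file listing and reports files whose extension is not one the organisation expects, files whose content is statistically random (a sign of encryption, measured with Shannon entropy), and text files that read like a ransom note. The paths, contents, expected-extension set and thresholds are constructed for the demo; it also shows the obvious false positive (a PNG is already compressed and therefore high-entropy) and how to exclude it.

```python
"""Added example (not from the original post): a triage scan over a constructed
file listing for the signs of a ransomware incident: unexpected extensions,
encrypted-looking content and ransom-note-like text files. Paths, contents,
extension sets and thresholds are made up for the demo."""
import math
import os
from collections import Counter
from typing import Dict, List

EXPECTED_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".png"}   # assumed for this org
COMPRESSED_OK = {".png", ".zip", ".jpg"}   # legitimately high-entropy formats
NOTE_HINTS = ("decrypt", "your files", "bitcoin")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, encrypted or compressed
    data close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(listing: Dict[str, bytes],
           entropy_threshold: float = 7.5) -> Dict[str, List[str]]:
    """listing maps path -> file content. Returns paths grouped by indicator."""
    report: Dict[str, List[str]] = {"unexpected_extension": [],
                                    "high_entropy": [], "ransom_note": []}
    for path, content in listing.items():
        ext = os.path.splitext(path)[1].lower()
        if ext not in EXPECTED_EXT:
            report["unexpected_extension"].append(path)
        # Skip formats that are compressed by design, otherwise every image
        # on the share would be reported.
        if (ext not in COMPRESSED_OK and len(content) >= 256
                and shannon_entropy(content) >= entropy_threshold):
            report["high_entropy"].append(path)
        if ext == ".txt":
            text = content.decode("utf-8", errors="ignore").lower()
            if sum(hint in text for hint in NOTE_HINTS) >= 2:
                report["ransom_note"].append(path)
    return report


def sample_listing() -> Dict[str, bytes]:
    """Constructed share contents: one ordinary document, a ransom note, a
    benign image and one document that has been encrypted and renamed."""
    random_looking = bytes(range(256)) * 4       # every byte value equally likely
    return {
        "/share/report.docx": b"quarterly report, draft, do not distribute. " * 20,
        "/share/README_RESTORE.txt": (b"All your files have been locked. "
                                      b"To decrypt them, send bitcoin to ..."),
        "/share/logo.png": random_looking,                # compressed, expected
        "/share/q1_report.docx.locked": random_looking,   # encrypted, renamed
    }


if __name__ == "__main__":
    for indicator, paths in triage(sample_listing()).items():
        print(indicator, paths)
```

On the sample, only the renamed `.locked` file trips both the extension and entropy checks, the PNG is correctly ignored, and the note is caught by its wording. A single hit on any one indicator is weak evidence; the combination of a new extension appearing across many files plus high entropy is what should trigger the isolation steps listed above.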

Stand and deliver…yourself

When it comes to ransomware, your best protection is preparation. Remember, you don’t have to develop a comprehensive plan all at once. Start with the small steps that build a strong foundation, and then keep building.

And you don’t have to do it alone. Working with a data privacy professional to pick the right vendors, train your team, and stay on top of all of this throughout the busy year can simplify your life and establish efficient, effective operational privacy and security practices. 

We can help you. Call us today to take control of your data security and protect your company from highwaymen and their ransomware.

Cookies have been part of the internet since basically the beginning of the internet. As the internet has developed, advertisers have co-opted cookies from their original use and turned them into super data collection machines that track your every move across the web. 

But attitudes are changing. Consumers and governing bodies are pushing back. Not only are governments passing legislation regulating transparency around cookie use, but major browsers have also pushed the envelope by developing technology to block third-party cookies.

Their moves are shifting the data privacy landscape.

Cookies are good as a food, less so as a technology

Cookies are small text files, usually holding a randomly generated identifier, that make e-commerce affordable for businesses by storing data about a user’s site visit on their own computer instead of on massive company servers. They also improve user experience by doing things like keeping carts full across visits and remembering log-in preferences. 

By themselves, cookies aren’t dangerous. First-party cookies—cookies you place on your site yourself to improve and monitor functionality and personalization—give you a more seamless and enjoyable user experience on the internet.

Third-party cookies, though, are another story. Privacy advocates have been trying to get rid of them for years because they’re incredibly invasive. Data collected from third-party cookies can be used to create a profile that knows you better than you know yourself. 

And data brokers sell that profile for a lot of money. 
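The first-party/third-party distinction above is something you can measure on your own site: a cookie is first-party when the domain that set it is the domain of the page the user is on, and third-party when it was set by some other domain the page loaded resources from. The following Python is an added example, not code from the original post: it parses the Set-Cookie headers of a constructed set of responses, classifies each cookie relative to a constructed page URL, and flags cookies missing the Secure or SameSite attributes. The registrable-domain rule used here (last two labels) is a simplification of what browsers do with the Public Suffix List.

```python
"""Added example (not from the original post): classify the cookies a page sets
as first- or third-party and flag weak attributes. The page URL, responses and
cookie names are constructed; the registrable-domain rule is a simplification."""
from typing import Dict, List
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """'ads.tracker.example' -> 'tracker.example'. Assumed two-label rule;
    real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie value into {'name', 'value', <attribute>: <value>}.
    Flag attributes such as Secure appear with an empty value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        cookie[k.strip().lower()] = v.strip()
    return cookie


def classify(page_url: str, responses: List[Dict]) -> List[Dict]:
    """responses: [{'url': ..., 'set_cookie': [header, ...]}] for every request
    the page made. Returns one dict per cookie with 'party' and 'issues' added."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    out: List[Dict] = []
    for resp in responses:
        setter = registrable_domain(urlparse(resp["url"]).hostname or "")
        for hdr in resp["set_cookie"]:
            c = parse_set_cookie(hdr)
            # An explicit Domain attribute widens the scope; otherwise the
            # cookie belongs to the host that sent it.
            scope = registrable_domain(c["domain"].lstrip(".")) if "domain" in c else setter
            c["party"] = "first" if scope == page_domain else "third"
            issues: List[str] = []
            if "secure" not in c:
                issues.append("missing Secure")
            if "samesite" not in c:
                issues.append("missing SameSite")
            elif c["samesite"].lower() == "none" and "secure" not in c:
                issues.append("SameSite=None requires Secure")
            c["issues"] = issues
            out.append(c)
    return out


def demo() -> List[Dict]:
    """Constructed page load: the shop sets its session cookie, an ad network
    sets a tracking cookie, and an analytics host sets one with no attributes."""
    page = "https://shop.example/cart"
    responses = [
        {"url": "https://shop.example/cart",
         "set_cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax"]},
        {"url": "https://ads.tracker.example/pixel.gif",
         "set_cookie": ["uid=xyz; Domain=.tracker.example; SameSite=None; Secure"]},
        {"url": "https://analytics.example/collect",
         "set_cookie": ["aid=1"]},
    ]
    return classify(page, responses)


if __name__ == "__main__":
    for c in demo():
        print(c["name"], c["party"], c["issues"])
```

Run on the sample, the session cookie is first-party and clean, the ad network's cookie is third-party (its Domain attribute scopes it to the tracker, not the shop), and the analytics cookie is third-party with two missing attributes. Listing a site's cookies this way is the starting point for the cookie notice and consent configuration discussed later on this page.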

What do these dynamics mean for the business-consumer relationship, though? For consumers, trading away privacy can be a serious trust-breaker. Businesses are finding that preserving data privacy—and consumer trust—isn’t optional anymore. What’s more, businesses that put privacy and trust first can differentiate themselves from their competitors.

Nirish Parad, marketing technologist at Tinuiti notes, “Respecting privacy is one thing, but are we building trust? Netizens don’t trust companies with their information. How do we earn that back? By leaning in. If you’re collecting data, be intentional, respect preferences, deliver value, and invest in the experience.” 

Where to start? Cookies. As consumers demand more control over how their data is used online, major tech companies are blocking third-party cookies altogether and making a big impact on consumer privacy.

Apple

Apple has led the browser privacy conversation since 2017, when they added the Intelligent Tracking Prevention (ITP) feature to their Safari browser. By March 2020, ITP updates made Safari capable of blocking all third-party cookies. More importantly, Safari can now block the workarounds that ad networks and cookie makers had been using to circumvent earlier ITP versions.

Safari still allows first-party cookies, but they expire after one day instead of seven. This means that if you don’t visit a website every day to refresh the cookie, your device will get a new identifier the next time you hit the site. 

Effectively this means that it will be very difficult for advertisers and data collectors to follow Safari users around the internet, making Safari one of the most secure ways to surf the web.

But Safari isn’t the only cookie-free part of the Apple universe. The most recent update for Apple products—iOS 14—is *literally* cookieless. As of this update, developers are required to ask for permission before tracking iOS users for ad targeting. 

This opt-in requirement marks a big shift for smartphone users’ privacy because it makes developers responsible for addressing privacy, not users. And it’s expected that users are going to take advantage of these new protections: the share of iOS users granting tracking permission to developers is estimated to drop massively, from 70% to 10%.

Apple is a prime example of a company using aggressive privacy technology and policies to differentiate their brand. In a market almost entirely controlled by Google Chrome, Apple’s commitment to privacy has made Safari a major part of the digital privacy and internet tracking conversation. 

Google

With 69% of the market, there is no question Google controls the browser game. But while they may have been driving browser innovation, they are behind on the privacy side.

Part of the reason for this is that up to 83% of Google’s revenue is ad revenue. Google’s official line is that getting rid of cookies will increase the use of workarounds like device fingerprinting, but it’s hard not to notice that eliminating third-party cookies without a backup plan would more or less implode their business model. 

In January 2020, Google announced their Chrome browser would stop supporting third-party cookies by 2022. They are using that time to develop the Google Privacy Sandbox, new technologies that can replicate a seamless web experience without the use of cookies. 

Google Sandbox & Consent Mode

Google’s Privacy Sandbox is a work in progress, but its goals are to:

  • Replace cross-site tracking processes with new technologies
  • Separate first-party cookies from third-party cookies so third-party cookies can be eliminated
  • Reduce the success of workaround tracking technologies used by bad actors

Reactions to the Privacy Sandbox have been mixed. Google will obviously benefit from having advertisers using their first-party tools. In turn those first-party tools will increase the control Google has of, well, everything.

In September 2020, Google also launched the beta version of its Google Consent Mode. According to Google, consent mode is an API that “allows you to adjust how your Google tags behave based on the consent status of your users.” From Google’s website:

“You can indicate whether consent has been granted for analytics and ads cookies. Google’s tags will dynamically adapt, only utilizing cookies for the specified purposes when consent has been given by the user. You can use consent mode in Google Ads for conversion tracking and remarketing.”

Whatever Google’s motivations, Google Consent Mode is popular with companies that provide cookie and online tracking consent and compliance solutions. 

According to Danish company Cookiebot, Google Consent Mode is “a big step forward in building a more sustainable internet economy that brings both elements into greater balance – moving away from mass personal data collection towards a consent-based dynamic system that respects the privacy and dignity of each individual user without breaking the underlying business model of large parts of the Internet.”

Google has also made the news very recently for a cookieless approach they’re calling “FLoC” (or Federated Learning of Cohorts). FLoC works as a browser extension that compiles data from thousands of site users. FLoC hasn’t been released for public testing as of yet—but look for a release in March, followed by advertiser testing in the second quarter of this year. 

Mozilla

We can’t talk about cookie-blocking browsers without talking about Mozilla Firefox. Firefox was created by a nonprofit, which means they create features based solely on user experience without worrying about shareholders. They don’t sell data. Additionally, Firefox is not based on Chromium, Google’s open-source code project that forms the infrastructure of the Chrome, Edge, and Brave browsers.

Mozilla’s entire mission is to foster the creation of “an Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent.” Spurred by the Cambridge Analytica/Facebook scandal, Firefox began using “containers,” a technology that isolates browser tabs from each other, in 2016, before Apple’s ITP and long before Google’s Consent Mode.

Firefox started blocking third-party cookies in 2019, but they’ve had to play catchup to be able to stop the workarounds that inevitably popped up. Currently, Mozilla engineers are working on a new technology called DNS over HTTPS, or DoH. This technology encrypts your browser requests and traffic, making it much harder for trackers to spy on you.

Mozilla’s constant push for a user-centered, privacy-based internet has given them a clout that doesn’t match their market share because giving consumers more control over how their personal data is collected, used, and shared online is the issue of the internet’s future.

You can still track (and be tracked) without cookie crumbs

Cookies aren’t the only way users are tracked online — they’re just the most common. And major browsers dumping them doesn’t mean your privacy worries are over.

For starters, you still need to advise your users about the first-party cookies you have on your site, and you’ll still have to manage the data those cookies collect. This means knowing what you’re collecting, why you’re collecting it, where and how long you’re storing it, and how you’re protecting it.

Device fingerprinting, also known as browser fingerprinting, happens when someone (or some technology) collects information about your device, including your:

  • Browser
  • Time zone
  • Language settings
  • CPU architecture
  • Plugins

Alone, these little bits of data wouldn’t mean anything to anyone. But trackers combine these identifiers to create a recognizable profile for individual users that is incredibly accurate. According to Mozilla, “recent developments in cross-browser fingerprinting [make digital fingerprinting] capable of successfully identifying users 99% of the time.”

Using a VPN and blocking cookies can’t stop fingerprinting. And fingerprinting isn’t all bad. It was first used by banking websites for fraud prevention and fraud investigations. From a privacy standpoint, however, fingerprinting can create a profile even more accurate than cookies.

And unlike third-party cookies that come from your vendor, your website might have fingerprinting technology without you even knowing it.

A study from Princeton University found that more than 60% of the top 1,000 sites on the web share information with third parties, and many of those third parties are fingerprinting visitors and selling the data. They also found that 96.5% of websites have access to digital fingerprints even if they are not using the technology themselves.

There are currently multiple regulations covering the use of cookies, but nothing has been done about device fingerprinting yet. While you’re working on eliminating your third-party cookies, it might be a good idea to also talk to your hosting provider and other vendors to see if they use fingerprinting technology. You don’t want to get caught with your hand in the newest version of a cookie jar when new rules come out.

Being proactive will allow you to find new, privacy-friendly ways to collect data on and communicate with your users before you legally have to. Rather than having forced downtime, you can set yourself up for an agile transition to whatever changes come your way.

Get on a cookie-free diet

Third-party cookies are an old technology whose time is almost up. If you want to minimize your risk for privacy action, increase trust with your users, and put your company at the forefront of one of the most important consumer issues of the next decade, you should shift your focus to first-party data. Think email marketing campaigns or retargeting campaigns, but in a privacy-friendly way. And that’s where we come in!

If you’re ready to get a handle on your cookie use and privacy policy, get in touch with our experts today.

As an executive, it’s up to you to set the standard for your organization’s data privacy approach. You can use International Data Privacy Day to start your year off on the right foot. 

Thursday, January 28, 2021, is a big day. Not only is it National Have Fun at Work Day, National Kazoo Day, and National Blueberry Pancake Day, it’s also International Data Privacy Day. On this day, groups in the United States, Israel, Canada, and 47 European countries work together to empower individuals and businesses to respect privacy, safeguard data, and enable trust.

It’s no secret that consumer expectations and regulatory requirements for data privacy will drive the development of business best practices and innovation over the next decade. The implementation of compliant privacy programs has a steep learning curve. It’s in your best interest as a leader to get in front of it now, while you have time to do it, rather than wait until you legally have no choice.

Observing International Data Privacy Day is a smart place to start building your company’s data privacy culture.

Why you need a robust data privacy program

If your company sells products online or collects data from online users, the odds are high you’ve heard about the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or the EU’s General Data Protection Regulation (GDPR).

These are the most aggressive and far-reaching data privacy laws, but they are far from the only regulations on the books. Unlike other countries, the United States follows a sectoral approach to data privacy regulations, meaning regulations tend to be either regionally based or industry-focused. Industries and states currently without specific data privacy regulations may find them cropping up in the next several years.

Constantly shifting goalposts pose a big challenge for businesses. Merely adhering to current best practices for data privacy and protection in order to meet current regulations isn’t enough to keep you competitive. If you want to maintain agile responsiveness to a changing data privacy landscape, you need to follow best practices that exceed existing standards.

Consumer expectations

Regulatory compliance is not the only reason you need to pursue an aggressive privacy culture. Consumers are increasingly proving that how a company uses their personal information plays a role in their purchasing decisions. A recent Salesforce survey found that 84% of consumers are more loyal to companies with strong security controls.

With 69% of consumers believing that companies will use their personal information in a way that they are not comfortable with, there is a real opportunity for businesses willing to differentiate themselves through forward-thinking, consumer-focused privacy programs.

The good news is that privacy policy development is good for your bottom line. Ninety-seven percent of companies proactively implementing robust privacy policies report an increased competitive advantage and/or investor appeal. Over 70% said that aggressive data protection practices improved their operational efficiency, agility, and innovation.

So break out your kazoos and look through the suggestions below to find a way your organization can celebrate National Have Fun at Work Day by observing International Data Privacy Day. (Blueberry pancakes optional.)

Ideas for Data Privacy Day

While it may sound like a tall order, getting your team committed to, even excited about, privacy is the natural result of education and empowerment. And it can be fun!

The National Cyber Security Alliance, a leading nonprofit, public-private partnership dedicated to promoting cybersecurity and privacy education, has five suggestions for ways executives can improve their company’s privacy program:

  • Create a privacy-aware culture
  • Organize regular privacy awareness trainings
  • Help your employees manage their individual privacy
  • Add privacy protections to your employees’ regular toolbox
  • Get expert help

One note — while the ideas below are a great entry point, running an effective privacy program doesn’t happen just by checking items off an agenda. Your privacy to-do list is more like a rotating chore chart than a to-do list. Just like you do month-end reconciliations and scheduled inventory orders, maintaining your privacy infrastructure needs to be part of your standard operating procedures.

Get #privacyaware

One of the biggest challenges companies face in developing an institutional privacy awareness is that people just don’t understand what data privacy is. The fastest way to eliminate this barrier is to help your employees see just how vulnerable they are and how much of their personal data is out floating around the internet.

Two great tools to help people see the gaps in their data privacy knowledge are the National Privacy Test and the Google Phishing Quiz. On January 28, you could have your team/department take these tests and give prizes to top performers. And bonus! If multiple people miss the same question, you have a ready-made list of training topics for future staff meetings. 

Other steps you can take on January 28 include running an internal campaign to make sure your employees know and understand your privacy program and their place in it. Every group email, newsletter, and meeting should have a “privacy moment” where these ideas and best practices are reinforced.

Teach your employees to fish (but to avoid phishing)

There is a reason the saying “teach a person to fish, you will feed him for a lifetime” has stuck around. As corny as it sounds, it’s true. Here’s a quick exercise your team can do on January 28 (or any day) that will help them understand their level of privacy savvy. The results may be surprising.

After completing the Google exercise, National Cybersecurity Alliance’s Manage Your Privacy Settings page can help them set personal privacy settings that align with their comfort level.

Why should you use your valuable working hours to take your employees through this process? 

Employees who are empowered to manage their personal privacy are more likely to understand why privacy is so important to your clients. 

Training, training, training. (Did we mention training?)

Before we talk about why your employees need consistent privacy training, let’s go over a few definitions:

  • Effective frequency is the number of times a person needs to hear an advertising message before acting on it.
  • Mere-exposure effect is the likelihood that people will develop a preference for something the more familiar they are with it.
  • Redundant communications is the term used to describe using multiple communication modalities to convey the same message. 

Advertisers, masters of getting people to do what they want, use these terms to create a framework for the behavior they are hoping to elicit with their campaigns. Current marketing research indicates that effective frequency can change behavior with as few as three messages but is most effective between 6 and 20 times. Similarly, mere-exposure reaches maximum efficacy between 10 and 20 times.

But that’s advertising. How does this apply to employee training?

Several years ago, Harvard Business School professor Tsedal Neeley conducted a study of how managers use redundant communication to help their team meet deadlines and other project goals. Neeley found that the most effective managers repeated themselves at least once, but more often between three and four times using multiple methods.

This means managers who successfully changed employee behavior and/or maintained team performance standards communicated the same information via meetings, emails, individual phone conversations, internal message boards, texts, and face-to-face. 

If you want your employees to buy into your data privacy strategy, you need to:

  • Consistently expose them to it
  • Provide opportunities for them to understand it at a deeper level
  • Clearly and repeatedly communicate your expectations using multiple modalities

These “trainings” do not need to be formal seminars with expensive guest speakers. They can be five minutes in a staff meeting or five sentences in an email. The key is to up the effective frequency and exposure to messaging using redundant communication.

Make privacy standard. And easy.

If you want your employees to understand you are serious about privacy, you can prove it by:

  • Implementing company use of VPNs, encryption, and two-factor authentication
  • Explicitly prohibiting the use of work devices for personal use (and vice versa) and use of public WiFi networks
  • Providing company-branded camera covers or privacy screens
  • Requiring strong passwords

Whether or not you do it on January 28, activities like passing out new privacy swag or sponsoring a company-wide strong password challenge reinforce your commitment to privacy as a core company value. That can only help in the long run.

Use an expert

Getting your team on board is important, but employee buy-in alone will not make you compliant with privacy regulations or best practices. As a leader, it’s your responsibility to figure out or hire out the critical and technical pieces of your data privacy program:

  • A gap and maturity analysis will show you where you have exposure from your data privacy practices.
  • Creating a data inventory will give you insight into what types of data you are collecting, where and how long you are storing it, and who you are sharing it with. 
  • Custom privacy notices and policies allow you to clearly communicate your data practices in a way consumers can understand (instead of in dense legalese).
  • Reviewing and updating your cookie consent practices will help ensure that you collect only what you need and are compliant with collection notification regulations.
  • Having someone review your digital marketing practices can prevent costly fines and operating injunctions that can damage your reputation and bottom line.
  • Third-party assessments are vital to confirming your vendors’ privacy policies are both compliant and aligned with your standards.

Proactive privacy programming is possible

Whether you are subject to existing regulations or not, take advantage of International Data Privacy Day 2021 to chart a new course in your organization’s privacy journey. Need some help getting started? Contact Red Clover Advisors today to jumpstart your privacy program.

The Complete 2021 Privacy Compliance Checklist

Maybe you’re ahead of the pack when it comes to privacy, keeping your privacy policy and data inventory shipshape. In that case, we salute you! (But you probably also know that privacy compliance obligations are a moving target, and you keep planning for the future.)

But for those of you working hard at meeting your business goals while also struggling to wrap your head around how to fit privacy compliance onto your to-do list, take heart: 2021 is a great year to take it on.

Why? Because privacy is about more than just putting systems and technology in place to help track and manage your customers’ personal information. 

It’s about respecting your relationship with customers. It’s about prioritizing the trust that they extend to you when they share their names, emails, phone numbers, addresses, whatever data points you’re asking for. It’s about leading with privacy, whether you’re a multinational corporation or a brand-new startup. 

So what will it take to be a privacy-forward business in 2021? Here’s our list for the upcoming year. 

Wrap up CCPA compliance

We said the same thing last year, but it still applies. CCPA is the most comprehensive, enforceable general data privacy legislation in the US. If you haven’t finished up your CCPA compliance, don’t wait on this. 

So what do you need to know for CCPA? Ready to jump into CCPA compliance? We’re here to help with that. 

Just getting acclimated? See below for your debriefing. 

  1. Do that data inventory. You know that accomplished, on-top-of-your-to-do-list feeling that you get after spring cleaning? That’s how you’ll feel when you organize your data and figure out what you’re collecting, using, storing, sharing, and selling. 
  2. Be transparent with your audience about how you’re collecting personal information. This should include the aforementioned Don’t Sell My Personal Information link on your home page and a crystal clear privacy notice that details your collection practices.
  3. Make individual rights requests easy. Include at least two methods for submitting requests.
  4. Respond to individual rights requests ASAP. Implement a verification method to protect your customers’ personal information. 
  5. Protect minors’ rights via appropriate consents for collecting children’s information.
  6. Cover your data security bases—consumers can file civil suits if you don’t take “appropriate security measures” and their data is exposed in a breach.

Getting CCPA compliant in 2021 isn’t just about avoiding the fines, fees, and reputational damage that come along with compliance failures. It’s also part of preparing for California Privacy Rights Act (CPRA) compliance in 2023.

Read more on CPRA here

CPRA is guaranteed to give your business more to think about in terms of privacy. The new legislation, passed in the California general election in November 2020, expands on the core tenets of CCPA and moves privacy obligations closer to the requirements of GDPR (the EU’s General Data Protection Regulation). It promises to help make enforcement of compliance more achievable for the state of California. Here are a few of the key features:

  • Grants new rights to data portability, correction, and restricting the use of sensitive personal information 
  • Clarifies definitions of selling information 
  • Raises threshold for personal information processing

But just because CPRA is coming down the road doesn’t mean that CCPA should be disregarded—its rules definitely still apply. 

But pay attention to other laws as well

And I’m not just talking about GDPR. CPRA may be the latest in US privacy law, but other states are edging towards more robust legislation. 

You may remember that last year, we mentioned the Texas Privacy Protection Act, the New York Privacy Act, and the Washington Privacy Act, the latter being back and updated for the third time.  These laws are still in the works, but New Hampshire, Oregon, and Virginia are also joining the party. While the final shape and outcome of legislative efforts is unknown, it’s good to keep your finger on the pulse of these discussions. 

And don’t forget about what’s going on overseas

We’re not just talking about general GDPR requirements. You need to be tracking several developments on the European privacy frontier.

Schrems II ruling

In July, the EU’s Court of Justice struck down the Privacy Shield arrangement, which supported the flow of personal data between the EU and the US. According to the ruling, American organizations weren’t meeting the conditions of providing “adequate” protection for EU residents’ personal data. While a replacement for Privacy Shield is in discussion, there’s not an imminent replacement. That means some fancy footwork may need to take place if you’re going to keep processing EU data. (But it’s worth getting that choreography down.)

Brexit

When January 1, 2021 rolls around, the UK will no longer be part of the EU. For privacy practices, this means that US-based businesses dealing with personal data from the UK will have to accommodate the UK’s equivalent of GDPR. Don’t delay in assessing whether you fall into the scope of their framework. While regulations will be similar, you may need to adjust some internal processes to comply.  

Align your digital marketing strategy with privacy

Digital marketing—especially these days—is critical to connecting you to your audience. But is your digital marketing on the right side of privacy? 

Between the General Data Protection Regulation (GDPR), the ePrivacy Directive, the California Consumer Privacy Act (CCPA), Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM), and Canadian Anti-Spam Legislation (CASL), there’s a lot to weigh across your channels.

Take email marketing for one. Email marketing is at the top of marketers’ to-do lists: 87% of them use email marketing to distribute content organically. 

That means you’re probably sending out emails. But do you know if you’re: 

  • Representing your message correctly? 
  • Setting up appropriate opt-ins and opt-outs for your recipients? 
  • Sufficiently managing your records? 

Email marketers should be able to answer these questions in the affirmative. But email marketing likely isn’t the only thing on your digital plate. Your website is a major piece of the pie. 

Give your website some love

Your website is a heavy lifter for your marketing efforts—and your compliance ones, too. If you’re a developer, the word “compliance” likely sparks visions of ADA-accessibility requirements. But your website needs far more than that. For both GDPR and CCPA, you should always make sure that you’re locking down your data with the most up-to-date security practices. You should also make vetting your vendors one of YOUR best practices—how they handle data privacy and security has major implications for your business and customers.

Here are a few of the other big-ticket items for getting your website compliant in 2021. 

For CCPA:

  • Provide a link from your home page that says “Do Not Sell My Personal Data” 
  • Make sure you get the appropriate consents before collecting personal data belonging to minors
  • Include a method for visitors to request, move, change or delete data 
  • Update your privacy policy to share what personal data you collect, how you use it, which third parties the data is shared with, which data is sold, and a description of consumers’ individual rights under CCPA

For GDPR:

  • Add a cookie banner so your visitors are informed about your cookie practices and can provide opt-in consent 
  • If you depend on consent for email marketing, make sure you’re getting that consent appropriately (i.e., through opt-ins and/or double opt-ins)
  • Implement a system for notifying users about privacy policy updates or data breaches 
  • Make sure you anonymize data when using third-party services or plugins

Note: This list isn’t exhaustive. For help with GDPR and CCPA compliance, drop us a line—we can help you get moving in the right direction. 

Put together amazing privacy messaging

There’s not a single good, consumer-friendly reason privacy practices can’t be made comprehensible to your customers. That’s it. Short and sweet. You can do it. You need to do it. Because people are over convoluted privacy policies that are as indecipherable as Beowulf.

A good start is to fine-tune the landing pages where you house your privacy and security policies. While B2C businesses might not have a rapt audience, B2B companies will find that customers are hungry to know how you’re complying with privacy laws.

Part of your messaging strategy should be to help your customers tailor their marketing experience with you. Preference centers give them options of how much communication they want to receive and what type. Need inspiration? Just look at how companies like Monday.com, MailChimp, and Apple craft engaging user experiences that speak directly to their customers’ privacy concerns while staying true to their brand identity. 

Finally, to make integrating privacy into your marketing easier, a good practice is to keep a checklist of the privacy regulations you need to follow. Knowing what the benchmarks are will make everyone’s job a little easier.

Make privacy a focus at your workplace

To start, in 2021, get your team trained on privacy issues. That in and of itself is a multifaceted thing. It can involve information security awareness or privacy awareness. It can be a deep dive into CCPA individual rights requests, or it can reinforce industry-specific privacy compliance requirements. (Take, for example, the Gramm-Leach-Bliley Act for financial services.)

Your team also needs thorough data security training. After all, human error is responsible for some massive data breaches. And given the large numbers of workers still living the work-from-home life, your team needs to be looped in on all the relevant data security rules. Let’s not repeat the same mistakes in 2021. 

A final word on focusing on privacy in your workplace. Don’t leave internal privacy discussions to the IT crowd or the marketing department. Privacy is pertinent to your entire operation. So when you’re looking down the road at new projects, products, services, vendors, whatever you’re planning on getting up to next year, bring privacy to the table.  

The clock is counting down until 2021. I’m just as excited as everyone for the promise and opportunity of a brand new year. But seizing opportunity means being proactive. Don’t treat compliance as a last-minute addition to the rest of your business activities. 

Ready to get started before the ball drops? We’d love to chat. Drop us a line to schedule a consultation.

An international tour of cookies? Sounds delightful after this long year. We’re thinking: palmiers from France, Polish torunskie pierniki, Brazilian sequilhos, and kourabiedes from Greece. 

Wait, that’s from the baking blog, not the privacy one. 

But it’s important to talk about the other type of cookies from this perspective, too. While the EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive get lots of airtime, there are nuances that businesses need to consider when planning and implementing their cookie strategy.


Recently, Google and Amazon were fined $163 million for their use of web cookies to track user activities without seeking proper consent. Read more about it here.

Key GDPR and ePrivacy Cookie Requirements

Before we jump into talking about cookies in the EU, here’s a quick refresher on general GDPR and ePrivacy cookie requirements. 

  • You have to tell your users about all the cookies on your website in plain language. This allows them to provide informed consent. (Or not.)  
  • You can’t drop cookies—except strictly necessary ones—until you’ve received user consent for each cookie. This consent must be clear and explicit.
  • You can’t withhold services—including website or application access—if they don’t consent to cookies. (FYI: This is often referred to as “freely given consent.”)
  • You’ve got to protect your users’ data. Do third parties have access to user data? It’s still your job to protect it. 
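The consent rules just listed, together with the Consent Mode behaviour described earlier (tags adapting to the user’s consent status), as an added example that is not code from the original post, Google, or Cookiebot. It models default-deny cookie gating with granular per-category consent; the cookie inventory is constructed sample data, and the category and function names are this example’s own assumptions, not a vendor’s API.

```javascript
// Consent-gated cookie handling (added illustration, not the post's own code).
// Rules modelled:
//   1. default deny: only strictly-necessary cookies before the user decides
//   2. granular consent per purpose/category (analytics, marketing)
//   3. a mapping from category consent to Consent Mode style signals
// Category names, function names and the inventory below are assumptions.

const CONSENT_CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Constructed sample inventory: what a site's cookie data inventory might list.
const COOKIE_INVENTORY = {
  session_id: { category: 'necessary', purpose: 'keeps the user logged in' },
  _ga: { category: 'analytics', purpose: 'Google Analytics visitor id' },
  _gcl_au: { category: 'marketing', purpose: 'Google Ads conversion linker' },
};

// Initial state before any choice: strictly-necessary only, nothing else.
function createConsentState() {
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

// Record an explicit choice. Unknown categories are ignored; 'necessary'
// cannot be toggled because it needs no consent. Returns a new state object,
// so withdrawing consent is just another call with a shorter list.
function updateConsent(state, grantedCategories) {
  const next = { ...state, decided: true };
  for (const category of CONSENT_CATEGORIES) {
    if (category === 'necessary') continue;
    next[category] = grantedCategories.includes(category);
  }
  return next;
}

// May this cookie be set under the current consent state?
// Cookies missing from the inventory are blocked: if you do not know what a
// cookie is for, you cannot have told the user about it in plain language.
function canSetCookie(state, name) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;
  return state[entry.category] === true;
}

// Partition a batch of cookies that scripts want to set into allowed/blocked.
function filterCookies(state, names) {
  const result = { allowed: [], blocked: [] };
  for (const name of names) {
    (canSetCookie(state, name) ? result.allowed : result.blocked).push(name);
  }
  return result;
}

// Derive Consent Mode style signals ('granted'/'denied') from the state.
// ad_storage and analytics_storage are the signal names Google documents for
// Consent Mode; mapping our two categories onto them is this example's choice.
function toConsentSignals(state) {
  return {
    ad_storage: state.marketing ? 'granted' : 'denied',
    analytics_storage: state.analytics ? 'granted' : 'denied',
  };
}

// Walk-through: before any choice, then after the user opts in to analytics only.
const beforeChoice = createConsentState();
const afterChoice = updateConsent(beforeChoice, ['analytics']);
console.log(filterCookies(beforeChoice, ['session_id', '_ga', '_gcl_au']));
// { allowed: ['session_id'], blocked: ['_ga', '_gcl_au'] }
console.log(filterCookies(afterChoice, ['session_id', '_ga', '_gcl_au']));
// { allowed: ['session_id', '_ga'], blocked: ['_gcl_au'] }
console.log(toConsentSignals(afterChoice));
// { ad_storage: 'denied', analytics_storage: 'granted' }
```

In a real deployment the blocked list is what your consent banner and tag manager must keep from firing until the matching category is granted; the signals object is what you would hand to your tags as the consent status.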

What Do You Need to Know About Cookie Consent?

Not surprisingly, countries in the EU have come up with varied interpretations of privacy. Each member state has its own data protection authority (DPA) that monitors privacy laws in their state. They provide guidance and interpretation for businesses and the general public. 

DPAs disagree on many privacy issues. Some are still finalizing initial guidance following GDPR’s implementation. Others have been proactive in implementing GDPR and then revising regulatory guidance. Naturally, cookies are a topic up for (repeated, heated) discussion.

And why not? Cookies can be ambiguous. What does consent look like? Is it opt-in? Opt-out? What cookies need consent? What’s personal information? What about banners and cookie walls? What’s the meaning of life? 

Need a refresher on cookies? Check out our whitepaper here or read Do I Need a Cookie Consent Banner.

The list goes on. But that’s why we’re here—to help you understand the different perspectives on cookies within the EU. (We can’t help with the meaning of life, though. That’s outside of our scope.) Let’s take a look at where guidance is strongest: France, the UK, Germany, and Spain.

Cookie Consent by Country

GDPR and ePrivacy have done a great deal to bring privacy practices in line throughout Europe. Among France, the UK, Germany, and Spain, there are some big similarities. 

First off, cookie rules don’t apply just to cookies. Rather, they’re relevant to any technology storing or accessing information on a user’s device. (Notably, though, under German practice, it also has to involve processing personal data.)

Consent is viewed similarly, particularly when we’re looking at its definition. Consent—when required—must be specific, freely given, and unambiguous before cookies are deployed. However, there are some nuances when it comes to how it’s put into action in Spain. 

Consent, moreover, takes place on multiple levels. Global consent is broadly shared among the UK, France, and Spain, meaning that consent must cover each purpose for which the cookies are used. (Germany, an outlier, doesn’t comment on this.) 

Granular consent—the practice of getting consents for separate things—is also a point of general agreement, though each country takes a different approach to achieving it. While the UK doesn’t provide any guidance on the matter, France mandates a second layer allowing users to give consent to each cookie separately. Spain requires that a first layer link to granular consent tools for each category of cookie. Finally, the ability to give granular consent is a must for Germany, but they don’t dictate where it should be implemented.

One big issue in consent is third-party vendors—more commonly referred to as processors in GDPR. French, German, UK, and Spanish authorities all agree: organizations need to identify all processors who will rely on users’ consent. (France goes just a bit further and states that a list of third parties should be accessible and regularly updated.) 

But enough about the similarities. Time for a deeper dive into each country’s cookie policies.

France

France bases its cookie laws on the GDPR and ePrivacy Directive and on guidance from the Commission nationale de l’informatique et des libertés (CNIL). CNIL’s most recent guidance was issued in October 2020 and updated instructions around user consent, analytic cookies, and cookie walls. 

Lawful basis for processing and consent

When it comes to the lawful basis for processing, France limits it to either user consent or strict necessity for technical cookies. Consent must be given through positive action and it must be informed consent, meaning the data subjects have been given explicit and clear details about the purposes of the cookies. 

As per CNIL’s guidance, several actions don’t constitute consent:

  • Continuing to browse a website
  • Pre-checked boxes
  • Browser settings

Analytic cookies and consent

According to France’s guidance, organizations don’t have to inform users and collect consent if analytic cookies are being used:

  • Solely to evaluate and measure a website or application’s audience
  • To test a new version of a website or application
  • To generate only anonymous statistics

Cookie walls

According to CNIL’s latest guidance, the cookie wall as a tool isn’t GDPR compliant—consent is only valid if the user chooses to accept cookies without any significant inconvenience or negative consequences. Being denied access to a website would fall into that category. 

Consent retention and lifespan of cookies

As per CNIL-recommended best practices, cookie consent should ideally be valid for six months. Similarly, CNIL recommends that a cookie refusal be retained for the same period of time. 

When it comes to the lifespan of cookies, it shouldn’t be longer than 13 months.
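The consent gate that the requirements list above and the CNIL figures here imply, as an added example (not code from the original post): consents are recorded per purpose, both acceptance and refusal expire after the six-month window, strictly necessary cookies bypass the gate, and every other cookie's lifetime is clamped to the 13-month ceiling. The purpose names, the cookie-jar `Map` and the `recordConsent`/`setCookie` helpers are assumptions for the example.

```javascript
// Added example: consent gating modelled on the CNIL figures quoted in the post.
// The purpose names, the in-memory cookie jar and the helper names are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;
const CONSENT_VALIDITY_MS = 182 * DAY_MS;    // ~6 months: CNIL consent/refusal retention
const MAX_COOKIE_LIFETIME_MS = 396 * DAY_MS; // ~13 months: CNIL cookie lifespan ceiling
const STRICTLY_NECESSARY = new Set(['session', 'csrf']); // assumed exempt purposes

// Record the user's decision per purpose (granular consent) with a timestamp,
// so acceptance and refusal expire on the same schedule.
function recordConsent(choices, now) {
  return { choices: { ...choices }, decidedAt: now };
}

// A decision older than the validity window counts as "unknown" (ask again);
// anything other than an explicit true is a refusal, so pre-ticked defaults
// or continued browsing never become consent.
function consentStatus(record, purpose, now) {
  if (!record || now - record.decidedAt > CONSENT_VALIDITY_MS) return 'unknown';
  return record.choices[purpose] === true ? 'granted' : 'refused';
}

// Gate every cookie write: necessary cookies always pass; all others need a
// current explicit grant for their purpose, and lifetime is capped at 13 months.
function setCookie(jar, record, { name, purpose, lifetimeMs }, now) {
  const necessary = STRICTLY_NECESSARY.has(purpose);
  if (!necessary && consentStatus(record, purpose, now) !== 'granted') {
    return { set: false, reason: `no valid consent for "${purpose}"` };
  }
  const expires = now + Math.min(lifetimeMs, MAX_COOKIE_LIFETIME_MS);
  jar.set(name, { purpose, expires });
  return { set: true, expires };
}
```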

Spain

The Spanish DPA, the Spanish Agency for Data Protection or AEPD, looks to GDPR in putting together its guidance, as well as local laws: Law 34/2002 on Information Society Services and Electronic Commerce, Law 3/2018 on Data Protection and Guarantee of Digital Rights, and the AEPD’s opinions. 

The AEPD’s guidance was updated in July 2020, and organizations were expected to comply by October 31 of this year.

Lawful basis for processing and consent

In Spain, the lawful basis for processing is clear, affirmative consent. However, some privacy professionals have considered Spain’s definition of affirmative consent to be ambiguous.  

Unlike other member states, Spain now considers continued browsing on a website to be a valid form of consent, assuming that adequate notice has been given. Other actions that may constitute valid consent include:

  • Using a scroll bar, insofar as the information on cookies is visible without using it.
  • Clicking on any link contained in the site other than those in the second layer of information on cookies or the privacy policy link.
  • On devices such as mobile phones or tablets, by swiping the initial screen and accessing the content.

Note: these actions are considered valid consent because they are a form of affirmative action. The AEPD is not saying that implied consent suffices.

Analytic cookies and consent

Analytic cookies require consent. (See, sometimes it’s straightforward!)

Cookie walls

The AEPD’s most recent guidance has determined that cookie walls aren’t compliant unless they offer users an equivalent alternative for access without having to give consent.

Consent retention and lifespan of cookies

The lifespan of cookies should match their intended purposes. And given that the AEPD suggests user consent should only last 24 months, cookies should match the lifespan of consent.

UK

In the UK, the DPA is the Information Commissioner’s Office (ICO). While other DPAs in the EU are bound by GDPR, the upcoming Brexit puts the UK in a different position. Questions have, naturally, cropped up.

The UK has committed to following GDPR’s guidelines, but under the guise of a “UK GDPR,” more officially known as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

As such, GDPR won’t actually apply in the UK after December 31, 2020—yes, it’s that soon—but the above regulation nonetheless preserves GDPR’s guidance. ICO also looks to the Privacy and Electronic Communications Regulations (PECR). 

Lawful basis for processing and consent

The user’s consent is the lawful basis for processing under ICO’s guidance. 

If consent is required under PECR for non-essential cookies, organizations can’t fall back to an alternative legal basis under PECR or GDPR (or its replacement). In cases where personal data is involved, the ball is in GDPR’s court and legitimate interests can be used as a legal basis. 

Analytic cookies and consent

Analytic cookies don’t belong to the “strictly necessary” category of cookies. As such, you need to get consent before deploying them. 

Another point to remember for ICO guidance: first-party and third-party cookies are considered distinct. You need consent for both, but as per ICO, valid consent is viewed as harder to get for third-party cookies because of the lack of a direct relationship between the third party and the user. Take extra care to highlight the use of third-party cookies. 

Cookie walls

In other states, cookie walls aren’t generally aligned with valid consent. However, ICO allows for the possibility if it applies to specific content and it doesn’t impede access to the website as a whole. 

Consent retention and lifespan of cookies

ICO doesn’t extend any specific guidance for how consent can be retained nor what the appropriate lifespan of a cookie should be. For both questions, there’s not a one-size-fits-all answer. 

Generally speaking, for lifespan, it’s ideal to limit duration to what is necessary for the purposes of the cookie. Likewise, for consent, you should consider what the function of consent is in the context of use. Does a user visit frequently? Are functionalities changing? Is content updated? Those types of questions should guide you when you seek consent.

Germany

In Germany, GDPR and ePrivacy are applicable, but their DPA, delightfully known as the Datenschutzbehörde (DSB), also provides robust guidance for organizations. That being said, unlike other EU member states, Germany hasn’t entirely implemented Article 5(3) of the ePrivacy Directive.

Instead, there is a debate around whether some provisions within the preexisting German Telemedia Act sufficiently cover the requirements of Article 5(3) of the ePrivacy Directive. Notably, the German Data Protection Conference takes the position that Article 5(3) of the ePrivacy Directive hasn’t been implemented in German law. As a result, according to them, there is no German cookie law and instead, guidance is reliant on GDPR.

Lawful basis for processing and consent

The legal basis for processing in Germany rests on consent, contractual relationship, or legitimate interest, depending on the purpose of cookies and/or tracking tools. 

Analytic cookies and consent

Consent is required for analytic cookies when they result in transferring personal data to a third party. Even then, obtaining consent might not be strictly necessary as long as users can opt out of transferring their data to the third party.

Cookie walls

As a rule, consent for cookies must be voluntary according to Germany’s guidance. Anyone wanting to access a site or application needs to be able to refuse cookies without negative consequences. In other words, access should be allowed even if cookies are refused.

Consent retention and lifespan of cookies

Germany doesn’t have specific local guidance on retention of consent and the lifespan of cookies. As a result, policies default to GDPR and ePrivacy. 

Cookies Around the World

Cookies in the EU, of course, aren’t limited to France, Spain, the UK, and Germany—each member state either has or has the ability to develop guidance on how cookies should be handled. And, don’t forget, these are just European cookies. Brazil, China, India, and Australia are just some of the other countries with privacy regulations in place that address cookies. 

Cookies are complex, but they’re a critical part of your privacy practices. If you haven’t had your fill of cookies yet, we’d love to help you customize your cookie practices to your EU audiences. Drop us a line to schedule a consultation today.