Category: Privacy

Our favorite time of the year is finally here—and yes, we know the winter holidays have already come and gone. But as much as we may love warming up with a cup of hot cocoa (topped off with unreasonable amounts of marshmallows, please!), there’s one day that holds a special place in our hearts: January 28th is World Data Privacy Day.

And while there aren’t any seasonal beverages to enjoy along with it, we think Data Privacy Day represents something fundamental: the right of every person to control their own personal data with the confidence that it won’t be shared, sold, or otherwise exposed without their consent. 

World Data Privacy Day: a short background

Observed annually worldwide, Data Privacy Day honors the signing of Convention 108 in 1981, the first international treaty to deal with privacy and data protection. 

1981 was a long time ago, though.  

Since then, generations of activists, lawmakers, and ordinary citizens have advocated long and hard for a future where an individual’s right to control their private data doesn’t get lost in the crowd.

That’s why we like to look at January 28th as something like a Data Privacy New Year’s for our industry: it’s a chance to stop and acknowledge the progress we’ve made, celebrate our privacy accomplishments, and look ahead to the work that still needs to be done. 

Data privacy day? Let’s make it a week (or even a year)

This year, the National Cybersecurity Alliance decided to expand its Data Privacy Day campaign to cover an entire week (Data Privacy Week), to which we say, why not? After all, privacy is an ongoing issue, and there’s only so much work you can do in a day.

In fact, we’d like to propose an even more ambitious idea: what if we made 2022 a Data Privacy Year? Because as much as we love the 28th, the things you do on those other 364 days are more important. 

Three good reasons to make data privacy your New Year’s resolution

We know the ball dropped weeks ago (and some of us even managed to stay up long enough to see it), but that doesn’t mean it’s too late to make a few more resolutions. 

Our suggestion? You guessed it: making data privacy a priority. From legal compliance to business considerations to just straight up doing the right thing, here are a few good reasons to keep data privacy top of mind as you plan for your business’s future in 2022.

1. Regulatory compliance

Convention 108 was left all by its lonesome for a long while, and lax (or nonexistent) data privacy laws allowed dangerous privacy practices to thrive. Consumers’ private information was often collected and sold without their knowledge or consent, and insufficient data security measures led to high-profile breaches of private consumer data.

Thankfully, Convention 108 finally got help. If your company sells products or collects data from users, you’re probably already familiar with the EU’s General Data Protection Regulation (GDPR), adopted in 2016. This far-reaching privacy and data security law placed a wide range of restrictions on how organizations collect, store, and use consumer data—at least within the EU. 

Since then, several US states have joined the EU in creating consumer privacy regulations, including the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

More state laws are likely to follow, and for those who care about consumer privacy, that’s cause for celebration. But it also means that companies need to carefully monitor their regulatory compliance obligations. Failing to prioritize privacy issues in the coming years could put your company on the wrong side of the law if you ignore policy changes.

2. Privacy is what your consumers expect

Even if you put regulatory concerns aside, prioritizing data privacy is simply good business. Consumers are increasingly aware of how their private data is being collected and used, and most Americans now report concern over companies’ use of their personal information.

That gives your company an excellent opportunity to differentiate itself by putting privacy first. In fact, a whopping 97% of companies report one or more tangible benefits after investing in robust privacy policies, from more significant competitive advantages to lower data-breach losses to increased investor appeal. 

(And that’s not a bad way to start the year.)

3. It’s simply the right thing to do

No matter what your industry is or who your consumers are, your relationship with the people you serve is built on trust: trust in your professionalism, trust in the quality of your goods or services, and trust that your business will uphold its core values.

Data privacy efforts are one way to pay them back for that trust. Each of your consumers is a living, breathing human being who has a right to privacy and control of their personal data, and helping them protect that right is an excellent New Year’s resolution.

Seven resolutions for a privacy-first 2022

Look, we know that staying true to your resolutions is hard (raise your hand if you’ve already broken the ones you made on New Year’s Eve). 

But when it comes to data privacy, staying ahead of the trends is a year-round effort, and it helps to have a plan you can commit to. Here are seven goals to keep the privacy fire burning bright when Data Privacy Day is just a warm and fuzzy memory.

1. Start with awareness and empathy

Successful privacy efforts need to go deeper than policy—you also need to foster a culture that values your privacy plans. And one of the best ways to do that is to remember the people you serve.

Whenever you implement steps to keep your clients’ and customers’ data safe, you’re also protecting the legal and ethical rights of the people who trust you. Keeping an awareness of this responsibility top-of-mind can help you fuel your efforts with empathy, even when breaking your privacy resolutions is oh-so-tempting.

2. Train and educate your team

Setting goals is admirable, but implementing real and lasting change requires full-team buy-in and participation. If you want to create a company culture that values privacy, you’ll need to equip your team with the knowledge they need to put privacy first.

That involves clearly articulating your privacy goals to your team, providing them with opportunities to engage with your privacy policies, and making it as easy as possible for them to comply. Instituting company-wide use of privacy and security measures like VPNs, encryption, and two-factor authentication can help make privacy awareness the norm.

3. Plan for 2023 (and ’24, and ’25 . . .)

Another thing to reflect on as we enter a new year: didn’t that last one go by really fast?

There’s simply no stopping the future from rolling on in, and data privacy regulations are now evolving more quickly than ever before. By 2023, it’s estimated that modern data privacy regulations will cover the personal data of 65% of the world’s population. 

That’s a lot of new privacy laws to keep up with. If you’re planning on staying ahead of new compliance demands, you’ll need to start future-proofing your privacy efforts today. And while you can’t perfectly predict the privacy demands of tomorrow, implementing a robust privacy program based on today’s best practices and current data protection laws will set you up for success as the years roll by.

4. Put the cookie jar down

Speaking of future-proofing, one of your priorities right now should be to move beyond reliance on third-party cookies. With data protection regulations like the GDPR requiring explicit user consent before most third-party cookies can be set, even major browsers are now dropping support for third-party cookies. 

Thankfully, the kind of cookies you eat is still on the table—and there are plenty of viable ways to move toward a cookieless future.

5. Build a robust preference center

As third-party cookies quickly become a thing of the past, the preference center is stepping up to become your new privacy best friend. Preference centers give your site’s users all the tools they need to opt-in or out of the collection or use of their data.

It’s a vital way to stay in compliance with privacy regulations and an easy way to build trust with your site’s users. 

6. Data mapping

One of the cardinal rules of responsible data collection: never collect or keep data you don’t need. 

But how do you get started if you don’t know what data you have? Enter data mapping, an irreplaceable tool for taking stock of the data you’re collecting, where it’s coming from, how (and how long) you’re storing it, and how it’s being used. 

Building one out should be a priority if you don’t have a data map yet. Thorough data mapping helps your company stay compliant and can serve as the first step toward effective preference centers.

7. Work with a privacy consultant

All of the above resolutions are well worth the effort, but when you’re navigating the increasingly complex world of privacy regulations, sometimes you just need some extra professional help.

Working with an experienced data privacy consultant is one of the best ways to ensure your efforts don’t go to waste. Letting privacy professionals take the lead this year can take the load off your shoulders while allowing for a more informed and comprehensive strategy.

Contact us if you’re ready to make 2022 your Data Privacy Year. We’d love to help you move your data privacy program forward.

There are a lot of *aaS-es in the world of cloud-based computing.

No, no. 

That’s not what we meant.

We’re talking about X-as-a-service options.

First, there was SaaS, or Software as a Service. Originating in the 1960s as terminal keyboards networked to a mainframe computer in a hub-and-spoke system, SaaS has been in continuous evolution as personal computers became less expensive and more popular. Businesses needed a way to preserve hard drive and server space while simultaneously making huge amounts of data and complex programs universally accessible to employees.

The rise of cloud-based computing meant SaaS became the norm for, well, everything. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) evolved to allow for new application design capabilities and meet the demand for virtual data centers.

But SaaS and PaaS aren’t the only players here. 

The rush of eCommerce, social media, and digital marketing, advertising, and communications in the 2000s and 2010s was transformative for our work and personal lives. We connected, communicated, and consumed in totally new ways, all of which generated massive amounts of data—without much oversight. 

It was a bit exhilarating for those who love working with data. But it was a lot concerning for those whose minds were on the privacy implications for all that data. 

Enter privacy regulations. 

These unregulated information collection and sale practices came to a screeching halt when the European Union passed the General Data Protection Regulation in 2016 (in force since May 2018), the first comprehensive modern data privacy law. 

The GDPR dramatically changed how businesses obtain consent to collect and process user information, leading governments around the world to follow suit and pass data privacy laws of their own. 

In the United States, the California Consumer Privacy Act, or CCPA, was the first digital privacy law enacted to protect American consumers. Colorado and Virginia have passed similar laws, and numerous states have bills ready for the 2022 legislative session. These laws have been led, in part, by vigorous consumer privacy advocates, who have pushed for greater privacy protections and greater transparency from businesses. 

This seismic shift in how we view digital privacy, combined with new obligations for website owners, has created a new kind of *aaS—data privacy as a service, or DPaaS.

And businesses are working hard to catch up with both privacy laws and consumer expectations. 

What is DPaaS?

By definition, DPaaS is the outsourcing of a business’s privacy functions. 

So DPaaS helps with “privacy”…but what does that mean? 

It means a lot of things. Keeping your data collection practices in a state of ongoing compliance. Tracking your risk assessment across internal teams, external partners, and third-party vendors to reduce risks of data breaches. Helping scale privacy processes. 

DPaaS technology can utilize SaaS and PaaS solutions that:

  • Launch privacy notices at the right time
  • Manage cookie notification and consent processes
  • Identify cybersecurity risks
  • Assist in fulfilling data subject access requests (DSARs) or individual rights requests
  • Automate notifications and containment measures after a breach is detected
  • Enable compliance with multiple regulations across regional jurisdictions
  • Provide data backup, storage, or disaster-recovery services

Non-tech DPaaS solutions, on the other hand, can come through fractional privacy officers who provide experienced guidance on things like data inventories, vendor management, risk assessments, employee training, and overall privacy strategy. 

FPOs don’t just help with the meat-and-potatoes of privacy practices, though—they help you figure out how to implement DPaaS tech in a way that’s effective and sustainable for your company.

DPaaS vs. cybersecurity

We can’t get too much further in the DPaaS discussion without pointing out the differences between DPaaS solutions and cybersecurity measures.

Data privacy and data protection are a chicken and egg situation. They’re closely related, and you can’t have one without the other, but they aren’t the same thing.

Where data protection/cybersecurity is all about protecting data from unauthorized users, data privacy focuses on figuring out who can access data, when they can access it, and what they can do with it. 

Think of it this way:

  • Cybersecurity (aka data protection) stops a hacker or unauthorized user from getting access to a user’s personal information.
  • Data privacy is about how a business collects, uses, or shares an individual’s personal information, as well as how a business communicates its policies and the choices it makes available to customers.  

A good cybersecurity program will be built around privacy obligations (e.g., least-privilege access, network policies, etc.), and a good privacy program will in turn strengthen cybersecurity measures.

DPaaS for consumers

While privacy compliance is driving the development of  DPaaS right now, this increased focus on protecting privacy on an individual level is leading to the creation of privacy management apps and products for consumers. 

Crunchbase says that at least 207 privacy startups have raised over $3.5B in funding, and many of these companies are determined to make it easier for normal people to navigate the internet’s complex privacy landscape.

Some of these up-and-coming products let users figure out which businesses have collected and stored their sensitive personal information, while others help people track how businesses are using data they’ve willingly shared. 

No matter what the tool does, there’s no question that consumers are becoming exponentially more privacy-savvy. That savvy, combined with consumers’ increased expectations for personal control of their own information, gives businesses plenty of non-compliance reasons to get their privacy ducks in a row.

Benefits of DPaaS for businesses

Getting ahead of privacy is important. We’ve said it before—and we’ll definitely say it again. But there are lots of ways to build a privacy-first mindset in your business. Why should you consider DPaaS?

Decrease the risk of data breaches 

This reason, let’s be honest, is an important one for businesses. Data breaches are a problem. Data breaches in 2021 topped the already-record-breaking year of 2020—by 17%—and the year's not quite done yet. 

DPaaS solutions can identify and contain risks and reduce some of the human error that inevitably occurs, well, in any task that’s handled by people. 

Privacy improves your brand value—and customer relationships

Taking a transparent, consumer-friendly stand on privacy builds trust with your customers. When you make a clear, unambiguous commitment to protecting your customers' personal information and then take action to make that commitment real, your customers will trust you over competitors. Now, you can do this without DPaaS services…but….

DPaaS streamlines your privacy practices

Privacy operations can get pretty unwieldy. 

But with the right tools? You can build better—more up-to-date, actionable—data collections. You can automate privacy functions. You can manage data privacy requests from customers with ease. You can scale your operations smoothly.  

At least that’s the goal!

Is DPaaS right for you?

DPaaS, in theory, can help bridge the gap between where you want to be, privacy-wise, and where you are currently. 

According to IAPP, the world’s largest and most comprehensive privacy community, there has been a 17% increase in the number of companies exclusively dealing in enterprise privacy tech solutions.

But just because privacy solutions are technically available doesn’t mean that all businesses have the resources to implement them. DPaaS tools require knowledge of how privacy regulations work. 

What we’re really saying is that privacy solutions don’t necessarily equate to answers. In fact, products on their own are just one factor in the equation. The other factor is how you use them—or who you have to use them. 

Isn’t it ironic: Privacy is a team activity

Privacy expertise can be costly. It can be time-consuming to try to wrap your head around the newest privacy laws, only to have regulations shift on you at the last minute. (Yes, we’re looking at you, CCPA/CPRA!) 

But here’s the thing: when you incorporate DPaaS tech solutions with someone like a fractional privacy officer—the type of person who lives, eats, and breathes data privacy—you can get great results without spending hours trying to translate your jargon-filled privacy policy into something readable or deciphering the data inventory that your erstwhile head of legal wrote for your business. 

If you need help designing a compliant, consumer-friendly privacy program for your company, let us show you what Red Clover Advisors can do.

Until the mid-2010s, there were almost no comprehensive laws protecting digital privacy for anyone except children, and even those laws were few and far between.

This lack of government oversight gave industries almost no motivation to create best practices governing what types of data could be collected or how it could be used. While there were a few outliers, businesses generally assumed more was, well, more, and often collected more consumer data than they needed or could protect.

The rise of e-commerce and ad targeting technologies made consumer data the most valuable currency of the modern economy. And if history has taught us anything, it’s that bad guys can’t resist the currency du jour. Like pirates who hoarded treasure and outlaws who robbed trains, hackers started attacking everyone from major international corporations to regional companies to neighborhood businesses.

Add on top of that the misuse and sharing of data, and it’s easy to see why it became critical to put in place modern era privacy laws. 

The birth of digital privacy law

This surge of consumer outrage and government activism resulted in the first comprehensive privacy regulation, the European Union’s General Data Protection Regulation (GDPR). Passed in 2016 and effective in 2018, it completely changed the data privacy landscape for companies that operate in or collect information from residents of the EU.

The GDPR established regulatory obligations for all member countries, but so far the United States has opted for a sectoral approach, with laws for different sectors such as health (HIPAA), finance (GLBA), and email (CAN-SPAM). With no national framework, the result has instead been a patchwork of privacy laws built state by state.

With the California Consumer Privacy Act (CCPA), California was the first state in the U.S. to pass a comprehensive data privacy law. Virginia and Colorado followed suit this year, and a record number of state-level data privacy bills were introduced in 2021 legislative sessions.

What is consent?

Very little in privacy is straightforward, and that’s especially true when it comes to consent. Getting consent to collect an individual’s information doesn’t necessarily give a company the right to use or sell that information—unless that’s been clearly specified to the individual that’s how the data is going to be used. 

Building an effective consumer privacy program requires obtaining consent for the collecting, processing, selling or sharing, and storing of individuals’ personal data as well as for when and how you contact them.

Most countries require opt-in consent, but U.S. laws are more commonly centered on an opt-out model.

Yes, please! (How opt-in consent works)

Opt-in consent, the strictest of all consent requirements, is considered the gold standard of digital privacy best practices because it puts the burden of managing consent squarely on the organizations that collect and process data, not on the individual. Additionally, opt-in policies institutionalize and standardize privacy practices, giving all users fundamental protections online.

Under opt-in laws, a user must take clear, affirmative action consenting to the collection or data processing of their information. This obligation can be satisfied in several ways, including:

  • Giving users the opportunity to consent to the processing of their personal information, using clear and plain language
  • Placing unchecked checkboxes on your website so users can choose whether their data is processed or sold (Note: because they don’t require users to actively agree to anything, pre-ticked checkboxes don’t meet the requirements of opt-in laws)
  • Using a cookie consent manager that allows users to accept or deny consent for specific categories of cookies

Most privacy laws with opt-in consent also stipulate that individuals who opt-in have a permanent and easily accessible way to withdraw their consent at any time. 

No, thank you. (What opt-out consent looks like)

Unlike opt-in frameworks, opt-out consent requirements make individual users responsible for protecting their personal information and managing how companies use it.

Opt-out systems default to giving companies the right to collect and process personal information as long as they have both notified users of their privacy practices and given them opt-out options.

In practice, this looks like those pre-ticked boxes that say “Yes! I agree to receive information about XYZ’s new cat-cleaning products, as well as emails from all of their partner companies.” Unless a customer removes the checkmark, the company and its vendors can pretty much do whatever they want with the data, from sending marketing emails every five minutes to selling their email addresses to the highest bidder.

Consent isn’t as black and white as it seems

Here’s the tricky part: consent is either given or it isn’t, but it’s also layered and specific to a purpose. Consenting to cookies isn’t the same as consenting to receiving marketing emails, and consenting to either isn’t the same as consenting to the sale of personal data. 

The type of consent needed depends on the governing regulations, but there are five general categories of consent:

  • Notice only (e.g. simply notifying users that tracking cookies are active on your site)
  • Implied consent (aka soft opt-in, meaning users are notified about privacy practices but continue using the site/make a purchase without activating any opt-out options)
  • Explicit consent (user gives clear, unambiguous consent for their data to be used in a certain way)
  • Mixed consent (exactly what it sounds like: this model employs notice only, implied, and explicit consent options depending on the function, i.e., notice only for strictly necessary cookies, implied consent for performance cookies, and explicit consent for advertising cookies)
  • Do not track/sell/share: under a pre-existing California law, websites need to disclose whether they honor a browser’s “do not track” signal. If you sell data or share it with a third party, that could be considered a sale under California law—meaning you need to give individuals the option to opt out. To make it easier, there are ad industry self-regulatory frameworks that allow users to opt out of advertising and analytics, like
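To make the opt-in rules above and the mixed consent model concrete, here is an added example (our own illustration, not code from any consent-management product) of a small consent gate for cookie categories. It assumes three categories (strictly necessary, performance, advertising), one consent model per category as in the mixed model described above, and treats one further page view after the notice as the “continued use” that implied consent relies on; all of those names and thresholds are assumptions. Note that a pre-ticked default is deliberately ignored, and that withdrawing consent is a single call.

```javascript
// Added example: a minimal "mixed consent" gate for cookie categories.
// Category names, the policy mapping and the page-view threshold are assumptions.
const CONSENT_MODEL = Object.freeze({
  NOTICE_ONLY: 'notice_only', // strictly necessary cookies: may always be set
  IMPLIED: 'implied',         // performance cookies: set after notice + continued use
  EXPLICIT: 'explicit',       // advertising cookies: set only after an affirmative opt-in
});

// Assumed policy: which consent model governs each cookie category.
const POLICY = Object.freeze({
  strictly_necessary: CONSENT_MODEL.NOTICE_ONLY,
  performance: CONSENT_MODEL.IMPLIED,
  advertising: CONSENT_MODEL.EXPLICIT,
});

class ConsentManager {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.noticeShown = false;
    this.pageViewsAfterNotice = 0;
    // Explicit choices recorded per category. Nothing is pre-ticked:
    // the absence of a record means "no consent", never "yes".
    this.choices = new Map();
  }

  showNotice() { this.noticeShown = true; }

  // Call on each navigation after the notice; continued use of the site
  // is what implied consent (soft opt-in) relies on.
  recordPageView() { if (this.noticeShown) this.pageViewsAfterNotice += 1; }

  // Record an affirmative choice. `fromDefault` flags a value submitted by a
  // pre-ticked box: a default is not an action by the user, so it is ignored.
  recordChoice(category, granted, { fromDefault = false } = {}) {
    if (!(category in this.policy)) throw new Error(`unknown category: ${category}`);
    if (fromDefault) return false;
    this.choices.set(category, Boolean(granted));
    return true;
  }

  // Withdrawal must be as easy as giving consent; it simply records "no".
  withdraw(category) { this.recordChoice(category, false); }

  canSet(category) {
    const model = this.policy[category];
    if (model === undefined) return false;
    // An explicit "no" overrides every model except notice-only.
    if (this.choices.get(category) === false && model !== CONSENT_MODEL.NOTICE_ONLY) return false;
    switch (model) {
      case CONSENT_MODEL.NOTICE_ONLY: return true;
      case CONSENT_MODEL.IMPLIED: return this.noticeShown && this.pageViewsAfterNotice >= 1;
      case CONSENT_MODEL.EXPLICIT: return this.choices.get(category) === true;
      default: return false;
    }
  }

  // Categories a page is currently allowed to set cookies for.
  allowedCategories() {
    return Object.keys(this.policy).filter((c) => this.canSet(c));
  }
}

// Walk-through over a constructed sequence of user events.
function demo() {
  const cm = new ConsentManager();
  const before = cm.allowedCategories();                       // only strictly necessary
  cm.showNotice();
  cm.recordChoice('advertising', true, { fromDefault: true }); // pre-ticked box: ignored
  cm.recordPageView();                                         // continued use => implied
  const afterBrowsing = cm.allowedCategories();                // + performance
  cm.recordChoice('advertising', true);                        // a real click
  const afterOptIn = cm.allowedCategories();                   // all three
  cm.withdraw('advertising');
  cm.withdraw('performance');
  const afterWithdraw = cm.allowedCategories();                // back to strictly necessary
  return { before, afterBrowsing, afterOptIn, afterWithdraw };
}
```

The point to carry over into a real preference center is the asymmetry: the only thing that ever unlocks an explicit category is a recorded affirmative choice, while a recorded “no” shuts any non-essential category off regardless of how the page was reached.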

The secret sauce that fixes everything

Whether your business needs to implement opt-in or opt-out consent policies, you must understand the type of consent needed to set cookies on your website, send marketing emails, process data, and sell data.

As privacy consultants who excel at helping businesses develop compliant but practical consent solutions, we know that both opt-in and opt-out processes have enough in common that the steps for setting up both are basically the same.

According to OneTrust and our years of experience, these steps are:

  • Know your obligations

Not only do you need to understand which privacy regulations your business is subject
to on a local, national, and even global level, but you also need to be aware of industry
regulations (think HIPAA or the Gramm-Leach-Bliley Act) and vendor or customer

  • Understand your risks

Conducting a risk analysis will show you where your data is at risk. Poor vendor
cybersecurity practices, lax internal permissions protocols, overaggressive data
collection processes, or non-compliant marketing programs all expose your business to
possible fines, breaches, and reputational damage.

  • Map your data

A data map, also known as a data inventory, documents the flow of data as it travels through your company. Several privacy laws mandate that businesses have a lawful basis for collecting information, and a data inventory will tell you what you’re collecting and from whom, why and how you’re collecting it, and where and how long you’re storing it.

Mapping your data is the best, fastest way to understand your data at a granular level,
which makes getting compliant much, much easier.

  • Create a privacy-first culture

An opt-in or opt-out program won’t work if the people at your company—from the CEO to
front-line employees—don't understand and believe in it. A privacy-first culture means
every department plays a role in your privacy program and that privacy
training is a regular part of staff meetings, company newsletters, and marketing

  • Set up individual rights requests processes

Virtually all privacy laws give individuals the right to change their opt-in/opt-out status,
correct inaccurate information that’s been collected, or delete their information from a
company’s database through a process known as an individual rights request.

It’s important to have efficient processes and clear lines of communication set up
company-wide so you can meet the strictly mandated timelines for responding to and
resolving a user’s request.

Consider building a preference center

A preference center is a page on your website or in your app that allows users to opt-in or opt-out of marketing communications, the sharing or sale of personal information, and even cookies quickly and easily. It’s one of the easiest ways to quickly get compliant.

Opt-in to our consulting services

At Red Clover Advisors, we have the experience and knowledge necessary to help you achieve your brand’s goals of becoming a privacy-friendly company that is compliant with privacy regulations and best practices. Give us a call today to see what we can do for you.

A long time ago in a galaxy far, far away, all banking had to be done in person. Mobile deposits didn’t exist, stocks couldn’t be bought and sold on a cell phone, account statements were snail-mailed, not emailed, and friends had to pay each other back with actual cash.

Fintech changed all that. 

Like Bennifer and Brangelina before it, fintech is the celebrity couple name for the increasingly important and prevalent intersection of the financial services industry sector and the technology sector. 

Advances in mobile and ecommerce tech capabilities have affected every part of our economy, but almost no industry has been shaken up by these changes as much as banks and investment firms. Although these industries were once firmly in-person, brick-and-mortar operations with the power balance heavily weighted against consumers, fintech has:

  • Automated many financial services processes
  • Accelerated the growth of the startup economy 
  • Increased industry focus on omnichannel experiences (individualized customer touchpoints across apps, email, social media accounts, websites, etc.)
  • Enabled creation, use, and acceptability of cryptocurrencies (Bitcoin, Dogecoin, etc.)
  • Disrupted the loan market
  • Deepened business’s dependence on Big Data to analyze and understand risk

Fintech’s prevalence and success, however, means that the industry is relentlessly attacked by the Dark Side, er, hackers on the dark web, who pursue it just as Darth Vader pursued the heroes of Star Wars across the galaxy. 

In this complicated environment, a strong data privacy program can act like the Force that made Jedi so powerful. It can warn you of incoming threats, protect you from multifaceted attacks, and show you your company’s strengths.

The Force Awakens: Fintech’s Rise

The fintech origin story began in 1866 with the successful installation of the first lasting transatlantic telegraph cable. The launch of credit cards in the 1950s and the introduction of ATMs in the 1960s led to increased digitization of financial institutions, which in turn facilitated the creation of digital stock exchanges and SWIFT, a secure messaging network still used by banks and investment firms to quickly, accurately, and securely send and receive payment instructions and other information.

The growth of ecommerce in the 1990s and early 2000s also played a significant role in the expansion of the fintech industry, but the fintech we know today started when the global market crashed in 2008. As distrust for traditional banks, mortgages, and investment firms spiked dramatically, plenty of entrepreneurs were ready to give consumers innovative new ways to manage their money.

Fintech has expanded and changed more in the last 10+ years than it did in the first 125. EY found that global adoption of fintech services grew from 16% in 2015 to 64% in 2019. With the ongoing pandemic increasing our reliance on virtual solutions for nearly everything, fintech use in Europe alone has increased 72% since 2020.

According to PWC, other drivers of fintech dominance include:

  • A younger average workforce
  • Rapidly increasing urbanization
  • A growing global middle class
  • Increasing use of mobile apps for financial transactions

The Empire Strikes Back: Current Privacy Threats in Fintech

In Star Wars canon, the Rebel Alliance’s successful destruction of the first Death Star results in swift and harsh retribution from the Galactic Empire. By the end of The Empire Strikes Back, the secret base on Hoth is destroyed, the Alliance is scattered across the galaxy, Han is frozen in carbonite, and Luke is down a hand but up one evil dad. 

Just as the Rebels’ success brought new problems, fintech’s increased importance in our lives means the fintech industry is facing a new and ever-growing threat matrix.

Because they enable access to real-time financial data and other sensitive personal data like social security numbers and credit card details, fintech firms were a primary target for hackers even before COVID. 

Current security challenges include:

  • Modernization of legacy systems that do not have adequate data security capabilities
  • Undersecured mobile apps
  • Processing consumer data using third-party vendors with poor protections
  • Phishing, spoofing, and other social engineering techniques
  • Synthetic identity fraud
  • Transaction fraud

The biggest threats facing fintech aren’t that different from the threats facing everyone else, but the economic, reputational, and individual ramifications of fintech data breaches are staggering.

Fintech data usage

Another issue facing fintech that can be spun into a positive: how data is collected and used, and how consumers feel about it. When users provide information for financial purposes, their intent is different than when making an online purchase for a pair of shoes or a new light fixture. Financial information is sensitive and very personal to individuals.

Fintech companies need to design their practices to address those expectations. Make it clear how data is shared, which pieces are shared, and what users should expect. Even if the law, which is often a grey area, allows this sharing, customers might not be willing to accept it.

Take Venmo for example. Transactions are shared via a social feed when you log in, but users have the option to make their transactions private. This approach raises the question of what truly gives consumers the greatest privacy control. Because Venmo takes an opt-out rather than opt-in approach, users who didn’t change the setting, or who are unaware of the feed, could be unknowingly sharing their financial transactions.

To provide the greatest level of consumer control over privacy, opt-in should be the privacy-by-design approach companies choose.

A New Hope: How to Protect Privacy and Still Profit

People often talk about data privacy and cybersecurity like they’re the same thing, but they aren’t. They need each other, but they have nuanced differences. Where cybersecurity focuses heavily on solutions for securing consumer data, data privacy is a more holistic approach that combines tech, process, and people to instill a culture of privacy best practices while focusing on the use and collection of data. 

In A New Hope, the first movie in the Star Wars saga, Luke, Leia, and Han provide the Rebel Alliance with the missing pieces of their battle plan. We’re here to give you the keys you need to protect your customers from the Dark Side by building a strong, cost-effective data privacy program.

Create cross-functional compliance

You can’t have a good privacy program without input from every department in your organization. Your customer service reps who access private data to verify mobile payments need to be following the same standards as your marketing team does when they send customized promotion information and as your IT department does in managing the technical details of a transaction.

But while the standards need to be the same, the processes may not be. Depending on what platforms your teams use and how matrixed your company is, the way teams achieve privacy compliance may look different.

To ensure all your teams are working towards the same goal, it’s crucial to create a cross-functional task force that allows departments to collaborate on troubleshooting, process updates, and employee training.

Define your data

All fintech firms need to analyze their data collection practices, but this is especially true for financial technology companies that use legacy programs. If this is you, listen up.

The more data you have, the more access points hackers have. The older the systems your data is on, the less likely it is to be well-protected.

The best way to figure out if you’re collecting data you don’t need, keeping it too long, or storing it unsafely is through what privacy experts call data mapping. Also known as a data inventory, data mapping involves following a data record through its entire journey in your system.

Figuring out what types of consumer data you’re collecting, which consent options fire at collection, who the data is shared with, what your teams are doing with it, where you’re storing it, how you’re protecting it, and how long you’re keeping it will help you identify vulnerabilities and opportunities for improvement.

Analyze your access

One of the easiest, most low-tech ways to protect your data is to restrict access to it. If you use legacy platforms, data mapping may even show you that former employees still have access to databases, entry-level employees can get into what are supposed to be highly secure files, and vendors can enter records that have nothing to do with their contracts. 

By using the principle of least privilege, which gives employees the minimum amount of data needed to complete their job, you can instantly eliminate risk.

Vet your vendors

Hackers know that it’s much easier to breach a small company that sends customers notifications of payment details than it is to hack an actual bank. And, increasingly, that’s exactly what they’re doing.

There’s nothing worse than paying the price for a mistake you didn’t make. Take some time to ask your vendors about their privacy practices. If they don’t match yours, ask them to up their game or find a new provider. 

Train your teams

Just like you want every department on your privacy planning team, you need to make sure employees in every department are getting the same privacy training. Almost all data breaches are caused by human error. Whether it’s clicking a suspicious link, opening an infected attachment, or using a weak password, your employees can either be the best defense or the biggest liability your privacy program faces.

Spending a little bit of time in every staff meeting, email blast, or company-wide event setting clear expectations for how financial account information can be used, who can access it, and how to avoid fraud will deliver a huge ROI.

Do or do not. There is no try.

Here’s a hard truth—if you aren’t actively working on a data privacy program, you’re setting yourself up to fail. 

Rome wasn’t built in a day, and you don’t have to create a just-add-water program that launches with all features all at once. 

But you also can’t expect to avoid hacks with half-measures.

Forty percent of fintech businesses that have invested in upgrading their cybersecurity and privacy systems have seen a return two to three times over their initial investment. On a basic, bottom-line level, implementing data privacy best practices is a sound business strategy.

But even more importantly, proactive privacy efforts can improve your reputation with both consumers and clients while saving you from embarrassing breaches.

Red Clover Advisors is a privacy consulting firm that specializes in helping businesses design and implement practical, functional privacy strategies. Give us a call to see how we can help you.

Hint: privacy is the right thing. 

Do the right thing as marketers to build trust.
Jon Dick, VP Marketing, HubSpot

For marketers, privacy can be a four-letter word. After all, your entire job is to get your message in front of as many people in your target audience as possible. 

But as people who specialize in creating and capitalizing on trends, most marketers also realize privacy is a trend with long-term staying power.

To be a successful marketing agency in this new privacy era, digital marketers have to understand the value consumers place on their privacy and understand an ever-growing body of privacy legislation. 

Consumers care about privacy. A lot.

Almost 92% of Americans are concerned about their privacy when they use the internet. The same number of people think companies need to be proactive about protecting the consumer data they collect. 

Most importantly, 87% of consumers think data privacy is a human right.

Driven in large part by the Facebook-Cambridge Analytica scandal and dramatic increases in major data breaches that have exposed millions of sensitive data records, consumers have started demanding increased transparency about the privacy practices of both their favorite companies and of the billion-dollar data brokerage industry.

In 2019, Cisco found that nearly one-third of consumers are willing to change how they shop online and who they shop with to protect their privacy. 

Businesses that ignore this groundswell of consumer support for privacy risk revenue and reputational losses. As a marketing agency, figuring out how to balance communicating privacy as a brand value with promotional messaging is crucial to your future success.

Governments care about privacy too

In 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect and changed consumer privacy forever. 

The world’s first comprehensive consumer privacy law, the GDPR, strictly regulated how companies that operate in or collect personal information from residents of the EU can collect, process, share, and store their collected data.

The United States doesn’t have a comparable federal privacy law, but multiple states (California, Virginia, and Colorado) have passed comprehensive consumer privacy laws that are in some degree similar to the GDPR, and more laws are being passed every year. 

Even though best practices are still being established, regulations are just going to keep coming.

Privacy compliance checklist

Almost every type of marketing is impacted by privacy regulations. But don’t let that scare you! Successful, privacy-compliant marketing is doable. Here’s how.

1. Probe your privacy policies

When we say “your,” we mean your agency policy and your client’s policy. 
Most new privacy laws require compliance from both data controllers (the entity collecting data) and data processors (the entity using the data, usually a vendor). Because data controllers can be held liable for data exposed in breaches of their non-compliant vendors, most companies won’t even work with vendors that haven’t updated their privacy policy.

As a marketing agency, you can be a data controller or a data processor. Sometimes you might be both, which means your privacy policy needs to be rock solid.

A few of the key points that your updated privacy policy should detail include:

  1. What personal data (name, address, phone number, email, location, etc.) you collect 
  2. Why (e.g. email marketing campaigns) and how (contact forms, cookies, weblogs, etc.) you collect the information you do, with whom you share it, and if you sell it as defined by the applicable law such as CCPA
  3. Who has access to the information you collect
  4. What choices the individual has and how the individual can make an individual rights request
  5. What data security measures you are using
  6. How you will tell your users about updates to your privacy policy 
  7. How and how quickly you will tell users about a breach

Once you know your privacy policy is up to regulatory snuff, you need to make sure it also matches up with your clients’ policies. 

If you have non-compliant clients, you can push them to create a new policy. Trust us, they will thank you for saving them from fines and injunctions.

And clients who already have an established privacy program will trust you more if you can prove privacy is as important to you as it is to them.

2. Cooperate and collaborate

To succeed in digital marketing, you have to be good at multitasking and at building relationships. These abilities can be a huge asset when it comes to privacy compliance.

Because your agency can be both a controller and a processor working across multiple systems, establishing strong, collaborative relationships with both your own IT and legal teams as well as your client’s IT and legal teams is critical to developing processes that actually work and do so smoothly for everyone.

3. Organize operations for opting-in or opting-out

Like the invention of caller ID, consumers love opt-in and opt-out regulations.

Marketers…not so much. But it’s not as bad as it looks from the outside.

GDPR = opt-in

The GDPR is built on an opt-in foundation. To achieve GDPR compliance, companies cannot collect any personal information from a consumer, share collected consumer information, or contact consumers without acquiring explicit consent. 

For marketers, this means that even if you have a huge email list with thousands of verified email addresses, with very few exceptions you can’t send emails to that list until you’ve verified the recipients have agreed to receive your emails.

CCPA/VCDPA/CPA = opt-out

By contrast, most US laws are based on allowing consumers to opt out of the collection, processing, sharing, or sale of their personal data. Under the new VCDPA and CPA laws, individuals need to opt-in to the use of their sensitive data. They can also opt out of receiving any marketing communication from you.

Opt-in to opt-in

Understandably, many marketers would prefer an opt-out system. Opt-out requires more engagement from users, which means you’ll probably be able to keep more data and continue contacting more people. 

While opt-in takes more work for you upfront and might initially shorten your email list, opt-in is the better, um, option long-term. 

Giving users the ability to choose the frequency and type of communication they receive from you and then honoring their choices will build more trust and loyalty with your target audience than any marketing campaign ever could.

If your users trust you, they’re far more likely to give you accurate information (no more fake email addresses!) and are also more likely to read whatever you send them. So instead of spending time trying to figure all that out, your marketing team can now spend their time nailing the message.

Basically, the more you let consumers ask to be left alone, the more effective your time together will be.

4. Vet your vendors

As an agency, you are a vendor. But, depending on your size, you might have vendors that help with things like production or analytics. 

You need to vet those vendors the same way your client vetted you. Read their privacy policy. Ask about how they protect the customer data you share with them. If there’s a mismatch, ask them to fix it or find a new vendor.

5. Analyze your access

As a vendor, one of the best ways to protect yourself is to make sure your relationship with your client is based on the principle of least privilege.

Under least privilege, your agency will only be given access to data that is key to your marketing work, which dramatically reduces the risk that data collected by your client will be exposed through a breach of your systems.

In addition to reducing your access to your client’s databases, make sure teams within your agency don’t have access to more sensitive consumer information than they need to do their job.

6. Scrutinize the social

Social media marketing is a fundamental part of every modern marketing campaign, and as such, has all the privacy challenges of regular digital marketing. But because social media is based on sharing and collecting information, there are special privacy considerations that must be addressed.

To be compliant with GDPR requirements, marketing agencies cannot use social media to manage remarketing campaigns unless users have explicitly consented to having their data processed. For example, in order for your business to remarket to an individual on Facebook, that individual would need to have consented to cookie placement. 

These expanded permissions structures are not necessarily difficult to create, but you need to make sure your agency fully understands the privacy laws your clients are subject to so you can help keep them compliant.

Privacy can be a powerful marketing tool

Privacy laws won’t end digital marketing, but agencies will have to innovate to come through this era of constantly changing guidelines and evolving best practices to survive. 

If your agency needs help designing and implementing privacy-centered processes, or if you want a partner that can help your clients up their privacy game, let's talk.

Ecommerce is big business. Really big business. Across the entire world.

In 2020, retail sales in the US declined 10.5% while ecommerce sales grew 18%.

Another statistic? 

Over 2.14 billion people are expected to spend $4.2 trillion purchasing goods or services online this year. 

As an ecommerce business owner, you probably know a lot about product lifecycles, inventory management, drop shipping, order fulfillment. But how much do you know about consumer data privacy law?

Privacy, please 

There is a lot of money in ecommerce, and the sensitive personal information ecommerce companies collect about their users is worth even more than their products. 

Where there’s money, there are bad actors. But it’s not only bad actors that consumers worry about. These sites gather and process a lot of data, and it’s important that individuals feel trust in how that data is handled.

The massive uptick in ecommerce has resulted in a massive uptick in the number of cyberattacks as well. Since 2015, approximately 45% of Americans have had their sensitive data exposed in a data breach. Partially driven by COVID-related surges in online shopping, 37 billion records were compromised in 2020, a 141% increase over the previous year and the highest volume since 2005.

And according to the University of Maryland, a hacker attack happens every 39 seconds.

Hackers are modern-day pickpockets. Like the Artful Dodger character in Charles Dickens’ Oliver Twist, hackers are drawn to crowds of distracted shoppers with (virtual) money in their pockets and identity cards (sensitive personal information) in their wallets (online accounts). 

Also like pickpockets, hackers try to steal all your information without anyone noticing. On average, it takes 266 days to find and fix a breach. Sometimes it takes longer, even years. 

Because they are so expensive both financially and reputationally, it’s in your best interests to do all you can to prevent and limit breaches.

Consumer privacy rights advocacy is gaining ground

In response to the growth of a data black market and the increasingly negative effects of identity theft, consumer privacy advocates have spent the past decade successfully lobbying governments for comprehensive privacy regulations governing the collection, use, and sharing of consumers’ sensitive personal data.

The first of these laws, the General Data Protection Regulation (GDPR), was passed by the European Union in 2016 and went into effect in 2018. GDPR requirements strictly govern the collection and processing of personal data for organizations that operate in or collect information from citizens of the EU.

The GDPR isn’t the only privacy law out there. Many other countries have passed or are considering passing similar regulations. 

The United States doesn’t have a federal comprehensive privacy law, instead opting for a fractional approach that relies on states passing their own laws. California, Virginia, and Colorado currently have privacy laws on their books, and more than 30 states have data protection laws proposed or in the committee process.

But the GDPR, the grand elder statesman of consumer privacy protections, is still the most aggressive and comprehensive. Even if your e-commerce business isn’t subject to GDPR compliance, implementing processes that are GDPR compliant will ensure you are using privacy best practices and will increase your ability to adapt quickly to whatever new regulations come your way.

If your site is active in the U.S. only, the CCPA is the most comprehensive general data privacy law to which it is currently subject; it mandates that businesses act with transparency about how they collect, use, and disclose personal information.

Additionally, because of these laws, consumers are increasingly accustomed to seeing privacy notices, cookie banners, and opt-ins. Even if your company is too small to technically be subject to these laws, consumer expectations are changing: people now expect companies to have clearly articulated privacy policies that are communicated upfront.

Privacy compliance checklist

Establishing good privacy practices can be overwhelming, but it doesn’t have to be hard. The recommendations below are common-sense steps to make your e-commerce company a privacy-friendly one. 

1. Improve your data security practices for both transactions and data collection

Whether your company is collecting data or acting as a data processor, you need to make sure the data that passes through your system, including data you share with vendors, is secure.

For example, since a user’s email address and password are protected categories of data, you should serve your site over HTTPS with a valid TLS (commonly called SSL) certificate so that data transfers, payment details, and user login information are encrypted in transit. And, hopefully, this goes without saying, but patches and software updates should be installed immediately.

Additionally, security measures like two-factor authentication for both customers and employees make it much harder for brute force and password guessing attacks to succeed.

Internally, you should implement the principle of least privilege, which gives employees access only to the minimum amount of data needed to fulfill their responsibilities. Least privilege can mitigate the damage from phishing attacks, negligent network access practices, and malicious internal actors.

2. Complete a data inventory

Also known as a data map, a data inventory tracks every data record through your system, start to finish. This process allows you to fully understand what data you’re collecting from your customers, why you’re collecting it, and what you’re doing with it—information that is critical to creating an accurate privacy policy, managing individual rights requests, and complying with various privacy laws.

Data inventories also help you see where your data is vulnerable to exposure, whether due to poor cybersecurity or bad data collection practices (e.g. collecting too much data and storing it for too long).

3. Update your privacy policy

For a long time, companies could get away with posting generic privacy policies created from templates of incomprehensible legal jargon.

That is not the case anymore.

Every privacy law out there requires companies to update their privacy policies and post them in highly accessible parts of their website. These policies need to clearly and simply explain your actual data collection and processing practices (which you will know if you complete a data inventory) and include information about how users consent to data collection and processing.

Additionally, most privacy regulations require companies to give each individual the ability to correct or delete any of their personal information. Your privacy policy should detail how consumers can complete a data subject access request (DSAR, called an individual rights request in the US) to achieve those outcomes.

4. Set up and practice an incident response plan

The sad truth is that even the very best data privacy program can be hacked. The best way to limit the damage a hack can inflict on your company is to have an aggressive response plan.

To be effective, a breach response plan needs to be both aware of compliance obligations and informed by the needs of every department in your organization. The GDPR requires companies to report notifiable breaches to the Information Commissioner’s Office (ICO) within 72 hours of discovery.

Seventy-two hours is not a lot of time to compile everything needed for reporting a breach. Additionally, subject to your privacy policy, your business has obligations to notify consumers if their data has been exposed.

Managing all of those notifications and reporting requirements while simultaneously trying to re-secure data and communicate with stakeholders is very difficult to do if everyone doesn’t understand what they will be expected to do in the event of a breach.

5. Review your email marketing plan and cookie consent banners

Make sure that your email marketing campaigns comply with all privacy regulations and best practices. If your users trust you, they’re far more likely to give you accurate information and remain on your email list.

You should also make sure that your cookie consent banners are updated and accurate.

6. Make sure your website is PCI DSS compliant

Payment Card Industry Data Security Standard (PCI DSS) compliance isn’t just a technical solution. Everything from card readers to payment gateways is subject to these standards.

The good news is that if you accept payment through major processors like PayPal, Square, or Stripe, chances are good your site is already PCI DSS compliant.

But since any business that is processing, storing, or transmitting credit card details needs to make sure their processes protect customers from identity theft by carefully following PCI guidelines for transaction security, it’s smart to double-check.

Need help?

If you owned a brick-and-mortar store, you wouldn’t wait to install locks on the doors, cameras over the windows, and alarms in the building.

As an e-commerce business, the internet is your store. Don’t put building a privacy program that is compliant, easy for customers to understand, and works for your business on the back burner.

Facing privacy challenges head-on will provide added value to your customers, reduce your operational risk, and mark you as a leader in your industry. 

At Red Clover Advisors, we are privacy nerds. We specialize in helping businesses of all sizes harness the power of data privacy to exceed customer expectations and stand out from their competitors. We offer everything from fractional privacy executive services to risk assessments to strategy design, all at an affordable price.

No matter where you are in your privacy journey, we can make you better without breaking the bank. 

Interested in learning what we’d recommend for your company? Schedule a consultation with us today.

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress enacted China’s Personal Information Protection Law (PIPL) (an English translation is available). Taking effect on November 1, 2021, the PIPL will serve as China’s first comprehensive privacy law.

The PIPL clarifies and consolidates obligations on processing of personal information at a national law level. Together with the Cybersecurity Law and the Data Security Law, the PIPL forms an over-arching framework to govern data protection, cybersecurity and data security in China. As with many laws in China, the PIPL is drafted as aspirational principles; additional guidelines will be published in the coming months covering the practical compliance steps organizations should take when building and maintaining their China data privacy programs.

While the PIPL resembles the European Union’s General Data Protection Regulation (GDPR), it includes certain substantive obligations that differ from the GDPR, and there are also obligations found in the GDPR that are not included in the PIPL. Given China’s unique status in the world, the PIPL is likely to be interpreted and enforced differently than the GDPR and other data privacy laws. 

1. General concepts and key definitions

Like many privacy laws, the PIPL includes the general concepts of fairness, consent (with limited exemptions), openness/transparency, purpose limitation and data minimization. 

Under the law, “personal information” is defined as any kind of information relating to an identified or identifiable natural person, either electronically or otherwise recorded, but excluding information that has been anonymized. “Anonymization” refers to the process by which personal information cannot be used to identify specific natural persons and the personal information cannot be restored after processing.

The PIPL defines “sensitive personal information” as personal information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person, including, but not limited to: (1) biometric data; (2) religion; (3) specific social status; (4) medical health information; (5) financial accounts; (6) tracking/location information; and (7) data of minors under age 14.

The PIPL uses the term “personal information processing entity” to refer to an “organization or individual that independently determines the purposes and means for processing of personal information” (similar to the concept of the “data controller” under the GDPR) and “entrusted party” to refer to what the GDPR calls a “data processor”.

2. Territorial scope

Similar to the GDPR, the PIPL has extra-territorial effect, and applies to (1) data processing activities within Mainland China; and (2) processing of Mainland China residents’ data outside of Mainland China:

  • for the purposes of providing products or services to China residents;
  • for analytics or evaluation of behavior of China residents; or
  • for any other reasons as required by law or regulations.

The PIPL applies to both the public and private sectors.

Similar to the GDPR’s requirement for an EU representative, the PIPL requires offshore personal information processing entities subject to the PIPL to establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes. 

3. Lawful basis for processing

The PIPL requires organizations to have a lawful basis to process personal information. Unlike the GDPR, the PIPL does not include “legitimate interests” as a lawful basis for processing personal information. Instead, in addition to consent, the PIPL offers the following non-consent bases:

  • Performance of a contract to which the individual is a party, or where necessary to conduct human resources management;
  • Responding to a public health emergency, or in an emergency to protect the safety of individuals’ health and property;
  • Performance of legal responsibilities or obligations;
  • To a reasonable extent, for purposes of carrying out news reporting and media monitoring for public interests;
  • Processing of personal information that is already disclosed by individuals or otherwise lawfully disclosed, within a reasonable scope; and 
  • Other circumstances as required by laws.

The definition of consent under the PIPL aligns with the consent requirements of the GDPR – i.e., it must be informed, freely given, demonstrated by a clear action of the individual, and may later be withdrawn. However, the PIPL requires a “separate consent” for certain processing activities, namely if a processing entity (1) shares personal information with other processing entities; (2) publicly discloses personal information; (3) processes sensitive personal information; or (4) transfers personal information overseas. 

4. Personal information rights

The PIPL mostly mirrors the GDPR with respect to personal information rights, though it lacks more precise language addressing such rights, including where restrictions or exemptions may apply. In addition, the PIPL does not provide a specific timeline for responding to requests; it only requires processing entities to “timely” respond to them.

Under the PIPL, individuals have the following rights:

  • Right to access and copy of data;
  • Right to transfer (similar to the right to data portability);
  • Right to correct or supplement;
  • Right to deletion in certain circumstances;
  • Right to limit or withdraw consent;
  • Right to request details of processing (including for automated decision making) and of handling rules;
  • Right to de-register an account;
  • Rights to access, copy, correct or delete personal information of a deceased individual can be requested by a close relative for legitimate and proper interests.

The PIPL clarifies situations where data controllers can refuse to comply with certain data subject rights, and how to respond to/reject data subject requests.

Importantly, individuals have the right under the PIPL to bring lawsuits against processing entities if they reject the individuals’ requests to exercise their rights. 

5. Data controller obligations

The PIPL creates a new designation of data controller called the Critical Information Infrastructure Operator (CIIO), which has certain obligations under the law. Chinese regulators are currently developing regulations and notifying companies whether they qualify as a CIIO.

Under the PIPL, organizations that are (1) important internet platform providers; (2) data controllers processing data of a “large volume of users”; or (3) complex businesses (terms have not yet been defined) must comply with the following measures when processing personal information:

  • Set up personal information protection compliance mechanisms;
  • Establish platform regulations;
  • Establish and publish processing obligations and processing rules that regulate products and service providers in an open and fair manner;
  • Set up external independent data protection organizations to supervise data protection mechanisms;
  • Stop providing products or services to providers that violate the law or regulations regarding the processing of personal information; and
  • Publish social responsibility reports regarding the processing of personal information.

In addition, all data controllers have the following obligations:

  • Disclosure to overseas authorities: Data controllers must not provide personal information stored within China to overseas legal or enforcement authorities unless they obtain approval from a designated Chinese authority. Chinese authorities may provide personal information stored within China to overseas legal or enforcement authorities upon request if there are international treaties or regulations in place.
  • Disclosure to data processors or joint/independent data controllers: For these disclosures, data controllers must put in place a contract covering specified measures designed to safeguard the data.
  • Minors’ data: Organizations processing minors’ personal information must establish specific information processing regulations. 
  • Accuracy: Data controllers must ensure that personal information is accurate and up to date.
  • Retention: Data controllers must not retain personal information for longer than is needed for the purpose(s) for which the personal data is collected, unless required or permitted by applicable law. Once no longer needed, the data should be de-identified or deleted/destroyed.
  • Automated decision making: Analytics or evaluation performed by computer programs on behavior, interests, hobbies, credit information, health or decision-making activities must be transparent, open and fair, and must not discriminate between individuals.

6. Data processor obligations

The PIPL specifies that any organization that is appointed as a data processor must act in accordance with the PIPL. In addition, the PIPL specifically requires data processors to do the following:

  • Adopt necessary data security measures to protect the safety of personal information;
  • Assist data controllers in complying with their obligations under the PIPL;
  • Process data only as instructed by the data controller, unless the data controller consents otherwise;
  • Return or delete data upon completion of the data processing; and
  • Put in place a contract with the data controller.

7. Cross-border transfer of personal information

Regarding the cross-border transfer of personal information, a processing entity that plans to transfer personal information to entities outside of mainland China is required to (1) provide individuals with certain specific information about the transfers and obtain their separate consent; (2) adopt necessary measures to ensure that the overseas recipients can provide the same level of protection as required under the PIPL (including, among others, the Chinese version of standard contractual clauses, which are not yet available); and (3) carry out a personal information protection impact assessment (see below). In addition, certain entities that process a large amount of personal information are required to store personal information locally and must pass a security assessment administered by the Cyberspace Administration of China (CAC) before transferring the information overseas. One should note that the regulations around cross-border transfers are still evolving. 

In addition, the following categories of data must remain in mainland China:

  • Personal information processed by CIIOs, unless a CAC-conducted security assessment has been completed
  • Personal information processed by data controllers above a threshold/volume to be identified by the CAC (not yet published), unless a CAC-conducted security assessment has been completed
  • Certain data under industry-specific regulations
  • Certain restricted data categories (such as “state secrets”, some “important data”, geolocation and online mapping data etc.)

8. Governance obligations

Organizations processing data must put in place the following:

  • Internal governance policies and procedures: Organizations must establish internal management regulations or standards.
  • Compliance audits: Organizations must conduct compliance audits on a regular basis.
  • Training: Organizations must provide data privacy training to employees.
  • Data classification and management mechanisms: Organizations must implement data classification and management mechanisms. 

9. Security and confidentiality

Organizations must also put in place the following security measures:

  • Personal information must be kept confidential, and security measures must be deployed, as prescribed by China’s Cybersecurity Law and Data Security Law and their underlying measures, guidelines and technical standards.
  • Additional safeguards must be applied for sensitive personal information and processing by organizations handling large amounts of data.
  • Data controllers must adopt corresponding encryption or de-identification technologies, and adopt access controls and training.

10. Personal information protection impact assessment

The PIPL requires personal information processing entities to carry out personal information protection impact assessments (PIIAs) for the following processing activities:

  • Processing of sensitive personal information;
  • Processing of personal information for automated decision making;
  • Appointing a data processor to process data;
  • Providing personal information to other data controllers;
  • Disclosing personal information to the public;
  • Transferring personal information overseas;
  • Conducting processing activities that may have a significant impact on an individual’s interest.

Unlike the GDPR, under the PIPL, there is no obligation to consult a regulator in the event that an organization concludes – after completing such an assessment – that it cannot remediate certain residual risks identified. 

Organizations must keep all PIIA and processing records for at least three years.

11. Incident management

Organizations must implement and test a data incident contingency plan and take immediate remedial action in the event of any suspected or actual data disclosure, loss or tampering. If an incident occurs, they must provide immediate notification internally (to the DPO) and externally (to the regulator). Such notification should include (1) affected data categories; (2) reasons for the incident, and potential consequences; (3) remedial measures, and mechanisms required by data controller to minimize impact; and (4) contact information for the data controller.

If the data controller can effectively avoid the disclosure, loss or tampering of data, there is no need to notify data subjects. Otherwise, data subjects may also need to be notified under other laws and regulations within the data protection framework.

12. Enforcement 

The PIPL provides a range of enforcement options, including:

  • Enforcement notices and warnings;
  • Criminal sanctions (corporate/individual);
  • Civil claims from affected individuals/class actions;
  • Operational sanctions (including credit score loss, blocking of systems and suspension of services);
  • Breach of contract claims; or
  • Fines up to 50 million RMB or 5% of an organization’s annual revenue for the prior financial year and confiscation of unlawful income. The PIPL does not specify whether the annual revenue refers to revenue generated in China or worldwide. 

13. Next steps

If you do business in mainland China or collect personal information from individuals there, you should take the following actions:

  1. Assess your data handling practices in China
    1. Map Chinese data
    2. Develop a data governance program
  2. Consider the impact of data localization and other restrictions
  3. Update privacy notices/consents
  4. Implement governance measures to safeguard regulated data
    1. Designate and register responsible officers (DPO, cyber security and now data security as well)
    2. Conduct regular important-data risk assessments (and report on them)
    3. Align security to local China standards
  5. Conduct regular data security training
  6. Formulate/update internal guidelines for different data processing and transfer activities
    1. Data classification (in anticipation of the DSL tiered data scheme)
    2. Cross-border data transfer
    3. Data breach notification
    4. DPIAs
    5. Overseas government data requests
  7. Update DPAs (but await SCCs)
  8. Monitor developments
    1. DSL and PIPL implementing guidelines
    2. “Important data” guidance (for specific industries; automotive already published)
    3. CIIO indications
    4. CSL guidelines (e.g. data localisation)

Whether you work alone or for a big firm, as a certified public accountant, you know privacy is important. But with new privacy laws being passed every year, it’s about to be more important than ever.

While laws protecting consumers’ sensitive personal data online are less than a decade old, governments have been passing laws protecting financial information for decades—because everyone wants to protect their money. In fact, there’s even an IRS rule about protecting taxpayer data that applies to CPAs.

One of the big laws, the Gramm-Leach-Bliley Act, passed in 1999, removed restrictions created during the Great Depression that barred financial institutions from combining banking, investment, and insurance services together. But it also created regulations to make the collection and disclosure of private financial information between these groups safer and more transparent.

The full picture of data privacy

When it comes to privacy, CPA firms are often ahead of the curve. Because they’re handling their clients’ financial information all day every day, they understand that data is as valuable a currency as actual currency. What they often fail to understand, however, is that it’s not only sensitive personal data that is subject to privacy compliance regulations. Instead, all data (including HR data and marketing data) needs to be handled in accordance with current privacy regulations. 

New consumer privacy laws like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have changed the game dramatically. Because different jurisdictions have different regulations, this also means that firms have to comply with privacy laws depending on where their clients are. Firms that have clients in the EU have to deal with the GDPR, while those with clients in California have to deal with the CCPA.

Additionally, if all clients are in the U.S. but the employees of those clients live elsewhere, a firm could be subject to the regulations of the regions where the clients’ employees live. In practice, vendor due diligence requires companies to vet the firms they hire, and a CPA firm could lose the business if it can’t comply—and that includes marketing and HR data, too.

Applicable to both CPA firms and their clients, these new laws provide both significant challenges and opportunities that smart CPAs can leverage to increase their credibility with clients and grow revenue by providing new services.

Accountants take everything seriously (as they should)

Privacy concerns are so important to CPA firms that the American Institute of Public Accountants (AICPA) created their Generally Accepted Privacy Principles (GAPP), a play on the standardized Generally Accepted Accounting Principles (GAAP), in 2009.

To account for the changes in technology and legal considerations surrounding consumer privacy, the AICPA Privacy Task Force revised the GAPP in 2020 and developed a new Privacy Management Framework (PMF) that helps CPA firms address the business activities that involve collecting, creating, using, storing and transmitting personal information of individuals.

The PMF breaks privacy management into nine categories, each of which requires a strategy and execution plan:

  • Management
  • Agreement, notice, and communication
  • Data collection and creation
  • Data use, retention, and disposal
  • Data access
  • Disclosure of data to third parties
  • Data security for privacy
  • Data integrity and quality
  • Monitoring and enforcement of privacy program

Opening the curtain on privacy regulations

When the GDPR was passed in 2016, it was the first major consumer data privacy law in the world.

It wasn’t alone for long.

Since then, California has passed not one but two data privacy laws, with Virginia and Colorado following close behind. Multiple states have bills proposed, and other countries do too. 

Consumer privacy protections are here to stay. While these laws have some significant differences, there are basic principles they all share, including:

  • Consumers have the right to know what information companies are collecting about them, why it’s being collected, what is being done with it, and who it’s being shared with.
  • Consumers have the right to correct and delete their information from a business’s databases.
  • Consumers have the right to stop the sale or sharing of their personal information with third parties.
  • Businesses are required to provide users with transparent privacy policies that explicitly detail their data collection and usage practices.
  • Businesses must protect the consumer data they collect using reasonable security measures.
  • If businesses share their users’ data with a third-party vendor, they must ensure that vendor is also compliant with regulatory requirements governing data processors.

CPA can also mean “crushing privacy accountability”

Unlike the privacy laws CPA firms are used to working under, laws like the GDPR and the CCPA are targeted towards protecting consumer information that is collected online. 

This means that some of the information you are now responsible for may not belong to your actual clients, and it won’t be just financial data. If you collect or store information about site visitors, if you are collecting email addresses for marketing purposes, or if you are privy to information about your clients’ clients, all of that data is subject to the same laws around privacy compliance as the data you use for your services is.

But here’s the silver lining: as CPAs, you probably have significantly more experience complying with privacy regulations than many of your clients do. If you put the time and effort into building a strong privacy program, not only will you be compliant, but you will also be able to help your clients do the same thing.

Whether you provide advice as a value-added service or by adding value to your fee services, having expertise in privacy compliance can make you invaluable to your clients.

Set a good example

Before you can embed yourself into your clients’ privacy operations though, you need to make sure yours are up to snuff.

Here are a few steps you can take today to put yourself on the right track.

  1. Hire a fractional privacy officer.

We know, we know. We told you we’d give you steps you can take. But hear us out.

To your clients, you’re the expert sounding board. We can be your expert sounding board. Red Clover Advisors can provide you with executive-level privacy strategy development, compliance roadmaps, and data management plans without you having to pay executive-level prices. Hiring RCA will allow you to ramp up your privacy program quickly and efficiently.

  2. Map your data

Mapping data, also called a data inventory, involves following your data records’ journey through your system, from collection to processing to storage to deletion.

Completing this exercise will tell you if you are:

  • Collecting too much data and storing it for too long
  • Getting bad data from users
  • Using security programs or vendors that put your data at risk for exposure

It will also identify which data falls under the privacy laws that your firm is required to comply with, as well as what needs to be included in your privacy notice.

  3. Check your cookie recipe

Your website probably has cookies, and it may not have the right banner in place to indicate this. But with all major internet browsers banning the use of third-party cookies, it’s time to start building up your system’s first-party cookies. You’ll get better data from them, anyway.

Also, most privacy laws have requirements about how and when you notify users about your cookies, and many have stipulations for opting-out or opting-in to cookie tracking.

  4. Update your privacy policy 

We always recommend our clients get rid of privacy policies that read like something out of a law journal in favor of a brief, user-friendly description of the whys and hows and whos of their data collection and processing program. This open, transparent, and friendly approach to privacy will not only improve the user experience, but it will also mark you as a privacy-forward company.

  5. Train your team

Your employees aren’t going to be able to execute your own privacy program, let alone help your clients build theirs, if they don’t understand what they’re doing and why. A majority of data breaches are caused by human error, and training is your best bet at preventing simple mistakes from turning into costly headaches.

It’s going to matter to your clients

Because privacy laws hold companies responsible for data breaches through their vendors, it’s becoming common for businesses to select a CPA firm based on their privacy practices. Businesses will go through their due diligence processes and won’t hire a firm if they can’t comply with privacy laws or don’t have strong privacy and security practices.

Additionally, insurers are beginning to deny coverage to companies that don’t have adequate data privacy programs in place.

And most businesses aren’t ready. 

In December 2019, a month before the CCPA became effective, as many as 91% of companies hadn’t finished the compliance work they needed to do, and 34% had just barely started. With new privacy laws passing every year and old ones being constantly updated, it’s safe to say you have clients who need help.

As someone they already trust, your CPA firm has a real opportunity to solidify and grow your place in their processes by providing education, assessing the range and quality of their data privacy controls, and conducting security reviews.

And we can help you. If you want more information about how Red Clover Advisors can help you build a privacy program that helps your clients build theirs, call us today.

In a Latrobe, PA drugstore in 1904, apprentice pharmacist David “Doc” Strickler was challenged by a customer at the soda counter to make something “different.” Ice cream sundaes had been part of American cuisine for over a decade, but bananas had only recently become both affordable and widely available.

Looking at the bananas on his counter, the 23-year-old college student sliced the banana in half and topped it with chocolate ice cream covered in chocolate syrup, strawberry ice cream covered in strawberry syrup, and vanilla ice cream covered in pineapple syrup.

In a nod to the ever-popular sundae, he topped the whole thing with whipped cream, nuts, and maraschino cherries.

And the banana split was born.

But how is a banana split like a data privacy program?

We know. Going from the history of one of America’s most famous desserts to data privacy is a big leap. But stick with us and you’ll see what we mean.

Just like a banana split came out of years of incremental improvements in both ice cream making and freezer technologies in general, today’s data privacy landscape is heavily influenced by decades of technological advancements and consumer privacy rights advocacy.

And, just like a banana split has multiple layers that have to be assembled in a certain order, building an efficient, effective data privacy program requires a strong foundation based on methodical, step-by-step processes.

At Red Clover Advisors, we have the secret recipe you need to build a leading privacy program that will change the way your customers, your employees, and your industry view your company.

So put on your apron, grab an ice cream scoop, and let’s get started.

Step 1: Find your dish (or applicable privacy law)

Obviously, one of the things that sets banana splits apart from traditional ice cream sundaes is the inclusion of, well, bananas. Sundaes were usually made in the same funnel-shaped glasses as ice cream sodas, but those glasses weren’t designed to hold bananas (or multiple flavors of ice cream and syrups, for that matter). After the boat-shaped dish we associate with banana splits became common at soda fountains across the country, the ice cream game changed forever.

Just like the banana boat neatly contains the banana halves and catches all those tasty drips, privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) set the parameters for what your privacy program needs to be. (Hint: depending on your business, you might be subject to more than one regulation).

While we recommend building a program that goes beyond compliance and is capable of quickly adapting to regulatory changes, knowing which regulation(s) apply to your business is critical to ensuring you have the right functionalities built in from the beginning.

If you try adding the banana after you’ve scooped the ice cream, poured the syrup, and sprayed the whipped cream, you’ll end up with a mess that only partially resembles a true banana split. If you try to cram this concoction into a bowl that isn’t the right size, you’ll have an even bigger mess. And if you try to cram your existing privacy practices into compliance with data privacy laws retroactively, you’ll get about the same result.

Step 2: Slice your banana (or build your data map)

You can’t have a banana split without a banana, and you can’t build a data privacy program if you don’t know what data you are collecting, why you’re collecting it, who you’re sharing it with, and where you’re storing it.

A data map, also known as a data inventory, gives you all those answers and more. The data inventory process helps you understand exactly what happens to every data record that travels through your system. It also will show you exactly where your data is vulnerable to exposure, which is key to establishing the “reasonable security measures” required by most privacy laws.

Step 3: Scoop your first flavor (or, build your reasonable security measures)

Traditional banana splits have just three ice cream flavors: chocolate, strawberry, and vanilla.

We are going to make the “reasonable security measures” the chocolate scoop because its depth of flavor and decadence anchors the lighter, fruitier flavors, just like your cyber and information security anchors your privacy program.

Under newer privacy laws, companies that don’t take reasonable security measures can be held civilly (even criminally, in some cases) liable if a consumer’s personally identifiable information is exposed in a data breach. Protecting your data with multiple layers of security by checking up on your permission structures, acceptable use policies, internal password and network access practices, and IT protocols for staying on top of updates, patches, and licensing requirements will form the foundation of your breach prevention and response plans.

Step 4: Scoop your second flavor (or establish your data subject access request [DSAR] processes)

Nearly every privacy law requires you to give users a way to easily know about, correct, and delete the sensitive personal information you’ve collected from them. Also known as individual rights requests, a DSAR is how individual consumers execute that right.

DSARs (or individual rights requests) are limited in scope with specific requirements depending on the relevant laws. To achieve compliance, you will need an internal playbook that has been documented, tested, and reviewed, and your team needs to be trained on how to use it in order to respond appropriately to consumers within strict, statutory timelines.

Step 5: Scoop your third flavor (or write your company’s privacy policy)

Too often, companies put out a privacy policy full of what they (or their lawyers) think it should say rather than writing a document that accurately reflects their data privacy practices. Waiting to write the policy until you know what your regulatory obligations are, understanding what happens to your data, having created a thorough infosec plan, and having established your DSAR processes means your privacy policy will match your data collection and use practices.

One more hint: ditch the four pages of dense legalese. Make your policy easy for your customers to understand. They’ll thank you.

Step 6: Pour your first syrup (or complete a risk assessment)

You can never fully eliminate your data’s exposure risk, but a thorough privacy impact assessment will reveal vulnerabilities and significantly reduce a hacker’s window of opportunity.

Step 7: Pour your second syrup (or test all your systems)

Once you’ve fixed whatever problems were uncovered by the risk assessment, testing your systems and processes before go-live will allow you to troubleshoot problems and avoid downtime so you can continue providing great and safe service to your customers. It’s also important to have regularly scheduled updates to your systems to ensure that all risks are mitigated.

Step 8: Pour your final syrup (or create an incident response plan)

A cross-functional incident response plan with input from all business-critical teams goes a long way in containing and limiting the impact a breach has on your data, reputation, and revenue—and once you have a plan, it’s critical to have it documented, printed, and reviewed or practiced annually.

Adverse events are usually much less adverse if everyone knows what they are supposed to do and trusts that everyone else knows and will complete their jobs too.

Step 9: Sprinkle the cookie crumbles (or evaluate and update your cookie practices and notifications)

Okay, technically this layer is supposed to be chopped nuts. But the pun was too good to skip, so we made it cookie crumbles instead.

To stay current with best practices and comply with current privacy laws, you need to make sure you know what cookies are on your site and what data they are collecting. And thanks to Apple, Google, and Mozilla, you should also be phasing out your third-party cookies. Then you can be confident your cookie banners are up-to-date and launching at the right time.

Step 10: Spray three whipped cream swirls (or training, training, training)

The fact that we’ve given three banana split elements the same part of a data privacy program should tell you how important it is.

Your data privacy program is only as strong as your employees’ understanding of it. Whether it’s five minutes in a staff meeting or a full-day symposium, consistent emphasis on the importance of every action from every employee to data privacy is key to building a company culture that respects and honors customers.

Step 11: Put the cherry on top (or sell it!)

Getting credit from your customers for being a forward-thinking, consumer-focused company is the sweet reward at the end of the long, privacy-program-building road. But you won’t get props if you don’t tell people what you’re doing. Turn your marketing team loose to sell your privacy program as the great value-add it is.

Enjoy a sweet treat

RCA excels at creating privacy-focused data strategy and digital marketing plans. We can help you build your privacy strategy and ensure your ongoing success. Contact us today to get started building your own data privacy banana split.

Cookies created modern digital marketing. Are they going to kill it?

Cookies: A Primer

Cookies are small text files, holding small amounts of randomly encoded data, that can be used to identify your computer to different networks as you browse the internet. Originally created to simplify the browsing experience, cookies stored information about a site visit (like a shopping cart or search history) on the user’s computer instead of on company servers. 

Cookies and Digital Marketing

Over time, cookie functionality was co-opted by advertisers. Instead of simply keeping an online shopping cart full, ad tech companies started using invasive third-party cookies to track browsing across multiple sites and build highly detailed user profiles. These profiles were then sold to marketers and advertisers by the billion-dollar data brokerage industry without the knowledge or permission of the person the data was collected from. 

The prevailing theory has been that these precise data profiles improve the performance of digital campaigns by allowing relevant ads to be targeted to individual users. In the name of personalization, companies began collecting and selling more and more sensitive personal information with little regulatory oversight. 

These reckless collection practices and lax information security protocols led to massive data breaches that continually made headlines in recent years and launched the consumer privacy movement.

Cookies and Data Privacy

After consumer privacy advocates raised the alarm, Big Tech and governments took action. 

The European Union adopted the General Data Protection Regulation (GDPR) in 2016. Among other things, the GDPR required sites to have a legal basis (such as consent) for launching cookies not strictly required for site functionality. Later, Safari and Firefox, two of the world’s top three internet browsers, banned third-party cookies. And finally, Google announced that their browser, Chrome, would not support third-party cookies by 2023.

Even though there aren’t any laws specifically prohibiting the use of third-party cookies, Apple and Google’s announcement effectively ended the current model of digital advertising. 
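The two cookie rules described in this section and in the cookie step of the banana-split post earlier on this page (non-essential cookies need a legal basis such as consent, and third-party cookies are being blocked by browsers), as an added JavaScript example that is not part of any post on this page: it audits a constructed cookie inventory, flags third-party cookies and gates non-essential cookies on the visitor's recorded consent. The site host, cookie names, category names and the shape of the consent object are assumptions.

```javascript
// Added example (not from the original post): a cookie-inventory audit that
// applies two rules the post describes: (1) cookies not strictly required for
// site functionality need a legal basis such as consent before they are set,
// and (2) third-party cookies are being blocked by browsers and should be
// migrated to first-party ones. Host, cookie names and categories are assumed.

const NECESSARY = 'necessary'; // strictly required for site functionality; no consent needed

// Constructed sample inventory, as a privacy team might record it when
// reviewing what cookies are on the site and what each one collects.
const SITE_HOST = 'www.example-cpa.test';
const SAMPLE_INVENTORY = [
  { name: 'session_id',     domain: 'www.example-cpa.test', category: NECESSARY,     purpose: 'client portal login' },
  { name: 'cart',           domain: '.example-cpa.test',    category: NECESSARY,     purpose: 'keeps the shopping cart full' },
  { name: 'site_prefs',     domain: 'www.example-cpa.test', category: 'preferences', purpose: 'language and layout' },
  { name: 'site_analytics', domain: '.example-cpa.test',    category: 'analytics',   purpose: 'first-party usage statistics' },
  { name: 'ad_profile',     domain: '.ads-network.test',    category: 'marketing',   purpose: 'cross-site ad tracking' },
];

// A cookie is first-party when its domain attribute is the site host itself or
// a parent domain of it. The leading dot some cookie domains carry is ignored,
// and the check requires a dot boundary so "example-cpa.test.evil.test" does
// not pass as a parent of "www.example-cpa.test".
function isFirstParty(cookieDomain, siteHost) {
  const domain = cookieDomain.replace(/^\./, '').toLowerCase();
  const host = siteHost.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Opt-in model: anything not strictly necessary needs an explicit "true" for
// its category in the visitor's recorded consent. A missing category counts as
// "not consented", which is the safe default before the banner has been answered.
function hasLegalBasis(cookie, consent) {
  return cookie.category === NECESSARY || consent[cookie.category] === true;
}

// Decide what happens to one cookie at request time:
//   'set'                 - may be set now
//   'blocked-no-consent'  - wait for the consent banner (or stop if declined)
//   'blocked-third-party' - browsers drop it anyway; migrate it to first-party
function decide(cookie, siteHost, consent) {
  if (!isFirstParty(cookie.domain, siteHost)) return 'blocked-third-party';
  if (!hasLegalBasis(cookie, consent)) return 'blocked-no-consent';
  return 'set';
}

// Run the decision over the whole inventory and group cookie names by outcome,
// which is the shape of report a cookie audit produces.
function auditInventory(inventory, siteHost, consent) {
  const report = { set: [], 'blocked-no-consent': [], 'blocked-third-party': [] };
  for (const cookie of inventory) {
    report[decide(cookie, siteHost, consent)].push(cookie.name);
  }
  return report;
}

// Before the banner is answered, only strictly necessary cookies are set.
const beforeConsent = auditInventory(SAMPLE_INVENTORY, SITE_HOST, {});
// After the visitor opts in to analytics only, the first-party analytics cookie
// joins them; the third-party marketing cookie stays blocked regardless.
const analyticsOnly = auditInventory(SAMPLE_INVENTORY, SITE_HOST, { analytics: true });

console.log(JSON.stringify({ beforeConsent, analyticsOnly }, null, 2));
```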

Cookie-Based Marketing Was Stale, Even If No One Knew It

The initial response of marketers to the impending demise of the cookie was one of panic.

But once the experts started getting into the nitty-gritty details of existing best practices, people started realizing something important: targeting ads and providing relevant experiences aren’t the same thing.

Here’s why:

  • Targeting is only as good as the data
  • Retargeting the wrong people is a waste of time 
  • Targeting has facilitated the proliferation of misinformation

Bad data = bad ads

Anyone who has ever filled out an online form knows that sometimes you put in a fake name, made up an email address, lied about your birthday, or used your ex’s address. But targeted ads rely heavily on the assumption that accurate data is used to create audience segments. No matter what ad buyers promise, campaigns built on bad data are 100% guaranteed to target the wrong (or even non-existent) people.

Retargeting = your annoying younger sibling

Another universal internet experience? Bad ad retargeting.

For example, say you buy a cooking class as a gift for your mom. Within minutes, you start seeing ads for pans and spatulas and mixers and aprons. 

You don’t cook. At all.

In fact, the owner of the taco shop down the street calls to check on you if she doesn’t see you for two days in a row.

But because you bought a cooking class gift certificate for Mother’s Day, for the next several weeks you’ll be getting ads for kitchenware you will never buy.

Retargeting is often like an annoying little brother or sister that constantly follows everyone around telling knock-knock jokes at random intervals.

Retargeting is great in theory, but in practice, it’s the perfect example of how wide the user-experience chasm between targeting and personalization can be.

Misinformation and problematic contexts

One of the problems with programmatic marketing (using software to buy digital ad space automatically) is that your ads may end up somewhere you don’t want them, e.g. on extremist, competitor, or offensive pages.

Retargeting also lets special interest groups run effective misinformation campaigns, reinforcing ideological echo chambers and filter bubbles. Bots can also game ad-targeting software and falsify ad performance data, so it can be very difficult to know whether you’re getting the results you paid for. 

How to Redesign Your Marketing Strategy for the Cookieless Future

It’s clear that the loss of third-party cookies isn’t going to be the digital marketing death knell everyone initially expected it to be, but that doesn’t mean it’s business as usual. 

To maintain successful marketing operations and preserve user experience, teams will have to make a few pivots.

Preference centers

You may not have heard of preference centers yet, but you will. A preference center, a data privacy best practice, is a dedicated page in your app or on your website that lets your users tell you:

  • What information they’re okay with you collecting
  • What they’ll allow you to do with that information 
  • How often you can contact them
  • Which of the data you’ve collected about them is wrong, so they can correct it

Preference centers are a triple threat because they:

  • Provide your users with transparency and control
  • Establish regulatory compliance for your data privacy program
  • Give you accurate, first-party data to build your campaigns around

While the first two bullet points are incredibly important, it’s the last one that gets marketers excited.

First-party data is as good as gold, and if you have a preference center, your customers are far more likely to trust you enough to provide accurate information. 

Another bonus? If you know how and when your target audiences want to be contacted, you’ve removed much of the guesswork that’s always been part of marketing and can instead spend your time creating messages that are both relevant and targeted.
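The two ideas above, consent as the legal basis for any non-essential cookie and a preference center that records what the user allows, how often they may be contacted, and corrections to their data, fit together in code. The following is an added example written for this article, not Red Clover Advisors’ own code or any vendor’s product; the cookie names, purpose names, policy version and sample profile are illustrative assumptions. It keeps every consent decision as a dated record, gates each cookie on the latest decision for its purpose, expires a cookie the browser still carries once consent is withdrawn, and enforces the contact cadence at send time. Only first-party cookies (SameSite=Lax) are emitted, since the third-party kind is what the browsers now block.

```javascript
// Added example (not the article's own code): a minimal preference-center
// record plus a consent-gated Set-Cookie emitter. Cookie names, purpose names
// and the policy version are illustrative assumptions, not a real deployment.

const POLICY_VERSION = "2022-01";

// Cookie catalogue: the purpose of each cookie decides whether it may be set
// without asking ("strictly_necessary") or only against recorded consent.
const COOKIE_CATALOGUE = [
  { name: "session_id", purpose: "strictly_necessary", maxAge: 3600, httpOnly: true },
  { name: "site_prefs", purpose: "functional", maxAge: 86400 * 365, httpOnly: false },
  { name: "_analytics_id", purpose: "analytics", maxAge: 86400 * 400, httpOnly: true },
  { name: "_ad_segment", purpose: "advertising", maxAge: 86400 * 400, httpOnly: true },
];

// A preference-center profile. Consent decisions are appended, never
// overwritten: the latest record decides and older ones remain as audit trail.
function newProfile(userId) {
  return {
    userId,
    data: {},
    consents: [],
    contact: { channel: null, maxPerWeek: 0, lastSent: null },
    corrections: [],
  };
}

function recordConsent(profile, purpose, granted, at) {
  profile.consents.push({ purpose, granted, at, policyVersion: POLICY_VERSION });
}

// Latest decision wins, and only if it was given under the current policy
// version: consent collected under an older notice is re-asked, not assumed.
function hasConsent(profile, purpose) {
  if (purpose === "strictly_necessary") return true;
  const latest = profile.consents
    .filter((c) => c.purpose === purpose)
    .sort((a, b) => b.at - a.at)[0];
  return Boolean(latest && latest.granted && latest.policyVersion === POLICY_VERSION);
}

// Set-Cookie header values for one response. `values` is what we want to set;
// `present` lists cookie names the browser sent with the request. Everything is
// first-party (SameSite=Lax): a cookie needing SameSite=None to travel on
// cross-site requests is the third-party kind Safari and Firefox already block.
function setCookieHeaders(profile, values, present) {
  const headers = [];
  for (const c of COOKIE_CATALOGUE) {
    const attrs = `Path=/; Secure; SameSite=Lax${c.httpOnly ? "; HttpOnly" : ""}`;
    if (hasConsent(profile, c.purpose)) {
      if (values[c.name] !== undefined) {
        headers.push(`${c.name}=${encodeURIComponent(values[c.name])}; Max-Age=${c.maxAge}; ${attrs}`);
      }
    } else if (present.includes(c.name)) {
      // No (or withdrawn) consent but the browser still carries the cookie: expire it.
      headers.push(`${c.name}=; Max-Age=0; ${attrs}`);
    }
  }
  return headers;
}

// "How often you can contact them", enforced at send time rather than promised.
function setContactPreference(profile, channel, maxPerWeek) {
  profile.contact = { channel, maxPerWeek, lastSent: null };
}

function mayContact(profile, channel, now) {
  const { contact } = profile;
  if (contact.channel !== channel || contact.maxPerWeek <= 0) return false;
  if (contact.lastSent === null) return true;
  const minGapMs = (7 * 86400 * 1000) / contact.maxPerWeek;
  return now - contact.lastSent >= minGapMs;
}

// Rectification: the user fixes a wrong value; the old one stays in the log.
function correctField(profile, field, newValue, at) {
  profile.corrections.push({ field, oldValue: profile.data[field], newValue, at });
  profile.data[field] = newValue;
}

// Walk-through on constructed input: ad consent given, then withdrawn a day later.
function demo() {
  const day = 86400 * 1000;
  const t0 = Date.UTC(2022, 0, 28);
  const p = newProfile("u-123");
  recordConsent(p, "functional", true, t0);
  recordConsent(p, "advertising", true, t0);
  recordConsent(p, "advertising", false, t0 + day);
  setContactPreference(p, "email", 1);
  correctField(p, "birthYear", 1984, t0);
  const values = { session_id: "abc", site_prefs: "dark", _analytics_id: "x1", _ad_segment: "cooks" };
  const present = ["session_id", "_ad_segment"];
  return {
    headers: setCookieHeaders(p, values, present),
    adsAllowed: hasConsent(p, "advertising"),
    firstMail: mayContact(p, "email", t0 + 2 * day),
    profile: p,
  };
}

console.log(demo().headers.join("\n"));
```

Running it shows three headers: the session cookie (no consent needed), the functional cookie the user agreed to, and a `Max-Age=0` header that deletes the advertising cookie the browser was still sending after consent was withdrawn. The analytics cookie is never set because no decision was recorded for it, which is the safe default.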

Cohort-based targeting

One way browsers are trying to replace third-party cookies is with cohorts, such as Google’s proposed FLoC (Federated Learning of Cohorts). The browser assigns each user to a cohort based on recent browsing history and exposes only the cohort ID to sites, so in theory marketers can target a group with shared interests while no individual is identified. 

In practice, it remains to be seen how cohort-based targeting will function. Google has suggested that the smallest cohort will contain thousands of users, so you are unlikely to end up in a cohort like “Men living in Jacksonville apartments with two cats, a Prius, a gluten allergy, and a son getting married on September 12th” (at which point anonymity could be said to be compromised). But a cohort ID reflects browsing interests, which are more specific and revealing than age and location, and once a site combines it with the first-party data it already holds, the effective group can shrink well below the cohort floor, meaning that Thai-food-loving ferret owners could still find themselves with some pretty specific offers.
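The point that a cohort floor protects a user only until the cohort ID is joined with other data can be measured. The block below is an added example for this article, not Google’s FLoC code or any browser’s implementation; the eight user records, the cohort IDs, the ZIP codes and the tiny size floor are all constructed to keep the output readable (real proposals talked about thousands of users per cohort). It computes k-anonymity, the size of the smallest indistinguishable group, for the cohort ID alone and then for the cohort ID combined with attributes a shop would know from its own orders.

```javascript
// Added example (not the article's own code): measure how much anonymity a
// cohort ID really gives once a site joins it with the attributes it already
// holds. The records, cohort IDs and the size floor below are constructed.

// Real proposals talked about cohorts of thousands; a tiny floor keeps the
// sample readable.
const MIN_COHORT_SIZE = 4;

// Constructed first-party records: the cohort ID the browser would expose,
// plus things the site itself knows (ZIP from shipping, pet from purchases).
const SAMPLE = [
  { id: "a", cohort: 17, zip: "32202", pet: "cat" },
  { id: "b", cohort: 17, zip: "32202", pet: "dog" },
  { id: "c", cohort: 17, zip: "32202", pet: "cat" },
  { id: "d", cohort: 17, zip: "32207", pet: "cat" },
  { id: "e", cohort: 17, zip: "32207", pet: "ferret" },
  { id: "f", cohort: 42, zip: "32202", pet: "cat" },
  { id: "g", cohort: 42, zip: "32207", pet: "dog" },
  { id: "h", cohort: 42, zip: "32207", pet: "dog" },
];

// Count records per distinct combination of the given attributes.
function groupSizes(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const key = attrs.map((a) => String(r[a])).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// k-anonymity for this attribute set: the size of the smallest group. Every
// record is indistinguishable from at least k-1 others on these attributes.
function kAnonymity(records, attrs) {
  return Math.min(...groupSizes(records, attrs).values());
}

// The records that look exactly like `target` on the given attributes.
function anonymitySet(records, target, attrs) {
  return records.filter((r) => attrs.every((a) => r[a] === target[a]));
}

// What the browser/ad stack is supposed to do: withhold the cohort signal
// entirely when the cohort is below the floor.
function cohortIdOrNull(records, cohortId) {
  const size = groupSizes(records, ["cohort"]).get(String(cohortId)) || 0;
  return size >= MIN_COHORT_SIZE ? cohortId : null;
}

// How k degrades as the site adds its own attributes to the cohort ID.
function linkageReport(records) {
  const attrSets = [["cohort"], ["cohort", "zip"], ["cohort", "zip", "pet"]];
  return attrSets.map((attrs) => ({ attrs: attrs.join("+"), k: kAnonymity(records, attrs) }));
}

console.log(linkageReport(SAMPLE));
console.log(anonymitySet(SAMPLE, SAMPLE[4], ["cohort", "zip", "pet"]).map((r) => r.id));
```

On the sample, the cohort ID alone gives k = 3, cohort plus ZIP drops it to k = 1, and the one ferret owner in cohort 17 is singled out as soon as the shop adds the pet it knows about. The size floor (`cohortIdOrNull`) only ever sees the cohort attribute, so it cannot prevent this: that protection has to come from what the site chooses not to join.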

Walled gardens and programmatic marketing

A digital walled garden is a platform that lets advertisers run campaigns inside its ecosystem without sharing the underlying technology or user data. Advertisers get access to audiences, but not to customer-level data about the people in them. (Facebook, Google, and Amazon are the most powerful walled gardens in the market today, and Apple is believed to be developing similar technology.)

Third-party cookies used to help companies work around walled gardens; their loss means quality data will be even harder to find. Many marketers are turning to programmatic and performance marketing to fill the gap.

Programmatic marketing isn’t perfect, but it can make marketing more efficient. By bidding on ad inventory across several walled gardens at once, marketers can make a system designed to keep them at arm’s length work for them.

The Future Is Now

Navigating the intersection of technology, marketing, and privacy can be complicated. Red Clover Advisors excels at helping our clients manage these crucial but sometimes competing priorities through streamlined, practical solutions that drive compliance and improve user experience.

Contact us today to see what we can do for you.