A MESSAGE FROM OUR FOUNDER
A couple of years ago, the BBC interviewed experts from virtually every domain to create a list of 50 grand challenges for the 21st century. Among the obvious existential threats like climate change, superbugs, and the fall of democracy was an unlikely challenge: data privacy. And given the fierce debate, broad media coverage and numerous policy measures around the subject over the last few years, it seems to be getting its due attention.
On the other hand, such sweeping measures are making businesses nervous. To make matters worse, some naysayers go a step further and claim the new privacy-related laws will cause major disruptions and require a complete overhaul of business operations. To paraphrase Mark Twain, those reports are somewhat exaggerated.
This is why we’re writing this article to separate truth from hype. After all, we in the data world live and breathe data and if the privacy laws affect anyone, it’s us.
Jump to section:
- General Information about Primary Data Compliance Laws
- Primary Data Compliance Laws: GDPR and CCPA
- Document and Understand Your Data Flow
- Develop a Process for Handling Consumer Requests
- Implications of Non-compliance
General Information about Primary Data Compliance Laws
Effective May 25, 2018, GDPR is in many ways the foundation upon which all subsequent privacy laws are based. It was a landmark piece of legislation because (1) it recognized for the first time the right of consumers to own their personal data, and (2) it set regulations based not on the location of companies but on the location of their customers.
Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Most experts call CCPA “the GDPR of the United States,” but I must also add that it’s just the beginning (more on this later). While the law went into effect on January 1, 2020, it is expected to be enforced only after July 1, 2020 (due to some legislative requirements). Further, there are employee and B2B exemptions for an additional year, meaning most of us still have ample time to get things straight.
CCPA has 5 key requirements:
- Data inventory and mapping of in-scope personal data and instances of “selling” data
- New individual rights to data access and erasure
- New individual right to opt-out of data selling
- Updating service-level agreements with third-party data processors
- Remediation of information security gaps and system vulnerabilities
The first step toward complying with any law is to understand it. In that context, every privacy law gives consumers certain control over their personal information collected by companies.
If you look closely at that phrase, you’ll find four entities involved: consumers, companies, personal information, and control. How a particular law defines these four entities ultimately determines its scope and, by extension, its compliance process.
In short, the definitions tell you four basic things:
- Whether any privacy law applies to you
- Who you need to protect
- What you need to protect
- What rights your consumers have
For the sake of clarity, we’ll mostly take CCPA as an example from here on but be assured that the basics apply to all existing and even upcoming privacy laws.
In CCPA, a consumer is defined as “a natural person who is a California resident.”
Next, the CCPA applies to any for-profit legal entity that meets the following general criteria:
- Collects consumers’ personal information
- Determines how and why that information is processed
- Conducts business in California, even if only online
- Meets one of the following annual criteria:
  - Gross revenue of at least $25 million
  - Collects personal information for at least 50,000 consumers, households or devices
  - Derives half of its annual revenue from the sale of personal information
In terms of personal information, CCPA takes a very broad view and includes the following:
- Demographic information (e.g., name, address, email)
- A unique identifier, such as an IP address
- Account or Social Security number
- Driver’s license or passport
- Personal property records
- Online activity
- Biometric, geolocation, employment, and education data
- Any inferences that an entity draws from the above information
As for consumers’ rights, CCPA-defined consumers have the right to:
- Know what personal information is being collected on them
- Know if that information is being sold and to whom
- Opt-out of that information being sold
- Obtain a copy of their personal information
- Receive equal service and price regardless of whether they exert the above rights
- Sue for damages if their personal information is breached
At this point, you should be clear on whether this law affects you and, if it does, what you need to do about it. So let’s discuss how:
Document and Understand Your Data Flow
Map all of the personal information under your control. If you aren’t sure where to start, ask yourself these questions:
- What personal information do you collect or possess?
- How do you collect it?
- Where and how do you store it?
- Do you share it with other entities?
- Is such shared data part of a sale, a provision of service, or used for some other purpose?
Personal information that is held by a third party on your behalf will likely pose the biggest risk. So, in addition to conducting your own data-mapping exercise, make sure all of your third-party vendors do the same and share the results with you.
Update Privacy Disclosures
The next step is to provide a disclosure of what information is being collected and for what purpose “at or before the point of collection.”
The disclosure should also state where that personal information is gathered from and the categories of third parties with whom it is shared.
Create a Homepage Privacy Link
This is the part where your business becomes visibly privacy compliant. Place a privacy link on the homepage of your website (something like “Do Not Sell My Information”) that takes consumers to a page with the opt-out request.
Develop a Process for Handling Consumer Requests
Once you have such a system in place, you should be ready to respond to the consumer requests about personal information that the law allows. CCPA, for instance, prescribes that such requests be processed within 45 days, so you must also have an internal data governance structure in place, something I’ll discuss in a moment. Generally, consumer inquiries are of the following types:
- Request a copy of their personal information
- Request that their personal information be deleted
- Find out what categories of their personal information are being sold
- Request to opt out of the sale of their personal information (for consumers over 16 years old; younger consumers must opt in instead)
The following two measures are not strictly part of compliance, but they are highly recommended because they significantly affect your compliance success and risk management.
Train Your Employees
Once you have updated the system, you should begin training employees (especially those in customer-facing roles) on the key aspects of the law, your corresponding procedures, and the system updates. This education should cover three broad aspects:
- The law’s coverage is determined by the consumer’s location, not by the employee’s physical location or that of company headquarters.
- How to process consumer requests regarding their personal information
- Whether your organization has decided to apply this law across its entire footprint for consistency’s sake or only where the law requires.
Strengthen Data Security
Privacy laws allow customers to seek damages for a breach of their personal information, and regulators follow up with their own investigations. That makes data security a determining factor in the financial and reputational well-being of a firm. You should review and update your information security and privacy policies and actively monitor your data security defenses to ensure this risk is mitigated to the greatest extent possible.
It’s Business as Usual
There is a broad notion that data privacy laws like GDPR or CCPA prevent businesses from selling or purchasing data. That is misleading on two counts:
- Businesses can still sell data that falls outside the law’s scope, i.e., information the law does not list as personal information.
- They can even sell data covered by the law; they just have to be transparent about it and offer consumers a clear opt-out path.
It’s Not Set in Stone, Yet
As I said earlier, CCPA is just the beginning of the GDPR of the US. It’s almost certain that after California, other states will begin passing their own laws, which will further add to the confusion. At this point, it’s reasonable to assume that Congress may step in to formulate a national privacy law, the true GDPR of the US.
So does that mean all the effort you put into privacy compliance now will be rendered useless just a couple of years down the line? Not really. While minor details may vary, the basic structure of all data privacy laws remains the same. If you prepare for CCPA compliance now by putting a data governance structure in place and mapping your data flow, you will also be in a better position to comply with any subsequent privacy law, just as companies that were already GDPR compliant had little trouble meeting CCPA compliance as well.
Implications of Non-compliance
Companies like Facebook can follow the mantra of “Move fast, break things” or “It’s easier to ask for forgiveness than permission” because, well, they have the financial muscle to overcome any repercussion. For small or even mid-sized firms, just a few lawsuits can drive them to bankruptcy. That is on top of the reputational damage and loss of credibility.
How SalesIntel Can Help: Being a data provider, we believe it’s our responsibility to not just comply ourselves but also guide each of our clients towards the path of compliance. We take a 3-pronged approach to that end:
Educate: Our first mission is to educate them about the process with a broad range of content.
Consult: For companies who have peculiar use cases or want personalized suggestions, we offer a 1-hour free consultation on the subject.
Collaborate: For companies that do not have the expertise to map their data and, by extension, meet compliance standards, we have built a compliance API (Compliance Intel). It helps you identify the records in your system or portal that are not compliant and flags any potential compliance risk.
International Data Now Available
Earlier this month we launched 95% accurate international data for Canada in our portal. To view the data, just go to the location filter, select International, and you’ll see the countries we have data for. We’ve launched with Canadian data but will also be adding more countries to our international data set, such as the United Kingdom, Germany and more. Stay tuned for more updates!
WEBINAR – Ask an Expert: CCPA Compliance Q&A
Clearly we are at a crossroads of sorts when it comes to data. Twenty years ago (and likely even earlier than that) a highly intelligent person said that privacy would be the biggest issue of the first half of the 21st century, and so far, slowly but surely, that prediction is proving true. The new California Consumer Privacy Act (CCPA) and other privacy laws are changing the ways companies must source and use their data. Yet many are unsure of what that change really is and the impact it will have on their organizations.
In this webinar DV Dronamraju, the founder of InfoSecEnforcer, and Jason Hubbard, the VP of Growth at SalesIntel, will cover the ins and outs of CCPA, how to become CCPA compliant, and answer your questions in a live Q&A. Don’t miss your opportunity to ask a CCPA expert!
- CCPA Basic Knowledge
- How to be Compliant & What Happens If You’re Not
- Live Q&A with CCPA Expert
In a recent study, TOPO found that companies with better-than-average ABM performance use an average of eight different tactics in the majority of their marketing programs. This is a great stat, but if I’m just starting out in ABM, or looking to improve the performance of my ABM programs, how do I know which channels to use, which to prioritize, and how to optimize to yield the best results?
Join Jason Widup, Lead Marketing Advisor for Metadata.io and VP of Search Marketing and Operations for Workfront, and Jason Hubbard, VP of Growth for SalesIntel, as they discuss how to be more effective using multi-channel, integrated marketing strategies.
In this webinar, you’ll learn:
- Which channels work the best?
- How to use Outbound to drive Inbound leads
- Creating content that resonates with your audience
- Are paid channels really worth it?
- How to use AI to create campaigns at scale
RECAP: How to Use Old School Marketing & New Age Automation to Increase Engagement
Old school marketing practices are making a comeback, and we’re not surprised. Although email marketing is the go-to channel, it can only reach so far, and consumers are getting more savvy.
A recent study showed that 79% of consumers act on a brand’s direct mail piece immediately. The odds are in our favor, but direct mail pieces still aren’t a common practice yet.
In this webinar Jason Hubbard, VP of Growth at SalesIntel, and Jason Yarborough, Director of Strategic Alliances at PrintingforLess, will explain how to get the most from this strategy. Join us and learn how you can be among the first organizations to take advantage of new age automation and old school marketing to leave an impact with your audience.
- Why 79% of consumers act on a brand’s direct mail piece immediately
- How to effectively use direct mail with marketing automation
- Bonus: Hubbard and Yarborough’s direct marketing stories
- Live Q&A