Privacy has become a focal point surrounding the discourse of web-based platforms in 2020, and will continue to be top of mind for the next several years.
Events such as the Cambridge Analytica scandal of 2016, Facebook’s and Google’s continued and extreme data collection measures, as well as the Equifax data breach, have all contributed to this international conversation about consumer protection in the digital space. A consequence of these conversations has been several pieces of legislation centered around consumer rights and protection.
It is ultimately a business’ responsibility to stay on top of these advancements and ensure it is compliant with all regulations. We’ll go through three major regulations to come out of these legislations and share some tips on how to become compliant.
The California Consumer Privacy Act (CCPA) is a state statue designed to increase protections for consumers when it comes to personal data collection. The law doesn’t take effect until January 1, 2023, however parts the law take effect on January 1, 2022.
Even though this statute is enacted inside of the state of California, it benefits most Americans due to the way the law was designed. In order to qualify to be legally bound to this law, a business must meet the following criteria:
1. Have annual gross revenues in excess of $25 million; or
2. Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
3. Earns more than half its annual revenue from selling consumers’ personal information.
Note that there are exemptions for certain businesses such as healthcare. Those industries are already bound by consumer protection laws regarding Personal Identifiable Information PII.
What Qualifies a Business
Knowing what satisfies the threshold to be bound to the statutes, let’s look at what the law's requirements are for a business to comply. The users of the website should:
1. Know what personal data is being collected about them.
2. Know whether their personal data is sold or disclosed and to whom.
3. Have opportunity to say no to the sale of personal data.
4. Have the ability to access their personal data.
5. Request the business to delete any personal information about them collected.
6. Not be discriminated against for exercising privacy rights.
Penalties & Remedies
· A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
· Victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident or actual damages – whichever is greater.
· There are caveats to this however, as the information stolen by hackers must include social security numbers, license numbers, financial account numbers, etc.
If you meet the criteria for CCPA there are several things a business needs to do.
2. Add a “Do Not Sell My Personal Information” link on the home page that directs users to a page enabling them to opt-out of the sale of their personal information.
3. Implement a process to obtain parent or guardian consent for minors under the age of 13 and the affirmative consent of minors between 13 and 16 years to data sharing purposes.
5. At a minimum, maintain a toll-free telephone number for give users a way to submit data access requests.
6. Alternatively, create a form with the purpose of collecting the data access requests.
The General Data Protection Regulation is a law originating/pertaining to the European Union and Economic Area. It is similar to CCPA, but with some substantial improvements – namely the requirement for a business to report any data breach to the government within 72 hours of discovering it, and the processes and rules involving transferring the personal data of users between countries.
To make matters more complicated, a business must designate a natural (person) or morale (corporation) individual to act as an EU Representative that would be the point of contact for all matters pertaining to the regulation. The only way to designate this officer is through the form of a signed document. Failing to appoint this EU Representative is a violation of GDPR and can result in fines.
What Qualifies a Business
Even though these laws originate in the EU, it’s important to know that businesses are still bound to these laws even if they operate outside of the EU. Essentially, if a business sells any goods or services to any consumer within the EU, that business is therefore obligated to comply with GDPR.
The only exemptions for GDPR are as follows:
1. Personal or Household Activities.
2. Law Enforcement.
3. National Security.
Penalties & Remedies
The following are some of the penalties and remediations that can be imposed for violation of GDPR, according to IT Governance.
· A warning in writing in cases of first and non-intentional noncompliance.
· Regular periodic data protection audits.
· A fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions:
o The obligations of the controller and the processor.
o The obligations of the certification body.
o The obligations of the monitoring body.
· A fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions:
o The basic principles for processing, including conditions for consent.
o The data subjects' rights.
o The transfers of personal data to a recipient in a third country or an international organization.
o Any obligations pursuant to member state law adopted under Chapter IX.
o Noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority.
There is a lot to take into consideration when it comes to compliance.
First and foremost, you need a mechanism to gain unambiguous consent to data collection. This is typically either a pop-up or a notification when a user first visits a webpage asking if they consent to data being collected about them.
There are even rules regarding this consent form.
1. A form cannot have a default choice selected such as opt-in or opt-out. This is because you must obtain unambiguous intentional consent.
2. If a user is a minor, you must obtain consent from their legal guardian with proof.
3. The form should not appear more than once per 12 months for each identified user.
Data Breach Notification
Companies must notify authorities and all data collected subjects within 72 hours of discovering a data breach.
Right to Erasure
A user has the right to request that their data be erased.
Subjects have the right to request all data ever collected about them in a machine-readable format. They can also request to have their data transferred to another processor, for free.
Data Protection Officer
Any company with over 250 employees or for any company processing the personal data of over 5,000 data subjects in any 12-month period, is required to designate a Data Protection Officer (DPO). This position ensures data is not misused as well as ensuring the company maintains GDPR compliance.
OneTrust is a Consent Management Platform that makes data management easy. OneTrust has many different products, but they have one we are particularly interested in called OneTrust Privacy. This product helps businesses with managing compliance through automation.
OneTrust Privacy centralizes all your consent cookies from users, form submissions, etc. so that they can be easily tracked and managed. They can also act as your EU Representative, which takes the load off your shoulders.
OneTrust has all the compliance built in. It keeps all the records of your data subjects in one, central location, but can also handle the processing of each request made by a user in a simple way. On top of it all they also offer toll-free telephone number capabilities so that users can call the number to create a request.
The implementation process is a bit two-fold.
1. Sign-up for OneTrust and configure the tool. This includes creating the consent forms, workflows and automation.
2. Integrate into your website.
To over-simplify the integration process, you drop in a script or use their integration tool to connect to your database. This integration will discover what existing information you have on users and begins tracking any new information that is stored.
Once these requests are submitted it is your responsibility to process them and document that entire process. Luckily, OneTrust already has you covered for the latter. Their web UI lets you easily see what users are requesting information or deletion and providing you with the tools you need to complete those requests. Your only job is designating individuals and training them on to properly execute these requests!
We’ve covered a lot of technical information in this article that is extremely important for you and your business to understand. Privacy will only continue to trend upwards from here and it’s ultimately your responsibility to ensure the safety and proper handling of your user’s data.
If you have any questions about any of these privacy requirements that will become mandatory in the near future, please feel free to reach out to us.