Hate Reading the Fine Print About Privacy Laws? Ignore at Your Peril
The EU’s General Data Protection Regulation (GDPR) caught many companies with European customers off guard. It started a tidal wave of data regulation legislation across the globe, including the United States.
GDPR introduced higher privacy standards, transparency, and accountability for all companies (both inside and outside the EU) that offer goods or services to — or collect the data of — EU individuals.
Think it doesn’t apply to you? The GDPR has set a precedent for a wave of similar data privacy laws… everywhere!
Tens of thousands of complaints were filed within eight months of the GDPR taking effect on May 25, 2018, and Google was among the first companies fined under it. Facebook’s verdict should be revealed in the coming months.
Sites that weren’t prepared, such as the LA Times and Chicago Tribune, went dark in Europe while they scrambled to get up to speed. The penalties under GDPR can reach €20 million or 4% of a company’s worldwide annual revenue, whichever is higher.
The new US data privacy laws expose companies to fees and lawsuits
Even though the federal government has yet to adopt a nationwide data privacy law, the states have been taking up the slack and creating their own. To date, data privacy, data security, cybersecurity, and data breach notification laws have been enacted or are pending in 25 states, creating a potpourri of regulation that can be confusing.
The statutory penalties under these laws are stiff, and the laws can also expose companies to private legal action, which can be considerably more damaging to both a firm’s bottom line and its brand.
Firms need to be proactive and get in front of the coming onslaught of data privacy laws. On the state level, the most comprehensive law thus far is the California Consumer Privacy Act (CCPA). The CCPA goes into effect on January 1, 2020.
Coupled with the GDPR, the CCPA is a good frame of reference to gauge what changes you need to implement today. The CCPA is currently worded to apply to for-profit companies that do business in California and meet any one of these thresholds:
- Have more than $25M in gross annual revenue, or
- Buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices per year, or
- Derive 50% or more of their annual revenue from selling consumers’ personal information.
Qualifying hurdles are likely to get even more stringent as legislation continues to be enacted and amended all over the country.
The Gist? Consumers Own Their Own Data. You Don’t.
Unlike in the past, the data you hold is no longer yours to do with as you please; it belongs to the customer. Under the CCPA, here’s what needs to happen when consumers visit your site.
- Consumers must be informed that you collect data, what data you collect, and how that data will be used — in language they’ll understand
- Consumers must be provided with the personal information you have collected about them if they request it
- Consumers can request that you delete their personal data, which means you must also direct any third-party service providers you do business with to delete it
- Consumers can’t be discriminated against for exercising their rights
Consumers can also sue if nonencrypted and nonredacted personal information is breached because the company failed to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident.
Five Steps To Take Right Now
1. Educate yourself on the GDPR and CCPA
Companies will not only have to comply but also be able to prove what they did to ensure compliance. Learn more about these regulations, and any other regulations that are relevant to you, so you can understand how data privacy laws might apply to you. You’ll then have to do a bit of data soul searching and thoroughly revisit why you collect data in the first place.
2. Create a team and framework for compliance
- Integrate IT and legal to develop a team and a plan for compliance
- Understand the definitions of “personal data” under GDPR, “personal information” under CCPA, and the equivalent terms in any other laws that may have jurisdiction over the data you collect, and document how that data is collected, controlled, processed, managed and protected.
- Identify similarities, overlaps, and gaps between privacy laws in different relevant jurisdictions
3. Identify and classify what data you collect by asking these questions:
What lawful basis do you have for collecting data?
There must be a lawful reason for you to collect, control, and process data to be in compliance under the GDPR. There are six categories of lawful basis for data collection:
- Consent: The consumer has given you clear, affirmative consent to collect their data for a specific purpose, and can withdraw it at any time.
- Contractual: The collection of data is necessary for your company to fulfill a contract with the consumer.
- Legal Obligation: Your company must collect and/or keep the data to comply with the law.
- Vital Interests: Your company must collect/keep/use a consumer’s data because it is necessary to protect the life or physical safety of the consumer or another person.
- Public Task: Your company must collect/keep/use a consumer’s data in order to perform a task carried out in the public interest or in the exercise of official authority.
- Legitimate Interests: The collection/retention/use is necessary for a legitimate interest of your company or a third party, and that interest is not overridden by the rights and interests of the consumer. You must document this balancing test.
What data is subject to GDPR, CCPA, or any other relevant data privacy regulations?
Beyond obvious identifiers such as names, social security numbers, medical records, etc., personal information can extend to many other, more indirect identifiers. Both laws cover data that could be used to identify a person, ranging from cookies and IP addresses to order history and geolocation.
The GDPR treats publicly available data as personal data like any other, so there is no exemption for it. The CCPA carves out “publicly available” information, but defines it narrowly (information lawfully made available from federal, state, or local government records). This means that even though you may collect data that is available to anyone online, once it is controlled by you, you may be subject to compliance. A careful study of what constitutes personal data under any relevant privacy regulation is critical.
What data is shared and/or managed by third parties?
Both data controllers and processors are subject to compliance. The GDPR requires you to use only processors that give sufficient guarantees of compliance and to bind them by a written contract, and the CCPA requires a written contract that restricts what a service provider may do with the data it receives from you. Anyone that processes data sourced from you must be in compliance, so your business associates need to follow suit. If your service providers or business associates aren’t in compliance, find new ones!
4. Evaluate your data management and protection systems
- What are your current data protection systems?
- What are your data mapping and integration processes?
- What are your procedures and controls for internal access rights and requests?
5. Take Action
- Overhaul vendor agreements, on both sides, for third-party compliance
- Develop procedures for tracking and confirming the compliance of business associates and service vendors. If they’re not in compliance, get new ones
- Develop procedures for managing opt-out and deletion requests
- Revise customer consent, disclosure, and privacy notices with legal counsel
- Invest in technology upgrades, security tools, and AI to mitigate risk and upgrade your cyber defense platform
- Hire or designate staff to manage data protection, stay apprised of changes in regulation and communicate with regulators
- Develop procedures for ongoing internal updates and security awareness staff training to stay in compliance with evolving regulations
The benefits of complying today
As privacy standards become the status quo, transparency and trust will be major factors in generating brand loyalty. Firms that incorporate secure, compliant customer solutions will enhance consumer trust and engagement sooner, while others are still scrambling.
SnapEngage chat solutions let you send and receive data and images in compliance with the most rigorous privacy laws emerging both internationally and in the US. Our customizable platform and omnichannel reach allow you to engage with prospects and customers wherever they are.
With SnapEngage, you won’t have to worry about keeping up with every new data security and privacy regulation or amendment. We do that work for you.