Privacy has become a focal point\u00a0surrounding the discourse of web-based platforms in 2020, and\u00a0will continue to be top of mind for the next several years.<\/p>\n
Events such as the Cambridge Analytica scandal of 2016<\/a>, Facebook\u2019s and Google\u2019s continued and\u00a0extreme\u00a0data collection measures, as well as the Equifax data breach<\/a>,\u00a0have all contributed to this international conversation about consumer protection in the digital space. A consequence of these conversations has been several pieces of\u00a0legislation<\/a> centered around consumer rights and protection.<\/p>\n It is\u00a0ultimately\u00a0a business\u2019\u00a0responsibility to stay on top of these advancements and ensure it is compliant with all regulations. We\u2019ll go through three major regulations to come out of these legislations and share some tips on how to become compliant.<\/p>\n The California Consumer Privacy Act (CCPA) is a state statue designed to increase protections for consumers when it comes to personal data collection.<\/p>\n Even though this statute is enacted inside of the state of California, it benefits most Americans due to the way the law was designed.\u00a0In order to qualify to be legally bound to this law, a business must meet the following criteria:<\/p>\n 1.\u00a0\u00a0\u00a0\u00a0 Have annual gross revenues in excess of $25 million;\u00a0or<\/p>\n 2.\u00a0\u00a0\u00a0\u00a0 Buys, receives, or sells the personal information of 50,000 or more consumers or households; or<\/p>\n 3.\u00a0\u00a0\u00a0\u00a0 Earns more than half its annual revenue from selling consumers\u2019 personal information.<\/p>\n Note that there are exemptions for certain businesses\u00a0such as healthcare. Those industries are already bound by consumer protection laws regarding Personal Identifiable Information PII.<\/p>\n Knowing what satisfies the threshold to be bound to the statutes, let\u2019s look at what the\u00a0law’s\u00a0requirements\u00a0are for a business to comply.\u00a0The users of the website should:<\/p>\n 1.\u00a0\u00a0\u00a0\u00a0 Know what personal data is being collected about them.<\/p>\n 2.\u00a0\u00a0\u00a0\u00a0 Know whether their personal data is sold or disclosed and to whom.<\/p>\n 3.\u00a0\u00a0\u00a0\u00a0 Have opportunity to say no to the\u00a0sale of personal data.<\/p>\n 4.\u00a0\u00a0\u00a0\u00a0 Have the ability to access their personal data.<\/p>\n 5.\u00a0\u00a0\u00a0\u00a0 Request\u00a0the business\u00a0to delete any personal information about\u00a0them\u00a0collected.<\/p>\n 6.\u00a0\u00a0\u00a0\u00a0 Not be discriminated against for exercising privacy rights.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident or actual damages \u2013 whichever is greater.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 There are caveats to this however, as the information stolen by hackers must include social security numbers, license numbers, financial account numbers, etc.<\/p>\n If you meet the criteria for CCPA there are several things a business needs to do.<\/p>\n 1.\u00a0\u00a0\u00a0\u00a0 Display a notice of collection. We most often are seeing these in the form of a small pop-up banner that requests a user make a choice\u00a0whether\u00a0they agree to the use of cookies. If a user opts-out, the business must make reasonable efforts to not ask the same user again for\u00a012 months.<\/p>\n 2.\u00a0\u00a0\u00a0\u00a0 Add a \u201cDo Not Sell My Personal Information\u201d link on the home page that directs users to a page enabling them to opt-out of the sale of their personal information.<\/p>\n 3.\u00a0\u00a0\u00a0\u00a0 Implement a process to obtain parent or guardian consent for minors under the age of 13 and the affirmative consent of minors between 13 and 16 years to data sharing purposes.<\/p>\n 4.\u00a0\u00a0\u00a0\u00a0 Create and link to a privacy policy\u00a0that includes a description of California residents\u00a0rights.<\/p>\n 5.\u00a0\u00a0\u00a0\u00a0 At a minimum, maintain a toll-free telephone number for give users a way to submit data access requests.<\/p>\n 6.\u00a0\u00a0\u00a0\u00a0 Alternatively, create a form with the purpose of collecting the data\u00a0access\u00a0requests.<\/p>\n The General Data Protection Regulation is a law originating\/pertaining to the European Union and Economic Area.\u00a0It is similar to CCPA, but with some substantial improvements \u2013 namely the requirement for a business to\u00a0report any data breach to the government within 72 hours of discovering it, and the processes and rules involving\u00a0transferring\u00a0the personal data of users between countries.<\/p>\n To make matters more complicated, a business must designate a natural (person) or morale (corporation) individual to act as an EU Representative that would be the point of contact for all matters pertaining to the regulation. The only way to designate this officer is through the form of a signed document. Failing to appoint this EU Representative is a violation of GDPR and can result in fines.<\/p>\n Even though these laws originate in the EU, it\u2019s important to know that businesses are still bound to these laws even if they operate outside of the EU. Essentially, if a business sells any goods or services to any consumer within the EU, that business is therefore obligated to comply with GDPR.<\/p>\n The only exemptions for GDPR are as follows:<\/p>\n 1.\u00a0\u00a0\u00a0\u00a0 Personal or Household Activities.<\/p>\n 2.\u00a0\u00a0\u00a0\u00a0 Law Enforcement.<\/p>\n 3.\u00a0\u00a0\u00a0\u00a0 National Security.<\/p>\n The following are some of the penalties and remediations<\/a> that can be imposed for violation of GDPR, according to IT Governance.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A warning\u00a0in writing in cases of first and non-intentional noncompliance.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Regular periodic data protection audits.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A fine\u00a0up to \u20ac10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions:<\/p>\n o\u00a0\u00a0 The obligations of the controller and the processor.<\/p>\n o\u00a0\u00a0 The obligations of the certification body.<\/p>\n o\u00a0\u00a0 The obligations of the monitoring body.<\/p>\n \u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A fine up to \u20ac20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions:<\/p>\n o\u00a0\u00a0 The basic principles for processing, including conditions for consent.<\/p>\n o\u00a0\u00a0 The data subjects’ rights.<\/p>\n o\u00a0\u00a0 The transfers of personal data to a recipient in a third country or an international\u00a0organization.<\/p>\n o\u00a0\u00a0 Any obligations pursuant to member state law adopted under Chapter IX.<\/p>\n o\u00a0\u00a0 Noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority.<\/p>\n There is a lot to take into consideration when it comes to compliance.<\/p>\n Consent Gathering<\/strong><\/p>\n First and foremost, you need a mechanism to gain unambiguous consent to data collection. This is typically either a pop-up or a\u00a0notification\u00a0when a user first visits a webpage\u00a0asking if they consent to data being collected about them.<\/p>\n There are even rules regarding this consent form.<\/p>\n 1.\u00a0\u00a0\u00a0\u00a0 A form cannot have a default choice selected such as opt-in or opt-out. This is because you\u00a0must<\/em>\u00a0obtain\u00a0unambiguous\u00a0intentional consent.<\/p>\n 2.\u00a0\u00a0\u00a0\u00a0 If a user is a\u00a0minor,\u00a0you must obtain consent from their legal guardian with proof.<\/p>\n 3.\u00a0\u00a0\u00a0\u00a0 The form should not appear more than once per 12 months for each identified user.<\/p>\n Data Breach Notification<\/strong><\/p>\n Companies must notify authorities and all data collected subjects within 72 hours of discovering a data breach.<\/p>\n Right to Erasure<\/strong><\/p>\n A user has the right to request that their data be erased.<\/p>\n Data Porting<\/strong><\/p>\n Subjects have the right to request all data ever collected about them in a machine-readable format. They can also request to have their data transferred to another processor, for free.<\/p>\n Data Protection Officer<\/strong><\/p>\n Any company with over 250 employees or for any company processing the personal data of over 5,000 data subjects in any 12-month period, is required to designate a Data Protection Officer (DPO). This position\u00a0ensures data is not\u00a0misused\u00a0as well as ensuring the company maintains GDPR compliance.<\/p>\nCCPA<\/h2>\n
Overview<\/h3>\n
What Qualifies a Business<\/h3>\n
Penalties & Remedies<\/h3>\n
Compliance Recommendations<\/h3>\n
GDPR<\/h2>\n
Overview<\/h3>\n
What Qualifies a Business<\/h3>\n
Penalties & Remedies<\/h3>\n
Compliance Recommendations<\/h3>\n
OneTrust<\/h2>\n
Overview<\/h3>\n