Data Privacy Plans: When Creating One, Remember to K.I.S.S.

Data privacy sits at the center of business operations today. No matter what industry you’re in, you collect, store, and use personal data, and the law now requires you to protect it better. The worst thing any organization can do is make that obligation more complicated than it needs to be.

Personally Identifiable Information (PII) helps guide our decision-making processes, from purchasing to marketing to sales to hiring. Data you collect on current customers, prospective customers, and your website visitors, for example, helps you run highly targeted and highly effective marketing campaigns. But data privacy regulations now complicate all of that.

As data proliferation becomes common knowledge, more people are concerned about companies misusing their personal information. This fear and concern have sparked new legislation around the world that regulates what businesses can and cannot do with the personal information they collect.

Whether it’s the GDPR in Europe or the CCPA and CPRA in California, new privacy protection laws are forcing businesses worldwide to change their practices to become compliant.

In response, companies have been rushing to create an all-encompassing privacy protection plan that they hope will ensure compliance with California’s current laws and prepare them for future regulation as well.

Of course, the challenge is that these laws are complicated, and building a full data privacy plan can be just as involved. The general approach has been to create a massive program that covers every possible angle.

But is that necessary? In reality, it’s not. And that’s why companies end up scaling back. Like many other things in life, it’s best to follow the principle of K.I.S.S. — Keep It Simple, Stupid.

Your Data Privacy Plan Should Fit Your Company

The KISS acronym is a funny way of reminding us not to make things too complicated, as many of us tend to do from time to time. It doesn’t mean we’re stupid, of course — far from it.

This saying is perfectly suited for companies that are building a data privacy plan. Another phrase comes to mind as well: Less is more.

Privacy is a complicated issue, but that doesn’t mean you need to build an incredibly complicated plan. Just because privacy laws are broad blanket regulations does not mean a one-size-fits-all approach is right.

In most cases, such an approach is not only inappropriate, it’s onerous, costly, and unnecessarily time-consuming. A better approach is to build a privacy plan that fits your company’s risk profile.

That’s what we do at Compliance and Privacy Partners. We don’t let the regulators lead us. We help companies build a privacy program that is proportionate to their risk.

Doing anything above and beyond doesn’t always provide extra protection. It often complicates the compliance burden. Data privacy shouldn’t be about building levels of bureaucracy that rival that of the government. It should be about building simple, effective, and appropriate solutions focused on data protection.

There are Opportunities Where Gaps Exist

President John F. Kennedy once said:

“The Chinese use two brush strokes to write the word ‘crisis.’ One brush stroke stands for danger; the other for opportunity. In a crisis, be aware of the danger — but recognize the opportunity.”

That quote summarizes one of our three pillars of digital strategy consulting: Where gaps exist, so, too, do opportunities.

Many companies approach data privacy compliance as an arduous task they have to undertake. They seek to protect themselves from the regulatory authorities by filling the gaps in their current policies so they stay compliant.

That line of thinking is short-sighted, though. Companies that understand there are opportunities to be had in this process are the ones that will separate themselves from the competition.

Instead of merely creating a data privacy plan that will abide by laws, why not use it as a way to connect with your current and prospective customers? Why not use it as a way to be a leader in your industry?

It’s amazing what opportunities you can find when you approach mundane tasks with an open mind. CAPP can help you do just that as you build your data privacy plan.

Relationships are What Matter Most

It’s essential to keep in mind that, through it all, people are at the heart of your data privacy plan. It’s not just the consumers whose data you are protecting but also your employees and business partners who help you protect it. Your customers have to believe that you are treating their data with care and are being responsible.

Your employees need to help you communicate this message and to execute the plan from the inside out. And your business partners will serve an essential role in protecting the data exchanged between you.

We Do More for Our Clients

We have busy enough lives as it is. There’s no need to make things more complicated than they have to be — even when we’re talking about something as crucial as data privacy compliance.

Privacy is a core value of ours at CAPP, and we can help make it one of yours, too. By working closely with your legal, HR, compliance and IT teams, we help you build a solution that matches your potential risk.

We not only build you a program that works today but one that anticipates what’s to come in the ever-changing world of data privacy, data security and regulation. Through it all, we help you see that compliance isn’t a burden but rather an opportunity.

Turn Waves Of Regulation Into Oceans Of Opportunity with CAPP.

To learn more about how Compliance & Privacy Partners can help prepare you for the new wave of privacy regulations, reach out to us at 323-413-7432 or email us at support@capp-llc.com for a free consultation with a Certified Information Privacy Manager.

NOTICE OF THIRD SET OF PROPOSED MODIFICATIONS TO TEXT OF CCPA REGULATIONS

Pursuant to the requirements of Government Code section 11346.8, subdivision (c), and section 44 of Title 1 of the California Code of Regulations, the California Department of Justice (Department) is providing notice of a third set of proposed modifications made to the regulations regarding the California Consumer Privacy Act.

The Department first published and noticed the proposed regulations for public comment on October 11, 2019. On February 10, 2020 and March 11, 2020, the Department gave notice of modifications to the proposed regulations, based on comments received during the relevant comment periods. The Department withdrew the following sections from the review of the Office of Administrative Law (OAL) pursuant to Government Code section 11349.3, subd. (c): 999.305(a)(5), 999.306(b)(2), 999.315(c), and 999.326(c). OAL approved the other sections submitted by the Department, effective August 14, 2020, and these provisions became final.

The modifications are indicated by bold blue underline for proposed additions and red strike out for proposed deletions to the regulations that became effective on August 14, 2020. This third set of modifications includes the following changes:

  • Proposed section 999.306, subd. (b)(3), provides examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
  • Proposed section 999.315, subd. (h), provides guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.
  • Proposed section 999.326, subd. (a), clarifies the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
  • Proposed section 999.332, subd. (a), clarifies that businesses subject to either section 999.330, section 999.331, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.

This Notice, the text of the third set of proposed modifications to the regulations, and a comparison of the text as approved by the Office of Administrative Law with the currently proposed modifications are available at www.oag.ca.gov/privacy/ccpa/current. The originally proposed regulations and all documents relating to the rulemaking package, including previous modifications to the proposed regulations, are also available at this website.

The Department will accept written comments regarding the proposed changes between Tuesday, October 13, 2020 and Wednesday, October 28, 2020. Please limit comments to the additions indicated in bold blue underline and the deletions indicated in red strike out. All written comments on the underlined changes must be submitted to the Department no later than 5:00 p.m. on October 28, 2020 by email to PrivacyRegulations@doj.ca.gov, or by mail to the address listed below.

CCPA Proposed Regulations Submitted to the Office of Administrative Law

California Attorney General Xavier Becerra submitted final proposed regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL). The regulations will provide guidance to businesses on how to comply with the CCPA and will enable consumers to exercise new rights over their personal information. Under Executive Order N-40-20 related to the COVID-19 pandemic, OAL has 30 working days and an additional 60 calendar days to determine whether the regulations satisfy the procedural requirements of the Administrative Procedure Act. Once approved by the OAL, the final regulation text will be filed with the Secretary of State and become enforceable by law.

A copy of the complete rulemaking package submitted to OAL, including a text of the regulations, can be found at www.oag.ca.gov/ccpa.

The final proposed regulations were drafted after a broad and inclusive preliminary rulemaking process, which included seven public forums, during which the office received over 300 letters. During the formal rulemaking process, Attorney General Becerra held four public hearings throughout the state, along with a 45-day comment period and two subsequent 15-day comment periods. These comment periods resulted in the submission of over 1,000 public comments, each of which was taken into consideration when drafting the final regulations.

FTC Finalizes Settlement with Company that Misled Consumers about how it Accesses and Uses their Email

The Federal Trade Commission finalized a settlement with an email management company that allegedly deceived some consumers about how it accesses and uses their email.

The FTC alleged that Unrollme Inc., which helps users unsubscribe from unwanted emails or consolidate their email subscriptions, falsely told consumers that it would not “touch” their personal emails in order to persuade consumers to provide access to their email accounts.

In fact, Unrollme shared users’ email receipts from completed transactions with Unrollme’s parent company, Slice Technologies, Inc. E-receipts can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer. Slice uses anonymous purchase information from Unrollme users’ e-receipts in the market research analytics products it sells.

As part of the settlement with the Commission, Unrollme is prohibited from misrepresenting the extent to which it collects, uses, stores, or shares information from consumers. It must also notify those consumers who signed up for Unrollme after viewing one of the allegedly deceptive statements about how it collects and shares information from e-receipts. The order also requires Unrollme to delete, from both its own systems and Slice’s systems, stored e-receipts previously collected from those consumers, unless it obtains their affirmative, express consent to maintain the e-receipts.

After receiving two comments, the Commission voted 4-0-1 to approve the settlement with Unrollme as well as responses to the commenters. Commissioner Rohit Chopra abstained from the vote.

Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), and Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500, including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

5 Ideas To Kickstart Your Governance, Risk and Compliance Program in the New Year!

We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling next year.

1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!

For example:

  • Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
  • Retention policies can be used as virtual blueprints to justify destroying costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
  • Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.

Executives need to make sure they are told what they need to hear, not what they want to hear.

3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is a lack of policy organization within their OWN departments.

A lack of procedural consistency, unclear policy ownership, and overlap and confusion over a directive’s authority can create even more conflict, risk and uncertainty for an organization. Relying on institutional knowledge and spreadsheets just doesn’t cut it anymore. That’s why every regulated company needs a strong technology backbone in the form of GRC (governance, risk and compliance) software.

4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.

Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organization’s external data, whether it’s private in nature or otherwise.

5. Finally, risk is not a one-size-fits-all problem. Investment needs to be proportional to the exposure. That’s why it’s important to spend enough time planning your long-term strategy rather than diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.

FTC Extends Deadline for Comments on COPPA Rule until December 11

The Federal Trade Commission is extending the deadline to submit comments on the agency’s review of the Children’s Online Privacy Protection Act Rule (COPPA Rule) until December 11, 2019.

The federal government’s Regulations.gov portal is temporarily inaccessible. The FTC is giving commenters additional time to submit comments, as well as an alternative mechanism to file them. Those unable to submit comments via Regulations.gov can submit them via email with the subject line “COPPA comment” to secretary@ftc.gov. All comments, whether filed through Regulations.gov or sent by email, must be submitted by 11:59 p.m. ET on December 11, 2019.

The Commission voted 5-0 to extend the comment deadline until December 11, 2019.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.