Customer Consent…A Slippery Slope

This year, companies large and small dealt with managing the ever-changing world of consumer consent. Facebook was fined $5 billion [1], Equifax was fined $700 million [2], and British Airways was fined $230M [3], all for mismanagement of consumer data. These fines have led to the realization that consent and data management can be a slippery slope.

As January 1, 2020 approaches, companies are preparing themselves for the newest privacy regulation to go into effect, the California Consumer Protection Act (CCPA). A huge part of CCPA is offering consumers the freedom to set preferences about which marketing companies would be able to advertise to them, and the ability to control what data can be sold to other advertisers.

A fantastic recent article from AdExchanger found here asks tough questions and highlights concepts that all companies need to be prepared for as CCPA goes into effect. A common theme is how companies will be able to effectively communicate consumer preferences to their marketing vendors.

Credit: https://www.kmuw.org/post/onwords-slippery-slope

As the world watches, the California attorney general has made updates to how the state views CCPA. Below is an excerpt from the article:

“New in the draft regulations is a requirement that businesses that collect a California consumer’s personal information online must treat signals from “user-enabled privacy controls,” indicating consumers don’t want their personal information to be sold, as opt-out requests, otherwise known as “Do Not Sell” requests. These signals could come from a browser plug-in, privacy setting or any other user-enabled mechanism.”

The article's further comments on the latest update from the state attorney general were:

“This is a completely new requirement absent from the statute itself. The California attorney general’s office explained in its Initial Statement of Reasons that this new addition was “intended to support innovation for privacy services that facilitate the exercise of consumer rights in furtherance of the purposes of the CCPA.” It said this was “necessary because, without it, businesses are likely to reject or ignore consumer tools.””

What this comment does give insight into is that the state is expecting new technologies such as RIVN to be in place so that companies have the ability to respect user privacy preferences. All companies will need to adopt scalable technologies that lead to compliance.

For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be consent management and the “Right to Erasure/Deletion” itself. Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use, SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.

To learn more about regulations mentioned above please see the following links below:

Data Subject Access Request (DSAR) Process Enigma

As we head towards the end of the year and closer to the establishment of the California Consumer Protection Act (CCPA), companies are setting up strategies to handle Data Subject Access Requests (DSARs). Since DSAR compliance was attached to the General Data Protection Regulation (GDPR) in 2018, companies are aware of the process; however, most companies are finding it is very expensive and a bit of an enigma.

According to a recent Avepoint article (here), the cost for a DSAR request could range from $200 – $200k per request! The cost for a DSAR is heavily weighted towards ensuring a flexible process is in place, including people and technology.

Here is an example of a DSAR process from the GDPR summit in Dublin last year:

Credit: https://www.slideshare.net/DamaIreland/the-data-value-map-for-gdpr-may-2018-gdpr-summit-dublin-100908410

As you can tell, the process is complicated. In fact, a quick Google search for “data subject access request process” will return over 600M search results. Therefore, organizations need to have a plan for the process and understand that technology + people = a successful process.

One helpful article from the Privacy Hub found here speaks to the DSAR requirements for companies under the GDPR.

“For individuals, gaining access to their data can often be the first step; it allows them to see what data is held on them – and how it’s used. The next step might be to exercise other important rights which the GDPR gives individuals:

  • The right to be informed
  • The right to rectification (data correction)
  • The right to erasure
  • The right to object to processing and to request that it is restricted
  • The right not to be evaluated solely based on automated decision making and the right in relation to profiling.”

What we at RIVN have found is that every company will need to define a process that best suits its own business, and an off-the-shelf solution is not sufficient. It is also important to select the best-of-breed technology solution for the DSAR process.

The deletion function required for the DSAR request is where RIVN is here to help companies. For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be the “Right to Erasure/Deletion” or the DSAR function itself. Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use, SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.


Data Subject Access Request (DSAR) Challenges

With the rise of global privacy regulations, the concept of the Data Subject Access Request (DSAR) is becoming a challenge for companies large and small across the globe. It is found in Article 15 of the General Data Protection Regulation (GDPR) and is part of several new regulations, including the California Consumer Protection Act (CCPA). This regulation requires companies to allow consumers the ability to access and/or delete all of the data they have collected on that consumer (aka subject).

The challenge is that most companies do not have an easy method by which they can access and/or delete consumer data. During the tech boom, companies have collected trillions of data points over the years, without considering the need to one day delete that data. In fact, these regulations can and have put restrictions around the time in which these requests must be fulfilled. For example, as Article 12 of the GDPR highlights, companies have a month to comply with these requests.

Credit: https://www.komando.com/tips/426830/how-to-safely-delete-data-forever-on-your-pc-or-mac

A recent article by IAPP found here reports several staggering stats based on companies’ responses to DSAR requests.

Below are a few key quotes highlighting the challenges:

“It is unsurprising that challenges managing DSARs could lead a company to fall out of GDPR compliance. The report reveals that companies that found it difficult to fulfill DSARs were less likely to fulfill them. Moreover, those who found it difficult to fulfill DSARs were more likely to take a month or longer to respond to requests. This may suggest that some companies are struggling to remain legally compliant with the GDPR because of these requests. Considering that Article 12(3) of the GDPR grants a one-month period to respond “without undue delay” to data access requests (which might be extended by two months “where necessary”), struggling with DSARs presents a significant compliance risk for controllers.”

“Therefore, the report reveals patterns in how controllers handle DSARs. According to the report, around half of the firms that receive DSARs have a dedicated team to handle them. Unsurprisingly, the controllers who found DSARs difficult were less likely to have a team dedicated to handling them. The report also spoke to the type of process used to handle DSARs. Two-thirds of the respondents handle DSARs manually, and one-third use a combination of manual and ad hoc processes. Those who reported difficulty with DSAR requests were more likely to use manual and ad hoc processes to handle their requests. This suggests that there is a relationship between how difficult DSARs are for firms and the methods the firms use to handle them. Clearly, a dedicated team or some sort of system for managing DSARs in a non–ad hoc style, if feasible, makes DSARs easier to manage.”

The deletion function required with GDPR and CCPA is where RIVN is here to help companies. For digital marketers, IT professionals and legal teams, the greatest hurdle may be the “Right to Erasure/Deletion” or the DSAR function itself. Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use, SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.