Consumer Rights under the California Consumer Privacy Act (CCPA)

It can be argued that the General Data Protection Regulation (GDPR) put the idea of consumer rights on the map regarding privacy. The California Consumer Privacy Act (CCPA), which passed in 2018, went into effect on January 1, 2020. It is one of the latest laws in a string of new privacy regulations that are sweeping the globe. To learn more about CCPA, please see a recent article from RIVN that offers some great details here.

For this article, we focus on the rights that are protected under CCPA. The really interesting part about these rights is that the new privacy acts popping up in Nebraska, Florida and Washington are all following this same playbook. Therefore, it is critically important for companies to establish a process to ensure their consumers have the ability to exercise these rights and, more importantly, to be able to react to them when necessary.

CCPA

Here are the rights that will be enforced by CCPA.

  • The right to delete personal information held by businesses and by extension, a business’s service provider;
  • The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
  • The right to opt-out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
  • The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

As noted in the first bullet point above, consumer deletion requests will continue to be a key part of almost all new privacy regulations. For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be consent management and the “Right to Erasure/Deletion” itself.

Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy to use SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.


3 Initial Insights on CCPA

The latest high-profile consumer privacy regulation, the California Consumer Privacy Act (CCPA), went into effect on January 1, 2020. As a result, social media and various publications have been buzzing about the new regulation, including users’ experiences.

As background, CCPA is trying to give consumers more control over their data, including how companies can manage it and whether they can sell it. That includes allowing consumers to request access to or deletion of their data from companies, along with expressing whether they would like companies not to sell their data.

Under the new law, companies that need to meet CCPA regulations are those that: (1) generate $25 million in revenue, (2) have more than 50,000 consumer records in their database, or (3) derive more than 50% of their revenue from selling consumers’ personal info.

After reading these insights, I believe everyone can agree the CCPA has empowered the people to take control of how companies capture, store and manage their data.

So, here are 3 initial insights after one full week of CCPA:

CCPA Is Huge On Social Media

CCPA is having a larger social impact than anticipated. While many companies seem to be prepared for CCPA, it does seem like a lot of companies are either not prepared or are taking a stance of non-compliance. The most surprising impact of CCPA has been the groundswell of regular people fully documenting their experiences with various brands in regard to CCPA.

California citizens on their own are creating repositories to make it easy for others to submit data access & deletion requests, such as this one here.

Also, individuals are documenting how huge companies such as Facebook or OpenTable are simply denying consumer requests for access or deletion of their data, for now, as seen below.

Here is an example of OpenTable denying a do not sell request from one of the co-authors of CCPA, Mary Stone Ross, also on Twitter as @MarySRoss18:

Here is an example of a Twitter user @ampersand_ie reporting back on Facebook denying deletion requests under CCPA:

CCPA is very different than the General Data Protection Regulation (GDPR)

In contrast to GDPR, CCPA has been very visible across the web. While GDPR was highly visible with the privacy community and in Europe, it has heavily focused on consent. While CCPA does have a consent component it is highly focused on consumer data access and deletion rights along with the sale of consumer data.

Many consumers have seen the impact of CCPA directly in communications sent to them, and more specifically in their inboxes. You may have noticed that several of the companies you subscribe to have recently sent email updates about their privacy policy changes.

These are directly associated with the anticipation of CCPA. While enforcement of CCPA does not occur until July 1, 2020, responsible companies are preparing now. This will continue to rise along with the use of a “Do Not Sell” button which should become a staple on most sites.

Here is an example from Potterybarn Kids:

The cost of CCPA will be great and teams will need to work closely together

The total cost of any regulation for companies is difficult to estimate. But a recent article from Bloomberg estimated that CCPA alone will cost companies 55 billion dollars.

At these levels, companies’ internal teams will need to work in harmony. With executive oversight, the teams that have been affected by CCPA have been marketing, IT, legal and finance.

  • Marketing Teams – These teams have been responsible for creating messaging to assure consumers about compliance changes that have been seen in banner ads and emails.
  • IT Teams – These teams have been required to audit technology stacks and implement new compliance solutions where required.
  • Legal Teams – Most legal teams have been required to get up to speed on marketing and analytics processes to ensure corporate compliance.
  • Finance Teams – Financial organizations have been required to take new liabilities into account and allocate resources to ensure corporate compliance.

In summary, the last week has been very interesting. Over the next several weeks and months companies will need to be vigilant & flexible to ensure they are not only meeting the new regulation but also meeting social expectations.  Very exciting times!

To learn how RIVN can help please visit www.rivn.com

Consumer Online Privacy Rights Act (COPRA)

Consumers across the globe have heard new acronyms regarding privacy, from the General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA). All of these regulations have a simple goal: create trust between brands and consumers. However, most of the regulations have been developed in silos at the state or regional level only.

The latest US legislation is known as the Consumer Online Privacy Rights Act (COPRA). COPRA is designed to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement,” laudable goals and ones on which privacy advocates, consumers and industry are increasingly finding common ground as states around the country craft disparate rules on privacy protection.

The quote above comes from a recent IAPP article entitled “US Senators Unveil New Federal Privacy Legislation” which can be found here. The article also highlights the penalty level included in COPRA which is between $100-1,000 per infraction per day.

One novelty or twist that COPRA brings to the table is that the bill tackles algorithmic decision-making, requiring those who use it to facilitate advertising or eligibility determinations for housing, education, employment or credit to conduct an impact assessment annually for accuracy, fairness, bias and discrimination. Challenges related to “deep fakes” are also addressed.

Below is an excerpt from the article that highlights the six pillars of COPRA:

  1. Consent: The bill requires individual consent for data processing, including express affirmative consent for processing sensitive data, which is very broadly defined but excludes “publicly-available information.” Much like the California Consumer Privacy Act, COPRA provides individuals the right to opt out of the transfer of their covered data for “valuable consideration” and would grant the FTC rulemaking in that area.
  2. Access: The act requires covered entities to provide individuals with their own covered data upon request, in a portable format, as well as the name of any third party to which it has been transferred for valuable consideration.
  3. Correction and deletion: Individuals are granted the right to correct and delete their own covered data.
  4. Transparency: Covered entities must publish a privacy policy that includes information commonly seen in such policies today. This includes contact information for the entity, the categories of data processed, and the categories of third parties and service providers to which information is transferred. Somewhat more novel requirements include retention timelines, and perhaps more contentious, the identity of each third party to which covered data is transferred. The policy must be made available in all languages in which the covered entity does business.
  5. Data minimization: Covered entities may only process covered data for specific purposes, subject to necessity and proportionality standards.
  6. Data security: Covered entities must provide reasonable security, assess vulnerabilities, implement corrective action when risks are identified and dispose of data that is no longer needed.

As noted in the third bullet point above, consumer deletion requests will continue to be a key part of almost all new privacy regulations. For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be consent management and the “Right to Erasure/Deletion” itself.

Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.

The Power of Privacy

If you search the term “privacy” in Google, you will see about 19 billion results in half a second. The reality is that people across the globe are interested in learning more about privacy and how they can protect themselves. More importantly, the power of consumer privacy is on the rise. Recent news stories have highlighted the power of privacy in regard to big technology companies and political campaigns.

Pew Research recently reported that “roughly six-in-ten U.S. adults say they do not think it is possible to go through daily life without having data collected about them by companies or the government.”

The team at Forbes recently published a great article found here. The article gives great background on how privacy has risen to become a mainstream topic, along with the business verticals and technologies that are most impacted.

Credit: https://www.enisa.europa.eu/news/enisa-news/security-for-privacy-on-data-protection-day

Below is an excerpt from the article:

Andrew Hawn, my former colleague and now founder of MetaForesight, is a technology, media and content expert. Andrew has been collaborating with my analytic startup, Metametrix, and we recently spoke about privacy and its far-reaching implications.

“We’re seeing a social shift in the long term effects of privacy…. As billions more in venture investing targets our personal data for resale in a multitude of ways, people are starting to more deeply question their growing lack of data privacy and control.”

Andrew went on to say:

“The truth is that there is only so much regular citizens can do without laws and policies that empower citizens to retake some personal data power. The EU’s GDPR was a blunt first instrument, and now California’s CCPA is trying to take a slightly smarter approach starting in 2020.”

“Just trying to turn things off by playing whack-a-mole won’t work; we need new innovations focused on protections that are more conversation driven and transparent.”

What these comments do give insight into is that new technologies such as RIVN need to be in place so companies have the ability to respect user privacy preferences. All companies will need to adopt scalable technologies that lead to compliance.

For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be consent management and the “Right to Erasure/Deletion” itself. Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.

Customer Consent…A Slippery Slope

This year, companies large and small dealt with managing the ever-changing world of consumer consent. Facebook was fined $5 Billion [1], Equifax was fined $700 Million [2], and British Airways was fined $230M [3], all for mismanagement of consumer data. These fines have led to the realization that consent and data management can be a slippery slope.

As January 1, 2020 approaches, companies are preparing themselves for the newest privacy regulation to go into place, the California Consumer Privacy Act (CCPA). A huge part of CCPA is offering consumers the freedom to set preferences about which marketing companies would be able to advertise to them, and the ability to control what data can be sold to other advertisers.

A fantastic recent article from AdExchanger found here asks tough questions and highlights concepts that all companies need to be prepared for as CCPA goes into place. A common theme is how companies will be able to effectively communicate consumer preferences to their marketing vendors.

Credit: https://www.kmuw.org/post/onwords-slippery-slope

As the world watches, the California attorney general has made updates to how the state views CCPA. Below is an excerpt from the article:

“New in the draft regulations is a requirement that businesses that collect a California consumer’s personal information online must treat signals from “user-enabled privacy controls,” indicating consumers don’t want their personal information to be sold, as opt-out requests, otherwise known as “Do Not Sell” requests. These signals could come from a browser plug-in, privacy setting or any other user-enabled mechanism” 

The latest update from the state attorney general explains these comments further:

“This is a completely new requirement absent from the statute itself. The California attorney general’s office explained in its Initial Statement of Reasons that this new addition was “intended to support innovation for privacy services that facilitate the exercise of consumer rights in furtherance of the purposes of the CCPA.” It said this was “necessary because, without it, businesses are likely to reject or ignore consumer tools.”

What this comment does give insight into is that the state is expecting new technologies such as RIVN to be in place so companies have the ability to respect user privacy preferences. All companies will need to adopt scalable technologies that lead to compliance.

For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be consent management and the “Right to Erasure/Deletion” itself. Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.

Data Subject Access Request (DSAR) Process Enigma

As we head towards the end of the year and closer to the establishment of the California Consumer Privacy Act (CCPA), companies are setting up strategies to handle Data Subject Access Requests (DSARs). Since DSAR compliance was attached to the General Data Protection Regulation (GDPR) in 2018, companies are aware of the process; however, most companies are finding it is very expensive and a bit of an enigma.

According to a recent Avepoint article (here), the cost for a DSAR request could range from $200 – $200k per request! The cost for a DSAR is heavily weighted towards ensuring a flexible process is in place, including people and technology.

Here is an example of a DSAR process from the GDPR summit in Dublin last year:

Credit: https://www.slideshare.net/DamaIreland/the-data-value-map-for-gdpr-may-2018-gdpr-summit-dublin-100908410

As you can tell, the process is complicated. In fact, a quick Google search for “data subject access request process” will result in over 600M search results. Therefore, organizations need to have a plan for the process and understand that technology + people = a successful process.

One helpful article from the Privacy Hub found here speaks to the DSAR requirements for companies under the GDPR.

“For individuals, gaining access to their data can often be the first step; it allows them to see what data is held on them – and how it’s used. The next step might be to exercise other important rights which the GDPR gives individuals:

  • The right to be informed
  • The right to rectification (data correction)
  • The right to erasure
  • The right to object to processing and to request that it is restricted
  • The right not to be evaluated solely based on automated decision making and the right in relation to profiling.”

What we at RIVN have found is that every company will need to define a process that best suits its own business, and an off-the-shelf solution is not sufficient. It is also important to select the best-of-breed technology solution for the DSAR process.

The deletion function required for the DSAR request is where RIVN is here to help companies. For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be the “Right to Erasure/Deletion” or the DSAR function itself. Contemporary organizations are searching for a module-based solution such as RIVN to step up to meet this need with an easy-to-use SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.