Lokker's FAQs section is designed to answer commonly asked questions related to the fields of privacy automation, consumer privacy, cybersecurity, data loss prevention, privacy regulation compliance, privacy standards, and best practices concerning the practical protection of personally identifiable information.
Privacy Automation refers to software platforms and technologies designed for website operators, privacy professionals, and information security departments to more effectively manage the data access and usage rights of integrated third-party applications from the client-side. The goal of Privacy Automation is to automate the repetitive tasks of monitoring third-party activity, assessing privacy and security threats, and mitigating risk to maintain compliance with international privacy laws.
Consumer privacy is important to protect primarily because your customers expect you to deal openly and fairly with them, so it's the right thing to do, ethically speaking. If you are a company, you probably also have the legal responsibility to protect personally identifiable information, though the specifics vary depending on what jurisdiction you are in and what kind of personal data you are handling. In some cases, the only regulations you have to worry about are ones which require you to notify affected individuals if you have a data breach. In other cases, your responsibility to protect begins even before you collect the data. If your company suffers an incident such as a data breach caused by a hack that harms consumer privacy, or if your customers discover that you haven’t been protecting their data, it can expose your business to lawsuits and fines and can cause serious long-term damage to your brand. If you are knowingly or unknowingly leaking customer information to your competitors (which is possible in the case of some third-party web apps), you are effectively handing your customers over to your competitors, which is generally considered to be a poor business practice.
Personally identifiable information (PII) is information that, either by itself or in combination with other information, can be linked to a specific individual. PII is a broad category, encompassing many data elements. Sometimes it is private, and sometimes it is public (such as a public directory listing).
The main challenges in managing personally identifiable information are:
1. Knowing what personally identifiable information you are collecting, where it is, and what you are doing with it
2. Understanding and complying with any regulations and standards which apply to the information you have or plan to collect
3. Communicating clearly and accurately to individuals about the information you have pertaining to them and what you are doing with it
4. Where needed, obtaining consent from individuals to collect personally identifiable information about them
5. Ensuring, where relevant, that you do only what you are allowed to do with it based on applicable regulations and what they have consented to
The GDPR (General Data Protection Regulation) is the law governing the handling of personal data about individuals within the European Union and the European Economic Area. It took effect in 2018 and applies not only within Europe but also to organizations outside Europe that offer goods and services to individuals within Europe or monitor their behavior.
GDPR is important because it has specific requirements you must follow up front in order to collect personal data, including specific notice language you need to post and in some cases opt-in consents. The GDPR restricts what you can do with the data once you have collected it. It requires you to satisfy certain conditions in order to transfer personal data to countries outside the GDPR’s jurisdiction, which can complicate things for multi-national organizations. The GDPR applies to almost all organizations within the European Economic Area, with few exclusions. It even applies to organizations outside the European Economic Area, if they are offering goods or services to people within the EEA or monitoring their behavior. The GDPR is also important because it is being used as a model for privacy laws in other nations and jurisdictions, such as the recently passed California Privacy Rights Act (CPRA).
The main principles of the GDPR are found in Article 5 (https://gdpr-info.eu/art-5-gdpr/). They are, summarized:
1. Personal data shall be processed lawfully, fairly, and in a transparent manner. This means that those processing the data must not only make sure their processing is legal, but must also clearly, completely, and honestly communicate with data subjects about how the data will be processed and used.
2. Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in ways inconsistent with those purposes (there are some exceptions).
3. Personal data shall be adequate, relevant, and limited to what is necessary (this concept is referred to as “data minimization,” and is analogous to the US HIPAA “minimum necessary” standard).
4. Personal data shall be accurate and up to date.
5. Personal data shall be retained in identifiable form no longer than is necessary (there are some exceptions).
If your business is based in the European Economic Area (EEA), or if you process personal information in the EEA, you likely need to fully comply with the GDPR. You can get specific information about what you need to do from your national Data Protection Authority. If your business is located completely outside the EEA, but you interact with individuals who are located within it, you still probably have to handle their data in compliance with the GDPR. This does not necessarily mean that your entire business has to comply with the GDPR. But if it doesn’t, you will have to segregate GDPR data and handle it accordingly.
The GDPR took effect in 2018, so it is in effect now.
The GDPR applies to your handling of personal data if:
1. You process personal data of individuals at a location within the EEA;
2. You offer goods or services to individuals who are located within the EEA – this is true even if the goods and services are free, and news articles or social media services count; or
3. You monitor the behavior of individuals who are located within the EEA
It may NOT apply to your handling of personal data if:
1. You have a site designed for use only by non-EEA customers (for example, a US banking site), and
2. Your non-EEA customers use that site while traveling in the EEA
In the simplest possible terms, it means that:
1. You handle personal data according to the main principles of the GDPR, as outlined in Chapter 2, and its rules for specific situations (Chapter 9)
2. You honor the rights of data subjects and are prepared to receive and respond to their requests (Chapter 3)
3. You establish processes to ensure that you are adhering to data protection by design and by default, fulfilling your responsibilities as a controller or processor, and protecting personal data appropriately (Chapter 4)
4. You adhere to all other requirements of the GDPR, including limitations and conditions on the transfer of data outside the European Economic Area (Chapter 5), and compliance with orders from data protection authorities (Chapter 6)
5. You document your data processing activities so you can demonstrate compliance across the board; it is not enough to do the right thing; you need to be able to prove that you do
No. The US does not currently have a broad, overarching privacy regulation like the EU has with the GDPR. Instead, the US has multiple different laws that protect the information in specific sectors (such as healthcare, finance, and education). In addition, the FTC can take action on complaints about unfair and deceptive practices involving personal information. There are, however, discussions in Congress about establishing an overarching federal privacy law in order to standardize requirements nationally. California’s CCPA has similarities to the GDPR, but it applies only at the state level. And other state privacy laws exist or are in the works. There is currently a push to create a GDPR-style privacy law for the entire US to avoid having to deal with a large number of possibly contradictory state laws.
So far, there is no federal law in the US that protects consumer privacy across the board, though the topic has been discussed for decades. Instead, we have:
1. The Federal Trade Commission, which has the ability to enforce promises made by companies about the privacy and security of their customers’/website users’ data.
2. Specific protection around the collection of personal data of children under 13 (COPPA, the Children’s Online Privacy Protection Act).
3. Healthcare sector regulations, including:
a. The HIPAA Privacy and Security Rules, as later modified by the HITECH Act (which provide a baseline for the privacy and security of health data)
b. GINA (the Genetic Information Nondiscrimination Act)
c. The Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2)
d. FDA regulations protecting data collected in clinical trials and adverse reports
4. Financial sector regulations, including:
a. The Gramm-Leach-Bliley Act
b. FCRA (The Fair Credit Reporting Act)
c. The FTC Red Flags Rule
5. Educational regulation (FERPA, the Family Educational Rights and Privacy Act)
6. Regulations around government and law enforcement access to personal data, though these tend to be more focused on ensuring access than restricting it:
a. The Electronic Communications Privacy Act (ECPA)
b. The Communications Assistance for Law Enforcement Act (CALEA)
c. The Foreign Intelligence Surveillance Act (FISA)
d. The USA Patriot Act
If you are operating in the United States, it is critical to work with your legal counsel to determine which regulations apply to your business and how you are classified under those regulations as your responsibilities may vary.
The state data privacy landscape in the US is dynamic. Most states have some sort of privacy law which kicks in when a data breach occurs, but momentum is building for more comprehensive privacy laws, and the situation will continue to evolve rapidly unless and until federal-level regulations are put in place. The International Association of Privacy Professionals (IAPP) maintains this resource about comprehensive state privacy laws: https://iapp.org/resources/article/state-comparison-table/
The California Consumer Privacy Act (CCPA) gives residents of California the right to control how businesses collect their personal information and what they do with it. These rights include:
1. The right to know what information a business is collecting about them, and how the business is using and sharing it;
2. The right to delete, which requires a business to remove personal information collected about them;
3. The right to opt-out of the sale of their personal information by the business that collected it;
4. The right to non-discrimination, meaning that a business is not allowed to deny services or charge higher prices because an individual has exercised any of these rights
If you are a business, the CCPA may require you to make changes to your public-facing websites, as well as having processes in place for handling consumer requests. For more information, visit the State of California’s official CCPA page: https://oag.ca.gov/privacy/ccpa
The Attorney General of California enforces the CCPA and can act with or without consumer complaints. Private individuals can also sue businesses under the CCPA for data breaches under some circumstances.
The California Privacy Rights Act (CPRA), which passed in November 2020 and will take effect on January 1, 2023, expands on existing California privacy laws (such as the CCPA) to set a new baseline for protection of personal information of California residents. It adds more protection for “sensitive” categories of data (which includes not only identifiers such as SSNs, credit card numbers, and precise geolocation but also personal characteristics such as race/ethnicity, religious beliefs, sexual orientation, and health information). In many ways, the CPRA brings California’s privacy legal framework closer to the European GDPR; it adds more individual rights with respect to their data, requires businesses to be more cautious in their use of it, and creates an independent enforcement authority (the California Privacy Protection Agency) with investigative, rulemaking, and enforcement powers. It’s worth noting that the passage of the CPRA also extended the CCPA exemption for business-to-business information, and employee information, to the effective date of the CPRA, January 1st, 2023.
The CPRA gives individuals in California more rights with respect to their personal information than the CCPA did, bringing California privacy law much closer to the European model laid down in the GDPR. Specifically, it does the following:
1. Establishes an independent agency, the California Privacy Protection Agency, with investigative, rulemaking, and enforcement powers to oversee privacy protection (under CCPA, this all fell under the California Attorney General’s office)
2. Makes slight changes to which businesses are regulated (a business now needs to handle information of 100,000 or more consumers or households rather than 50,000 or more, but the use no longer has to be “commercial”, and deriving 50% or more of revenue from “sharing” consumer PI will also bring a business under it even if it is not a sale)
3. Defines a subset of consumer personal information called “sensitive” personal information, which includes (unless it’s already publicly available):
a. Social Security, driver’s license, state ID card, or passport number.
b. Financial account login and access credentials.
c. Precise geolocation.
d. Racial or ethnic origin, religious or philosophical beliefs, or union membership.
e. Contents of mail, email, and text messages unless the business was the intended recipient.
f. Genetic data.
g. The processing of biometric data to uniquely identify a consumer.
h. Information about a consumer’s health.
i. Information about a consumer’s sex life or sexual orientation.
4. Gives consumers rights to limit the use and disclosure of their sensitive personal information to certain specified purposes, including the purposes for which it was disclosed, and requires businesses to give notice of how it is going to be used so consumers can limit it
5. Expands data breach liability to situations where an email address, in combination with a password or security question answer which would permit access to the account, is exposed
6. Instructs the California AG (and then the new CPPA) to issue regulations requiring regular audits and risk assessments for businesses conducting activities which present a significant risk to privacy or security, and to submit them to the CPPA
7. Defines “profiling” and creates opt-out rights with respect to it, as well as the right to receive meaningful information about the profiling process and its likely effect on the individual
8. Adds a right to correct inaccurate personal information
9. Clarifies that “sharing” personal information is treated the same way as selling it
10. Clarifies the rules around children’s data, increases fines for handling it in violation of the regulations, and calls for regulations to create specifications for an opt-out signal that allows children or their parents to specify that a consumer is under 13 or between 13 and 16 years old
11. Requires businesses to inform consumers of how long they plan to retain each type of personal information and prohibits retaining it longer than necessary for the purpose for which it was collected
12. Extends the exemption covering employee and business-to-business data until January 1, 2023
13. Adds new contractual and direct obligations on service providers, defines “contractors” and requires specific contract language, and adds a category of “third parties”
The Privacy Act of 1974 regulates federal agencies that maintain record systems containing information about individuals. It requires such agencies to follow a code of fair information practices and provide notice to the public about the systems of records they maintain. It also prohibits disclosure of information about an individual contained in those records without the consent of the individual unless the disclosure falls under an exemption within the Privacy Act. The Privacy Act regulates federal agencies and not private organizations unless they are maintaining or using such a system on behalf of a federal agency.
The Privacy Act of 1974, which governs US federal agencies, has four policy objectives (https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1279):
1. To restrict disclosure of personally identifiable records maintained by agencies
2. To grant individuals increased rights of access to agency records maintained on them
3. To grant individuals the right to seek amendment of agency records maintained on them upon a showing that the records are not accurate, relevant, timely, or complete
4. To establish a code of “fair information practices” which requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.
Generally speaking, a privacy violation is when you do something with someone’s personal information that they did not agree to. Legally, though, what counts as a privacy violation depends on what privacy regulations, if any, apply to your handling of the person’s information.
Start by figuring out what your business needs from a privacy program, and then set one up to accomplish those goals. You want something that’s tailored to the needs of your business, but you shouldn’t need to reinvent the wheel. Make sure whoever is doing this has privacy training or expertise, or has regular access to someone who does and can advise. Next, conduct an inventory of your data environment. This can be high-level, but you should follow these 10 steps and answer the specific questions associated with each:
1. What types of personal information (PI) do you collect, where are the people the PI is about located, and what are you going to do with it? (Don’t forget to include HR data, business contact information about customers, etc. Hunt down ALL of it. Pay attention to things like third parties on your websites, and vendors that handle data for you.)
2. What are you going to do with the data?
3. What do you have permission to do with the data?
4. What laws and regulations do you have to follow based on those answers? (For example, the GDPR for European data, HIPAA for US healthcare data, and so on.)
5. Are there any industry-specific standards your customers will expect you to adhere to? If you’re regulated by GDPR, HIPAA, CCPA, SOX, etc., the regs may give you some initial guidance as to what needs to be there at a minimum. You can also go out and search for articles about how programs in your industry are normally structured. You can find template privacy policies, as well. (Important: you never need to start from scratch.)
6. From here, figure out your goals. Between regulations and business goals, what’s the minimum you need to be able to do with data in the normal operation of your business?
7. Next, look at your available resources. What can you actually get resources to do? Prioritize. Regulatory stuff isn’t optional, but there’s usually a range of ways to satisfy the regs. Make use of automated tools where you can (you may be able to split the cost on some of these with Information Security or Risk Management). Tools can help you leverage smaller numbers of staff, and they can do things humans can’t.
8. Set your privacy program up for success. Write policies and procedures, train staff, and document everything.
9. Periodically evaluate (review, audit) to make sure it’s happening the way it should and correct any problems.
10. And finally, iterate. The whole list. This isn’t a “one and done;” the data your business gets will evolve, what you do with it will evolve, and the regulations evolve constantly – though they always move toward more restriction. Stay connected and active in professional organizations to keep up to date (IAPP does great bulletins about privacy news, plus watch privacy/compliance organizations specific to your industry).
If you’re really starting from the ground up, you may also have to figure out where the program will report within your organization. If you have an existing Compliance function, that’s a great option. If not, look at Legal. Privacy needs independence from the revenue-driven portions of your business, because the Privacy function has to have the ability to review and raise internal flags about business decisions. (GDPR-mandated Data Protection Officers have to be even more isolated to avoid conflicts of interest, and it is sometimes better to contract an outside firm that supplies DPO services because of this.)
2. Scope – which of your organization’s data collections does this policy cover, or does it cover everything? If you have regulated data within your organization, do you have a separate policy for it? What about HR data?
3. Responsibilities – Statements about which aspects of the policy each role, or range of roles, within your organization is responsible for. (For example, is HR responsible for making sure everyone gets the mandatory training or is that the Privacy Office? How are you going to delineate responsibility between Privacy and Information Security? What do you expect from every employee?)
4. Provisions that are mandatory for compliance – you should never transcribe regulations into your policy, but there may be provisions you are required to have in your policy in order to comply with applicable regulations. (For example, under GDPR, there are a lot of things you must do: apply data protection by design and by default, appoint a DPO, have a process to receive requests from data subjects, etc.)
5. Other provisions that are necessary for your business – are there provisions you need to meet an industry standard? Do you have client data and clients who insist that you include a general provision about it?
1. Specifics – specifics do not belong in the policy. You do need them, but they belong in procedure and process documents, and internal standards, which reference the policy but aren’t part of it. This is especially true for specifics related to the current state of technology: never mandate the use of (for example) a specific encryption algorithm or key length, or a specific software package, in a policy-level document. (Technical specifications can become obsolete overnight, and policies are often hard to casually change. Also, you don’t want to find that you inadvertently violated your policy by using a better technology for the job.)