What is Privacy Automation?

Privacy Automation refers to software platforms and technologies designed for website operators, privacy professionals, and information security departments to more effectively manage the data access and usage rights of integrated third-party applications from the client side. The goal of Privacy Automation is to automate the repetitive tasks of monitoring third-party activity, assessing privacy and security threats, and mitigating risk to maintain compliance with domestic (Federal, State, & local) and international privacy laws.

Why is consumer privacy important to protect?

Consumer privacy is important to protect primarily because your customers expect you to deal openly and fairly with them, so it’s the right thing to do, ethically speaking. If you are a company, you probably also have a legal responsibility to protect certain customer information, though the specifics vary depending on what jurisdiction you are in and what kind of personal data you are handling. In some cases, the only regulations you have to worry about are ones that require you to notify affected individuals if you have a data breach. In other cases, your responsibility to protect customer information begins even before you collect the data. If your company has an incident such as a data breach that discloses customer information, or if your customers discover that you haven’t been protecting their data, it can expose your business to lawsuits and fines and can cause serious damage to your brand. If you are knowingly or unknowingly leaking customer information to your competitors (which is possible in the case of some third-party web apps), you are effectively handing your customers over to your competitors, which is generally considered to be a poor business practice.

What is personally identifiable information (PII)?

Personally identifiable information (PII) is information that, either by itself or in combination with other information, can be linked to a specific individual. PII is a broad category, encompassing many data elements.

What are the challenges in managing PII?

The main challenges in managing PII are:

  1. Knowing what PII you are collecting, where it is, and what you are doing with it.
  2. Understanding and complying with any laws, regulations, and industry standards that apply to the PII you have or plan to collect.
  3. Communicating clearly and accurately to individuals about the PII of theirs that you hold and what you are doing with it.
  4. Where required or appropriate, obtaining consent from individuals to collect their PII.
  5. Ensuring, where relevant, that you do only what you are allowed to do with their PII based on applicable laws and regulations and what they have consented to.

What is GDPR and why is it important?

The GDPR (General Data Protection Regulation) is the law governing the handling of personal data about individuals within the European Union (EU) and the European Economic Area (EEA). It took effect in 2018 and applies not only within the EEA but also to organizations outside the EEA that offer goods and services to individuals within the EEA or monitor these individuals’ behavior.

The GDPR is important because it has specific requirements you must follow in order to collect personal data, including specific notice language you must post and, in some cases, opt-in consent you must obtain before you collect the personal data.

The GDPR restricts what you can do with the data once you have collected it. It requires you to satisfy certain conditions in order to transfer personal data to countries outside the EEA, which can complicate things for multi-national organizations.

The GDPR applies to almost all organizations within the EEA, with few exclusions. It even applies to organizations outside the EEA, if they are offering goods or services to people within the EEA or monitoring these individuals’ behavior.

The GDPR is also important because it is being used as a model for privacy laws in other nations and jurisdictions, such as the recently passed California Privacy Rights Act (CPRA).

What are the main principles of the GDPR?

The main principles of the GDPR are found in Article 5 (https://gdpr-info.eu/art-5-gdpr/). They are:

  1. Personal data shall be processed lawfully, fairly, and in a transparent manner. This means that those processing the data must not only make sure their processing is legal, but they must also clearly, completely, and honestly communicate with data subjects about how the data will be processed and used.
  2. Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in ways inconsistent with those purposes (there are some exceptions).
  3. Personal data that is collected shall be adequate, relevant, and limited to what is necessary (this concept is referred to as “data minimization,” and is analogous to the US HIPAA “minimum necessary” standard).
  4. Personal data shall be accurate and up to date.
  5. Personal data shall be retained in identifiable form no longer than is necessary (there are some exceptions).

Do I need to be GDPR compliant?

If your business is based in the European Economic Area (EEA), or if you process personal information in the EEA, you likely need to fully comply with the GDPR. You can get specific information about what you need to do from your national Data Protection Authority. If your business is located outside the EEA, but you interact with individuals who are located within the EEA, you still probably are required to handle these individuals’ data in compliance with the GDPR. This does not necessarily mean that your entire business has to comply with the GDPR for all the data you collect from non-EEA individuals, but if you do not apply the GDPR to your non-EEA data, you will have to segregate the GDPR-covered data and handle it according to the GDPR requirements.

When are US businesses required to be GDPR compliant?

The GDPR took effect in 2018. It applies to your handling of personal data if:

  1. You process personal data of individuals at a location within the European Economic Area (EEA);
  2. You offer goods or services to individuals who are located within the EEA – this is true even if the goods and services are free, and news articles or social media services count; or
  3. You monitor the behavior of individuals who are located within the EEA.

It may NOT apply to your handling of personal data if:

  • You have a site designed for use only by non-EEA customers (for example, a US banking site), and your non-EEA customers use that site while traveling in the EEA.

What does it mean to be GDPR compliant?

In simple terms, it means that:

  1. You handle personal data according to the main principles of the GDPR, as outlined in Chapter 2, and its rules for specific situations (Chapter 9)
  2. You honor the rights of data subjects and are prepared to receive and respond to their requests (Chapter 3)
  3. You establish processes to ensure that you are adhering to data protection by design and by default requirements, fulfilling your responsibilities as a controller or processor, and protecting personal data appropriately (Chapter 4)
  4. You adhere to all other requirements of the GDPR, including limitations and conditions on the transfer of data outside the European Economic Area (Chapter 5), and compliance with orders from data protection authorities (Chapter 6)
  5. You document your data processing activities so you can demonstrate compliance across the board; it is not enough to do the right thing; you need to be able to prove that you do

Does the US have a single GDPR-style consumer privacy law?

No. The US does not have a broad, overarching privacy regulation like the GDPR. Instead, the US has multiple laws that protect the information in specific sectors (such as healthcare, finance, and education) in different ways and with different requirements. In addition, the FTC can take action on complaints of unfair and deceptive practices involving personal information. There are discussions in Congress about establishing an overarching federal privacy law in order to standardize requirements nationally.

At the state level, the California Consumer Privacy Act has similarities to the GDPR, but it is a state law rather than a national one. Other state privacy laws exist or are in the works.

What federal laws protect consumer privacy in the US?

So far, there is no federal law in the US that protects consumer privacy across the board, though the topic has been discussed for decades. Instead, we have:

  1. The Federal Trade Commission, which has the ability to enforce promises made by companies about the privacy and security of their customers’/website users’ data.
  2. Specific protection around the collection of personal data of children under 13 (the Children’s Online Privacy Protection Act (COPPA)).
  3. Healthcare sector regulations, including:
    • The HIPAA Privacy and Security Rules, as modified by the HITECH Act (provides a baseline for the privacy and security of health data);
    • GINA (the Genetic Information Nondiscrimination Act);
    • The Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2); and
    • FDA regulations protecting data collected in clinical trials and adverse reports
  4. Financial sector regulations, including:
    • The Gramm-Leach-Bliley Act;
    • FCRA (The Fair Credit Reporting Act); and
    • The FTC Red Flags Rule
  5. Educational regulation (the Family Educational Rights and Privacy Act (FERPA))
  6. Regulations relating to government and law enforcement access to personal data, though these tend to be more focused on ensuring access than restricting it:
    • The Electronic Communications Privacy Act (ECPA);
    • The Communications Assistance to Law Enforcement Act (CALEA);
    • The Foreign Intelligence Surveillance Act (FISA); and
    • The USA Patriot Act

If you are operating in the United States, it is critical to work with your legal counsel to determine which regulations apply to your business and how you are classified under those regulations, as your responsibilities may vary depending on your classification.

What does the US Privacy Act require?

The Privacy Act of 1974 regulates federal agencies that maintain record systems containing information about individuals. It requires such agencies to follow a code of fair information practices and provide notice to the public about the systems of records they maintain. It also prohibits disclosure of information about an individual contained in those records without the consent of the individual, unless the disclosure falls under an exemption within the Privacy Act. The Privacy Act regulates federal agencies, not private organizations, unless they are using or maintaining such a system on behalf of a federal agency.

What are the 4 objectives of the US Privacy Act?

The Privacy Act of 1974, which governs US agencies, has four policy objectives (https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1279):

  1. Restrict disclosure of personally identifiable records maintained by agencies.
  2. Grant individuals increased rights of access to agency records maintained on them.
  3. Grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete.
  4. Establish a code of ‘fair information practices’ which requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.

Which US states have consumer privacy laws?

The state data privacy landscape in the US is dynamic. Most states have some sort of privacy law that applies when a data breach occurs, but momentum is building for more comprehensive privacy laws, and the situation will continue to evolve rapidly unless and until federal-level regulations are put in place. The International Association of Privacy Professionals (IAPP) maintains this resource about comprehensive state privacy laws: https://iapp.org/resources/article/state-comparison-table/

What is the California Consumer Privacy Act (CCPA)?

The CCPA gives California residents the right to control how businesses collect their personal information and what they do with it.

These rights include:

  1. The right to know what information a business is collecting about them, and how the business is using and sharing it;
  2. The right to delete, which requires a business to remove personal information collected about them;
  3. The right to opt-out of the sale of their personal information by the business that collected it; and
  4. The right to non-discrimination, meaning that a business is not allowed to deny services or charge higher prices because an individual has exercised any of these rights.

If you are a business, the CCPA may require you to make changes to your websites, as well as have processes in place for handling consumer requests. For more information, visit the State of California’s official CCPA page: https://oag.ca.gov/privacy/ccpa

Who enforces the CCPA?

The California Attorney General enforces the CCPA and can act with or without having received consumer complaints. Private individuals can also sue businesses under the CCPA for data breaches in certain circumstances.

What is the California Privacy Rights Act (CPRA)?

The CPRA, which was enacted in November 2020 and will take effect on January 1, 2023, expands on existing California privacy laws (such as the CCPA) to set a new baseline for protection of personal information of California residents. It adds more protection for “sensitive” categories of data (which include not only identifiers such as Social Security Numbers, credit card numbers, and precise geolocation, but also personal characteristics such as race/ethnicity, religious beliefs, sexual orientation, and health information). In many ways, the CPRA brings California’s privacy legal framework closer to the GDPR; it adds more rights with respect to an individual’s data, requires businesses to be more cautious in their use of it, and creates an independent enforcement authority (the California Privacy Protection Agency) with investigative, rulemaking, and enforcement powers. It’s worth noting that the passage of the CPRA also extended the CCPA exemption for business-to-business information, and employee information, to the effective date of the CPRA, January 1, 2023.

How does the CPRA differ from the CCPA?

The CPRA gives individuals in California more rights with respect to their personal information than the CCPA does, bringing California’s privacy law much closer to the European model laid out in the GDPR.

Specifically, it does the following:

  1. Establishes an independent agency, the California Privacy Protection Agency (CPPA), with investigative, rulemaking, and enforcement powers to oversee privacy protection (under CCPA, this all came under the California Attorney General’s office).
  2. Makes changes to which businesses are regulated (a business now needs to handle information of 100,000 or more consumers or households, rather than 50,000 or more under the CCPA, but the use no longer has to be “commercial”); deriving 50% or more of a business’s revenue from “sharing” consumer PI will also bring a business under it even if it is not a sale.
  3. Defines a subset of consumer personal information called “sensitive” personal information, which includes (unless it’s already publicly available):
    • Social Security, Drivers’ License, State ID Card, or Passport number.
    • Financial account login and access credentials.
    • Precise geolocation information.
    • Racial or ethnic origin, religious or philosophical beliefs, or union membership.
    • Contents of mail, email, and text messages unless the business was the intended recipient.
    • Genetic data.
    • The processing of biometric data to uniquely identify a consumer.
    • Information about a consumer’s health.
    • Information about a consumer’s sex life or sexual orientation.
  4. Gives consumers rights to limit the use and disclosure of their sensitive personal information to certain specified purposes, including the purposes for which it was disclosed, and requires businesses to give notice of how it is going to be used so consumers can limit it.
  5. Expands data breach liability to situations where an email address, in combination with a password or security question answer which would permit access to the account, is exposed.
  6. Instructs the California Attorney General (and then the new CPPA) to issue regulations requiring businesses conducting activities that present a significant risk to privacy or security to perform regular audits and risk assessments and submit them to the CPPA.
  7. Defines “profiling” and creates opt-out rights with respect to it, as well as the right to receive meaningful information about the profiling process and its likely effect on the individual.
  8. Adds a right to correct inaccurate personal information.
  9. Clarifies that “sharing” personal information is treated the same way as selling it.
  10. Clarifies the rules around children’s data, increases fines for handling it in violation of the regulations, and calls for regulations to create specifications for an opt-out signal that allows children or their parents to specify that a consumer is under 13 or between 13 and 16 years old.
  11. Requires businesses to inform consumers of how long they plan to retain each type of personal information and prohibits retaining it longer than necessary for the purpose for which it was collected.
  12. Extends the exemption covering employee and business-to-business data until January 1, 2023.
  13. Adds new contractual and direct obligations on service providers, defines “contractors” and requires specific contract language, and adds a category of “third parties”.

What is a privacy violation?

Generally speaking, a privacy violation is when you do something with someone’s personal information that they did not agree to; it is not limited to a disclosure of someone’s personal information. Legally speaking, what counts as a privacy violation depends on what privacy regulations, if any, apply to your handling of the person’s information.

How do I develop a privacy program?

Start by figuring out what your business needs from a privacy program, and then set one up to accomplish those goals. You will want something that’s tailored to the needs of your business, but you shouldn’t reinvent the wheel. Make sure whoever is developing your privacy program has privacy training or expertise or has regular access to someone who does and can advise them. Next, conduct an inventory of your data environment.

This can be high-level, but you should follow these 10 steps and answer the specific questions associated with each:

  1. What types of personal information (PI) do you collect, where are the people the PI is about located, and what are you going to do with the PI? (Don’t forget to include HR data, business contact information about customers, etc. Hunt down ALL of it. Pay attention to things like third parties on your websites, and vendors that handle data for you.)
  2. What are you going to do with the PI?
  3. What do you have permission to do with the PI?
  4. What laws and regulations do you have to follow based on those answers? (For example, the GDPR for European data, HIPAA for US healthcare data, etc.)
  5. Are there any industry-specific standards your customers will expect you to adhere to? If you’re regulated by GDPR, HIPAA, CCPA, Sarbanes Oxley, etc., the regulations may give you guidance as to what needs to be in your privacy program at a minimum. You can also search for articles about how programs in your industry are normally structured. You can find template privacy policies, as well. (Important: You never need to start from scratch.)
  6. Figure out your goals. Between legal/regulatory requirements and business goals, what’s the minimum you need to be able to do with data in the normal operation of your business?
  7. Next, look at your available resources. What can you actually get resources to do? Prioritize. Regulatory requirements are not optional, but there’s usually a range of ways to satisfy the regulations. Make use of automated tools where you can (you may be able to split the cost on some of these with your Information Security or Risk Management organizations). Tools can help you leverage smaller staff, and these tools can do things humans can’t.
  8. Set your privacy program up for success. Write policies and procedures, train staff, and document everything.
  9. Periodically evaluate (review, audit) your privacy program to make sure it’s operating the way it should and correct any problems.
  10. And finally, iterate through this entire list. This isn’t a “once and done;” the data your business gets will evolve, what you do with it will evolve, and the regulations evolve constantly – though they always seem to move toward more restriction. Stay connected and active in professional organizations to keep up to date (the International Association of Privacy Professionals (https://iapp.org) provides great bulletins about privacy news; also look for privacy/compliance organizations specific to your industry).

If you’re really starting from scratch, you may also have to figure out where the privacy program will report within your organization. If you have an existing Compliance organization, that’s a great option. If not, look at your Legal Department. Privacy needs independence from the revenue-driven portions of your business because the privacy function has to have the ability to review and raise internal flags about business decisions. (GDPR-mandated Data Protection Officers have to be even more isolated to avoid conflicts of interest, and it is sometimes better to contract an outside firm that supplies DPO services.)

What should a Privacy Policy include?

A Privacy Policy lays out the vision and goals of your organization’s privacy program in high-level statements which are specific enough to provide guidance and authority for the creation of specific and actionable processes and procedures (which exist in separate documents).

It should have at least the following:

  1. Statement of Purpose and Goals – The purpose of a privacy policy will vary from organization to organization, driven by the regulatory environment you operate in, client needs, and your organizational culture.
  2. Scope – Which of your organization’s data collection practices does this policy cover, or does it cover everything? If you have regulated data within your organization, do you have a separate policy for it? What about HR data?
  3. Responsibilities – Statements about which aspects of the policy each role, or range of roles, within your organization is responsible for. (For example, is HR responsible for making sure everyone gets the mandatory training, or is that the responsibility of the Privacy Office? How are you going to delineate responsibility between your Privacy and Information Security organizations? What do you expect from every employee?)
  4. Provisions that are mandatory for compliance – You should never transcribe regulations into your privacy policy, but there may be provisions you are required to have in your policy in order to comply with applicable regulations. (For example, under GDPR, there are a lot of things you must do: apply data protection by design and by default, appoint a DPO, have a process to receive requests from data subjects, etc.)
  5. Other provisions that are necessary for your business – Are there provisions you need to have to meet an industry standard? Do you have client data and clients who insist that you include a general provision about it?

And there is one thing your Privacy Policy shouldn’t have:

Specifics – Specifics do not belong in the privacy policy. You do need them, but they belong in procedure and process documents, and internal standards, which reference the policy but aren’t part of it. This is especially true for specifics related to the current state of technology: never mandate the use of (for example) a specific encryption algorithm or key length, or a specific software package, in a policy-level document. (Technical specifications can become obsolete overnight, and policies are often hard to casually change. Also, you don’t want to find that you inadvertently violated your policy by using better technology for the job.)

We are Lokker

At Lokker, we believe freedom and security rely on our collective ability to protect privacy. Furthermore, we believe we have the right to control who sees our private data online and restrict how it is being used because this level of control is required to keep the internet a vital resource for good.