Cybersecurity has been a consistent world news item for several years now, due largely to the number of high-profile data breaches that have occurred, especially in sectors that were assumed to be secure, such as credit bureaus and healthcare.
Privacy is a relative newcomer to the limelight, driven in the United States by the passage and subsequent enforcement of the California Consumer Privacy Act (CCPA), and before that in Europe by the enactment of the General Data Protection Regulation (GDPR). Because privacy is so often lumped together with security in popular literature and the media, some confusion between privacy and security is understandable.
Many consumers assume that they are the same thing, when they are not. "Privacy" in this context refers to a consumer's right and ability to control their personal information and to know where it has been shared. "Security" refers to the measures a business takes to protect a consumer's information against loss, unauthorized access and disclosure. Security is one of the tools that makes privacy possible; it is not privacy itself.
Data Privacy vs Data Security: How CCPA Will Be Enforced
CalOPPA did not include meaningful enforcement provisions and was broadly ignored. CCPA, on the other hand, gives consumers a private right of action, that is, a consumer can sue a business directly. Note that under CCPA this private right of action is limited to data breaches of personal information that result from the business's failure to implement reasonable security; all other violations are enforced by the California Attorney General, and as of this writing the California AG is committed to broad enforcement of CCPA. CCPA must be taken seriously by every business that has clients in California.
Other Common Privacy Mistakes
There is no data privacy without data security: if a business retains a consumer's information, it must protect it. But the obligations of a business under CCPA and GDPR (where it applies) do not end with security. These privacy laws impose additional requirements, and the two laws do not match each other. Here are some common misconceptions businesses have regarding CCPA and GDPR:
- Cookie Management
Under CCPA, businesses that sell consumers' personal information must give consumers an opportunity to opt out of that sale. GDPR goes further: it requires visitor opt-in before non-essential cookies are set; you cannot load cookies first and then ask the visitor whether that is acceptable. A cookie banner that sets analytics or advertising cookies on page load and only later asks for consent is therefore an opt-out design, not an opt-in one.
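The difference between the two models is easiest to see in code. The following is an added example, not code from the original article or from any consent vendor: a small consent gate that decides, for each cookie a page wants to set, whether it may be set yet. Under the opt-in regime nothing except strictly necessary cookies is set until the visitor answers the banner; under the opt-out regime everything is set immediately and only removed if the visitor declines. The cookie catalogue, the regime names and the in-memory jar (standing in for `document.cookie` so the logic runs under Node) are assumptions made for the example.

```javascript
// Consent gating for non-essential cookies: GDPR-style opt-in versus CCPA-style opt-out.
// Added example, not code from the original article. The Map "jar" stands in for
// document.cookie so the flow can run and be checked outside a browser.

// Hypothetical catalogue of cookies the site wants to set, tagged with their purpose.
const COOKIE_CATALOGUE = [
  { name: "session_id", category: "necessary", value: "abc123" },
  { name: "_ga",        category: "analytics", value: "GA1.2.1" },
  { name: "_fbp",       category: "marketing", value: "fb.1.1" },
];

class ConsentGate {
  constructor(regime) {
    if (regime !== "opt-in" && regime !== "opt-out") throw new Error(`unknown regime: ${regime}`);
    this.regime = regime;
    this.decision = null;   // null until the visitor answers the banner
    this.jar = new Map();   // name -> { value, category }; stands in for document.cookie
    this.blocked = [];      // cookie names refused because consent was absent
  }

  // Strictly necessary cookies are always allowed. Before any answer, opt-in denies
  // everything else and opt-out permits it. After an answer, only chosen categories pass.
  isAllowed(category) {
    if (category === "necessary") return true;
    if (this.decision === null) return this.regime === "opt-out";
    return this.decision.has(category);
  }

  setCookie({ name, category, value }) {
    if (!this.isAllowed(category)) { this.blocked.push(name); return false; }
    this.jar.set(name, { value, category });
    return true;
  }

  // Simulates a page load: every tag in the catalogue tries to set its cookie.
  loadPage(catalogue) { catalogue.forEach((c) => this.setCookie(c)); }

  // Records the banner answer and deletes cookies the visitor did not consent to,
  // so a decline under opt-out actually clears what was set on the first load.
  applyDecision(allowedCategories) {
    this.decision = new Set(allowedCategories);
    for (const [name, { category }] of this.jar) {
      if (!this.isAllowed(category)) this.jar.delete(name);
    }
  }

  cookieNames() { return [...this.jar.keys()]; }
}

// Audit check: non-essential cookies present before the visitor has answered.
// Under GDPR any entry here is a finding; under CCPA it is the expected opt-out state.
function preConsentViolations(gate) {
  if (gate.decision !== null) throw new Error("audit must run before the banner is answered");
  return gate.cookieNames().filter((n) => gate.jar.get(n).category !== "necessary");
}

// Full flow: first load with the banner unanswered, audit, answer, second load.
function simulate(regime, allowedCategories) {
  const gate = new ConsentGate(regime);
  gate.loadPage(COOKIE_CATALOGUE);
  const beforeAnswer = gate.cookieNames();
  const violations = preConsentViolations(gate);
  gate.applyDecision(allowedCategories);
  gate.loadPage(COOKIE_CATALOGUE);
  return { beforeAnswer, violations, afterAnswer: gate.cookieNames(), blocked: gate.blocked };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("GDPR opt-in, visitor accepts analytics only:", simulate("opt-in", ["analytics"]));
  console.log("CCPA opt-out, visitor then declines everything:", simulate("opt-out", []));
}
```

The `preConsentViolations` check is the one worth automating in a real deployment: crawl the site with a fresh profile, never answer the banner, and list every non-essential cookie that appears. Anything on that list is what GDPR's opt-in requirement forbids, regardless of how the banner is worded.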
- Compliance Requirements
Businesses may believe that they do not have to comply because they a) do business in California but do not have yearly gross revenue over $25 million, b) do not buy, sell or share the personal information of more than 50,000 California consumers, households or devices per year, and c) do not derive 50 percent or more of annual revenue from selling California consumers' personal information. Meeting any one of these thresholds brings a business into scope. The mistake businesses make is not planning ahead: with the startup culture in California, it is not unheard of for a venture-backed business to go from no revenue to $25 million in under 24 months. It is also quite possible to buy 50,000 names several thousand at a time over the course of a year and not notice that the threshold has been crossed. It is prudent for all but the smallest businesses to plan for CCPA compliance.
Some businesses might believe that they do not have to comply because they do business only with other businesses (B2B), not consumers. That a business's "customers" are other businesses rather than individuals makes no difference under CCPA: the personal information of the individual contacts at those businesses is still personal information of California residents.
- Strategic Business Planning
Businesses that think of privacy as merely an outgrowth of security fail to plan properly to support it. Additional headcount will probably be needed to respond to the consumer access and deletion requests that CCPA mandates. An inventory of all sources of consumer information held by the company must be compiled, and then reviewed regularly. Employees must be trained to understand the difference between data privacy and data security. Substantial functional changes to the company's website(s) are probably necessary, and it is likely that new software for managing the program must be procured.
- Privacy Laws Are Here to Stay
Potentially the biggest risk for businesses going forward is failing to anticipate how these privacy laws will change the way they do business. Cisco argued in a 2019 benchmark study that organizations which embrace the spirit of privacy laws benefit from an improved relationship with customers. In any case, managing this new customer relationship will likely add headcount and complexity, and will require many businesses to radically alter their promotional plans and practices.