2B Advice

Data Privacy vs Security

Common Misconceptions

Cybersecurity has been a consistent world news item for several years now, largely because of the number of high-profile data breaches, especially at organizations that were assumed to be secure, such as credit bureaus and healthcare providers.

Privacy is a relative newcomer to the limelight, driven in the United States by the passage and then enforcement of the California Consumer Privacy Act (CCPA), and before that in Europe by the General Data Protection Regulation (GDPR). Because privacy is so often lumped together with security in popular literature and the media, some confusion between the two is understandable.

Many consumers assume that they are the same thing; they are not. "Privacy" in this context refers to a consumer's right and ability to control their personal information and to know where it has been shared. "Security" refers to the measures a business takes to protect the consumer's information it holds against loss, theft and unauthorized disclosure. A business can have strong security and still violate privacy, for example by selling data it was never permitted to sell.

Data Privacy vs Data Security: How CCPA Will Be Enforced

The most persistent misunderstanding many businesses have regarding data privacy concerns the enforcement of CCPA. Many California businesses remember the California Online Privacy Protection Act of 2003 (CalOPPA). This far-reaching law required commercial websites that collect personal information from California residents to post a privacy policy and called out specific requirements, including disclosure of the use of cookies, the data collected and what was done with it.

CalOPPA contains no enforcement provisions of its own and in practice was broadly ignored. CCPA, on the other hand, gives consumers a private right of action: a consumer whose non-encrypted and non-redacted personal information is exposed in a breach caused by the business's failure to implement reasonable security can sue the business directly, with statutory damages available per consumer per incident. The rest of CCPA is enforced by the California Attorney General, and as of this writing the AG is committed to broad enforcement. CCPA must be taken seriously by every business that has customers in California.

Other Common Privacy Mistakes

There is no data privacy without data security: if a business retains a consumer's information, it must protect it. But a business's obligations under CCPA and, if it applies, GDPR do not end with security. These privacy laws impose additional requirements, and the two laws do not match each other. Here are some common misconceptions businesses have regarding CCPA and GDPR:

  • Cookie Management
    The simple "by continuing to use this website you agree to our use of cookies" statement that many businesses use is no longer acceptable. The visitor must be greeted, on whichever page they enter the site, with an easily readable banner that clearly states that cookies are used and offers the visitor an opportunity to review the cookies that are installed or will be installed.
    Additionally, businesses that sell consumers' personal information must give consumers a way to opt out; under CCPA this is the "Do Not Sell My Personal Information" link. Businesses seeking GDPR compliance also need to be aware that GDPR requires opt-in: consent must be obtained before any non-essential cookie is set, so you cannot load cookies first and ask the visitor afterwards, and pre-ticked boxes do not count as consent.
  • Compliance Requirements
    Businesses may believe they do not have to comply because they a) do business in California but do not have annual gross revenue over $25 million, b) do not buy, sell or share the personal information of more than 50,000 California consumers, households or devices per year, and c) do not derive 50 percent or more of annual revenue from selling California consumers' personal information. (These are the thresholds as originally enacted; the later CPRA amendments raised the consumer count to 100,000.) The mistake businesses make is not planning ahead. Given California's startup culture, it is not unheard of for a venture-backed business to go from no revenue to $25 million in under 24 months. It is also quite possible to buy 50,000 names several thousand at a time over the course of a year and not notice that the threshold has been crossed. It is prudent for all but the smallest businesses to plan for CCPA compliance.
    Some businesses believe they do not have to comply because they sell only to other businesses (B2B), not to consumers. The contacts, employees and prospects a B2B company deals with are still individuals, and their personal information is still personal information under CCPA; having business customers does not by itself take a company out of scope.
  • Strategic Business Planning
    Businesses that think of privacy as just an outgrowth of security fail to plan properly to support it. Additional headcount will probably be needed to respond to the consumer access and deletion requests CCPA mandates. A complete inventory of the consumer information the company holds, and where it came from, must be compiled and then reviewed regularly. Employees must be trained to understand the difference between data privacy and security. Substantial functional changes to the company's website(s) are probably necessary, and new software for managing the program will likely have to be procured.
  • Privacy Laws Are Here to Stay
    Potentially the biggest risk for businesses going forward is failing to recognize how these privacy laws will change the way they do business. Cisco argued in its 2019 benchmark study that organizations which embrace the spirit of privacy laws benefit from improved customer relationships. In any case, managing this new customer relationship will likely add headcount and complexity, and will require many businesses to radically alter their promotional plans and practices.
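The Cookie Management item above says that under GDPR a non-essential cookie may not be set until the visitor opts in, while CCPA's "Do Not Sell" model lets it be set until the visitor opts out. The following is an added example, not code from 2B Advice or from any consent product, showing how a site can enforce that rule in its own scripts: every cookie write and every tracking-script load goes through a gate that checks the recorded consent for its category. The category names, the `cc_consent` record and the `MemoryCookieStore` (a stand-in for `document.cookie` so the example runs outside a browser) are assumptions made for this example.

```javascript
// Added example (not 2B Advice's code): a consent gate that decides whether a cookie may
// be written or a tracking script may run. 'cc_consent', the category names and
// MemoryCookieStore are assumptions made for the example, not anything from the post.
const NECESSARY = 'necessary';

// Stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value) { this.jar.set(name, value); }
  get(name) { return this.jar.get(name); }
  remove(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()].sort(); }
}

class ConsentGate {
  // 'opt-in'  : nothing non-essential until the visitor says yes (GDPR).
  // 'opt-out' : non-essential allowed until the visitor says no (CCPA "Do Not Sell").
  constructor(store, mode = 'opt-in') {
    if (mode !== 'opt-in' && mode !== 'opt-out') throw new Error('unknown mode: ' + mode);
    this.store = store;
    this.mode = mode;
    this.registry = new Map(); // cookie name -> category, so withdrawal can clean up
    this.deferred = [];        // { category, fn } loaders held back until consent
  }

  // The visitor's recorded choices, or null if the banner has not been answered.
  choices() {
    const raw = this.store.get('cc_consent');
    return raw === undefined ? null : JSON.parse(raw);
  }

  allowed(category) {
    if (category === NECESSARY) return true;
    const c = this.choices();
    if (c === null || !(category in c)) return this.mode === 'opt-out';
    return c[category] === true;
  }

  // Write a cookie only if its category is currently permitted.
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.store.set(name, value);
    this.registry.set(name, category);
    return true;
  }

  // Run fn now if its category is permitted, otherwise hold it until consent arrives.
  whenAllowed(category, fn) {
    if (this.allowed(category)) { fn(); return true; }
    this.deferred.push({ category, fn });
    return false;
  }

  // Record the banner answer. The consent record itself is strictly necessary.
  record(choices) {
    const merged = Object.assign({}, this.choices() || {}, choices);
    this.store.set('cc_consent', JSON.stringify(merged));
    // Withdrawal: delete cookies whose category is no longer permitted.
    for (const [name, category] of this.registry) {
      if (!this.allowed(category)) { this.store.remove(name); this.registry.delete(name); }
    }
    // Grant: release loaders that were held back; anything still blocked stays queued.
    const pending = this.deferred;
    this.deferred = [];
    for (const { category, fn } of pending) this.whenAllowed(category, fn);
  }
}

// Walk one visitor through a session and return what happened at each step.
function demo(mode) {
  const store = new MemoryCookieStore();
  const gate = new ConsentGate(store, mode);
  const trace = [];
  trace.push(gate.setCookie('session', 'abc123', NECESSARY));   // always allowed
  trace.push(gate.whenAllowed('analytics',                       // tag wants to fire on first paint
    () => gate.setCookie('_ga', 'GA1.1.example', 'analytics')));
  trace.push(store.names().join(','));
  gate.record({ analytics: true });   // visitor accepts analytics in the banner
  trace.push(store.names().join(','));
  gate.record({ analytics: false });  // later withdraws consent
  trace.push(store.names().join(','));
  return trace;
}

console.log('opt-in :', demo('opt-in'));
console.log('opt-out:', demo('opt-out'));
```

In opt-in mode the analytics loader is held back and the `_ga` cookie does not appear until the visitor accepts; in opt-out mode it is written immediately and removed only when the visitor objects. Either way, withdrawing consent deletes the cookies already registered under that category, which is the part most home-grown banners forget.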

Resources

  • cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/dpbs-2019.pdf
  • jacksonlewis.com/publication/california-consumer-privacy-act-faqs-covered-businesses


CONTACT

2B Advice LLC
7220 Avenida Encinas #208
Carlsbad, California, USA

Tel: +1 (858) 366 9750
Email:
sandiego@2b-advice.com
