Privacy Compliance Programs: Where to Start?

Article, CCPA, GDPR, Privacy Program

Introduction

Welcome to our privacy compliance checklist program! First of all, I want to thank you, not only for choosing Marketing Privacy but, more importantly, for taking the time to learn about the critical topic of how online privacy impacts your business.

Personal data is essential to most businesses. Whether you are collecting leads, trying to reach existing customers, or maximizing the return on your marketing investment, personal data is at the center of it.

As a business, it is your responsibility to protect the data you collect. More recently, since the inception of the European Union’s General Data Protection Regulation (GDPR), heavy fines have been imposed on businesses that do not fulfill those obligations.

We view the GDPR as the significant first step in what will become the norm globally. In short order following the GDPR, California passed the California Consumer Privacy Act in the United States.

While the regulations have some stark differences, the fundamental principles of respecting individuals’ privacy rights and enforcing them financially remain the same.

Privacy Compliance First Steps

Throughout the next few sections, we will look at the GDPR and the CCPA. This article will provide an overview of building a privacy compliance program using these laws as an example. 

We’ll discuss the key provisions of these regulations in detail and consider how they may or may not apply to your business. From there, we will look at how your business can begin to implement a privacy compliance program, and we will guide you through the operational hurdles as well as the technical challenges. Lastly, we will look at how your company can continue to evolve based on new regulations or changes to the current rules.

Taking these steps cannot guarantee that you will be fully in compliance. However, we can assure you that the time spent with our materials will give you the stepping stones to confidently make the right decisions and risk assessments for your company.

As with anything related to legal matters, you should always seek the counsel of a licensed attorney. 

The materials Marketing Privacy provides are a collection of countless hours of research by certified experts in the privacy compliance space. We hope that this provides value to you. Along the way, we are here to help answer any questions.

Which Regulations Affect Your Business?

The first step in developing a privacy compliance program is to determine what regulations apply to your business. 

When introducing a new product, service, or data processing activity into your business, this can be accomplished by performing a Privacy Impact Assessment. A Data Privacy Impact Assessment, or DPIA, is a series of questions that determine how your data collection may infringe on privacy rights and what regulatory considerations may come along with it.

You can find free PIA templates online from resources such as the International Association of Privacy Professionals, from regulatory authorities such as the ICO, or by visiting Marketing Privacy’s research section for direct access to templates and guides.

Privacy regulations fall under two categories: jurisdiction- or location-based regulations, and regulations specific to an industry sector. The laws we take a deeper look at in this article fall under the jurisdiction category.

We will not go into sector-specific laws, but it’s important to note that if you are in the US and work in an industry such as banking, finance, or healthcare, other laws will apply, such as HIPAA. 

Additionally, if you collect data on children aged 13 or under, the Children’s Online Privacy Protection Act or COPPA will apply. Marketing Privacy’s research section will provide additional guidance if these laws apply to you.  

GDPR Overview

The first law we will look at is the EU’s General Data Protection Regulation or the GDPR. This law, which went into effect on May 25, 2018, changed the landscape for Privacy Regulations. 

Before the GDPR there were directives and laws around data privacy in the EU, but they failed to have effective enforcement mechanisms. 

The GDPR changed that by imposing heavy fines for infractions. We’ll look in more detail in other articles on the site. Due to the complexity of the regulation, we have specific guidance on items such as Data Subject Rights and Data Inventories. 

Does the GDPR Apply to Your Business?

To determine if the GDPR applies to your business, you should consider these factors:

  • Does your business offer goods or services in an EU language or currency?
  • Does your business allow EU data subjects to place orders?
  • Does your business refer to EU customers when marketing its goods and services?
  • Do you show intent to target EU data subjects?

We will go into more detail about when the GDPR applies in the “When GDPR Applies” article. Generally speaking, at a high level, if you collect data that originates from a data subject located in the EU, the GDPR will apply to your business.

The easiest way to determine if your business offers goods and services in the EU is to check whether one of these conditions is met: you ship products to the EU, you take payments from EU customers, or EU users can register an account.

Secondly, to determine if your business monitors people in the EU, you must look at whether data is collected from EU IP addresses. That is, if someone comes to your website from the EU and you use services like Google Analytics, that visitor receives online advertising, or they can submit their email address to sign up for your newsletter, you are likely “monitoring” and the GDPR applies.

GDPR Summary

  • The scope of when the GDPR applies is extremely broad.
  • If you sell your product in the EU or if you monitor people in the EU, the GDPR applies to your business.
  • There are two tiers of fines that can be enforced.
    • The lower tier is €10 million or 2% of your annual revenue.
    • The higher tier is €20 million or 4% of your annual revenue.
    • On both tiers, the fine is based on whichever is greater (the Euro amount or the percentage of your annual revenue).

CCPA Overview

The second law we will take a look at is the California Consumer Privacy Act or CCPA. 

In the absence of a United States federal law, the CCPA is a state law setting the baseline for the US. Additionally, other states such as Colorado and Virginia have passed similar laws that will go into effect starting in 2023. 

It is important to note that the CCPA is unlikely to be the only privacy law in the US in the coming years. As an example, there are currently six states with active privacy bills. You can track changes and updates to these laws on the IAPP website.

The CCPA went into effect on January 1, 2020, but the enforcement date was extended to July 1, 2020.

The CCPA was further amended when the California Privacy Rights Act (CPRA) passed in November 2020. These amendments will become effective on January 1, 2023. Although these were voted on separately, you can think of them as the same law, since the CPRA clarified unclear provisions in the CCPA.

In the guidance that follows, we will assume the CPRA is in effect to help you be prepared for the 2023 date. 

Does the CCPA Apply to Your Company?

To determine if your business is affected by the CCPA, you should consider the following:

  • Do you conduct business in the State of California?
  • Do you collect personal information from residents of the State of California (or have such information collected on your behalf)?
  • Is your annual gross revenue in excess of $25 million?
  • Do you collect the personal information of 50,000 or more consumers, households, or devices from the State of California?
  • Do you derive 50 percent or more of your annual revenues from selling consumers’ personal information?

If one or more of these conditions are met, then the CCPA likely applies to your business. However, if you are uncertain, reach out to us to help you determine whether the CCPA and the GDPR apply.

What Happens if I Don’t Comply?

Up until this point you may be thinking: this regulation seems daunting and complicated, so what is the worst thing that can happen if my business doesn’t comply? The main concern businesses should have regarding non-compliance is enforcement action and the large fines that could be imposed.

The best way to avoid these fines is by having a strong privacy compliance program. Contact us for help.

GDPR

The GDPR has two tiers of fines; let’s take a look at each.

The less severe tier is imposed for infractions of the articles related to Controllers and Processors (Articles 8, 11, 25-39, 42, & 43), Governing Bodies (42 & 43), and Certification Bodies (41). Any violation of these Articles could result in a fine of €10 million or 2% of your annual revenue, whichever is greater.

The more severe fine is €20 million or 4% of your annual revenue, whichever is higher. This fine can be imposed for infractions of the principles of processing (Articles 5, 6 & 9), the conditions of consent (7), data subjects’ rights (12 – 22), and the transfer of international data. We’re going to take a look at how to mitigate the risk of these large fines by looking at each of these sections in the next training module.

CCPA

The CCPA has similar fines that may impact your company. There are two types of infractions: unintentional and intentional violations.

  • Unintentional violations carry a penalty of $2,500 per violation.
  • Intentional violations carry a penalty of $7,500 per violation.
  • A violation occurs when a Californian consumer’s rights are violated.

Where these fines differ from the GDPR is that they are cumulative: each violation is added on top of the others. This means the total fine can become quite large depending on the number of records affected.

In addition to the fines mentioned above, the CCPA allows for a private right of action. However, this applies only under very specific conditions and to certain types of data.

How Can Marketing Privacy Help?   

Both the GDPR and CCPA can seem overwhelming to businesses starting their compliance programs. Our approach aims to ease the uncertainty. We offer custom solutions for your business structured around industry best practices. 

We can be deeply involved with your team through our managed services. With this approach, we will handle all aspects of your privacy program, including processing data subject requests, implementing cookie consent banners, organizing your data inventory, or assisting with drafting policies.

Another approach is our initial assessment and gap analysis. We will guide you through a questionnaire that will help determine your business needs. Based on those results, we will match them against our Privacy Program Checklist. We then hand this over to your team to implement the suggestions.

With either approach, you will have complete control, and Marketing Privacy will answer any questions along the way.