Following previous modifications in October 2019, and in February and March 2020, the latest updates landed in December, delivered by the California Department of Justice.
CCPA regulations. The fourth set of proposed modifications
Each set of the previous modifications results from taking account of, and action on, the comments made to each of the developments in the earlier sets.
This latest, fourth set of modifications is primarily concerned with:
- Ambiguities regarding a consumer’s right to opt-out
- The use of a company opt-out button
- Processing opt-out requests
1. The right to opt-out
The proposed modifications concerning the right to opt-out are concerned with businesses selling personal information gathered in offline situations.
The new regulation dictates that companies should provide an opt-out of selling personal data in that same situation.
- A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. Illustrative examples follow.
- A business that sells personal information that it collects from consumers in a brick-and-mortar store may inform consumers of their right to opt-out on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the opt-out information can be found online.
- A business that sells personal information that it collects over the phone may inform consumers of their right to opt-out orally during the call when the information is collected.
It delivers strong examples here—if the data is gathered during a phone call, the call must include dialogue that makes the subject aware that their data may be sold and an opportunity to opt-out from its selling. In this situation, the opt-out is verbal, as is the rest of the conversation and its arrangements and agreements.
The same must then be provided in written arrangements, by verbal methods in other situations (face-to-face, in-store, or video calling, for example), and during any other offline method.
2. The re-introduction of a company opt-out button
The use of an opt-out button looks to have been standardized by introducing a uniform logo that all companies should use when implementing the option. There are supporting instructions relevant to its use—once again, to keep the system standardized across the market.
An opt-out button was included in the first set of the CCPA regulation modifications, yet was removed due to negative feedback.
CCPA regulations. Opt-out button regulation updates
The following paragraphs were added to create a new section of the regulations; the first covers a smaller, simple blue coloured tick/cross image, and the second the same image with the ‘Do Not Sell My Personal Information’ wording to its right-hand side:
- May be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link as required by; and
- Where a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text demonstrated below. The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.
- The button shall be approximately the same size as any other buttons used by the business on its webpage.
3. Processing consumers’ requests to opt-out
The final modification includes instruction on streamlining the opt-out process as much as possible.
- “Requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.”
This subsection details that the method to opt-out should be just as simple as opting in, with no additional steps included in the process. Both options should contain the same number of steps in their process.
Comments to modifications closed on December 28th 2020.
The full set of changes and modifications can be viewed here.
Data protection is at the heart of what our PrivacyRun system has been designed to manage. But what is it, exactly? And how do the laws, legislation, bills, and breaches of the Data Protection Act and GDPR affect your business?
Well, hopefully, we’re about to answer all of your questions. For further, more specific issues that our introductory guide doesn’t cover, we’d love to hear from you. Our team are experts in the field and will happily guide you through all aspects you don’t quite understand and show you how our PrivacyRun package manages them for you.
What is data protection?
Data protection is designed to ensure that anyone sharing information with a business or organization is protected and that their data will be used and held responsibly and legally.
What is data protection law?
Data protection law is the combination of legislation and regulatory acts and bodies that govern how your information is collected and utilized. The Data Protection Act is one part of the legislation. The other key area is GDPR (General Data Protection Regulation), the most comprehensive data protection legislation worldwide.
What is the purpose of the Data Protection Act?
The DPA protects us from our personal information getting into the wrong hands. We share so many sensitive details with different vendors and providers that we want to stay private. The act’s job is to make sure they stay that way.
What is the Information Commissioner’s Office (ICO)?
The Data Protection Act (DPA) is a UK Act of Parliament, passed in 1988, to develop the control of our information.
The DPA is monitored and regulated by the Information Commissioner’s Office (ICO). The ICO offers advice and guidance, promotes good practice, manages audits, reports, complaints, and breaches, also delivering enforcement and action where required.
What are the principles of the Data Protection Act?
GDPR, the ICO and the Data Protection Act set out a range of key principles for lawful personal data processing. So, what are the 7 data protection principles?
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles dictate how businesses and organizations collect, organize, structure and store our information. They also detail their proper communication, removal and destruction. They also cover what happens when anyone breaks those rules.
What data is covered by the Data Protection Act?
The DPA covers the processing of all personal data relating to a living individual (also known as the data subject) that can be used on its own or with other information, to identify them.
It covers data held electronically or as a hard copy, and wherever it’s stored.
What type of information does the Data Protection Act apply to?
Personal data includes the more typical types of private information, for example, a subject’s name, address, medical, and banking details.
Sensitive data digs a little deeper, including such information as race and religion, political opinions, criminal activity, your sex life, and more.
What is a breach of the Data Protection Act?
According to the ICO:
“A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
This definition covers a vast range of possible incidents—from accidental delivery of personal data to incorrect recipients and unauthorized access by a third party to loss of hardware containing personal data, and the loss of availability of any data.
There are also different guidelines and regulations for different types of service providers. You can find more information about each area and how to react to a data breach in each of them on the ICO website.
What happens if a company breaches the Data Protection Act?
If you suffer any kind of breach, then you have to decide whether you need to report the problem. Not all breaches need reporting, so the ICO provides a self-assessment form to help data controllers determine whether they need to register each incident or not.
All incidents that need reporting must be presented to the relevant supervisory authority within 72 hours of the event discovery.
If the event is likely to present adverse effects on its data subjects’ rights, the business must inform those individuals without undue delay.
Of course, each organization must ensure that they have appropriate systems to limit any breach risk. Such a system should include breach detection, investigation, and internal reporting procedures.
What are the consequences of breaching the Data Protection Act?
The ICO has the power to prosecute all offences. They deliver a range of fines and even prison sentences for deliberate breaches. For issues that can be rectified within the law, enforcement notices are provided and should be carried out accordingly.
The prosecutors consider various criteria before delivering each fine. They include the nature, gravity, duration, and character of the infringement. They also examine the type of personal data affected and any previous violations. Finally, the punishment can also reflect how cooperative the business has been throughout the process.
Claims for damages
The data subjects can also claim compensation for damages due to a breach. So, as well as being fined by administrators, data controllers and processors are vulnerable to being sued by individuals. Those data breach costs just keep on growing!
What is the fine for breach of data protection?
The ICO can issue fines of up to £500,000, yet it’s GDPR that delivers the biggest fines.
For the most serious GDPR violations, fines can reach a maximum of €20 million or 4% of the organization’s total annual worldwide turnover.
For less serious breaches, the maximum fine drops to €10 million or 2% of the organization’s worldwide turnover. That’s still quite a fine to face, however big your business operations are.
As you can see, the fines are considerable—and so they should be. Our data and its protection need managing with the highest respect and security. Such substantial fines should hopefully reflect the serious nature of any inaction, the consequences of what happens if you breach the Data Protection Act, and the importance of implementing the right system to avoid them.
What does a data protection officer do?
Each business or organization must appoint a data protection officer to manage their data protection processes. That includes the personal data of its staff, customers, providers, and any other individual in compliance with the various data protection regulations.
A data protection officer will be hired based on their expert knowledge of the subject, as well as their personal and professional qualities. Understanding how their specific business/organization operates and handles the different data types within their system is also a key factor.
A data protection officer ensures that controllers and subjects are informed of their rights, obligations and responsibilities. They deliver advice and recommendations to the business about the interpretation and application of the rules and register operations with the correct institutions.
What is a data protection risk assessment?
Data managers, controllers, and officers need to understand precisely where their business or organization could be falling short of the Data Protection Act or GDPR. A risk assessment can highlight areas where your system doesn’t incorporate the appropriate protection levels for your data subjects.
Risk assessment is another key area covered by the ICO. They provide data protection impact assessments (DPIAs) to help businesses systematically analyze, identify and manage the data protection risks of any project or plan. The key word here is ‘help’. They don’t guarantee to eradicate all risk, but they help minimize risk to an acceptable level.
There are data processing areas that automatically demand impact assessment, and areas that the ICO considers likely to result in high risk. For further information, check out the relevant pages on the ICO website.
What does high risk mean?
In this context, risk refers to the potential for significant physical, material or non-material harm to individuals. An assessment evaluates the likelihood and severity of any potential harm to individuals.
Risk implies more than a remote chance of some harm.
High risk implies a far higher threshold. It could result from more severe damage, or greater chances of being put at risk—or both.
DPIAs are both flexible and scalable, so they suit all sectors and projects. The importance of running regular risk assessments, or an ICO impact assessment, should be obvious. Just consider the fines you could be subject to, and then the added repercussions of failing to provide adequate data security and management systems. You’d be remiss not to have every angle covered.
Summing up…
We hope the above FAQs deliver an enlightening introduction to what personal data is, the Data Protection Act, and what happens if you break the Data Protection Act law.
Having a system in place that manages every angle according to the requirements of the ICO and GDPR is vital in today’s business. Fortunately, we’re here to help you every step of the way, so why not drop us a line to find out how we can provide you with the ultimate protection today?
A privacy policy is a statement of how the website operator collects, stores, protects and utilizes its users’ personal data.
Much of the consumer data is gathered automatically with the delivery of cookies, yet there are other, more obvious tools, including sign-up forms, newsletter subscriptions, new account registrations, and more.
Every user has a right to their privacy and to understand how businesses will use their information. It’s also their right to retract their decisions at any point navigating your website.
A privacy policy outlines all the elements required to comply with the latest data privacy laws.
GDPR. How do I add a privacy policy to my website?
Many modern website systems feature automated placements, implementing the legal policies to your website framework, yet others will rely on you to create your pages and insert them manually.
There are plenty of templates and online generators that will show you how to make a privacy policy for your website, delivering a document specific to your operations on completion.
If you’re unsure of exactly what you need, how to create a privacy policy specific to your business, or where to host it, the following information should steer you in the right direction. If you’d like a more personal touch or specific answers to how our system can help you develop and manage your company privacy policy, we’d love to help.
GDPR. Organizing cookie and privacy policies
How to add a cookie policy to a website is a very similar process. In some cases, a single directory will contain both policies and the links to each feature in most of the same places.
Why do websites show cookie policy separate to privacy policy? Well, with websites legally having to gain consent for their site cookies before they deliver them and activate the functions they control, they have grown into a considerable area of data privacy.
There’s a lot to cover, so it makes sense for providers to create separate policies for cookie use and delivery, and that of general data processing through other means, such as contact forms and mailing lists.
How to write a company privacy policy
According to GDPR, privacy policies must be:
- Concise, transparent, intelligible, and easily accessible
- Written in clear and plain language
- Delivered in a timely manner
- Provided free of charge
To collect information directly from an individual, a privacy policy must include:
- The identity and contact information of the organization, representative, and Data Protection Officer
- The purpose of the organization to gather and process personal data and its legal basis
- Legitimate interests of the organization or third parties
- Recipients or categories of recipients of the data
- Details of data transfer to a third country and its safeguarding
- The data retention period or criteria used to determine the retention period
- The data subject’s rights
- Right to withdraw at any time
- Right to lodge a complaint
- Whether the personal data is provided as part of a statutory or contractual requirement or obligation
- The inclusion of a profiling and automated decision-making system, how it was set up, its significance, and consequences
The most typical elements you’ll see covered by standard privacy policies, therefore, are as follows. However, depending on the data you gather, and how you use it, there are often areas unique to specific business practices that aren’t covered below.
- The data collected
- How the data is collected
- How the data is used
- Where the data is stored
- Using the data for marketing
- Data protection rights
- What are cookies
- How the cookies are used
- The types of cookies used
- Managing cookies
- Privacy policies of other websites
- Changing the privacy policy
- Contact details
- Contacting appropriate authorities
GDPR. Privacy policy best practices
Your users need to understand exactly what’s good and bad practice, and the wrong and right ways of delivering information.
Be direct, instructional, and informative, leaving no room for doubt. Qualifiers such as may, might, some, and often should be replaced with will, won’t, must, mustn’t, all, none, always, and never.
If you plan to use the data for research or develop new services, you must be clear when describing the type of research and what each new service is intended to provide.
You should write in clear, easy to understand English (or the native language for the website). Using legal or technical jargon is frowned upon, as your users won’t necessarily be specialists in your industry.
Always aim to write in the active voice using well-structured sentences and paragraphs.
Clear and defined headings make documents easier to navigate, while bullet lists deliver easier to digest information than large text blocks.
How to add a privacy policy to your website or app
The following suggestions outline the essential placements for links to your policy page. Ideally, you should try to provide access from every page of your website or app, as your policy needs to be easily accessible to visitors at all times. This promotes transparency and inspires trust. Not only that, more often than not, it’s a legal requirement.
In footer links: Traditionally, most privacy policy links will be found in the footer menu, appearing on every page of the site. They could even sit with the legal details on the copyright line. This provides the instant access your visitors need, wherever they are within the site.
On sign-up forms: Another good practice is including the link to your privacy policy in the small print at the bottom of sign-up forms. This assures new subscribers that you’re acting according to appropriate laws and practices.
Checkout pages: Given the additional personal data collected from a consumer during a sale, many vendors will include their privacy policy at some point in the process. A privacy policy link will often appear alongside terms of service, cancellation, refund, and shipping policies.
Cookie consent banners: Cookie consent banners and pop-ups are now standard components on all websites, allowing the website operators to deliver the functionality they intend for their visitors and deliver the information they legally need.
Sign-in pages: Signing in or signing up to new services requires your personal data. Including a privacy policy link on these pages is another healthy reminder of your users’ rights.
About menus: Where a website has a dropdown menu containing all of the company history and legislation information, this is another appropriate location for your privacy policy link.
How often should a privacy policy be updated?
The way we do business in the modern climate changes from one day to the next, and the way we expect our websites to keep up has become part of everyday life. If any of the systems we add, develop, instigate or amend affect the way we gather or use our customer or subscriber data, then it must be reflected in the company policy.
Reviewing a privacy policy should be a regular practice, and wherever change is required, you must update your policy immediately. If you fail to keep it up to date, you could be in danger of breaking the terms you’re legally required to uphold.
Updating users and subscribers
You may be legally required to notify your users of updates. Even where that does not apply to your business, it’s still good practice and should be part of your process.
The primary overseers of data protection and privacy all require updates and notifications, each of which will leave organizations open to penalties if they fail to follow legislation.
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
It’s also an opportunity to engage with customers, clients, and subscribers with any additional messages you may want to share with them.
Email notifications, pop-ups, and site banner delivery
You can notify users and subscribers in a few different ways. Your website’s cookie consent generally operates as a banner or pop-up message, so another inclusion asking your visitors to review your policy could be the simplest way of drawing their attention to it. In other schools of thought, it’s just one more task for your visitors to wade through before they can finally access the content they want to read.
Alternatively, you could fire out an email to all subscribers and customers, or add a blog or news page with the latest news. A link featured prominently on your homepage is enough to promote updates—that way it won’t interfere with your visitor’s ability to navigate freely through to the required content.
Wrapping things up…
With regulations for data protection and compliance playing such a vital role in today’s websites, isn’t it time that you handed over the hard work to a system that’s quick and easy to deploy and simple to use?
PrivacyRun delivers the efficient and cost-effective solution every business needs to manage its website users’ personal data.
Our solutions are compliant with CCPA and GDPR, helping users worldwide to stay within the limits of the law, avoiding penalties and hefty fines.
If you’d like to know more about how PrivacyRun works and the vital benefits it can deliver to your business, we’d love a chance to tell you all about it. Why not give one of our team a call today, or drop us an email and we’ll get back to you at an appropriate break in your schedule.