One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
Data privacy laws are multiplying quickly. First came the EU’s General Data Protection Regulation (GDPR), followed by the California Consumer Privacy Act (CCPA), and similar state laws in Virginia, Colorado, and Utah. This is undoubtedly a positive development for consumers, but with more state and national privacy laws on the way, it will become increasingly complicated for businesses to manage multiple compliance schemes at once.
In an age when data flows so easily across state and national borders, how can you be sure you are following the laws in each jurisdiction?
Regardless of which privacy law is in play, creating a complete data map for your business is an indispensable part of compliance. What is a data map? It is the systematic tracking of:
Take the example of a newsletter subscription signup. The data source is the consumer themselves, the collection point is the online sign-up form, a likely disclosure is to your email marketing vendor, and the data category is email addresses.
The creation of a data map takes a bit of preparation, but can be done relatively quickly with privacy compliance software. Once completed, it can be used to build compliance with all the various data privacy laws. This is because the information tends to stay the same across multiple jurisdictions. The definition of “personal data” in each law is similar enough to be more or less universal; the collection points and disclosures are often the same as well.
There may need to be a few tweaks from jurisdiction to jurisdiction. For example, the GDPR applies to employees’ personal data (which is generally exempt from the U.S. state laws), so that information would need to be added to your data map. These are usually minor changes, though, and the core of the data map will continue to apply across the board.
Following the GDPR’s example, new privacy laws grant consumers the right to make certain requests regarding their personal information. The types of privacy requests may not always line up 100% from one law to the next, but there is a lot of common ground. For example, each law creates the right to access or delete personal information, as well as the right to opt out of targeted advertising. The basic architecture for responding to these requests will remain more or less the same across jurisdictions, even if there are some minor differences (e.g., which data may be retained in response to a deletion request).
Rather than attempting to figure out what is required for each request on an individual basis, creating a series of master workflows will be immensely helpful in a number of ways, including:
As with data mapping, having a core set of workflows that can be modified according to each different law should be a central part of multi-jurisdiction compliance.
Because different laws have different privacy notice requirements and different types of privacy requests, many online businesses choose to display different information based on where the consumer is located. For instance, a business may be required to display a “Do Not Sell My Personal Information” link on their homepage in California, but can configure its site not to show that link to visitors from other states. You might also want to create separate privacy request forms for each jurisdiction so that consumers will see only the request types that apply to them.
Alternatively, other businesses have chosen to extend all privacy rights to all website visitors, regardless of their location. This approach is simpler in some ways and can help build consumer trust, but will require some planning.
The easiest way to manage multiple privacy laws at once is to use a compliance software that covers the jurisdictions you need. Keeping all the necessary information in one place and applying it automatically to each set of legal requirements will greatly simplify your compliance efforts.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.