The Five Fundamentals of Sound Privacy Compliance
The January 1, 2023 effective date of the California Privacy Rights Act (CPRA) has come and gone, with July 1, 2023, the date enforcement will begin, quickly approaching. Rules and regulations continue to be rolled out in phases, with changes to new and existing regulations seemingly a monthly occurrence.
The fluid and ongoing nature of legislation in this area is leaving many companies that will be affected feeling like they are constantly playing a game of “catch-up.” Rarely a week goes by that I’m not being contacted by clients and others wanting clarity on the next compliance deadline and its specific mandates. In addition to California, at least four other states will see new consumer privacy laws take effect in 2023.
But rather than feeling like one is constantly facing deadlines and the next event horizon, what if companies could stay ahead of the curve, and create a holistic privacy methodology that addresses 80 percent or more of all existing and future legislative updates, rather than play a game of Whac-a-Mole in compressed timeframes over and over?
I believe there are five key fundamentals that, once instituted, would address that 80% of everything companies need to do in order to remain CPRA- and CCPA-compliant (the California Consumer Privacy Act, CPRA’s predecessor legislation).
How to Make Privacy a Company-Wide Policy Initiative
The fact is, there is a great deal of overlap with respect to what is required from each regulatory framework to the next. By implementing these five key fundamentals, you will save you and your company a great deal of time, money and human resources over the long term:
1 - Designate and empower an internal data privacy manager.
As with any company priority, data privacy needs to be “owned” by someone — a single person, ideally at the highest level — so that there is clear accountability and dedicated focus to the initiative. Privacy compliance is not a series of periodic deadlines and events — it is an everyday, all-day priority. Ideally, this person should be internal to the organization, rather than outside counsel or a consultant. The privacy manager is deeply embedded into the daily workings of the company and its leadership, and will play the role of “quarterback” — coordinating and collaborating with outside counsel, outsourced technical support, and other vendors involved in the handling of personal data. The role doesn’t necessarily need to be held by an attorney or general counsel. Depending on the nature of your organization, this is not necessarily a full-time role, and the individual responsible may not need special training in data privacy, as this person will likely rely on the aforementioned outside resources for specific legal, technical and operational expertise.
Note the word empower above. I include this to emphasize that this individual must be granted the authority to act and make decisions. This person should be afforded the necessary resources to act on the company’s behalf, and absolutely commands senior leadership’s moral and logistical support.
2 - Map your data flows with input from all relevant stakeholders.
Though the actual written privacy policy is often the first area of concern for many companies, it’s not actually the first part of a holistic, long-term company privacy plan. Once the privacy manager is put in place, the natural first step should be to convene all stakeholders and gather all relevant information as to the custody of data, from the moment it is acquired by the company and at every point forward. Take stock: What data do we collect, what do we do with it, who do we share it with, how long do we keep it, and WHY? This may take a few days’ worth of meetings, and should bring in leadership from the Human Resources department, Marketing, IT, and the Webmaster (if someone other than a marketing or IT professional), and perhaps others. This written data-flow map will be a foundational, living piece of the company’s privacy initiative and will be updated and referenced frequently as compliance mandates require the creation and submission of new privacy documentation.
3 - Incorporate data privacy and security into third-party risk management.
Most companies have written process and policy for vetting partners, contractors, vendors and all other third parties. Much of the new compliance regulations pertain to the third-party actors a company gives access to its acquired user data and whether the company is placing the proper restrictions on these parties to make sure the data stays safe and secure. Make sure this gets documented thoroughly and accurately, as it will come up often now and going forward.
4 - Build privacy awareness in your marketing and product development teams.
Marketing and product development teams are often in the business of acquiring, handling, and perhaps sharing consumers’ private information, either acquired directly in the service of customers and users or acquired through a service provider or data broker. Marketing, in particular, has many uses and needs for acquiring data and/or targeting specific types of customers based on their data profiles or their prior interactions with the company. Some of the data being collected for these purposes may come from social media platforms and other online properties not owned by the company itself.
When developing new marketing campaign concepts, the internal privacy manager and outside privacy counsel (as well as other relevant resources, such as IT) should be brought into the campaign development conversations as early on in the process as possible. Too often, this is not the case, and a marketing program or product rollout are far too close to the launch date by the time the privacy experts are brought in, leaving the entire team of stakeholders scrambling at the last minute should something need to be adjusted due to the manner in which the campaign relies on processing personal data. Though new campaigns and product features are exciting, do the entire leadership team a favor by making sure the program is being conceived and implemented cautiously to achieve business goals as well as fulfill the company’s obligation to be a responsible custodian of customers’ personal information.
5 - Conduct security risk assessments regularly.
Starting in 2023, the CCPA will explicitly require companies to conduct a security risk assessment at least annually to help prevent a breach of customers’ and users’ personal data. A data breach is one of the only infractions consumers have a right to sue the company for, and when they do, it is almost always an expensive class action suit that threatens the company’s reputation. These risk assessments don’t have to be overly expensive or laborious, necessarily, as the nature and cost of which will vary based on the size of the organization, the industry it serves, the nature and extent of the data collected, and so on. Regardless of the technical requirements for risk assessments under any given framework, every company has the obligation to protect its data against breach and destruction, and this is a 24/7 critical aspect of doing business — not just an annual filing requirement.
Privacy Compliance and the New Normal
This is, as they say, “the new normal.” Data privacy laws are not going away, and they are not going to remain static once established. This new reality will require that companies remain vigilant and compliant — with regularity and rigor.
There is a better way to approach privacy, as a matter of company policy. Rather than “read and react” each and every time a new deadline looms or a new regulation is announced, I recommend a proactive, preemptive, and practical approach to data privacy. Make it a company mission — a collaborative effort that unites all stakeholders in a joint commitment to protecting and preserving the privacy rights of the customers and clients it serves.
It’s good policy; it’s best practice; and it’s sound business strategy.
Travis Brennan is a Shareholder with Stradling and Chair of the firm’s Privacy & Data Security practice, as well as a member of the firm's Business Litigation and Compliance and Corporate Governance practice groups. Contact him at tbrennan@stradlinglaw.com.