SPOKES Virtual Privacy Conference Winter 2022

Register for Free

Blog

  • Analyst
  • Company

WireWheel Is a Strong Performer in the Forrester Wave for Privacy Management

This week Forrester Research Inc. named WireWheel a Strong Performer in Privacy Management and noted that we’re on a trajectory for leadership in the category.

WireWheel is proud of the role we’re playing in helping define the privacy management industry. To be ranked as a Strong Performer when we’re in only our second year of ‘scaled’ go-to-market tells us we’re on the right track in a rapidly changing market.

The Forrester Wave™: Privacy Management Software, Q1 2020 evaluated 15 vendors against 26-criteria across the categories “Current Offering,” “Strategy,” and “Market Presence.” This is the first Wave to focus on Privacy Management Software, highlighting privacy technology as a growing category of critical importance to security and risk (S&R) and privacy professionals.

In its Wave report, Forrester affirms the potential for privacy to become a competitive differentiator that goes beyond a rote compliance check. “The ramifications of privacy management on customer engagement, brand reputation, CX, and, ultimately, revenues affect firms both positively and negatively depending on their commitment to privacy — or lack thereof,” Forrester notes. “Spreadsheets fail to provide the formalized, automated process firms demand as they wrestle with not only a single set of privacy rules but with worldwide, varied privacy laws.”

Forrester’s view aligns with our philosophy of moving beyond a simple compliance checklist and creating a regulation-agnostic privacy methodology and platform.

Forrester Ranked WireWheel Highly on Strategy, Usability and Addressing Core Requirements.

According to Forrester, “WireWheel’s offering combines ease of use and quick implementation with scalability and flexibility” and “empowers a very efficient approach to privacy compliance.”

In particular, the report recognizes our fulfillment of DSARs and integrated verification solution as flagship features of WireWheel. Additional capabilities Forrester notes are important for the future of privacy management are built into our 2020 strategic plan, including integration of our data classification engine and proprietary content.

Most important to us is the positive feedback Forrester received from our customers, some of the most privacy-conscious enterprises in the country. Thanks for calling WireWheel “impressive!”

We take pride in responding to our customer needs and incorporating their requirements in the development of our platform.

As Forrester points out, privacy is a nascent market with rapidly changing requirements and emerging options for customer choice. We’re committed to optimizing our solutions to address the evolving privacy challenges.

You can read the full report for an independent evaluation of the privacy management market.

  • CCPA & CPRA
  • Regulations

What CCPA’s Do Not Sell Rule Means for Your Business

Does your company sell consumer data?

When it comes to the California Consumer Privacy Act (CCPA), answering that question isn’t so straightforward.

Even if you don’t sell lists of personal data for money, you may still be “selling” under CCPA’s broad definition of “sale.” There’s a lot of confusion about the meaning of “sell” and “personal information” under CCPA and companies are reacting to the ambiguity in many different ways.

Let’s take a look at CCPA’s nebulous and evolving definitions to see what they mean for your company’s compliance.

The Definition of “Sell”

CCPA requires a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on websites—essential providing an opportunity for consumers to “opt-out” of the sale of their data.

CCPA’s definition of “sale” applies to “…the exchange for value of all consumer information to another business or third party for “monetary or other valuable consideration.”

This includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” personal information to another party.

It also covers the sharing of personal data captured by cookies and other tracking technologies with third parties like Facebook, Google, and others. Not all cookies have the same purpose, so you’ll need to know what type of cookies are used on your company’s website. Some—but not all—cookies are subject to CCPA’s Do Not Sell provision.

  • “First-party” cookies allow websites to perform essential functions, like remembering which products you selected for purchase and placed into your shopping cart. For “first-party” cookies, the entity or website storing the cookie on the computer is the entity or site that is being visited.
  • “Third-party” cookies are referred to as “advertising” cookies or “behavioral advertising” cookies. These are data files installed by another program, such as an advertisement that is presented on the site but is not owned or controlled by the site owner, or that is separate and distinct from the site that is being visited. Third-party cookies are often used by advertising agencies and track consumer activity across sites.

Third-party cookies are subject to CCPA’s Do Not Sell provision. To comply with CCPA, you must have the ability to stop using third-party cookies when a consumer opts out of the sale of their personal data.

The Definition of “Personal Information”

If you’ve determined that you are indeed selling information under CCPA’s definition of “sale,” you’ll also need to figure out if that info is publicly available or if it’s truly personal information.

CCPA currently defines “personal information” as “…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

And that definition might expand this year. California Privacy Rights Act of 2020 (CPRA), follow-on legislation that could appear on the November 2020 California ballot, would expand the law to include other types of sensitive personal information such as financial info, biometrics, health status, geo-location, religion and race.

If there’s any grey area or room for interpretation when it comes to your company’s sale of personal information, err on the side of caution. You can’t go wrong if you stay on the safe side and assume that the law applies to you. Recent updates to CCPA and the proposed CPRA are likely to clear up ambiguities and close any loopholes or omissions. When in doubt, be proactive and demonstrate responsible data stewardship. It will build consumer trust in your brand and show that you care about consumer privacy.

Making Good on Your Promise Not to Sell: Suppression Lists

Once you’ve provided a way for consumers to request that you don’t sell their data, you need to follow through and honor their request. You can do this by creating suppression lists of people who opted out of the sale, based on the information you have about them at the time of the opt-out. If you only have their cookie or IP address, you may need to ask for more information to confirm their identity so you can connect the dots across your different marketing and advertising systems.

Your suppression lists need to be updated and applied internally and by third parties on an ongoing basis. You’ll need to check against the lists and restrict the data of consumers who have opted out from being sent to third-party advertising platforms and ad networks. This can be quite a heavy lift for companies with numerous data stores and third-party partners, so make sure your compliance solution has a way to communicate the Do Not Sell request to all parties involved.

WireWheel and LiveRamp Help You Comply with CCPA’s “Do Not Sell” Requirement

WireWheel and LiveRamp can help you build your privacy operations and while reducing the complexity of Do Not Sell compliance. The simple, end-to-end solution takes care of every step, including collecting consumer consent, logging requests, and executing a workflow to help you fulfill them. Information is passed automatically and securely to create a Do Not Sell suppression list. The suppression list is stored and can be used by anyone in your organization and third parties to prevent the sale of data.

Read more about the WireWheel and LiveRamp solution

No matter where privacy legislation is headed, you need to build consumer trust with a transparent privacy experience. WireWheel and LiveRamp can help you simplify, structure, and automate your privacy program for today and the future.

  • CCPA & CPRA
  • Regulations

CCPA 1.0 vs. 2.0: What’s Changing and How Will It Impact You?

The California Consumer Privacy Act (CCPA) is proving to be a moving target. There’s been lots of back and forth as the California Attorney General shares proposed changes and receives feedback in at least two rounds of comments before the July 1 enforcement date.

Amendments address aspects of consumer privacy that were overlooked or addressed incompletely in the original CCPA.

In the short time since CCPA took effect, your customers have become more CCPA-savvy. There’s been more media coverage informing consumers of their data privacy rights and explaining how to exercise those rights. Their expectations for a positive privacy experience are rising.

Businesses must remain flexible to accommodate changes in the law as well as consumer expectations. Any technology you use to operationalize privacy compliance should be equally adaptable.

Why All the Change?

The law was written in a rush. When it went into effect on January 1, 2020, lawmakers warned that there would be ongoing changes.

The Attorney General is using an iterative process to clarify the law before enforcement begins. All this back and forth allows for ample public comment, ensuring that the proposed regulations facilitate consumers’ rights under CCPA and provide compliance guidance to businesses.

Every round of revisions remedies gaps and shortcomings in the law, making it more clear, comprehensive, and fair.

2020 Timeline for CCPA

In the short time since CCPA went into effect, the AG’s office has published two sets of modifications for public comment. The modified regulations released on February 10, 2020 had public comments due back to the Attorney General by February 25. For the second set of modifications, released on March 11, the deadline for submitting written comments is March 27.

The Attorney General’s office is expected to issue another set of revisions or a final set of regulations before enforcement is scheduled to go into effect on July 1, 2020.

Note that there’s been significant pushback on the enforcement date, which may change this schedule. In January 2020, advertising industry groups were already seeking a six-month delay in enforcement, citing the “extraordinary complexity of the law and the wide range of open issues to be clarified.” On March 19, 2020, almost three dozen trade associations sent a letter to the Attorney General saying they need more time to operationalize the law given the current coronavirus crisis.

Even with enforcement dates in question, it’s useful to take a look at the recent clarifications and modifications proposed in “CCPA 2.0” to make sure you’re prepared.

What’s Changing in CCPA 2.0?

First, the AG’s office has cleared up some ambiguities with these notable clarifications:

  • Expanding the definition of “household” data to apply not only to people who live at the same address, but also to people who share a common device or service from a business, and are identified as sharing the same account or unique identifier.
  • Adding examples of “categories of [data] sources” and “categories of third parties” that must be disclosed to consumers.

Beyond these language clarifications, additional modifications impact how businesses should interact with consumers when handling requests and verifying consumer identity.

Flexibility for Consumers Submitting Requests

The updates allow more flexibility for consumers to communicate their requests to businesses, specifically:

Businesses must accept request via email in addition to web forms.

Methods of submitting requests cannot be a barrier to making access requests.

Intake methods for request should reflect how the business normally interacts and communicates with the consumer.

Opt-Out Icons

In February 2020, modifications to CCPA provided an option of an opt-out icon for websites. They even specified that the icon must be placed to the left of the “Do Not Sell My Info” link and must be the same size as other buttons on the webpage.

The Attorney General has since received written comments arguing that the proposed icon was confusing. The objections were recently validated in a study led by Internet design experts at Carnegie Mellon University.

One month later, the second set of modifications deleted those specifications and the proposed icon from the draft law. Instead, version 2.0 proposes an optional “Do Not Sell” icon but requires the use of a “Do Not Sell” link regardless of whether the icon is posted.

Identity Verification

Verification of consumer identity also gets closer scrutiny with the following modifications:

Eliminating use of a consumer’s credit card security code as a method of verification.

Consumers can’t be required to pay a fee for identity verification.

Businesses must establish, document, and comply with a reasonable method for determining whether a person submitting a request of a child under the age of 13 is the parent or guardian.

Businesses can deny a request if they can’t verify the identity of requestor.

This last point creates a new scenario, which is addressed in the second set of proposed modifications: if a business denies a request to delete and the consumer has not already opted-out, the business must ask if the consumer if they would like to opt-out of the sale of personal data, and include either the notice of right to opt-out, or a link to it.

Non-Discrimination

Another important aspect of the modifications provides for non-discrimination when handling consumer requests. The modifications state that all notices must be reasonably accessible to consumers with disabilities. For notices provided online, businesses must follow the Web Content Accessibility Guidelines (WCAG) 2.1, which are generally recognized industry standards.

Non-discrimination also applies to businesses that may entice consumers to provide their personal data in exchange for something of value. The modifications state that businesses shouldn’t offer financial incentives to consumers in exchange for the use of their data if they’re unable to calculate a good-faith estimate of the value of the consumer’s data or can’t show that the financial is reasonably related to that value.

The second round of modifications clarifies the meaning of ‘financial incentive’ by defining it as ‘a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information.’

Easing the Burden on Businesses

CCPA 2.0 adapts some areas of the law which businesses argued would create an excessive burden for compliance.

For example, the February 2020 modifications relax the reporting requirement for businesses by increasing the threshold for transparency reporting from 4 million to 10 million consumers.

The March 2020 modifications specify that if businesses neither collect personal information directly from consumers, nor sell that information, they don’t need to provide a notice at collection.

The modifications also state that businesses won’t be required to provide a link to their corporate privacy policy when collecting employment-related information.

How Should Your Business Adjust to the Changes?

You should expect that CCPA and other data privacy laws will continue to evolve. Businesses need to keep up with the changes or risk undercomplying or overcomplying.

Businesses should look to privacy management technology to simplify and streamline privacy compliance. Be sure to choose a privacy management solution that’s flexible enough to adapt to changes and accommodate new state, federal or international privacy laws.

Most importantly, stay focused on the needs of your customers. Make sure every step of their data privacy journey is transparent and builds trust with your brand.

  • Privacy

Leveraging Privacy as a Competitive Advantage [Infographic]

Happy Data Privacy Day!

With this year’s theme emphasizing businesses to “improve their data privacy practices,” is your organization doing its part in safeguarding your consumers’ data? If you need a refresher on best practices, we’ve put together a helpful infographic on how building up your privacy program and consumer trust provide a competitive advantage.

Learn more about Data Privacy Day and how your organization can get involved at staysafeonline.org.

See how WireWheel can help you protect your customers’ data and request your free demo today.

  • CCPA & CPRA

Your CCPA To-Do List for Today and 2020

When the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, it will codify what we’re seeing globally: a new emphasis on the rights of consumers to own and control their personal data.

Keep in mind that by addressing CCPA, you’re also formulating a new privacy journey for current and prospective customers; one that will impact consumers in California, as well as those in other states and around the world.

Don’t get so engulfed in CCPA compliance tasks that you neglect to realize opportunities for building consumer relationships in a privacy-centric future. From day one, your company should seize CCPA as a chance to demonstrate responsible data stewardship and build consumer trust.

Let’s take a look at how you can tackle compliance and use privacy leadership to strengthen your brand now and in 2020.

By January 1, Make Sure You’ve Done the Essentials

The first question to ask yourself: Have you given consumers the ability to exercise their privacy rights?

Prepare Your Website to Accept SRRs

From every page of your website, consumers should have an easy way to tell you “hey, don’t sell my personal info,” “send me back all the info you have on me,” or “delete my personal data from your systems.” If your company has an offline presence, you’ll need to provide a phone number for consumers to do the same.

This is the bare minimum you should have in place to show consumers that your company is addressing critical privacy issues. Other websites will have this basic privacy language, and if yours doesn’t, it will stand out like a red flag. Keep in mind, this is the very first interaction that consumers will have with you on their data privacy journey with your company, so make it a positive one.

Get Processes in Place to Fulfill SRRs

Now is also the time to solidify your basic processes for accepting, verifying, tracking, and responding to Subject Rights Requests (SRRs). You’ll need a system in place to keep track of all the SRRs you’ve received, their status and the approaching deadlines.

Make sure you can automatically build and check suppression lists when consumers opt-out of the sale of their data, including cookies and other tracking technologies.

Consider the technical elements and how you’ll rely on colleagues and third-parties to fulfill requests. Make sure people know what will be expected of them and which systems they’ll need to access when the first requests come in. Do it now so you’re not scurrying when the first deadline looms for providing consumer data.

Breathe a Small Sigh of Relief

You won’t be required to hand over any consumer data in January 2020. CCPA gives businesses 45 days to respond to all Subject Rights Requests (SRRs). If a consumer submits an SRR on January 1—the earliest possible date—you’re not required to get back to them until February 14. If you’re unable to do so within 45 days, CCPA allows you to contact the consumer to let them know you need an additional 45 days.

SRR Fulfillment Begins in February 2020

February 14 is the soonest you’ll need to respond to any SRRs. From this date onwards, you’ll need to show all the SRRs you’ve processed and provided back to consumers and on to third-parties. You’ll know how many SRRs you received since the start of the year and you can use that as an indication of the volume of SRRs you can expect in the months ahead.

Review and Refine the Consumer Privacy Journey

If you were in a rush to set up your “opt-out” web links and phone number at the end of December, in the New Year take a closer look at the consumer journey you’ve created. Ask yourself:

  • Is the process easy and intuitive, and does it use clear, human language that consumers will understand?
  • Have you informed consumers how you’ll keep them updated on the status of their request?
  • Have you ensured consumers that their request and their personal data will be handled securely during every step of the process?
  • Is your privacy messaging consistent with your company’s overall approach to consumer privacy?

Plan for Extended Deadlines

If you informed any consumers that you needed an additional 45 days to fulfill their SRRs, you’ll start reaching those extended deadlines as early as March 30. By then you should have a good idea of the volume of SRRs to expect for the rest of the year. You can plan for a 45-day fulfillment cycle for SRRs and you’ll know if and when you’ll need to rely on an extra 45 days.

Enforcement Begins July 1, 2020

The first half of 2020 is your warm-up, or trial run, for CCPA. The Attorney General of California starts enforcing CCPA compliance on July 1. By summer you should have your consumer privacy journey clearly mapped and documented. If regulators decide to check on your compliance, you’ll be able to point to any interaction along your consumer journey and show how it exemplifies your company’s utmost respect for data privacy.

What’s Next for Your Privacy Program in 2020: Evaluation, Automation, and Evolution

Even if you’ve checked all of the boxes for CCPA compliance, your privacy journey is not over. Your consumer privacy program will continue to mature throughout 2020 and beyond as privacy laws and consumer expectations evolve.

Here are some critical areas where you’ll want to shore up your privacy program in the second half of the year:

  • Continue to scrutinize consumers’ privacy needs and your company’s communications to ensure that the journey builds trust in your brand.
  • Analyze the requests you’ve received to understand which represent the highest privacy risk, which take the longest to fulfill, and which require additional follow up or workflows.
  • Adjust your processes for evolving privacy laws. They may have different requirements and deadlines.
  • Evaluate how well your vendors and partners have been able to adjust to new privacy expectations and data requests. Add additional review steps to your relationships and processes and, if necessary, end relationships with third-parties that aren’t meeting expectations.
  • Look for opportunities to streamline your processes and automate repetitive tasks to help your team become more efficient. This could entail building workflows with pre-configured questions, continually capturing information about your data stores, or integrating with enterprise systems that impact consumer data.
  • Consider implementing a platform that automates the process of deleting customer data in internal SaaS systems and notifying vendors of opt-out or deletion requests.
  • Create reports and required documentation that you can share with executives, regulators, and anyone who needs to see the details of your privacy program, including systems and processes you’ve assessed and actions you’ve taken.

As your consumer privacy program matures, remember that you’re dealing with real people with real concerns about the privacy of their data. If you treat them with respect during every step of their privacy journey, you’re likely to see genuine benefits for your business.

WireWheel is here to help you launch a privacy program quickly so you can meet CCPA requirements and make sure you have everything you need to grow your program at your own pace. Learn more about our CCPA compliance software and request a live demo today.

  • CCPA & CPRA
  • Regulations

Table Stakes for CCPA’s Do Not Sell Requirement: What You Need on Day One

CCPA’s (California Consumer Privacy Act) primary objective is giving people the ability to exercise their privacy rights, in particular, the right to opt-out of the sale of their personal information. To demonstrate that you understand their concerns, your objective for January 1 should prioritize your company’s privacy interactions with consumers. You can make huge strides in a matter of days.

Take a breath… it’s not too late to get ready for CCPA! Focus on the big-picture goals of the law and you’ll be in great shape. Here’s what you need to do—at a bare minimum—to get ready for CCPA requirements that go into effect on January 1, 2020.

First Step: Get your Website Ready

Your website should show consumers that you’re making an honest effort to respect their data privacy rights. Every page of your website must provide an easy way for consumers to:

  • See your privacy policies so they understand how you collect and use personal data
  • Opt-out of the sale of their personal information via a link that states “Do Not Sell My Personal Information” or “Do Not Sell My Info”
  • Request all of the info you have on them and/or request that you delete all of that info

You can address these requirements by adding a link in your website footer to a privacy page with basic information and functionality. It’s an easy way of showing that you take consumer privacy seriously. If your website doesn’t include at least the basics, it could be a red flag for regulators.

Second Step: Take Consumer Requests

Make sure you can accept a consumer’s request and assure them that you’re processing it securely. You can use a web form that captures their info and an auto-reply message with details about what they should expect as the next steps.

If your company has an offline presence, CCPA also requires that you provide a phone number for consumers to submit requests. The experience on the phone should mirror the online experience and reflect your brand’s consumer-focused attitude toward privacy.

Third Step: Record Consumer Requests

Once you’ve taken a request, make sure you record it somewhere your team can view it internally, monitor the fulfillment process, and demonstrate that you’re securely handling the data. Acting on data requests requires careful coordination among different departments and data stacks. The better you are at recording and tracking from day one, the easier it’ll be to mature your data privacy program throughout 2020.

What About Delivery? When is the First Time I Would Need to Produce Information for CCPA?

Although you need to have the ability to take a request on day one, you don’t need to fulfill it immediately. You have 45 days after you receive a verified request to complete it. If you’re unable to do so within 45 days, CCPA allows you to contact the consumer to let them know you need an additional 45 days. So, if you were to receive a request on January 1, 2020, you’d have until February 14, 2020, to fulfill the request. And honoring a privacy request makes for a very thoughtful Valentine’s Day gift.

Get Moving Now!

Taking these simple steps today will pay off for your brand in the long run. Remember that it’s not just about checking the box for compliance. These requests are coming from humans. By honoring their privacy wishes, you’re showing that your company values them as current or future customers.

How WireWheel Can Help

Whether you’re working to meet CCPA requirements or any other privacy mandate now or in the future, building your privacy operations on a suite of privacy solutions will give you the visibility and control you need to be successful.

Learn more about our CCPA Compliance software and request a demo today.

  • CCPA & CPRA
  • Regulations

GDPR vs. CCPA: Crucial Differences You Need To Know

All the new privacy regulations coming out are creating a complicated compliance environment that many organizations are having trouble reckoning with.

Not to worry! WireWheel is here to explain the differences between these related policies so you can stay compliant and get on with business.

A Refresher on CCPA, GDPR, and DSAR

General Data Protection Regulation (GDPR) is the original privacy law that originated in Europe and placed restrictions and responsibilities on how companies need to handle customer data.

California Consumer Privacy Act (CCPA) is legislation passed by the state of California.

Data Subject Access Requests (DSAR) specifically is a term introduced by GDPR and is associated with a specific set of rights and obligations, but has since taken on a more general meaning. It is often used interchangeably with IRR, VCR, and SRR. While both CCPA and GDPR have requirements around DSAR, your GDPR DSAR process needs to be different than your CCPA DSAR process.

For more information about CCPA and GDPR, you can check out our articles that go more in-depth into each one:

GDPR vs. CCPA

To estimate what it will take you to prepare for CCPA, consider the experience many organizations had with GDPR. When GDPR came into force it was the biggest change in EU data protection laws in 25 years. For many businesses, GDPR was the first time they had documented and categorized where all data resided and how it was processed. Preparation meant sorting through paperwork, tracking down contracts, classifying data, and recording information manually. GDPR took companies many months or years to be ready and continues to demand resources as compliance is ongoing.

Preparing for GDPR has been costly. For a Financial Times Stock Exchange 100 firm, costs averaged $19 million. Across different sized businesses, costs averaged $380-$505 per employee.4

Not updating and tailoring data privacy operations built for GDPR to meet CCPA might cause you to miss nuanced differences in the relevant requirements. It could also mean “over- complying” by giving consumers a much wider scope of information than is required.

Let’s Review the Most Important Similarities and Differences Between the Two Laws on DSAR.

Scope

DSAR Under GDPR

GDPR protects individuals within the EU. It applies outside of the EU when a company sells products or services to individuals inside the EU or when individuals are targeted or monitored.

It covers “processing” of personal data, defined to include any operation performed on personal data, including collection.

DSAR Under CCPA

CCPA protects consumers who are residents of California, including households.

It covers collection, processing, as well as the sale of PI.

Personal Data/Information

DSAR Under GDPR

GDPR addresses personal data, defined as any information relating to an identified or identifiable natural person (data subject), including publicly available data.

It does not apply to anonymized data.

DSAR Like Requests Under CCPA

CCPA addresses information that relates to, describes, is capable of being associated with, or could reasonably be linked, indirectly or directly, with a consumer or household.

It does not apply to de-identified data (i.e., data that cannot be reasonably linked with a consumer or household), or aggregate data that cannot be linked to a consumer or household.

Right to Erasure/Deletion

GDPR

GDPR’s deletion right applies to all data concerning a data subject.

Under GDPR individuals have the right to erasure of their personal data. Controllers/processors must delete a data subject’s personal data if:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected.
  2. The processing of the data was subject to consent and no other legal ground for processing exists.
  3. The data subject protests under Art. 21(1) and there is no other legal ground for processing.
  4. The personal data have been unlawfully processed.
  5. Personal data must be erased for compliance with a legal obligation.
  6. The data may have been collected from a child under Art. 8(1).

Controllers do not need to erase personal data if it is necessary:

  1. For exercising the right of freedom of expression and information.
  2. For compliance with an EU or Member State legal obligation.
  3. For reasons of public health and medicine under Art. 9(2)(h)&(i) and 9(3).
  4. For archiving, scientific or historical research, or statistical purposes, subject to minimization (e.g., pseudonymization) under Art. 89(1).
  5. For establishing or exercising a legal claim or defense.

CCPA

The CCPA’s deletion right applies only to data collected from the consumer (i.e. not to data about the consumer collected from third party sources).

Under CCPA, consumers have the right to deletion of their PI, except when it is necessary to:

  1. Complete the transaction for which the PI was provided or perform a contract with the consumer.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity and prosecute those.
  3. Debug to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech (of business or another consumer) or other rights.
  5. Comply with the California Electronic Communications Privacy Act.
  6. Engage in public or peer-reviewed research in the public interest.
  7. Enable internal uses reasonably aligned with the expectations of the consumer based on their relationship with the business.
  8. Comply with a legal obligation.
  9. Use consumer’s PI, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Right to Access/Disclosure

GDPR

Businesses must inform consumers of their rights at the point of data collection.

Data subjects have the right to request access to their personal data.

If the controller has made the personal data public, it must take reasonable steps to inform others that are processing the data that the data subject has requested erasure and must inform the data subject about those steps upon request.

Controllers and processors must know how to identify a request for access. They must provide the personal data undergoing processing. If it has been requested electronically, data must be provided electronically.

CCPA

Businesses must inform consumers at or before the point of collection as to the categories of PI to be collected and the purposes for which the PI will be used.

Consumers have the right to request information about what personal information is collected, how it is processed, for what purposes, and with whom it is shared.

Businesses must disclose within 45 days of receipt of a verifiable request. Business may exercise one 45-day extension when reasonably necessary if they notify the consumer within the first 45-day period.

Disclosure must include data covered 12 months before request.

Portability Requirement

GDPR

Where the request was made by electronic means, and unless otherwise requested by the data subject, the information should be provided in a commonly used electronic form.

In certain circumstances a data subject has additional rights to:

  • receive a copy of their personal data in a structured, commonly used, machine-readable format; and
  • transmit the data to another controller without hindrance from the original controller, including to have the personal data transmitted directly from the first controller to the second controller.

CCPA

Disclosures must be delivered by mail or electronically. If delivered electronically, information must be portable and in a readily useable format.

How WireWheel Can Help

Whether you’re working to meet CCPA, GDPR, and DSAR requirements or any other privacy mandate now or in the future, building your privacy operations on these four pillars gives you the visibility and control you need to be successful.

Learn more about our DSAR software and request a demo today.

  • Privacy

The Ultimate Guide to DSAR: How to Respond Quickly and Compliantly

What is DSAR?

Data Subject Access Requests (DSARs) give individuals the right to discover what data an organization is holding about them, why the organization is holding that data and who else their information is disclosed to.

DSAR specifically is a term introduced by GDPR and is associated with a specific set of rights and obligations, but has since taken on the more general meaning above. It is often used interchangeably with Subject Access Request (SAR).

How much does responding to all of these requests cost a business? The average cost is around $200, but some organizations report as much as $2,350 because of data complexity!

Are they a big deal? Yes! 46% percent of data protection related complaints lodged with the Information Commissioner’s Office (ICO) in the UK, (where data protection laws have a longer history) focus on DSARs.

How Will DSAR Impact Your Operations?

Timely responses to DSARs are not only required by CCPA and GDPR, but are critical to building trust with your customers and potential customers. By showing what you are collecting, who you are sharing it with and why, and where you keep their data, you build trust with your customers.

Ultimately, how DSAR impacts your brand will depend on how well you prepare for upcoming operational challenges.

Complying With DSAR Policy Requires Transparency, Collaboration, and Human Judgment

Preparing for DSAR under CCPA or GDPR isn’t a one and done activity. Now, more than ever, you need to establish a continuous process that can flexibly adjust as requirements change. Technology can increase your visibility and save you time. But, at the end of the day, human judgment is essential to your success.

Preparing for DSAR requests will be a collaborative effort among data privacy officers, information technology teams, and business leaders. To make decisions you must understand your data, be able to quickly and easily log requests, collect and review the information, before you securely deliver it to the requestor. Central to DSAR is being responsive, and ensuring security and data minimization.

Even if your organization has already prepared diligently for GDPR, you’ll need to revisit your DSAR program to comply with CCPA as the two laws have overlapping requirements but distinct differences.

Data Covered by DSAR

If you’re accustomed to thinking of personal data as “PII” under U.S. state data breach laws, you’ll find the CCPA’s definition far broader. Personal data as defined in Section 1798.140(o)(1) includes “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Specifically:

Information typically considered PII under state breach laws, such as names, unique personal identifiers, account names, social security numbers, driver’s license numbers, passport numbers, and biometric information.

Aliases, IP addresses, “characteristics of protected classifications under California or federal law,” commercial information (defined to include personal property records or purchasing history), geolocation data, internet activity (including browsing and search history as well as web tracking data), professional and employment information, and education information.

“Audio, electronic, visual, thermal, olfactory or similar information” and “inferences drawn” from any of the information contained in the definition.

DSAR Procedure: How to Respond to DSAR Requests

1. Register, Log, and Authenticate the DSAR:

Companies need an easy way to receive, log, and authenticate the DSAR, and to automatically notify the person and company leads.

Risk: Missed or unauthenticated requests: Without automation, important requests could be missed. Without authentication, cannot trust the requestor.

2. Collect the Personal Information:

Assign and manage the collection of information, usually from multiple data stores with multiple owners/managers.

Risk: Tracking, data minimization, and security:Requests need to be managed to make sure deadlines are met. Systems that manage DSARs should keep the personal information centralized and encrypted.

3. Review and Approve the Information:

Review the request and the personal information, and ensure that you are delivering what is required to the right person

Risk: Audit, data minimization and security:Approvals must be tracked and auditable.

4. Safely Deliver the Customer Information:

Personal information needs to be delivered to the right person, in a secure way

Risk: Authentication, verification, and security: Big risks if data is delivered to the wrong person.

Risks of Using Email to Manage DSARs

Using existing e-mail or document management systems to manage customer data requests brings huge security risks. You don’t want your customer data floating around in those systems.

Moving Personal Information Into Unencrypted Systems Can Be Perilous

When starting to manage customer DSAR requests, it can be tempting to use existing systems, like email, content management systems (such as Sharepoint), or something else you have already bought.

But, moving personal information or customer data out of the encrypted data stores, and into other systems can bring significant risks. These critical data sets need to be controlled and secured.

Chances are high you’ll experience a data breach of some sort in an unencrypted system. In fact, you’re more likely to suffer a data breach of at least 10,000 records than you are to catch the flu this winter. Considering it takes organizations an average of 196 days to detect a breach, you may already be experiencing one.3

Pick the system now that encrypts the information at rest, in transit, and controls where it will be stored to manage your DSARs.

Operational Challenges to DSAR

Responding to Access Requests

If a consumer submits a verified request you must provide detailed answers quickly — within 45 days — in an electronic, transferable format. Your obligations to respond vary, depending on what consumers ask for and how their information is handled.

If you collect personal information from a consumer you must provide

  • Categories of personal information your business has collected
  • Specific pieces of personal information your business has collected
  • Assurances that you honor deletion requirements

If you collect personal information about a consumer you must provide

  • Categories of personal information your business has collected
  • Specific pieces of personal information your business has collected
  • Categories of sources from which the personal information was collected
  • The business or commercial purpose for the collection
  • Categories of third parties with whom your business shares the personal information.

If you sell or disclose personal information about consumers you must provide

  • Categories of personal information you have collected about the consumer
  • Categories of personal information you have sold about the consumer
  • Categories of third parties to whom the personal information was sold (organized by category of personal information for each third party)
  • Categories of personal information you disclosed about the consumer for a business purpose.

Managing Deletion Requests

Deletion requests involve not only team members around your organization, but also all vendors and partners with whom you shared the personal information.

If you shared personal information with different internal teams and systems

You must be able to track back to the data stores sources and request that the personal information has been deleted.

If you disclose personal information to third parties, such as vendors or partners

You’ll need to be able to send a deletion request quickly and automatically when you get a deletion request to all of the downstream parties who received that information.

Communication With Consumers

To comply with CCPA you will need to:

  • Include a “Do Not Sell My Personal Information” link on your home page.
  • Set up a publicly accessible web page to allow consumers to opt out, without requiring them to create an account.
  • Share publicly a list of categories of PI collected, shared and disclosed about consumers in the last 12 months and update the information every 12 months.
  • Offer at least two methods for submitting requests for disclosure, including at minimum a toll-free number and a mechanism on your website.

To comply with DSAR, you need to support customer data requests to:

  • Access their information
  • Have inaccurate information corrected
  • Have information erased
  • Opt-out of direct marketing
  • Opt-out of automated decision-making & profiling
  • Have data portability

How to Begin Preparing for DSARs

Discover and Categorize Your Data

One word in the language of CCPA keeps coming up: “categories.” To comply with disclosure requirements and respond to access requests, you will need to organize data into categories and record and track those categories.

One Product at a Time

Preparing for CCPA and GDPR can seem overwhelming if you try to tackle every issue at once, particularly if you have multiple products that touch consumer data or complex, multi- party processes for data storage, manipulation, sharing and selling.

Working backwards from the goal of processing a timely, accurate and clear SRR, you can focus on tech systems that directly impact customer data and communications:

  • CRM systems like Salesforce
  • Marketing and advertising systems
  • Product usage data
  • Technical support systems
  • Billing systems
  • ERP systems
  • Customer communities
  • Systems that provide customer data to you
  • Third parties that process downstream data you provide

You can break the problem down by focusing on specific products. If you’re launching new products you should build privacy into the design from the start. For existing products, include product managers and business owners on the team so they have visibility into all process streams that touch data. You’ll have tighter alignment with tangible business goals instead of getting lost in the details of process streams.

How WireWheel Can Help

Whether you’re working to meet CCPA & GDPR  requirements or any other privacy mandate now or in the future, building your privacy operations on these four pillars gives you the visibility and control you need to be successful.

WireWheel allows you to create easy to use DSAR portals that your customers can use to make requests and allows you to respond quickly, efficiently and securely. to them automatically.

Learn more about our DSAR software and request a demo today.

  • CCPA & CPRA
  • Regulations

What is CCPA? Requirements, Compliance, and Solutions Explained

What Is CCPA?

CCPA was born from a consumer-driven ballot initiative to protect personal data privacy, much like Europe’s GDPR (though there are important differences). Rather than allow the original ballot initiative to proceed, the California legislature rushed to draft and pass CCPA, primarily because it is considerably easier to amend than a law enacted via the state’s initiative process.

See the details and actions your organization needs to take around CCPA explained below.

When Does CCPA Take Effect?

The fast-tracked process produced a law that leaves many details unexplained or open for interpretation.

As such, January 1, 2020 is the date the regulations take effect, but lawmakers left the door open for the state Attorney General to provide guidance and clarification and adopt regulations on or before July 1 2020. Even then, the Attorney General isn’t going to enforce regulations until 6 months after that date.

CCPA Requirements

CCPA introduces the following rights for consumers regarding their personal data:

  • Right to know all personal data collected by a business.
  • Right to say no to the sale of personal data.
  • Right to delete personal data.
  • Right to be informed of what categories of personal data will be collected prior to its collection, and to be informed of any changes to this collection.
  • Mandated opt-in before sale of children’s information (under the age of 16).
  • Right to know categories of third parties with whom personal data is shared.
  • Right to know categories of sources of information from whom personal data is acquired.
  • Right to know the business or commercial purpose of collecting personal information.
  • Private right of action when companies breach personal data.

Which Organizations Must Comply with CCPA?

CCPA compliance is required of organizations defined in Section 1798.140(6)(1)(A-C). You are obligated to comply with CCPA and have DSAR requirements if ANY of the following apply:

  • $25 million+ annual gross revenues.
  • 50K or more consumers, households or devices have personal information you buy, receive for commercial purposes, sell, or share for commercial purposes each year.
  • 50% or more of your annual revenue is derived from selling consumers’ personal information.

And the following is true:

  • You’re a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of your shareholders or other owners. As written, CCPA doesn’t appear to apply to non-profit organizations, but this is one of many items the California Attorney General and/or state legislature will further clarify.
  • You “do business” in California. This phrase isn’t defined in the CCPA, but you may assume that it applies to any business, whether or not geographically located in California, that collects and/or sells the personal information of California residents, which would be consistent with California’s tax and corporations codes.
  • You collect consumers’ personal information, or someone collects it on your behalf. “Collect” means to buy, rent, gather, obtain, receive, or even accesses information, by any means, whether actively or passively, including by observing a consumer’s behavior.
  • You alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information.

Risks of Non-Compliance with CCPA

Watchdog Groups Will Test the Law

We’ve already seen watchdog groups initiate requests to test how well companies have been complying with GDPR, which went into effect in May 2018. Expect this to happen with CCPA as well. If you’re not able to comply with their access requests in a sufficient and timely manner, watchdog groups could go public and refer you to the California Attorney General.

Fines Are Steep and Will Rise Quickly

Under CCPA, fines are enforced by the Attorney General and can reach up to $7,500 per every intentional violation . Non-intentional violations are subject to a $2,500 maximum fine.

Additionally, CCPA allows affected consumers to file individual or class- action lawsuits against offending businesses. With damages ranging between $100 and $750 per violation, costs could escalate quickly. A data privacy lawsuit could easily put a smaller company out of business.

CCPA Solutions: How WireWheel Can Help

Whether you’re working to meet CCPA requirements or any other privacy mandate now or in the future, building your privacy operations on a suite of privacy solutions will give you the visibility and control you need to be successful.

Here are some resources to help you on the journey to CCPA compliance:

  • Marketing

Ethical Marketing: Leveraging Data Privacy to Improve Customer Experience and Brand – Part I

Since the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) came into effect (May 2018 and January 2020 respectively), the concept of “ethical marketing” has increasingly become top of mind.

Of course, the immediate concern for businesses is achieving and maintaining regulatory compliance. But, particularly concerning to marketers are the constraints concerning the “sale” and use of consumer data and the ability of consumers subject to these regulations to “opt out” of that use.¹ This is not only a regulatory concern but directly challenges the heart of the digital marketing ecosystem.

As former Obama administration Acting Under Secretary, U.S. Department of Commerce and WireWheel CEO Justin Antonipillai notes, the “issue of ethical marketing has become a huge one for most companies in the last couple of years…How do we think about targeted marketing and use of consumer data, but to do it the right way?”

Martech and Ad Tech Impact

With the passage of the Consumer Privacy Rights Act (often referred to as CCPA 2.0) set to go into effect 1 January 2023, working with consumer data, to not only satisfy regulatory compliance, but doing so ethically and effectively has taken on an absolute sense of urgency for marketers. The impact to Martech and Ad Tech is profound. It is with this as backdrop that WireWheel’s Justin Antonipillai sat down with LiveRamp VP, Head of Innovation & New Business Rishabh Jain to record their discussion Ethical Marketing: Where Trust and Personalization Intersect.

While the CPRA does not go into effect until January 2023, because there is a look back from January 2022, leading edge companies are being proactive regarding its implications. They recognize that how they handle privacy is an opportunity to improve customer relationships – including those consumers not subject to the GDPR or CPRA. As LiveRamp’s Rishabh puts it: “I think that there’s a lot of opportunity right now for using privacy as a strategy to increase trust with consumers as opposed to viewing it as simply compliance.”

In short, ethical marketing begins with making data privacy a core company value and continues by viewing privacy regulations as opportunities to gain trust with consumers. Apple’s iOS 14 ad tracking announcement, Facebook’s retargeting management tool (LDU), and Google’s announcement regarding third-party cookies are key examples of leading companies…well, leading…with the idea that data privacy is not simply a regulation, but a core brand value (More on this in Part II of this post).

The Consumer POV

“There tends to be two things consumers have taught me” says Rishabh. Firstly, “It feels like a lot of things are happening in the background that they don’t really understand or have control over.” The use of third-party cookies exacerbates that sense of lack of control. Secondly, “when they learn about it, they want to understand, can I turn it off? And in some cases, they want to understand actually can I make it better?”

“So I have actually heard it both ways, which I think is a signal that what users really want is to be able to understand it and control it, not necessarily just turn it off.”

This attitude is not unique to Californians or citizens residing in the European Union. It really is common across all geos and demographics. Consequently, forward looking organizations like Apple are not necessarily bucketing their customers and prospective customers as Californians/Not Californians, Subject to GDPR/Not Subject. Rather they understand that consumer sentiment is in alignment with these regulations and view increased transparency and control as more ethical and valuable. “I think it’s pretty clear what consumers want” says Jain:

“You know, it’s voters who voted for the CCPA and CPRA. It’s not legislators in a room somewhere who came up with this, it’s a proposition and so it is people in California who said, ‘we want this.’ And then they said we want it again.”

“And when people are telling you what they want, it tends to mean they want it. And if you show that you’re listening, and you show that you’re listening sooner rather than later, they will trust you more.”

Forward-looking organizations are listening, and they are moving beyond compliance and thinking in terms of ethical marketing as strategy.

The Brand POV

Needless to say, companies still want to continue to market and advertise and be able to target potential customers effectively. And there will certainly be challenges.

Google Chrome’s planned obsolescence of third-party cookies; the perceived “creepiness” of cookies, Facebook Pixels and server-side API; the CPRA’s addition of Sensitive Personal Information (SPI) to the category of Personally Identifiable Information (PII) and attention to “cross-context behavioral advertising;” all portend challenges to the traditional Ad Tech approaches to, and Martech use of, identifying, segmenting, targeting, and retargeting customers and prospects. The Facebook LDU implementation earlier this year demonstrated with resounding clarity the impact of “do not sell” on marketing efficacy.

This is a trend that promises to continue, notes Justin. And operationalizing consumer relationship in light of these changes will be critical to success. And it is not a DIY affair which has led to “a lot of pain with not a lot of reward” for many. But those that get ahead of it – and understand data privacy as a new route to developing trust-based relationships – just may discover a significant competitive advantage over peers who merely aspire to compliance.

After all, “When someone grants permission they are acting consciously, becoming an active participant rather than a passive source of data to be pillaged. Permission equals engagement. And engagement is the ultimate goal here, isn’t it?” (Carroll, 2018).


Watch Ethical Marketing: Where Trust and Personalization Intersect Webinar Replay

Part II will look at what lies ahead, how to operationalize for today’s requirements and position for future challenges and opportunities.


[1] The definition of selling has been further defined by the CPRA as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

  • Privacy

Data Classification to Support Subject Rights Requests and Proactive Privacy Management

With modern data stores decreasing the price of storage, it’s now possible to collect more data and keep every scrap. Yet, it has become increasingly difficult to know what type of data you’re collecting and which data is subject to data privacy laws. This lack of visibility is a challenge for privacy teams struggling to manage Subject Rights Requests.

Simply put, if you can’t identify and monitor where an individual’s information resides and how it’s used, you won’t be able to produce it for a Subject Rights Request (SRR). You also won’t be able to modify it or remove it to meet SRR requirements. To locate data related to an individual making a request, you need the capacity to search files across vast repositories and group data together. That calls for data classification.

Security and IT teams may already have data classification schemes in place to rank data according to risk categories and make operations more efficient. Unfortunately, most data classification approaches don’t address the practical needs of privacy teams.

As part of our series on managing Subject Rights Requests, we’ll take a look at how data classification schemes that log and validate repositories of personal data can provide privacy teams with the granular supervision they need to do their job. With a coordinated approach, privacy, IT, and security teams can design and manage data classification processes to match privacy requirements.

A Coordinated Approach to Data Classification for Privacy Management

1. Classify Data to Flag Information Subject to Privacy Laws

What’s in your data stores? Did you know that 21% of files in the cloud contain sensitive data that could be regulated by privacy laws? This includes personal data, protected health information, information about minors, and other types of personally identifiable information (PII).

PII is any information about an individual that can distinguish or trace that individual’s identity. GDPR has loosened the definition of PII so that it now includes more than personal data such as name, email address, and social security number. The scope of PII has expanded to include related information that can be linked to an individual. As a result, you need to follow all of the links from personal data to additional information which could be analyzed and connected back to the source and classify that data as well. This includes information provided by supplemental data sources or observed through automation or analysis (a user went to a certain webpage, purchased a product, etc.) or inferred (such as preferences based on behavior).

Unstructured data, such as customer comments, reviews, blog posts, customer service notes, account management emails, even internal messaging, also needs to be classified as potential sources of personal information. Especially when combined with personal data, this type of unstructured information represents behavior-based insights that can become personal information.

By labeling, grouping, and classifying data, you’ll be able to identify personal data that represents the highest risk and must be handled with care to meet privacy obligations. You’ll also have more fine-grained control over access rights for personal data because you’ll know what’s inside.

2. Automate Processes to Classify High Volumes of Data

Make sure you classify data you store, as well as data you process or compute. When data lives in multiple places, it may need to be classified differently, depending on how it is used.

Automated classification and tagging solutions save time and energy to surface, categorize, and prioritize data.

When databases are managed in the cloud, it’s much easier to classify data automatically. Technology can provide insights into database schemas, which can then be analyzed at the top level to identify personal and sensitive personal information. Data can be tagged into key categories related to data protection requirements. Schema analysis can also be run automatically to collect data in a way that keeps information evergreen.

3. Verify Automated Classification

As great as automated classification is, it can’t do the job alone. Even with comprehensive data discovery and classification, data labels and tags within a data store can’t tell you all the information you need to know. Data may look innocuous on the surface, but actually be sensitive, personal information. Privacy management requires human judgment to confirm categories, provide context, and review results for false positives and negatives.

For example, it’s clear that names, email addresses, and social security numbers are personal data. But what if your database includes a series of numbers for each account? On the surface, these are just numbers. But, if each number represents what political party a person belongs to, that is personal information that should be protected. An automated classification scan will result in false negatives, and you may never know until an audit or data breach uncovers the problem.

To protect personal information and reduce risk, IT and security leaders need to collaborate with privacy professionals as well as business functions to understand the process and intention behind data usage and ascribe meaning to data to create a complete picture. Technologies and processes must support collaboration so that everyone involved in privacy management – from Privacy Offers to legal, compliance and security teams – shares the same information and can adjust quickly.

4. Adapt Classifications as Needed to Meet Changing Definitions and Data Lifecycle Stages

Any system that classifies and tracks personal data needs to be flexible enough to adapt to new requirements.

Privacy laws are evolving and definitions are changing. For example, we expect that data categories noted in CCPA will be further refined and may require new types of classifications.

Additionally, data doesn’t stay in a static state. Through its lifecycle, data may be moved, amended, appended, redacted, etc. Classification schemes need to adjust and continuously update as data changes.

WireWheel Data Discovery Classifies Data for Privacy Management

WireWheel’s data privacy management solution incorporates data classification directly into a central, accessible platform that lets you respond accurately and rapidly to SRRs.

WireWheel connects to Amazon Web Services, Google Cloud Platform, and Microsoft Azure via our API for a rapid scan of your data, including data-related integrations with vendors and partners. We parse structured and unstructured data to find patterns, label and group information according to risk and privacy categories you define. Continuous scanning keeps information current as data is added and processed so you always have the most complete, up-to-date information.

  • CCPA & CPRA
  • Regulations

Our Take on California’s New Ballot Initiative

A year after his initial success with the California Consumer Protection Act (CCPA), Alastair Mactaggart is continuing to advance the privacy journey with a new California ballot initiative slated for the November 2020 election. The California Privacy Rights and Enforcement Act of 2020 seeks to continue the work started by CCPA by strengthening consumer protections and defining new requirements businesses need to follow.

Key Elements of the Ballot Include:

  • Enhanced efforts to restrict access to information regarding children and teenagers. While the existing statute focuses on permission to sell that data, the new proposal would require a company obtain permission before collecting data from consumers younger than 16 – an “opt-in” provision. If the person is 13 or younger, the company would need approval from a parent or guardian to collect data.
  • Requirements for technology companies to disclose information about the algorithms used to target consumers with specific advertisements.
  • Creation of a new state agency to field privacy questions and complaints and enforce the privacy protections rather than leaving oversight to the California attorney general’s office.
  • Tracking the time period a business intends to retain each category of a consumer’s personal or sensitive information, providing the business doesn’t retain information for each specific disclosed purpose for which it was collected for longer than is reasonably necessary.

Our Take: Change Is Inevitable

Privacy legislation is an ongoing journey that is going through a period of great change. CCPA brought new requirements for organizations to track the types of data they were processing and the types of vendors they were sharing it with and provide that information to consumers via Subject Rights Requests. When CCPA was penned, however, we knew that clarifications and changes would follow.

This new initiative underscores the importance of the privacy issue and is a step toward building an infrastructure that can provide expert, detailed guidance.

The Importance of Transparency

The new requirements further the goal of putting control of personal data in the hands of the people to whom it belongs.

Since the early days, modern privacy legislation has been crafted to implement controls directed at achieving our core human values. Privacy is a fundamental right that resonates with all humans. “The right to left alone” as it has been described demonstrates that humans want to be in control and choose how they interact with the world. This concept was penned by Louis Brandeis, a member of the supreme court, when describing core privacy values and challenges in a Harvard law review article he authored in 1890.

Technical advancements have fueled the pursuit of these rights over the past 40 years. All business transactions are now completed with the aid of computers and produce digital information which has become increasingly more personal and sensitive. This information – although about people – is not controlled by the people to whom the data refers. Additionally, this information has become an entity unto itself and contains valuable details on how we live, eat and function.

Flexibility Is Key

In creating these and other new requirements surrounding the processing of personal information the ballot authors will be forcing organizations to further improve their data management capabilities.

Granular tracking of data collection procedures, opt-in management, analytic operations, and data retention will require more details about the data to be captured, stored and understood. Serving up the right data to complete a Subject Rights Request will be an exercise of understanding the status and make-up of any particular piece of data quickly and accurately.

Privacy management platforms will have to be flexible and scalable enough to support these new requirements. Comprehensive inventory and classification solutions that enable organizations to understand and track sensitive customer data will be key to meeting current and future privacy regulations.

  • Analyst
  • Company

WireWheel Privacy Management in Three Gartner Hype Cycles

Recognizing the influence of privacy requirements on key business and technical decisions, Gartner has placed privacy management tools within not just one but three 2019 Hype Cycles.

The privacy landscape is changing rapidly and new technologies are emerging on a continuous basis. “Maturing privacy requirements globally have driven organizations to identify specific privacy requirements and compliance needs, creating substantial demand which has driven rapid development in the emerging vendor space,” Gartner reports. “Security and Risk Management (SRM) leaders in organizations that operate in multiple jurisdictions especially benefit from privacy management tools, facing various privacy laws. Similarly, SRM leaders operating in regulated industries such as healthcare, financial services and in regulated jurisdictions like the EU, or facing U.S. state privacy requirements like the California Consumer Privacy Act (CCPA), will benefit from these tools.”

But Why Three Different Hype Cycles?

By including WireWheel as a Sample Vendor in the Hype Cycle for Privacy, 2019, Hype Cycle for Data Security, 2019, and Hype Cycle for Risk Management, 2019, Gartner believes people come to the privacy problem from multiple perspectives. Each function in an organization – privacy, security, and risk management – has its own objectives, metrics and solutions. Privacy is where they intersect.

Privacy teams are subject matter experts typically responsible for managing Subject Rights Requests (SRR) and Privacy Impact Assessments (PIAs). Security teams keep personal data safe from cyber threats and insider abuse and must store and classify data according to privacy needs. Risk management teams consider privacy in light of legal requirements and business continuity.

None of them can address privacy on their own, which means privacy solutions must meet the requirements of all three. As Gartner points out, “wherever possible, SRM leaders should participate in related security, risk and compliance initiatives to achieve efficient spending across these disciplines and ensure that deployed tools sufficiently cover privacy demands. After all, various stakeholders require information dashboards with differently presented information, essentially derived from the same subsystems.”

According to Gartner, each Hype Cycle drills down into five key phases of a technology’s life cycle:

  • Innovation Trigger: A potential technology breakthrough kicks things off. Early proof-of-concept stories and media interest trigger significant publicity. Often no usable products exist and commercial viability is unproven.
  • Peak of Inflated Expectations: Early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not.
  • Trough of Disillusionment: Interest wanes as experiments and implementations fail to deliver. Producers of the technology shake out or fail. Investments continue only if the surviving providers improve their products to the satisfaction of early adopters.
  • Slope of Enlightenment: More instances of how the technology can benefit the enterprise start to crystallize and become more widely understood. Second- and third-generation products appear from technology providers. More enterprises fund pilots; conservative companies remain cautious.
  • Plateau of Productivity: Mainstream adoption starts to take off. Criteria for assessing provider viability are more clearly defined. The technology’s broad market applicability and relevance are clearly paying off.”

Interrelated, Integrated Solutions Appear in All Stages of Each Hype Cycle

Gartner includes WireWheel as a Sample Vendor of privacy management tools, noting “comprehensive (privacy and risk) management tools and consulting services are priced at a level that is prohibitive for many privacy officers, who usually have only a limited budget, which drives an increased interest in specialized (and less expensive) privacy management solutions. Hence, purpose-built (modular) privacy management tools have emerged that focus on fast deployment and usability.” The “modular” approach WireWheel enables is key for organizations starting to manage and automate critical privacy activities at scale. For example, companies expecting an influx of Subject Rights Requests (SRR) under CCPA come January 2020 need to get up and running with cost-effective solutions that solve their immediate need.

Additionally, to realize its true transformational potential, privacy management must be approached with a holistic strategy. Gartner notes that “finally, there are early indications that multiple privacy tools, developed for very specific use cases, are starting to converge toward more comprehensive privacy management platforms that can replace fragmented current solutions.” Gartner recommends “ideally, tooling supports compliance with both oversight, documentation and transparency, and offers integration with associated platforms such as data-centric audit protection (DCAP) or mobile device management (MDM), where control over personal data throughout its lifecycle is in scope” and advises companies to “look for privacy management vendors that integrate with various vertically connected solutions.”

We agree. Privacy can’t be managed in a silo. That’s why WireWheel is built to integrate with and enable many privacy solutions.

  • Data classification to organize information assets and identify personal data
  • Data security governance for risk assessment, prioritization and mitigation
  • Data operations to improve the communication, integration and automation of data flows
  • Privacy-by-design strategies that embed privacy often and early in technology development, procedures and processes
  • Consent and preference management that allows customers to determine how much of their data to expose, to whom and for what purpose
  • Format-preserving encryption to protect data at rest and in use, for example when fulfilling Subject Rights Requests

A comprehensive approach to privacy management considers every part of the privacy experience, both for internal teams and external customers and partners. By incorporating multiple solutions at every phase of the Hype Cycles, from the Innovation Trigger to the Plateau of Productivity, WireWheel’s approach supports you throughout your privacy journey.


Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  • Privacy

The Difference Between Privacy and Cybersecurity and Why It Matters

The terms “privacy” and “cybersecurity” are closely intertwined but they aren’t the same. Your organization needs to excel at both privacy and security to maintain customer trust and comply with regulatory requirements. Understanding how these concepts differ and how they overlap impacts how you structure internal operations, collaborate across teams, and measure success.

While it’s possible to have security without privacy, it’s impossible to have privacy without security. Why is that?

Security Is about Safeguarding Data and Systems from Unauthorized Access.

The goal of cybersecurity is to keep external threats and malicious insiders from breaching critical systems that hold sensitive information, including personal data and corporate intellectual property. In addition to keeping information confidential, cybersecurity must also maintain system availability and data integrity.

To mitigate the risk of a cyber-attack, cybersecurity teams implement a variety of security tests and controls. For example, encryption, multi-factor authentication, and password protection solutions determine who can access what, including IoT systems that share information without human intervention. Security tools such as firewalls, virus scans, and data loss prevention software lower the risk of cyber-attack by monitoring IT systems and identifying and blocking unexpected behavior.

Let’s say all users accessing your customer database are “authorized” and their behavior is “expected.” Your IT systems likely meet the security test. But, do your operations meet the privacy test? Not necessarily. Anyone with valid credentials could view and manipulate a customer’s personal data or use it for a purpose for which consent has not been received, and that customer may never know.

Privacy Is about Safeguarding Information Tied to Personal Identity.

The concept of privacy is both more granular and broader than security.

How is it more granular? Importantly, privacy relates specifically to personal information, including any information related to an identified or an identifiable individual. Phone numbers, email addresses, financial and healthcare information, etc. are all personal information when they are tied to a unique individual. Privacy laws such as the General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are designed to protect customers’ personal information.

Why broader? When you collect or process personal information, you take on an obligation not only to keep it safe from cyber-attack, but also to treat the information you collect responsibly and fairly and in line with the consent provided by the consumer.

Individuals have the right to keep their own information confidential. If they do share information, they have the right to expect it will be kept private and used only for the purpose they have authorized. Their information should never be accessed, shared or sold without their knowledge.

To meet privacy obligations, you need to ask the following questions:

  • Am I am being fair to my customers in the way I treat their data?
  • Have I explained to my customers how I treat their data, in a way that they easily understand?

To answer these questions privacy professionals are responsible for knowing answers to four fundamental privacy pillars:

  • What data do you have
  • Where that data is stored
  • Where data is processed
  • What third parties have access to that data and what are they doing with it

A privacy program can’t address these four pillars without the support of a security program. While the privacy team typically sets the requirements for data management, the security team typically selects and runs the actual IT systems and tools that manage data storage, access, sharing, and reporting.

Improving Collaboration and Communication Between Privacy and Security

Within an organization, there are often two distinct roles: a Chief Information Security Officer (CISO), who typically has an information technology background, and a Chief Privacy Officer (CPO), often an expert on legal and compliance issues. Although their areas of expertise and approaches may be different, these leaders and their teams must build a cooperative relationship to be successful.

The most effective and efficient privacy and security teams set a foundation for collaboration by putting a few core tenants in place:

  • A shared vocabulary for data classification. Security and privacy teams need to agree on how data is categorized. What data is considered “personal” or “protected?” Data classification allows certain data to be tagged and tracked throughout its lifecycle.
  • Transparency. Security and privacy teams need to share information about where data resides, who has access, and what data processing actions have occurred. When both teams can see the same information in a common platform, they save time communicating and planning.
  • Employee empowerment. Security and privacy teams are each responsible for making sure everyone in an organization, as well as third-parties that touch data, have the knowledge and ability to manage data responsibly. People must be trained on security and privacy best practices and understand their legal responsibility for acceptable data use. They must be empowered with tools that allow them to do the right thing regarding personal data and still be able to get their jobs done productively.

Both privacy and security are critical for an organization’s success. Let’s face it; their fates are intertwined. If a cyber attacker does circumvent security controls, he or she may access and expose personal data, triggering numerous privacy violations and destroying customer trust. Building a privacy operation based on close collaboration with IT security teams is an essential step in the privacy process.

  • Privacy

Keys to a Customer-Centric Privacy Experience

Keys to a Customer-Centric Privacy Experience

Customer relationships have always been at the heart of a successful business.

Companies that craft exceptional customer experiences outperform the market by 107.5%, due to higher revenue and lower expenses. When customers believe a company has been serving them well and made them feel special, over 40% are willing to forgive the occasional mistake.

What Does Customer Experience Mean for Privacy Teams?

Customer service has been the traditional domain of marketing, sales, and support teams, not privacy and security leaders. For the most part, legal, compliance, IT operations, and infosec teams focus on strengthening internal processes, rather than creating an exceptional experience for external customers.

Until now.

The latest privacy laws have made consumer privacy experience a core requirement. Both EUGDPR and California’s Consumer Privacy Act (CCPA) are designed to bolster consumer understanding and control over how personal data is collected, processed and shared. To achieve compliance, privacy teams now need to consider the end-to-end privacy experience, from the very first touch a customer has with a brand to the potential interactions that may follow.

Communication about data privacy must be fast, friendly and above-all, customer-centric.

Privacy Notices and Preference Centers

Privacy notices and preference centers are critical communication vehicles to build customer trust and understanding. “As companies start to think through their customer preference center and how they are going to address individual rights, having some granular choices that show real transparency is going to be important,” says PwC’s Jocelyn Acqua, an expert on cybersecurity, privacy and regulatory risk.

As soon as your customers visit your website or interact with your product, you have the potential to collect data (including user behavior and preferences) that can become personal information.

At or before the point of data collection, businesses subject to CCPA must notify consumers of categories of personal information collected (bought, rented, obtained, received, or accessed) and the purposes – or potential purposes – for which that information will be used. CCPA doesn’t explicitly say how companies should communicate this information, but guidance from privacy experts provides clear direction.

“A consumer can only truly consent to the collection, use and the sale of their personal information – including the terms of service and privacy policies they readily click to agree to – if they understand what information is being collected,” Mary Stone Ross, co-author of the CCPA initiative, writes in an article for IAPP.

GDPR Shows its Teeth: Enforcement of Transparency Requirements

Recent developments with GDPR underscore the importance of transparency when communicating data privacy information with consumers. At the start of this year, the French Data Protection Authority (CNIL) issued a fine of €50 million against Google for infringing GDPR’s principle of transparency.

Although Google’s information regarding privacy was posted publicly, according to CNIL, it wasn’t sufficiently accessible or understandable to a typical reader. As the finding states, key information was “excessively disseminated across several documents, with buttons and links on which it is required to click … implying sometimes up to 5 or 6 actions.”

TO DO: As European regulators seek ways to show the GDPR has some teeth, review your own privacy communications from the perspective of a first-time visitor seeking information. Is it clear? Can you get what you need?

Data Subject Access Requests (DSAR)

“Data subject access is coming up all the time,” Jocelyn notes. “The question that we’re getting is how to be responsive to customers in an efficient way.”

As a first step, companies need simple ways to receive subject access requests from customers. When they receive them, they also need automated ways to manage the collection of data and get it ready and approved internally. Finally, they need a secure method to efficiently and reliably deliver information back to the requestor.

“Companies need technology to work collaboratively across their enterprise,” explains Jocelyn, so they can streamline the DSAR process internally, ensure accuracy and accelerate response time. If requests take too long to process, customers may wonder about the accuracy of the information and lose trust. Worse, they may share their concerns with others or escalate using the courts.

TO DO: Test your own DSAR process from a customer perspective. How long does it take to process a request? How do you feel about the results?

How Can You Make Your Privacy Interactions with Customers More Human and More Helpful?

We’ve put together recommendations to improve the customer privacy experience with the Ultimate Guide to Data Subject Access Request (DSAR) Management. Get your copy to learn more about privacy portals, DSARs, and CCPA and GDPR requirements for privacy communications.