
Privacy Law Update: June 21, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!


Newsworthy Updates

UK Issues Response To Data Reform Consultation

The United Kingdom’s post-Brexit reform of its data protection laws took another step forward Friday with the government’s final response to its data consultation. The consultation was launched in September 2021 under “Data: a new direction” and opened to public comment for ten weeks. The final response features several incremental reforms, such as altering some accountability provisions, including the removal of a data protection officer requirement; adding an opt-out model for a wide swath of online tracking; and updates to the U.K. Information Commissioner’s Office.

EDPB Adopts Guidelines On Certification As A Tool For Transfers And An Art. 65 Dispute Resolution Binding Decision Regarding Accor

The EDPB adopted guidelines on certification as a tool for transfers. Art. 46(2)(f) GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool.

EDPB Deputy Chair Ventsislav Karadjov said: “These guidelines are ground-breaking, as they provide the very first practical guidance on certification as a tool for transfers – a new transfer tool introduced by the GDPR. The guidelines provide guidance on how this tool can be used in practice and how it can help maintain a high level of data protection when transferring personal data from the European Economic Area to third countries.”

Canada Introduces New Federal Privacy And AI Legislation

Canada took a step toward updating its privacy regime June 16, as Minister of Innovation, Science and Industry François-Philippe Champagne and Minister of Justice and Attorney General of Canada David Lametti introduced Bill C-27.  The Digital Charter Implementation Act, 2022 features three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.

The three-pronged legislation aims to strengthen Canada’s data privacy framework, primarily the Personal Information Protection and Electronic Documents Act, and create new regulations for the responsible development of AI, while continuing to implement Canada’s Digital Charter. The proposal would also introduce changes to how privacy is enforced in the nation.

IAB Eager To Work With Congress To Improve Federal Data Privacy Bill

The Interactive Advertising Bureau (IAB)’s Lartease Tiffith, Executive Vice President for Public Policy, released the following statement today in response to draft legislation in Congress creating a national data privacy framework, the American Data Privacy and Protection Act:

“We’re glad that Congress has finally produced a discussion draft for national privacy legislation that is bipartisan and bicameral, after years of hard work in the House and Senate to find a compromise. IAB and our members across the digital advertising industry support many of its provisions, and we’re eager to help improve the bill, not only to protect Americans’ consumer privacy, but also to create jobs and help strengthen the economy. We’re concerned about the impact on small businesses and internet users, who enjoy many free products and services thanks to data-driven digital advertising. Data is crucial to almost every business in today’s global economy. Rather than repeat mistakes that have harmed innovation and growth overseas, national privacy legislation here in the U.S. must maintain our country’s technological leadership and competitive advantage. IAB is working hard with our partners to produce the best result.”

Privacy Legislation

California: We continue to await the launch of formal rulemaking on the proposed CPRA regulations which will likely trigger a 45-day public comment period. We encourage anyone interested in timely updates on the CPRA rulemaking process to sign up for the Agency’s email list here.

Separately, AB 2273 the ‘Age Appropriate Design Code Act’ and AB 2408 the ‘Social Media Platform Duty to Children Act’ are on the agenda for a June 28 Senate Judiciary Committee hearing.

District of Columbia: B 24-0588 the ‘Stop Discrimination by Algorithms Act’ has been scheduled for a public hearing on September 22, 2022. This legislation was originally introduced in December 2021 at the request of Attorney General Karl Racine. The bill seeks to: (1) prohibit organizations from using discriminatory algorithms to make decisions about key areas of life opportunity, (2) require algorithmic audits for discriminatory patterns, and (3) require companies to publish easy-to-understand disclosures about their algorithms and permit individual correction if an adverse action is based on an algorithmic eligibility determination.


Consent & Preference Management for Marketing

With the arrival of several new data privacy regulations, marketers all over the globe are racing to get up to speed with how best to manage consumer consents and preferences. Enabling consumers to manage consents and preferences is both a legal and commercial obligation; however, this can run counter to your own marketing and sales efforts.

How does consent and preference management affect marketing campaigns? Is there a way for marketing teams to identify data privacy concerns and overcome them?

The short answer to all of the questions around consent and preference management is that solutions exist to keep companies compliant, brands visible, and consumers in control of their personal information. A longer answer requires understanding what marketing teams strive to accomplish and how their work relates to data privacy.

Marketing Challenges and Data Privacy

Consumers demand more from their content. Whether they want education, information, or entertainment, traditional media is being left behind. Marketers have to keep up and give consumers what they want. Consumers typically don’t want to be shown ads that don’t speak to them. They want personal experiences they can connect and resonate with; experiences that are more likely to boost a brand’s visibility and convert prospects into paying customers.

How can companies discover consumers’ preferences? By collecting information about their tastes.

With data privacy laws quickly emerging across the globe, and the growing expectation of individual privacy as a civil liberty, consumer data collection has also become a large challenge.

Organizations must inform website visitors about what information they want to collect, the reason for collecting it, and how long they will store the data. Additionally, consumers must be given the option to deny permission and to dictate the channel and frequency of marketing communications. Marketing teams can no longer simply acquire consumer information without permission. They must comply with regulations and respect consumer privacy rights through transparent consent and disclosure.

Data privacy laws, along with the deprecation of cookie technologies, may hinder marketing efforts from a data analysis standpoint, and without all of the consumer data to drive market insights, organizations may struggle to develop and sell their products and services. The key is to acquire consumer data while practicing effective consent and preference management by balancing the need for collecting data and respecting individual privacy rights.

Marketing Considerations for Consent & Preference Management

The law is one primary aspect marketing teams should take into consideration when approaching consumer data privacy and consent and preference management. Companies can be fined for non-compliance with privacy regulations designed to protect people’s rights.

Another significant aspect is consumer demand. What do people want? The growing trend among consumers is that they want to maintain their privacy, control their information, and receive relevant content.

Consent and preference management can allow marketing teams to serve the interests of their companies, follow regulations, and give consumers what they want. It is unethical to collect data from unsuspecting consumers without their consent or, at a minimum, an easy-to-understand notice about the data being collected. Amazingly, many marketing teams don’t take advantage of the benefits that come with using a preference management system. Whatever preferences customers submit have the potential to provide marketing teams with an additional layer of data that could help uncover new market segments for revenue growth.

Benefits of Consent and Preference Management for Marketers

Consent and preference management gives marketing teams a prime opportunity to focus on consumers. Giving customers the power to grant consent, as well as to provide their own preferences, can create a bond between a brand and a potential paying client. Trust can build loyalty, which can result in repeat business.

Personalizing marketing messages zeroes in on what consumers want. When served with content that resonates with their interests, consumers tend to have a more positive experience. Additionally, the organizations that do this are also viewed as more genuine and caring towards customer needs. Respecting their consent and abiding by their preferences demonstrates that consumers have been heard. Personalization can deliver a first-rate customer experience that forges a connection between brands and their target audience.

Succeed with Consent and Preference Management

Marketing teams should be doing everything they can to leverage these requirements as a competitive advantage. Marketers should work with data privacy, legal, and IT professionals to build, employ, and maintain a privacy program that includes consent and preference management. Collaboration can lay the groundwork for a system that delivers compliance and consumer insights.

A consent management platform can help ensure quick compliance while meeting a company’s business needs. Using such a platform can ease the burdens of consent and preference management. Marketing teams can use data that was legally obtained directly from consumers to improve the customer experience. When all of these factors work together, marketing teams can effectively engage with consumers and new prospects to generate even more revenue from sales.


Privacy Law Update: June 13, 2022



Newsworthy Updates

Understanding the American Data Privacy and Protection Act

On Friday, June 3, Representative Frank Pallone (D-NJ), Chairman of the House Energy & Commerce Committee, Representative Cathy McMorris Rodgers (R-WA), the committee’s Ranking Member, and Senator Roger Wicker (R-MS), Ranking Member of the Senate Commerce, Science and Transportation Committee, released to the public a discussion draft of a federal privacy bill. The “American Data Privacy and Protection Act” (ADPPA) is a comprehensive bill that touches all facets of the privacy debate that has been ongoing in Congress for well over 20 years. Some of the provisions in the discussion draft are bracketed, indicating those provisions are still under discussion and are not subject to agreement between the authors. In their press release, the three authors thanked Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) and Ranking Member Gus Bilirakis (R-FL), as well as Members of the Senate Commerce Committee, for their input and leadership on the discussion draft. However, of note, Senator Maria Cantwell (D-WA), the Chair of the Senate Commerce Committee, is not an author of the bill.

The Genesis of ‘Privacy By Design’

The U.S. has never had a national data privacy law. That might be set to change with a new draft bill being debated in both chambers of Congress, with support from leaders in both parties.

The American Data Privacy and Protection Act includes requirements that any organization that “collects, processes, or transfers” information that can be linked to a particular individual follow the principles of “privacy by design.”  It’s a decades-old idea that the only way to ensure data privacy is to build it into applications in the earliest stages. It’s in Europe’s General Data Protection Regulation as well as Brazil’s national privacy law, among numerous other jurisdictions.  But applying that idea to continually evolving technology is likely to require some serious iterating, to use a Silicon Valley term.

Politico asked Ann Cavoukian, who coined the term and came up with seven “foundational principles” in 1997 when she was Ontario’s information and privacy commissioner, about the history — and the future — of the concept.

IAB Tech Lab Unveils Global Privacy Platform (GPP) To Consolidate Domestic And Global Privacy Signals For Digital Advertising

Following two years of collaboration with the industry and consultation processes with technical and legal experts across the globe, IAB Tech Lab, the digital advertising technical standards-setting body, announced the launch of the Global Privacy Platform. GPP is a product of IAB Tech Lab’s Project Rearc initiative. It is a single protocol designed to streamline transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers, and integrates with existing privacy signals from Europe’s Transparency & Consent Framework and the CCPA in the United States.

Location, Location, Location: Does Localization Still Matter In Data Privacy Regulation?

Today’s data privacy laws refer to specific regions. The GDPR applies in the EU, CCPA is relevant in California and so on. But as data privacy becomes more of a global standard, it’s time to evaluate this course of action and ask whether or not current and future laws still refer only to the regions for which they were initially meant.

Privacy Legislation

California: The California Privacy Protection Agency held a board meeting on Wednesday, June 8th. Lisa Kim and Stacey Schesser from the California AG’s office gave a presentation on the draft proposed CPRA regulations to the board. The board then voted 4-0 to empower Executive Director Soltani to take ‘all steps necessary’ to initiate formal rulemaking proceedings on this first set of CPRA implementing regs. Expect a formal announcement, and the start of a 45-day public comment period, soon (though we understand that non-substantive, technical corrections to the proposed regulations will be adopted first).

During discussion of future agenda items, Boardmember Le requested a legal opinion on what information the Agency can share about enforcement deadlines (suggesting there is appetite on the board to postpone at least some aspects of formal CPRA enforcement, given the delay in promulgating regulations). Boardmember Thompson also requested further information on the process for amending the proposed regulations.

Prior to the meeting, the board released its draft Initial Statement of Reasons (‘ISOR’) for the proposed regulations. Notably, the ISOR determined the regulations would not have a significant adverse economic impact on businesses as businesses are already required to comply with the CCPA and CCPA regs and that any adverse economic impact would come from the Prop 24 ballot initiative, not these new regulations. The ISOR further states that opt-out signals do not need to be enabled by a consumer, but that “selection of privacy-by-design products or services is an affirmative step and sufficient to express the consumer’s intent to opt out…”

Separately, California’s AB 2273 to establish an ‘Age-Appropriate Design Code’ has been referred to the Senate Judiciary Committee, joining AB 2408 the ‘Social Media Platform Duty to Children Act’ which was referred to the Judiciary and Appropriations Committees last week. Senate hearings have yet to be scheduled on either of these bills.

Colorado: The Office of the Colorado Attorney General announced that the comment portal for submissions on the Colorado Privacy Act’s pre-rulemaking considerations will close on August 5th.

Massachusetts: Mintz Law reports that last week the Joint Committee on Health Care Financing voted to send H 4514, the House version of the ‘Massachusetts Information Privacy and Security Act’ (MIPSA) ‘to study’ (rather than advance it). While the Senate companion (S 2687) is still technically awaiting action following its passage through the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1, it seems safe to predict that this bill has stalled out for the year. MIPSA contains distinct elements from the GDPR (bases for processing); CPRA (definitions and consumer rights); CPA (contractual requirements); VCDPA (enforcement); and ODPA (safe harbor for breach litigation). The Massachusetts formal session ends on July 31.


The CPPA Issues First Draft Of CPRA Regulations – Part One

On Friday, May 27, 2022, on the brink of a holiday weekend, the California Privacy Protection Agency (CPPA) issued a preliminary draft of its proposed regulations implementing the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

General Overview

These are only the preliminary draft regulations. This is not the final language.

  • The CPPA’s June 8 meeting will likely provide more information on the rulemaking process.
  • The deadline for final CPRA regulations is still a moving target. Ashkan Soltani, CPPA Executive Director said in February the CPPA would go “somewhat past the July 1 rulemaking schedule” and the timetable for completion was tentatively expected “in Q3 or Q4.”
  • The CPPA will ultimately issue a Notice of Proposed Rulemaking to trigger the formal 45-day rulemaking process.
  • Consumers, the CPPA, and the California Attorney General’s Office all are empowered to take businesses, contractors, service providers, and third parties to task for perceived non-compliance with privacy obligations

The draft regulations:

  • Do not address all sections of the CPRA.  Additional regulations are still needed to address cybersecurity audits, risk assessments, and opting-out of automated decision-making technology.
  • Mandate the recognition of opt-out preference signals (i.e. GPC)
  • Do not address the technical specifications to accommodate GPC signals
  • Create new notice at collection requirements when 1st parties such as websites allow 3rd parties such as analytics providers to collect personal information
  • Add consent requirements to prevent dark patterns
  • Specify notice and permissible use requirements for the right to limit the use of sensitive personal information
  • Require businesses to confirm they’ve processed opt-out of sales/sharing and limitation of sensitive personal information requests
  • State that cookie management tools alone are not sufficient to honor opt-out and limitation requests
  • Need to align new requirements for data processing agreements with the current CPRA requirements
  • Require businesses to conduct due diligence on service providers, contractors, and 3rd parties processing personal information


Summary of The Draft Regulations

Restrictions on Collection and Use of Personal Information: Collection, use, retention, and sharing of a consumer’s personal information should be necessary and proportionate to the purposes for which it was collected or processed.  It should not be processed in a manner that is incompatible with those purposes.

Consent and Dark Patterns: When obtaining consent, businesses must

  • Use methods that are easy to understand
  • Provide for symmetry in choice
  • Avoid confusing language and elements
  • Avoid manipulative choice language

Privacy Policy: New requirements were added to:

  • Declare and provide appropriate notice if sensitive personal information is processed for purposes other than those authorized by the CPRA and the regulations
  • Provide information on the new rights under CPRA
  • Explain how opt-out preference signals are processed

Notice at Collection: In addition to existing CCPA requirements to notify about categories of personal information, purpose and use of collection, and if data is shared or sold, the draft regulations now require businesses to provide notice at or before the time of collection of personal information on:

  • Categories of sensitive information collected
  • Data retention for each category of personal information

There are new notice requirements for 1st and 3rd party data collectors

  • 1st parties allowing 3rd parties to collect data from consumers must list the names of all the 3rd parties collecting personal information
  • 3rd parties also controlling the collection of personal information should provide notice at collection on their homepage and provide the 1st party information about its business practices for the 1st party to include in its collection notice

Sensitive Personal Information: The CPRA currently allows businesses to process sensitive personal information for certain limited purposes.  The CPPA will rule on “other” purposes.  If a business processes sensitive personal information for other purposes, it must provide a notice and allow consumers to restrict processing to the permissible purposes through a conspicuous “Limit the Use of My Sensitive Personal Information” link.

Opt-Out of Sell/Share: In addition to the existing “Do Not Sell My Personal Information” links, the draft regulations require that links:

  • Are conspicuous
  • Have the immediate effect of opting the consumer out  OR
  • Lead the consumer to a webpage where they can learn and make choices.
  • A link is not required if opt-out preference signals are processed in a “frictionless” manner (Global Privacy Controls)

Alternative Opt-Out Link: To help simplify opt-out requests, instead of providing both an opt-out of sell/share link and a sensitive information use limitation link, a “single, clearly labeled link on the business’ internet homepages” to effectuate both of these requests is permissible. The link must:

  • Say either “Your Privacy Choices” or “Your California Privacy Choices.”
  • Be conspicuous
  • Include the CCPA’s opt-out icon
  • Direct consumers to a website with certain information

Mandatory Opt-Out Preference Signals: The CPRA currently provides for the option of recognizing opt-out preference signals as valid consumer requests to opt out of the sale or sharing of personal information and to limit the use of sensitive personal information.  The draft regulations mandate businesses recognize these signals.

The CPPA believes the CPRA “does not give the business the choice between posting the opt-out links or honoring opt-out preference signals.” They now distinguish between recognizing opt-out preference signals in a “frictionless” and “non-frictionless” manner. If a business provides the opt-out links, then it is allowed to honor opt-out preference signals in a “non-frictionless manner.” If a business processes opt-out preference signals in a frictionless manner, it does not need to provide the opt-out links.

A frictionless manner means: 

  • Not charging a fee or other valuable consideration, not changing the consumer’s experience with the product or service offered, and not displaying a notification, pop-up, text, graphic, animation, sound, video, or interstitial content in response to the opt-out preference signal
  • Including in its privacy policy that it recognizes opt-out preferences in a frictionless manner
  • Ensuring the signal also effectuates opt-outs of any offline sales/shares

The draft regulations do not address the technical specifications for opt-out preference signals


Rights

Deletion Requests: The draft regulations require service providers and contractors to:

  • Notify the consumer the request has been honored
  • Permanently delete the information and
  • Notify their service providers and contractors to also delete the information

Correction Requests: The right to correction is a new right provided by the CPRA.  Businesses:

  • Are required to determine the accuracy of the personal information by considering “the totality of the circumstances relating to the contested personal information.”
  • May request that consumers provide documentation as needed
  • Must ensure the accuracy of the information
  • Must ensure service providers and contractors also correct it

Opt-Out of Sale/Sharing Requests: The draft regulations state that a “notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information.”

  • Acceptable methods for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal information
  • Businesses are required to confirm the request has been honored
  • Businesses may display ‘Consumer Opted Out of Sale/Sharing’ or indicate through a toggle or radio button on their website that the consumer opted out of the sale of their personal information.

Limit Use and Disclosure of Sensitive Personal Information Requests: The limitation on the use and disclosure of sensitive personal information is another new right provided by the CPRA. Businesses must:

  • Provide at least two methods for exercising this right
  • Comply with the request within 15 business days
  • Notify service providers, contractors, and 3rd parties
  • Provide a means by which the consumer can confirm that their request was honored

The regulations identify seven permissible purposes for processing sensitive personal information without having to provide the right to limit. These include:

  • Performing services or providing goods an average consumer would reasonably expect
  • Detecting certain types of security incidents
  • Ensuring the physical safety of individuals

Contracts for Service Providers and Contractors: The draft language introduces new requirements for service provider and contractor contracts that may need better alignment with the existing statutory requirements.

The purpose of contracts is to restrict service providers and contractors from processing personal information for any purpose other than those in the contract and permitted by the law. Contract language should include, among others, the following provisions:

  • Require compliance with all applicable provisions of the CPRA
  • Provide the same level of privacy protection as applicable to the businesses
  • Cooperate with the business for handling consumer rights requests
  • Provide reasonable data security provisions
  • Notify the business within 5 business days if the service provider or contractor determines it cannot meet its obligations
  • Provide the business the right to take reasonable steps to stop and remediate any unauthorized use of personal information by the service provider/contractor
  • Due diligence is required for service providers and contractors processing personal information

Service providers and contractors may:

  • Use and combine customer personal information “to detect data security incidents or protect against malicious, deceptive, fraudulent or illegal activity.”
  • Use customer data to comply with other laws, lawful process, to defend claims, if the data is de-identified or aggregated, or does not include California personal information.


CPPA Audits and Enforcement

  • The CPPA is permitted to perform audits in three situations:
    • To investigate possible violations of the law
    • The subject’s collection or processing activities present significant risk to consumer privacy or security
    • The subject has a history of noncompliance with the law “or any other privacy protection law.”
  • There are no provisions requiring consumers to file sworn complaints.
  • The rules provide that there is “probable cause” of a privacy violation if “the evidence supports a reasonable belief that the CCPA has been violated.”
  • The CPPA can find a violation through a probable cause hearing if it provides notice by service of process or registered mail with return receipt to the company “at least 30 days prior to the Agency’s consideration of the alleged violation.”
  • A business has a right to an in-person proceeding only if it requests the proceeding be made public. Otherwise, the proceeding may be conducted by telephone or video closed to the public.
  • Participants are limited to the company representative, legal counsel, and CPPA enforcement staff.
  • The CPPA serves as prosecutor and arbiter.
  • The draft rules do not define how the agency preserves its neutrality in its later role
  • The CPPA then issues a written decision and notifies the company electronically or by mail
  • The draft rules provide that this determination “is final and not subject to appeal.”
  • Violations can result in an administrative fine of up to $2500 for each violation, and up to $7500 for each intentional violation or if the violation involves minors.
  • Multiple parties involved can be held jointly and severally liable.
  • There is no process to challenge judgments

Notably, this is the first draft of the regulations and they will likely evolve and be joined by other regulations in the coming weeks. California is clearly drawing a line in the sand on its stance on privacy compliance.  We will continue to monitor this subject as it progresses and provide additional updates.


Privacy Law Update: June 6, 2022



Newsworthy Updates

US lawmakers closing in on bipartisan privacy framework

For the first time in years, members of U.S. Congress have found common ground on comprehensive federal privacy legislation and a bipartisan framework may be in reach. Politico reported members of the U.S. Senate and House are circulating a draft bill that includes bipartisan compromise on the two biggest stumbling blocks between parties, federal preemption and the private right of action. The draft from Senate Committee on Commerce, Science, and Transportation Ranking Member Roger Wicker, R-Miss., and House Committee on Energy and Commerce leaders Frank Pallone, D-N.J., and Cathy McMorris Rodgers, R-Wash., speaks to previously reported momentum between chambers and parties, but the proposal also hasn’t yet garnered the support of Senate Commerce Committee Chair Maria Cantwell, D-Wash., arguably the most important legislator working on federal privacy legislation.

IAB Tech Lab Unveils Global Privacy Platform (GPP) To Consolidate Domestic And Global Privacy Signals For Digital Advertising

Following two years of collaboration with the industry, and consultation processes with technical and legal experts across the globe, IAB Tech Lab, the digital advertising technical standards-setting body, is proud to announce the launch of the Global Privacy Platform (GPP). GPP is one of the products of IAB Tech Lab’s Project Rearc initiative. It is a single protocol designed to streamline transmitting privacy, consent, and consumer choice signals from sites and apps to ad tech providers, and integrates with existing privacy signals from Europe’s Transparency & Consent Framework and CCPA in the U.S.

Duck Duck Go Passing Data to Microsoft

An external auditor reported on a “secret data flow list” that enables the sharing of data with Microsoft for third-party advertising. The audit describes how DuckDuckGo’s web browser did not block data transfers to ad platforms owned by Microsoft—LinkedIn and Bing—when the auditor was on a site that was not a Microsoft property. The audit is nuanced, and I think the auditor’s commentary is the best way to simply relay the findings. One main take-away is this: DuckDuckGo intentionally left certain third-party trackers unimpeded while many users thought the product would be blocking those trackers.

Metaverse Privacy Concerns: Are We Thinking About Our Data?

The metaverse is no longer a concept—it’s here. And as it gains more traction from tech companies like Microsoft, Facebook and Nvidia, and retailers like Nike and Ralph Lauren, we need to start talking about the potential privacy implications that occur when our real and virtual lives become increasingly blurred.

Privacy Legislation

California: The California Privacy Protection Agency has released an initial set of draft implementing regulations for the California Privacy Rights Act. The Agency has yet to enter formal rulemaking procedures on this draft and we will be closely watching a June 8 Agency board meeting for potential announcements of next steps in the process. There is plenty to dig into in these proposed regs, so be sure to check out expert analyses from our friends at Frankfurt Kurnit, Hogan Lovells, & Kelley Drye.

Separately, we expect to closely follow Assemblymembers Wicks (D) and Cunningham’s (R) pair of child online privacy, safety and design bills as they move from the California Assembly over to the Senate. AB 2408, the ‘Social Media Platform Duty to Children Act,’ has been referred to the Judiciary and Appropriations committees, while AB 2273, to establish an ‘Age-Appropriate Design Code,’ has yet to formally receive its committee assignments.

Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) was withdrawn from a potential House vote by sponsor Daryl Deshotel (R) on Tuesday, May 31. Deshotel said that he wouldn’t run a bill without 100% business buy-in and that his bill only got 85% of the way there. Nevertheless, Deshotel got a final set of amendments adopted to help set the bill up for next year, including: (1) replacing the “sexual orientation” sensitive data category with “an individual’s sex,” (2) narrowing the right to portability to only cover information provided by the consumer in the previous 12 months, and (3) narrowing the right to delete to personal data previously provided by the consumer. We are moving HB 987 to the failed bills list.

New York: New York’s legislative session ended on June 2 without passing comprehensive privacy legislation. However, on May 31, S6701, the ‘New York Privacy Act’ from Senator Thomas (D) was significantly amended to bring the bill into greater alignment with the VA-CO legislative model. Core changes include:

  • Limiting the definition of “biometric data” to information that “allows or confirms unique identification of a natural person”
  • Adding relatively standard definitions of “decisions that produce legal or similarly significant effects”; “precise geolocation”; and “sensitive data” and amending the definitions of “profiling” and “targeted advertising”
  • Amending the transparency notice requirement to remove “the identity of each third party” recipient and replacing it with the disclosure of “categories of third party” recipients.
  • Narrowing the opt-in consent requirement to “sensitive personal data” rather than just “personal data.”
  • Creating a right to opt-out of data sales, targeted advertising, and significant profiling, that may be exercised through user-enabled privacy controls.
  • Reducing the restrictions on the use and retention of personal data to clearly permit internal business operations and compliance with legal obligations.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

  • Marketing
  • Privacy

Best Consent & Preference Management Platform Features

Managing your consumers’ consent and preferences can be complex, but it doesn’t have to be a strain on your team. Consent management platforms help organizations comply with local and global data privacy regulations. Using a platform to streamline the process can ensure you remain compliant in the face of new and changing legislation while expediting data collection.

Those searching for a solution find that the best consent and preference management platforms not only streamline privacy operations, but also support marketing, sales, and customer engagement. This helps organizations to comply with privacy laws without exhausting organizational resources like time and money.

In this post, we’ll review what to consider when searching for a consent and preference management solution:

  • Who can benefit from a consent and preference platform?
  • What are the essential features to look for in a solution?
  • Build vs Buy: Considerations between building and buying a solution

Who Can Benefit From a Consent and Preference Management Platform?

Any organization that is handling consumer data should consider a consent and preference management platform to track user consent and preferences and personalize customer experience. There are some organizations in particular that would benefit greatly from the streamlined services a consent and preference management platform offers.

Organizations that do any of the following should consider a platform in order to reduce risk associated with non-compliance:

  • Use website visitors’ personal information to personalize ads, content, and marketing campaigns
  • Use personal data to provide users with special access (i.e., form submissions)
  • Collect data from consumers in certain geographical areas (i.e., Europe or California)

Organizations that don’t use a consent and preference management platform (CMP) are also at higher risk of losing consumer trust, which can significantly impact business revenue.

Essential Features of a Consent and Preference Management Platform

An effective consent and preference management platform simplifies the collection and governance of consumer requests. It should facilitate the process of informing consumers about the type(s) of data being collected and the intended use. It should also allow consumers to easily grant or deny the organization permission to collect their information and enable consumers to modify their preferences including cookies and other tracking technologies.

The best consent and preference management platforms allow organizations to:

  • Simplify the data collection process
  • Customize consent windows
  • Collect consents and permit consent and preference adjustments
  • Store a record of collected data

Simplify the data collection process

CMPs streamline privacy operations by providing brands and consumers with an easy-to-use interface for communicating consents and preferences. A consent and preference management platform also allows companies to stay compliant as global privacy legislation continues to evolve. Organizations can continue to collect data while putting the onus of compliance on the CMP and the privacy experts specialized in each regulation.

Customize consent windows

Consumers can access websites from anywhere in the world and depending on their location, the data privacy requirements might be different. Many data privacy laws and requirements have the same foundation, but there are still many differences between them. For this reason, it’s important that a CMP supports the creation of customized consent and preference portals and privacy experiences. A customized consent window provides the user with a relevant and simplified consent and preference experience.

Collect consents and permit consent and preference adjustments

Allowing consumers to provide their consent by opting in or out enables your organization to achieve data privacy compliance. Additionally, users are given increased control with the ability to request, edit, and revoke any consent or data containing personal information which your company has stored. This gives consumers (and prospects) an improved attitude towards your brand, and helps to build trust.

Store a record of collected data

Organizations must identify and record details regarding their data collection practices. This means you must be able to show, among other requirements, what data you are collecting, the reason for collecting it, and the source of that data. CMPs help to keep a record of this information, such as names of consumers, email addresses, the dates and times when consent was received or revoked, and what exactly the consumer has consented to. This record provides a clear indication of whether consent was given, and the legal basis for data collection at any point in history.

WireWheel’s Essential Consent Management Platform

As the demand to give consumers more control over their data grows, so does the need for a solution that makes managing consent and preferences easier for both consumers and companies. WireWheel’s consent management platform can help your company comply with consumers’ requests and privacy regulations today and into the future.

  • Marketing
  • Privacy

Benefits of a Consent & Preference Management Platform (CMP)

Consent and preference management are vital in the data privacy field as they allow companies to acquire data fairly and transparently, while also giving consumers better control of their personal information.

Consent management is the process of requesting and obtaining consumers’ permission to collect, process, and store their data.

Preference management is the process that enables consumers to voluntarily give their information and customize the method and frequency of brand communications they want to receive, whether they be emails, website pop-ups, or other experiences.

Why Consent and Preference Management are Important for Organizations and Businesses

Effective customer service has always been the focus of successful companies. Consent and preference management not only allow companies to comply with privacy regulations, but also create the necessary framework to deliver consumer-centric experiences that increase brand trust, marketing opportunities, and revenue.

Consumers are more protective of their information today. They want to be confident that the company they give their data to will use it with the best intentions. They also want to dictate what data can be collected. Giving consumers control is one more step towards enhancing customer service.

While the inherent risks of privacy program management are ever increasing, teams must find the right path when navigating through the regulations and user expectations of data privacy. Fortunately, the benefits can be mutual for both organizations and consumers.

Challenges of Consent and Preference Management

The pressures from regulations, consumers, and business interests can make it difficult for companies to effectively and efficiently collect and use data. To successfully navigate the data privacy landscape, a company must adhere to legal and ethical obligations, while also balancing what is best for their business and their customers.

All of the pressures are sometimes at odds with one another. Regulations and consumer demand might run counter to a company’s desire for comprehensive customer data so they can optimize marketing to grow their brand’s visibility and revenue.

Compounding the stress of this new world are new and changing regulations. Although policies may be in flux, compliance must remain constant. Staying up-to-date requires vigilance and the ability to adapt to new standards.

There are a number of reasons that organizations might struggle with consent and preference management. Common obstacles include:

  • Data Privacy Knowledge – Before you can build a solution, you need to fully understand the problem to address it. Not many people are data privacy experts. It’s relatively new, and the landscape is expected to fluctuate even more as new legislation is introduced/passed.
  • Technical Expertise – It’s important to have team members that are also technically savvy. Without this, it is very difficult to identify and track what types of data are being stored or processed. Building a technical solution for consent and preference management also requires an investment in designing, building, testing, and launching a solution that meets applicable privacy law requirements.
  • Data Silos – When consumers opt-in or out of marketing communications, they expect organizations to honor those wishes. A large conglomeration with multiple teams can easily overlook consumer preferences if they lack an integrated system that enables all of their communications according to those preferences.

Benefits of a Consent and Preference Management Platform

Consent and preference management presents several challenges, all of which can be handled effectively with technology that accelerates compliance and advances privacy programs. Here are some benefits that come with leveraging a consent and preference management platform:

Assured Privacy Compliance

One of the primary benefits of using a consent and preference management platform is that it supports your organization with achieving privacy compliance. This is a primary driver for many teams because it helps to avoid fines from noncompliance, as well as preventing PR disasters that could ruin a company’s reputation.

Augmenting Your Team of Experts

Not many people are privacy professionals or savvy enough to manage and track changes in data privacy laws and regulations. Privacy is a global issue that needs to be addressed from a holistic perspective. There is no need for organizations to reinvent the wheel when there are existing consent and preference management solutions that were built by privacy experts, and a designated engineering team.

Revenue & Sales

An added trickle-down benefit of consent and preference management is more revenue. When consumers trust a brand, it improves how the brand is perceived by the public. While it’s much harder to become a paragon for data privacy activism, becoming just the opposite is too easy. It takes just one data privacy incident to give the impression of untrustworthiness. This can have a large, lasting impact on companies, such as lost sales and budget cuts made to fund marketing campaigns that offset any public mistrust.

Market & User Insights

Companies can also leverage user preferences to perform market and user research. All of this user data collection began in hopes of uncovering insights that would boost revenue in the first place. Why should preferences be treated any differently? Companies could potentially use this data to uncover more patterns in user preferences and behaviors without the need for overstepping boundaries. This could be something as simple as gauging consumer preferences around which methods of communication, what types of information, and how often consumers are being served. Companies are using these consent and preference insights to gain an edge over competitors who are slow to embrace the shifting data privacy movement.

Taking all of these insights into account helps teams build better, sounder strategies that improve consumer engagement.

Overcome Consent and Preference Management Challenges

As the demand for data privacy compliance grows, organizations must answer the challenges preventing their teams from effectively managing consents and preferences. Leveraging a consent and preference management platform provides teams with another option to accelerate privacy compliance, lower risk, and build better customer relationships that support sales.

  • Privacy Law Update

Privacy Law Update: May 31, 2022

Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!


Newsworthy Updates

Trends in Data Privacy Regulation: Dark Patterns

Have you tried to unsubscribe from a recurring service and given up? Have you opted to “accept all” cookies on a website to access the content without an annoying banner covering half of the page? Nearly all web users have encountered some form of what is commonly known in the data privacy community as a “dark pattern”: an interface designed to nudge user behavior toward choices he or she might not normally make if the options were presented differently. Although businesses and their web or app designers may feel tempted to explore employing these methods, the increased regulatory focus on dark patterns makes it more important than ever to consider the avoidance of dark patterns as a legal obligation, not just a best practice.

Twitter Agrees with DOJ and FTC to Pay $150 Million Civil Penalty and to Implement Comprehensive Compliance Program to Resolve Alleged Data Privacy Violations

The Department of Justice, together with the Federal Trade Commission (FTC), announced a settlement that, if approved by a federal court, will require Twitter Inc. to pay $150 million in civil penalties and implement robust compliance measures to protect users’ data privacy. The settlement will resolve allegations that Twitter violated the FTC Act and an administrative order issued by the FTC in March 2011 by misrepresenting how it would make use of users’ nonpublic contact information.

European Commission Publishes Q&A on SCCs for Data Transfers

The European Commission published a Q&A on standard contractual clauses for data transfers under the EU General Data Protection Regulation. On Dec. 27, a new set of SCCs for international data transfers will replace existing SCCs. The Q&A offers practical guidance on the use of SCCs and assists stakeholders in compliance efforts, the Commission said, adding the document is “intended to be a ‘dynamic’ source of information and will be updated as new questions arise.”

EU MEPs Visit US to Discuss Trans-Atlantic Data Privacy Framework; NOYB Issues Open Letter

A delegation of several members on the European Parliament’s Civil Liberties Committee will visit Washington, D.C., May 23 to 26. Led by Chairman Juan Fernando Lopez Aguilar, the delegation plans to discuss possibilities for the new EU-U.S. Trans-Atlantic Data Privacy Framework.

Google Offers Updates on Privacy Sandbox for Android

Google released updates on its Privacy Sandbox for Android, which is on track for a beta release by the end of 2022. The lead third-party cookie alternative being trialed in the sandbox, “Topics,” was made available for a developer trial in April. Google will preview the “First Locally-Executed Decision over Groups Experiment” and “Attribution Reporting” concepts in May or June. On the beta release, Google said, “key components” of the sandbox “will be distributed as mainline modules” to Android devices in order to allow for improvements “in a seamless way.”

Privacy Legislation

California: The California Privacy Protection Agency (CPPA) held a board meeting on Thursday, May 26. The ‘New Rules Subcommittee’ (board members Le and de la Torre) announced that it is planning to release an initial rulemaking package covering (1) the Agency’s audit authority and (2) administrative enforcement processes. The Subcommittee will continue to work on a separate rulemaking package covering (1) cybersecurity audits, (2) privacy risk assessments, and (3) automated decision-making. Furthermore, Maureen Mahoney, formerly of Consumer Reports, was announced as the CPPA’s new Director of Policy. Separately, video from the CPPA’s May 4-6 public stakeholder sessions is now available online.

We continue to track various privacy-related bills in California. Today is the last day for bills to move out of their chamber of origin. Two significant bills sponsored by Reps Wicks (D) and Cunningham (R) have advanced:

  • AB 2273 would establish an ‘Age-Appropriate Design Code’ requiring online products and services likely to be accessed by children (under 18 years old) to implement various default limits on data collection & use, profiling, etc. On May 26 the bill passed the State Assembly by a 66-0 vote.

  • AB 2408 the ‘Social Media Platform Duty to Children Act’ would prohibit social media platforms from ‘addicting’ child users and authorize private lawsuits with civil penalties up to $25,000 per violation ($250,000 per knowing violation). On May 23 the bill passed the State Assembly by a 51-0 vote. Senate amendments are reportedly possible.

Numerous privacy bills are set to fail to pass their chamber of origin including SB 1189 (biometric data), AB 1651 (workplace privacy), AB 2871; AB 2891; SB 1454 (extending the CPRA employee data carve-outs), SB 1059 (data brokers), and AB 2486 (establishing a CPPA office for the protection of children).

Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) introduced by Rep. Daryl Deshotel (R) received its second hearing in the House and Governmental Affairs Committee on May 17, advancing on a 9-2 vote. While scheduled for floor time in the House multiple times over the past week, the bill has been deferred to Tuesday May 31 for a potential chamber vote.

While initially closely following the Utah Consumer Privacy Act, Deshotel has amended the bill to add correction rights, expand deletion rights, create risk assessment requirements, remove all carveouts for pseudonymous data, and expand responsibilities for biometric data. Louisiana’s legislative session adjourns on June 6.

Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mercuri (R) with 23 Republican and 7 Democratic cosponsors, received an informational hearing in the House Consumer Affairs Committee on Wednesday, May 25. No action was taken and no formal announcement for next steps was made, but the Chair appeared interested in remaining engaged on the bill and considering additional exemptions. This is a fairly unique privacy bill containing elements of both the CCPA and CPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals. The Pennsylvania legislative session adjourns on November 30.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

  • Marketing
  • Privacy

What Are Consent and Preference Management?

Consent management and preference management are closely aligned with each other. However, they are not the same. The terms are not interchangeable although the solutions to provide both are typically all-in-one platforms.

Consent and preference management are vital elements for promoting effective data privacy strategies that benefit both businesses and their customers.

What is consent management?

Consent management is a system that enables consumers to give or withdraw consent for the personal data they are willing to share with a company. Consent management helps ensure compliance by informing consumers about a company’s data collection and usage practices and honoring those choices.

What is preference management?

Preference management is a system for allowing consumers to choose how companies communicate with them. Preference management keeps consumers in control of the methods and frequency of communications as well as keeping companies compliant with regulations. Additionally, preference management can also include preferences about content. For instance, consumers can notify companies of their preferences on how often and where to receive communications including newsletters, updates about new products and services and marketing emails.

What are the key differences between consent management and preference management?

Consent management enables consumers to opt-in or out of communications. Preference management lets consumers pick how often companies contact them, the specific content, and the methods of contact.

What impacts do consent management and preference management have on a business?

Consent and preference management can keep companies compliant with current and emerging data privacy regulations, reducing the chances of being fined.

Companies that practice consent and preference management can create brand trust and credibility by letting their customers have a say in if, how, and when their personal data can be used. Companies can also improve their marketing efforts when customers request particular information about products and services.

What are the requirements around consent management?

Consent management should address:

  • what data is being collected;
  • how it is being used;
  • who is collecting; and
  • when the data expires.

This information must be easily provided to consumers. The ability to deny permission to collect information must also be offered. Companies must also prove that their customers have consented.

What do privacy laws and regulations say about consent and preference management?

The EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are the cornerstones of data privacy guidelines. Companies must denote and record where and when consent is required. They must identify who they are, what type of data they wish to acquire, and why they want the data. They must also grant consumers the right to withdraw consent at any time and provide the methods to do so.

In addition to the principles set forth by the GDPR, the CCPA empowers consumers to deny companies from selling their data to a third party.

What industries are affected by consent and preference management?

Any industry that wants to collect consumer data must employ consent and preference management strategies.

For example, publishers, who make their money by selling advertising, should fully disclose how they are collecting personal information and how it will be used, all while giving readers the option to opt out.

Another example concerns retail businesses. Companies might provide their customers with product updates. To facilitate this, companies can collect search and purchase histories, information that their customers might not want to be disclosed.

How is consent and preference management being enforced right now?

The GDPR primarily affects the European Union, although it influences privacy laws around the world. Member States appoint a Data Protection Authority that oversees enforcement. Since its inception, the GDPR has seen a rise in effective privacy practices. The overall sum of fines is just over 1.6 billion euros.

CCPA enforcement falls to the California Office of the Attorney General. If this trend holds for the United States, then each state will be responsible for enforcement as they enact regulations. Since it came into effect, compliance has increased.

What types of trends are there in consent and preference management?

Accuracy and efficiency drive data privacy demands. The biggest trend in consent and preference management is the use of automated platforms to help guarantee compliance. A consent and preference management platform like the one WireWheel offers lets companies comply with global privacy laws by allowing their website visitors to control their cookie preferences. Since many companies serve a worldwide community, they must maintain compliance with every regulation where they do business; otherwise, they can face fines and other disciplinary actions. Consent and preference management platforms can make this task easier to complete, saving companies from punishment.

What trends are there regarding user expectations around consent and preference management?

A recent survey found that 71% of consumers want to manage their data. Nearly the same percentage would share their information if they maintained control over it. The vast majority demand the right to delete their data whenever they want.

These statistics show that the most powerful trend among users is their desire to control their data how and when they see fit. Their information belongs to them and they want to exercise their rights to govern what happens to it.

What solutions exist right now for consent management?

An automated consent and preference management platform can increase transparency, a critical component that consumers seek. Compliance can be accurately maintained, limiting the gaps within many data privacy management systems, especially those that are operated by understaffed companies and undertrained professionals. Mistakes can create opportunities for breaches and lawsuits. As more states and countries add regulations to protect data, a consent management platform can keep companies up-to-date and scale functionality easier than a piecemeal system.

What solutions currently exist for preference management?

An automated platform to aid in preference management is probably the most significant solution businesses can use to ensure compliance and prove to consumers that they respect their privacy decisions.

Companies can use a preference management platform to collect preferences with newsletter and email sign-up forms, website pop-ups, and subscription enrollment windows. It is also possible to use the information consumers give to them to deliver personalized content that the consumers ask for. This alone can drive customer loyalty.

A platform to manage preferences can also provide you with insights around what products and services consumers are most interested in. This can aid marketing efforts in finding the best direction for a brand. Companies can be more confident about how they do business.

Conclusion

Consent and preference management are no longer optional aspects of today’s business world. Laws and regulations like GDPR and CCPA have made their implementation mandatory, and even more states and countries continue to implement their own. Solutions can help companies overcome their data privacy programs’ shortcomings. They ease the burden of compliance, foster consumer trust, and provide better customer service.

  • Privacy
  • Privacy Tech

Innovating DSAR Fulfillment: A conversation with Microsoft

Many of the rights enumerated in the GDPR first came to the U.S. with the passage of California’s CCPA (January 2018) and the right to access data was one. The Data Subject Access Request (alternatively DSAR, SARS, and DSR) is how consumers exercise that right.

And while 29 states have introduced nearly 60 bills – many of which have failed, others still in committee – California to date has been joined by Utah (March 2022), Virginia (March 2021), Colorado (June 2021), and most recently Connecticut (April 2022). All have the right of access.

“But while they all have a lot in common – they’re all steeped in GDPR principles –  there are many things that make them unique,” reminds WireWheel’s CPO Buck, and this of course adds to the compliance challenges: responding to DSARs, and in particular the challenge of unstructured data, has proven to be a resource intensive and costly one.

Joining WireWheel CPO Rick Buck to discuss the operational challenges in responding to DSAR requests are Hammad Rajjoub, Director of Product Marketing, Microsoft Purview and Priva Ecosystem and Sheridan Clemens, WireWheel’s Senior Engagement Manager who provides a live demo of the WireWheel–Microsoft integrated solution.

The Challenge of Unstructured Data when Responding to DSARs

When data lives in [structured] environments it’s very easy to query and then go back and honor the subject requests. Where it gets complicated is in unstructured data.

—Rick Buck, WireWheel

Simply knowing what options to present to people when they come to you to exercise their rights, is perhaps the first challenge in DSAR fulfillment. It can be managed at the state level, or at the national level as an all-encompassing response that would likely be based on the most restrictive jurisdiction in which the organization operates.

But a key challenge is that data lives in a number of places. It resides in structured data environments as predefined, fixed formats which are easy to create rules around, control, and query. Even here though, understanding where all your data resides requires some leg work (think data mapping and asset inventory).

That said, where it gets really complicated is in unstructured data: data that lives in places that are not predefined or in specific formats, such as MS Word, PPT, PDF, spreadsheets, email, text, and chat.

These are easy neither to query nor to analyze. They don’t necessarily have manageable controls around how that data could be used, or where it goes. Importantly, unstructured data makes up about 80% of an organization’s data. And when producing this data (which can often contain references to other data subjects), it must be redacted, which further complicates DSAR fulfillment.

DSAR Fulfillment With WireWheel

And now in California, when the CPRA comes into effect in January 2022, DSAR rights are currently slated to be expanded to include employees. And this gets a lot more complicated – especially in that it is highly likely that employee data not associated with the subject of the DSAR will become exposed as part of that query. Furthermore, emails and documents regarding an employee often contain information – such as commentary – that is out of the scope of the request. This information too must be redacted.

So, the challenge becomes: 

  1. Finding the relevant data (structured and unstructured)
  2. Removing (or redacting) the data that is irrelevant to the DSAR
  3. Producing that data in a safe and secure way
  4. Reporting in a readable format for the requestor (consumer or employee); and vitally
  5. Enabling the backend systems to honor any of the downstream implications (e.g., correct or delete).

In short, “it is a full lifecycle event” – whether tackled manually or through automation – notes Buck. And it is a WireWheel core competency.

 

Meeting the Challenge of Unstructured Data in DSAR Fulfillment

Privacy regulation applies to the entire data life cycle. From data collection to data storage to access to transfer through retention and diligence. It is a complex lifecycle and privacy applies to each and every one of those stages.

—Hammad Rajjoub

 

 

Rajjoub relates that research from ISACA, “Privacy in Practice” (2021), shows that:

  • 10% of organizations have no privacy training.
  • Only 80% update their data map and flow regularly with 32% of those organizations doing so manually with email, spreadsheets, and in-person communication. And interestingly,
  • 97% haven’t fully automated DSAR management.

When working with their own customers (Priva is Microsoft’s privacy solution for unstructured data), Microsoft has identified these as key areas of opportunity, particularly the need for scalability.

“And if you add attributes of confidentiality and identifying if the data is part of legal hold, the equation becomes that much more complex,” says Rajjoub. “We also learned from our customers [that they] find it very, very difficult to gain visibility into the personal data, especially for the unstructured data environments…this process is very complicated.”

Not having [DSAR fulfillment] automated at scale, organizations are spending a ton of money, time and resources…to respond to requests and that’s creating a lot of friction and challenges for our customers. And this is where the Microsoft perspective comes in.

—Hammad Rajjoub

 

The cost is significant:

  • $1,702.28 average cost per DSAR
  • 135.61 DSARs per month
  • $230,000+ per month on DSAR fulfillment on average

To meet these challenges, the WireWheel–Microsoft integration is focused on enabling organizations to automate the discovery of personal information and take immediate and necessary actions. Importantly, it also provides needed visibility into associated risks arising from such things as data hoarding and cross-border data transfers.

The goal is that when a DSAR is received, the relevant data within the Microsoft 365 environment (all that unstructured data) is automatically collected.

Most importantly, we want to meet our customers, where they are in their privacy journey….That’s why we have built our privacy subject right request APIs that enable Microsoft solution to integrate with our customers’ existing infrastructure.

—Hammad Rajjoub

 

 

“Our Microsoft Priva integration with WireWheel is important because now,” concludes Rajjoub, “our joint customers can respond to subject access requests in a unified manner across the entire digital state covering both structured and unstructured data provides a ton of value: an automated, unified, and customizable complete lifecycle DSAR response – at scale – from request verification to production of structured and unstructured data including redactions.”

During the session, WireWheel’s Senior Engagement Manager, Sheridan Clemens, provides a brief demo of the integrated solution where he takes the audience from the consumer or employee’s request initiated in WireWheel’s Trust Center and through the integrated workflow management.

To request a demo or proof of concept, please contact WireWheel here.

DSAR Fulfillment With WireWheel and Microsoft Priva

  • Privacy Law Update

Privacy Law Update: May 16, 2022



Newsworthy Updates

US Senate Confirms Alvaro Bedoya to FTC as Fifth and Final Commissioner

After a series of delays during the confirmation process, the U.S. Senate approved the nomination of Georgetown University law professor Alvaro Bedoya to fill the remaining commissioner vacancy on the Federal Trade Commission. Bedoya’s confirmation now gives Democratic appointees a 3-2 majority on the FTC’s Board of Commissioners.

California Privacy Protection Agency Holds Pre-Rulemaking Stakeholder Sessions

The California Privacy Protection Agency (CPPA), which is in charge of implementing and enforcing the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA), held a series of pre-rulemaking stakeholder sessions over three days last week. Executive Director of the Agency, Ashkan Soltani, opened the sessions on Wednesday, May 4, welcoming those in attendance, which included Professor Jennifer Urban, Chair of the Agency. Urban was appointed Chair of the five-person CPPA Board by California Governor Gavin Newsom in March 2021.

Potential Roe v. Wade reversal brings ‘urgent need’ for federal privacy law

U.S. Rep. Suzan DelBene, D-Wash., issued a statement explaining how overturning Roe v. Wade further amplifies the need to “swiftly pass a strong” federal privacy law. DelBene said Congress “can’t afford to wait” on a law because “our tech laws are so behind.” She also noted how the impacts on women’s online privacy from the pending Supreme Court decision could be best addressed through a national privacy standard. She said sensitive data risks include “internet searches about reproductive health care including abortions, menstrual tracking and other women’s health apps, and which medical facilities a woman has visited.”

Digital Advertising Alliance Launches Initial Certification Process for Addressable Media Identifiers

The Digital Advertising Alliance (DAA) announced the launch of its initial certification process for providers of Addressable Media Identifiers (AMIs). AMIs are used to enable relevant advertising, optimized outcomes, measurement tools, and other important functionality with new privacy safeguards for the ad-supported digital content and services enjoyed by millions of consumers worldwide.  “Over more than a decade, the DAA has built the advertising industry’s leading independent self-regulatory platform for interest-based advertising, and the AMI certification process is the logical next step for our efforts,” said Lou Mastria, CIPP/US, executive director of the DAA. “The DAA has continuously adapted our industry guidelines and consumer tools to keep pace with new technologies and industry changes, and we are proud to continue to evolve our program with important new cross industry privacy safeguards including prohibited data uses.”

UK announces data protection reform

The U.K. government announced in the Queen’s Speech its intentions to reform the country’s data protection regime, Euractiv reports. The speech did not include specific details regarding the extent of the reform, but those are expected in the weeks to come. The changes may affect EU-U.K. adequacy, as Centre for European Reform Senior Research Fellow Zach Meyers said the U.K. “was repeatedly found to have breached” EU data protection standards previously with its national security practices and further divergence may lead the European Commission to a withdrawal.

Privacy Legislation

California: The California Privacy Protection Agency (CPPA) heard public comments from approximately 100 stakeholders in a series of virtual sessions held from May 4-6. A brief summary of FPF’s presentations to the CPPA on the topics of automated-decision making, data minimization, and opt-out preference signals can be found here. The Agency heard from various representatives of industry and civil society, with commentary largely matching responses to the September 2021 request for comments. Alastair Mactaggart, proponent of the CPRA ballot initiative, spoke to reiterate his argument that the plain language of the CPRA requires that businesses recognize opt-out signals like the Global Privacy Control.

Connecticut: On Tuesday, May 10, Governor Lamont signed SB 6, An Act Concerning Personal Data Privacy and Online Monitoring, into law. The majority of this comprehensive privacy legislation will take effect on July 1, 2023. FPF’s summary memo on the bill is available in our member portal here.

Florida: Florida’s special session is scheduled to run from May 23 to May 27. While the only formally announced topic for the special session is property insurance, rumors have circulated that data privacy may be added to the agenda. As a reminder, HB 9 passed the state House in early March (CCPA-style + graduated PRA).

Louisiana: The ‘Louisiana Consumer Privacy Act’ (HB 987) introduced by Rep. Daryl Deshotel (R) received a hearing in the House Commerce Committee on Monday, May 9. While the bill initially closely followed the Utah Consumer Privacy Law, the Committee adopted amendments offered by Deshotel to add correction rights, expand deletion rights, create risk assessment requirements, remove all carveouts for pseudonymous data, and expand responsibilities for biometric data. The Commerce Committee advanced the bill without objection.

Then, on May 11, HB 987 received an unexpected hearing in the House and Governmental Affairs Committee (the late amendment to include risk assessment requirements included the standard public records exemption, and all Louisiana bills that touch on public records must go through House and Governmental Affairs). Chair Stefanski (R) shared that he had heard concerns about the legislation and that action on HB 987 would be deferred until the Committee’s next hearing, Tuesday, May 17th.

Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mercuri (R) with 23 Republican and 7 Democratic cosponsors, has been scheduled for a hearing in the House Consumer Affairs Committee on May 25. This is a fairly unique bill containing elements of both the CCPA and CPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals. The Pennsylvania legislative session adjourns on November 30.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

  • Privacy Law Update
  • Regulations

Connecticut Passes the Next U.S. State Comprehensive Data Privacy Bill

On May 10, 2022, Governor Ned Lamont signed the Connecticut Data Privacy Act (CTDPA). Connecticut became the fifth state to pass a consumer privacy law. The CTDPA is similar to Colorado, Virginia, and Utah’s privacy legislation.

Effective Date: July 1, 2023

Applicability: CTDPA applies to:

  • Individuals and entities doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents; AND
  • That in the preceding year, controlled or processed the personal data of at least
    • 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or
    • 25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data

Exemptions: CTDPA does not apply to:

  • State and local government entities
  • Nonprofits
  • Higher education
  • Financial institutions subject to the GLBA
  • Covered entities, business associates, and protected health information under HIPAA
  • Information regulated by FCRA
  • Personal data regulated by the FERPA

Consumer Rights: Consumers are defined as Connecticut residents who are not acting in a commercial or employment context (employees).

  • Rights may be exercised directly or through an authorized agent
  • Information must be provided to the consumer free of charge, once per 12-month period

Consumers have the following rights:

  1. Know if a controller is processing their personal data
  2. Access to their personal data
  3. Correction
  4. Deletion
  5. Portability
  6. Opt out of the processing of personal data for sale, targeted advertising, or profiling.
    • Consumers may opt out through an opt-out preference signal such as Global Privacy Control.
    • This is optional until January 1, 2025, when it becomes mandatory
  7. To appeal when their consumer requests are denied.

Sale of Data: Sale is defined as “the exchange of personal data for monetary or other valuable consideration.”

Assessments: Impact assessments are required when a controller’s processing activities present a heightened risk of harm to a consumer including:

  • Targeted advertising
  • Profiling
  • Sale of personal data
  • Sensitive data

Consent: Consent is required for the following:

  • Processing of sensitive data
  • For those under 16 years of age
    • The sale of data
    • Targeted advertising
  • Secondary use of data

Dark Patterns: CTDPA prohibits dark patterns. Dark patterns are manipulative decision-making or choice techniques that falsely influence consumer choices.

Controller Obligations: Controllers are required to:

  • Practice data minimization
  • Only process personal data for necessary purposes or for the purposes to which the consumer consented
  • Have reasonable administrative, technical, and physical data security practices
  • Provide a mechanism for consumers to revoke consent that is at least as easy as the mechanism for providing consent
  • Provide a reasonably accessible, clear and meaningful privacy notice

Privacy Notices: Controllers must provide consumers with a privacy notice with the following information:

  • Categories of personal data processed
  • Purposes for which the categories are processed
  • Categories of personal data shared with third parties
  • Categories of third parties the controller shares personal data with
  • An active email address or online mechanism for the consumer to contact the controller
  • How to exercise rights

Enforcement: The Attorney General has exclusive authority to enforce violations

  • No private right of action
  • Cure period – 60 days
    • This will be optional beginning July 1, 2023, and until December 31, 2024
    • Will be mandatory January 1, 2025

Exploratory Task Force: CTDPA requires the Connecticut General Assembly’s General Law Committee to establish a task force to provide additional recommendations on important privacy-related issues. A report of its findings and recommendations must be presented by January 1, 2023. Recommendations will consider the following topics:

  • Healthcare
  • Algorithmic decision-making
  • Children’s privacy

 

What should you do to get ready for this new law?

While Connecticut may be the next state to enact a data privacy law, it won’t be the last. Complying with this law will in many ways be consistent with what you are doing in California, Virginia, Utah, and Colorado.

If you’ve mapped to those requirements, you’re pointed in the right direction to comply with CTDPA. There is, however, still work to be done, including updating your policies, vendor agreements and subject request mechanisms.

WireWheel offers a complete solution to help manage the requirements of CTDPA, including a solution to fulfill employee DSARs, an integration with Microsoft Priva, and connectors to over 500 systems, including HR systems such as Workday and Oracle. Contact us to learn more.

  • Privacy

Risks and Challenges of Data Privacy Program Management

As the world slides farther into a fully-digital landscape, consumers want to know how the companies they interact with handle their data. Names, addresses, financial data, and other sensitive information should be handled carefully in order to protect consumers. Data privacy programs can help regulate access and give consumers more control of the data they submit.

The results of a recent survey drive home the need for data privacy programs:

  • 47% of respondents were troubled by the prospect of their information falling victim to cyber-criminals.
  • 40% were uncomfortable with their information being sold and used without their permission.
  • 31% had no idea what companies do with all the information they collect.

Erasing consumers’ worries, giving them control over their data, and having transparent policies are key reasons why companies should initiate data privacy programs.

Organizations looking to build out privacy programs may run into a few obstacles at the outset. Common barriers to successful privacy program implementation include recruiting the right professionals in addition to organizational resource constraints. Unqualified professionals and limited resources can expose organizations to financial and legal penalties, reputational damage, preventable errors, and a false sense of security.

Financial & Legal Consequences

Financial and legal consequences are two widely known risks of mismanaged privacy programs. The 2021 Annual Privacy Governance Report published by the International Association of Privacy Professionals and EY found that a company’s average privacy budget is $350,000. Depending on the size of the company, this figure can send a budget out of control.

Consider what toll a data breach would exact. In 2021, compromised companies spent just over $4 million for each incident. While the primary goal of an effective data privacy program is to achieve legal compliance with applicable regulations, it’s hard to ignore the financial risks that come from non-compliance (i.e., legal fees, fines, settlements, public relations, etc).

Organizations must be prepared to meet and report on the requirements for compliance in order to reduce their financial and legal risks.

Reputational Damage

In addition to financial and legal ramifications, privacy program mismanagement can also lead to reputational damage.

When mishaps occur, the manner, speed and efficacy with which a team handles the crisis have a large impact. In addition to coming across as irresponsible for an initial mishap, a team that is unable to respond effectively can appear not to care for its customers’ best interests. In an effort to combat negative sentiment surrounding a brand after a privacy mishap, organizations often have to resort to costly PR campaigns as a means of damage control.

Reputational damage can place companies with the greatest products and services at critical risk since consumers are just not willing to provide personal information to an organization that can’t be trusted. It is important for organizations to understand compliance requirements to avoid the brand damage that can stem from mismanaged privacy programs.

Manual Error & Oversight

Data privacy compliance can be intimidating for those not familiar with all of the work that goes into it. Without privacy automation processes set in place, organizations risk making manual errors. Even practiced experts, tasked with managing programs by themselves, might struggle to effectively keep up with the rigors of the job. Maintaining an entire program that is consistently compliant across numerous areas, each with different regulations, is a tremendous undertaking.

With so much data being collected and transferred between systems, it becomes unscalable to track varying data flows without the support of technology and automation. For an effective privacy program, it is critical to understand the type(s) of data being stored, how it is classified, the policies that govern the data, the location of that data, and who has access to it. Automating some of this work can help to lower the risk of human error and further prevent oversight that may stem from teams that are spread too thin.

False Sense of Security

Another privacy management risk is a false sense of security. Being able to objectively assess the current situation that your privacy program is facing is a difficult task, even for seasoned privacy professionals.

For this reason, it’s valuable to have a fresh set of eyes to provide additional perspective and support for privacy program health. This is even more important when a team lacks the expertise of more senior privacy experts that know what to look for and how to read between the lines in a scenario that might appear normal to a novice privacy team.

Reduce Privacy Risk & Overcome Challenges

Managing your own data privacy program doesn’t have to be burdensome. Managed data privacy services are a great solution for organizations that may not have the resources available to manage a full end-to-end privacy program in-house. Having an additional resource with subject matter expertise can make the difference between sustained operations and multi-million dollar lawsuits and settlements.

 

  • Privacy Law Update

Privacy Law Update: May 2, 2022



Newsworthy Updates

Connecticut Senate Passes Comprehensive Privacy Bill

The Connecticut Senate voted 35-0 to advance Senate Bill 6, an act concerning personal data privacy and online monitoring, to the House. The bill features provisions for “dark patterns,” recognition of global opt-out mechanisms, explicit children’s privacy measures, a right to cure that sunsets, and a July 1, 2023, effective date. A strike-all was adopted in the final Senate vote that moved the coverage threshold up to companies holding data on more than 100,000 users and a clarified definition for biometric data. The House will move right to floor consideration once the bill is transmitted.

Congress Pushing Forward With Federal Privacy Law Talks

The Wall Street Journal reports on a bipartisan appetite within the U.S. Congress to take action on federal privacy legislation. Talks among key U.S. Senate and House committees are reportedly finding more areas of compromise toward guardrails for collection, storage and use of consumers’ personal information. Discussions around preemption are fluid and include perspectives from TechNet, a Big Tech lobby group working with Congressional leaders and previously lobbying at the state-level for laws modeled after Utah and Virginia’s privacy laws. “The engines are revving on this in a way they haven’t in a long time,” TechNet Senior Vice President Carl Holshouser said.

Political Agreement Reached On Digital Services Act

EU institutions announced a political agreement on the final text for the Digital Services Act. The legislation includes provisions for various prohibitions on targeted advertising, specifically, the targeting of minors and ads based on sensitive personal data. European Commissioner for the Internal Market Thierry Breton said the DSA shows “the time of big online platforms behaving like they are ‘too big to care’ is coming to an end,” while European Commission President Ursula von der Leyen said the regulation “will upgrade the ground-rules for all online services in the EU.” The DSA will immediately take force once adopted but applies to platforms 15 months after its entry.

Sneaking into the Data Business

One of the benefits of GDPR and similar U.S. state privacy laws is that many companies are forced, cajoled, or encouraged to ask permission before capturing, analyzing, repackaging and selling the information they gather about you. Apps delivered under the new laws call attention to behind-the-scenes data activities, when past versions would have quietly hidden the evidence. So now we are more likely to see when a website grabs our personal information and to decide whether we like it. Score one for transparency.

US Commerce Dept. Announces ‘Historic’ Global CBPR Forum for Data Transfers

Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement involving the other side of the North American continent aims to help mitigate some global complexity and promote data flows with privacy protections. 

Calling it “a historic moment for international cooperation in the digital sector,” U.S. Department of Commerce Secretary Gina Raimondo announced Thursday the creation of the Global Cross-Border Privacy Rules Forum along with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei.

Customer Experience And Data Privacy Need To Go Hand-In-Hand

Consumers are burnt and disenchanted with privacy in the 21st-century digital world that has seen endless data breaches, spats about cookies and walled approaches, the pandemic and nonstop disinformation. They’re fed up with tech companies, advertisers and marketers that use their data however and wherever they like. It’s a tenuous relationship at best and their inaction only fuels consumers’ demands for accountability, transparency and change.

United States and 60 Global Partners Launch Declaration for the Future of the Internet

The Internet has been revolutionary. It provides unprecedented opportunities for people around the world to connect and to express themselves, and continues to transform the global economy, enabling economic opportunities for billions of people. Yet it has also created serious policy challenges. Globally, we are witnessing a trend of rising digital authoritarianism where some states act to repress freedom of expression, censor independent news sites, interfere with elections, promote disinformation, and deny their citizens other human rights. At the same time, millions of people still face barriers to access and cybersecurity risks and threats undermine the trust and reliability of networks.

Privacy Legislation

California: The California Privacy Protection Agency’s pre-rulemaking public stakeholder sessions have been scheduled for May 4-6 via Zoom. The CPPA reports that 140 stakeholders have registered and will have 7 minutes each to speak. FPF team members will present on consumer opt-out rights; automated decisionmaking; and data minimization.

We continue to track a series of privacy bills in California, some of which would amend the CPRA directly and others that would create new obligations for regulated entities. A non-comprehensive list of recent legislative activity on significant bills follows:

  • AB 2273 filed by Reps Wicks (D) and Cunningham (R) would establish an ‘Age-Appropriate Design Code’ requiring services likely to be accessed by children (under 18 years old) to establish the age of consumers with a level of certainty appropriate to risks and to implement default limits on profiling, collection & use, ‘dark patterns,’ etc. This week the bill was significantly amended, including removal of the “best interests of the child” standard from its operative text (covered in detail by Amelia Vance here). The bill previously passed the Privacy & Consumer Protection Committee by a 9-0 vote on April 19.
  • SB 1189 filed by Senator Wieckowski (D) would impose new BIPA-style requirements on biometric data (with a 1 year retention schedule and statutory damages capped at $1,000 per day). On April 5 the bill passed the Senate Judiciary Committee by a 7-2 vote. On April 25 it was heard in the Senate Appropriations Committee and advanced to the Suspense File.
  • SB 1276 filed by Sen. Durazo (D) would provide that “shared mobility service data” is not covered by CalECPA and would authorize government agencies to require that providers of shared mobility services turn over vehicle and trip data. The bill sponsor removed the bill from the agenda of a committee hearing scheduled for Tuesday, April 26.

Connecticut: On Thursday 4/28, SB 6, an Act Concerning Personal Data Privacy and Online Monitoring, passed the Connecticut State House by a 144-5 vote. The bill will now travel to Governor Lamont for his signature, which would make Connecticut the fifth U.S. state to enact comprehensive privacy legislation. The bill is closely based on the Colorado Privacy Act.

Florida: There are increasing indications that Florida may take up privacy legislation in a special session, though no formal announcement has yet occurred. It is unclear what legislative approach to privacy a special session may take, though as a reminder, HB 9 passed the state House in early March (CCPA-style + limited PRA).

Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mercuri (R) with 23 Republican and 7 Democratic cosponsors, has been scheduled for a hearing in the House Consumer Affairs Committee on May 25. This is a fairly unique bill containing elements of both the CCPA and VCDPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals.

  • Privacy

Benefits of Managed Privacy Services

Consumers want to do business with organizations and companies they trust. With data privacy being a prevalent subject in the global news sphere, people worry about who has their information and how it can be exploited.

One way companies can alleviate their customers’ concerns is to form and implement programs that ensure compliance with consumer expectations and data privacy legislation. Fortunately, more organizations are increasing their data privacy practices to gain consumer trust. The 2021 Annual Privacy Governance Report published by the International Association of Privacy Professionals and EY found that 45% of surveyed organizations plan to hire one or two privacy professionals.

Taking action now can prevent future breaches, increase compliance, and enhance brand reputation. However, not every organization has the resources to start, update, or maintain its data privacy programs. It takes time, training, and competence to plan and execute a program. Some businesses forgo securing their customers’ information to keep their profit margins within reach. This risky practice can backfire.

Managed privacy services like the ones offered by WireWheel are designed to support struggling programs. Companies initiating or already running routine operations can come to appreciate the benefits of managed privacy services.

 

What Are Managed Privacy Services?

Managed privacy services streamline and optimize data privacy programs. They are cost-effective options that can replace or support untrained staff. The best services also keep organizations compliant with new and changing regulations.

Removing uncertainty and increasing efficiency can facilitate the running of privacy programs, no matter how robust they are. Companies that do not have to focus on managing their programs can instead spend their time improving their businesses in other ways.

 

What Are Some Challenges of Data Privacy Programs?

When data privacy programs are running at peak efficiency, companies can rest easy knowing their customers’ information is securely being used for the intended and approved purposes under which it was collected.

 

What would create a weak data privacy program?

Limited resources

Time and money are two of the most valuable commodities. Companies usually do not want to waste either – if they can spare them in the first place. Prioritizing other aspects of business over data privacy because of expenses can doom a program.

Employing experts takes time and costs money. Setting up a suitable infrastructure requires a notable investment. It is critical that organizations dedicate the resources necessary to develop a sound privacy program. Taking shortcuts due to limited resources might result in a lackluster program that can do more harm than good.

Evolving regulations

Data privacy has grown to be a major concern in recent years. Governmental entities have been forced to catch up with technology. As they scramble to set guidelines that give consumers better control of their private data, new regulations are continuously being planned and enacted. Current ones sometimes see changes. For a data privacy program to successfully function, constant compliance is mandatory.

Many companies cannot keep up with all of the changes, while some do not even try. Without assistance, these organizations fall further behind and take a back seat to competitors that have employed managed privacy services.

Insufficient expertise

Privacy professionals must help ensure that companies collect only the personal data that they need for the disclosed and specific purpose. They have to help manage and categorize the data for its intended collection, use, and deletion at the end of its life cycle. Doing this minimizes your exposure should there be a breach. They need to know how to ask the right questions without

 

What Are Some Benefits of Managed Privacy Services?

Privacy programs in any stage of operation can benefit from a managed solution. By offloading the bulk of the heavy lifting and complex operations that come with running an effective privacy program, organizations can reduce the number of hassles they deal with every day. They don’t have to stress about high overhead and tarnished reputations.

What are some major benefits of managed privacy services?

Low impact on resources

Companies don’t have to hire more staff and pay to train them if they supplement their privacy program with outside resources. Building your own data privacy program is ideal if you want the largest amount of control and oversight of your privacy operations, but getting there can take a lot of time and resources. The benefit of managed privacy services comes with adopting an already-built framework with processes that have been optimized, along with the expertise of a team to ensure that your privacy program is on track.

Access to experts

Experts with years of experience can support a program better than a team put together at the last second at a cut-rate price. Experience can be just as valuable as time and money. Companies can be confident their programs are in capable hands if they use technology that is backed by privacy authorities.

Quicker compliance

Technology and expert advice can accelerate compliance. Companies can automate their compliance using configurable tools. Leveraging automation can not only cut time but also reduce risk, since the technology is strengthened by industry expertise.

Adaptability

Another advantage of leveraging a platform to meet privacy challenges is that it will most likely not require an overhaul of existing processes. Choosing a service that supplements what is already in place can make a noticeable difference and eliminate the fear of something new taking over.

Excellent customer privacy experiences

Any organization that fulfills consumer data requests, collects consent preferences, and displays privacy notices should do so clearly and promptly. Consumers can feel better knowing the company they’re doing business with cares about their needs.

 

Are Managed Privacy Services Worth the Investment?

A complete solution like WireWheel’s Managed Services can run a privacy program efficiently and effectively. Companies of any size can automate and scale privacy to stay up-to-date with modern standards and demands.