Any company that may store customer or client information needs to be aware of the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR), and a range of global data privacy regulations. Many organizations use these standards to institute strict data safety policies and adjust their technologies to prevent data theft and mismanagement.
The only way to keep up with the competition and avoid compliance issues is by understanding data management standards and how they impact your obligations regarding securing sensitive information. Whether your company uses social media paid advertising, search engine marketing (SEM), pay-per-click (PPC), or other strategies, chances are you’re collecting and storing customer information at some point.
This guide to CCPA, GDPR, and other global data privacy requirements can help you start strategizing ways to comply without negatively impacting your business.
What Are CCPA and GDPR?
CCPA is a law designed to strengthen data privacy by letting California consumers know what information a business can collect. GDPR is a European Union law consisting of mandatory rules that dictate how organizations and businesses use personal data.
The term “personal data,” which applies to CCPA, GDPR, and other global regulations, refers to any information that could identify a person. For example, it could include:
- Name
- Phone number
- Address
- Social Security number
- Interests
- Information about past purchases
- What they do online
- Health information
- Biometric data, such as fingerprint or iris scans
GDPR and other regulations govern how organizations and entities process data, which includes:
- Collecting
- Organizing
- Storing
- Using
- Erasing
- Destroying
- Disclosing
- Sharing
If an organization engages in any of these activities, it must do so according to the standards that apply to the part of the world where it operates. While there’s a lot of overlap when it comes to the data processing requirements of global standards and CCPA, CCPA focuses more on protecting the rights of customers when it comes to:
- The right to know which data businesses collect, where it comes from, how it’s being used, which third parties have access, and whether it’s sold to others.
- The right to delete personal data that a business has stored about the person.
- The right to opt out of selling or sharing their data.
- The right to correct incorrect data a business has about them.
- The right to limit the use and disclosure of sensitive personal data.
If your business deals with customers from California, you have to abide by CCPA’s requirements. By the same token, when dealing with international customers, you may have to follow a range of other regulations.
Now, let’s explore what these regulations stipulate.
How Do GDPR, CCPA, and Other International Standards Impact Companies?
International data privacy regulations make all companies legally liable for how they manage the data of residents in their jurisdiction. Even a company that does not itself collect the data of covered residents can face substantial fines if it mismanages such data entrusted to it by a company that does.
Therefore, paying attention to the following sections is important to ensure smooth, compliant data management, no matter which countries you do business in.
Why Are CCPA and Other Data Privacy Standards Necessary?
These regulations are necessary because they clarify that people’s personal data belongs to them, and the organizations these citizens give it to have an obligation to protect it. In addition, these regulations obligate companies to safeguard data from thieves, hackers, and those who may use it for extortion.
In many ways, international data privacy regulations provide people with more than just privacy—they also enhance their safety. Hackers constantly pursue personal data because they can use it to defraud people and organizations, pretending to be someone else. They can also leverage your personal data to steal from your financial accounts or commit crimes while pretending to be you.
Because CCPA and other standards require companies to protect and safely manage data, they can reduce the chances of data thieves harming individuals who share their information with businesses.
What Do the Latest Global Data Privacy Standards Require Businesses to Do?
Here are some of the high-level objectives of major global data protection regulations so you can start looking at your data management through this critical lens. The high-level principles outlined below apply to the following standards, but other countries are likely to create similar standards:
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) of the United States
- Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada
- General Data Protection Law (LGPD) of Brazil
- Personal Data Protection Bill (PDPB) of India, which is still in draft form and was introduced to Parliament in August 2023
You Can Only Store Data When Necessary for Business Activities
Under the above regulations, you can store data if it’s absolutely necessary, but you can’t store it just in case you need it in the future.
For example, suppose you own an apartment building and sign an agreement with a catering service vendor. The contract may contain personal data such as the person’s name, business address, phone number, and tax ID number. You inform the individual that you’re storing their data, and they provide consent. Because you need this data to establish your contract with the individual, and they gave consent, this would be considered acceptable under major data protection standards.
However, let’s say you think you may want to rent an apartment to this individual in the future. To make it easier to perform a background check, you also want to ask them for their Social Security number. This could put you out of compliance because you don’t actually need their Social Security number to do business with them at that time.
People Have the Right to Know How You’re Processing Their Data
Whether you’re dealing with someone covered by CCPA or any other jurisdiction, if at any given moment they ask how you’re using their data, you have to inform them. They also have the right to prevent you from using their personal data at any time.
For example, let’s say you work for a bank, and the bank asked a loan applicant for their Social Security number so it could check their credit history. The bank decides to deny the application. If the person contacts you and asks you to delete their name and Social Security number, you must comply.
You Are Responsible for How Your Suppliers Manage the Data You Give Them Access To
CCPA, GDPR, and other international data privacy regulations also require that you obligate your vendors to follow protection laws when they handle data you entrust to them. This holds true whether or not the vendor is within the jurisdiction of the applicable law. For example, if you operate a company in India and share data with a company in China, both you and that company have to abide by India’s Personal Data Protection Bill (PDPB).
You Have to Report Data Breaches
If an unauthorized individual accesses, discloses, steals, or changes someone’s personal data, you have to report the incident. This applies even if the breach impacted one of your suppliers and that supplier has the personal data of some of your customers.
For example, let’s say you hire a company that does video production and over-the-top (OTT) advertising. They want to understand your target clients better, so you make a PowerPoint that outlines the personas you want to market to and share it with the ad company in a Teams meeting. However, the person who made the PowerPoint used real customer profiles instead of fictional ones.
You then hear that a ransomware attacker accessed all the computers connected to the ad company’s internal network and stole their data to extort a ransom payment. A quick phone call reveals that your customers’ data was also stolen.
In that case, you’d have to inform those customers of the incident and which data the attackers stole.
How Should New Global Data Standards Affect the Way You Manage Data?
To stay in line with international data standards, you must take a few precautions and set up some data processing policies and systems. In many cases, the technology needed to properly process data is relatively inexpensive and readily available.
Let Customers Know How You’re Collecting and Managing Their Data
By informing customers about the kind of data you collect, you ensure they know you follow international data security requirements. This is often done using a written data privacy notice.
Below is a list of topics you should include in your notice. By answering these questions and filling in the required information, you both align your policies with global data protection standards and foster a more trusting relationship with your customers:
- What data do we collect?
- How do we collect your data?
- How will we use your data?
- How do we store your data?
- Marketing
- What are your data protection rights?
- What are cookies?
- How do we use cookies?
- What types of cookies do we use?
- How to manage your cookies
- Privacy policies of other websites
- Changes to our privacy policy
- How to contact us
- How to contact the appropriate authorities
Put Systems in Place for Complying with Customer Data-Oriented Requests
If a customer objects to the collection of their data or changes their mind at a later date, you need to be able to respond to the request promptly. This requires a data management system that gives you the agility to quickly delete and update the information you collect.
For example, you may have a customer relationship management (CRM) system in place and give the staff who process data submitted through your website access to it. If a customer says they no longer want you to keep data they’ve already provided, one of those staff members can quickly go into the CRM and delete it.
In addition to having technological solutions for agile data management, you also have to ensure everyone on your team understands their responsibilities when managing customer information.
For example:
- Your sales team needs to understand what to do and how to deal with someone refusing to have their data stored.
- Your IT team needs to understand which data encryption technologies they need to use when establishing connections for remote employees.
- Whoever is responsible for reporting data breaches has to know who to contact, what triggers a mandated notice, and how to word these communications.
Establish Systems for Requiring Vendors to Conform to Data Protection Standards
A breach caused by a vendor, regardless of your jurisdiction, can have significant financial and reputational implications. If you haven’t done so already, you should set up a system to ensure all vendors understand their responsibilities regarding handling any data you share with them.
For example, under GDPR, you can have a vendor sign a data processing agreement (DPA) to ensure they understand their obligations.
In addition, you should reinforce to them that they must let you know if there’s a breach or if someone discloses data to someone who wasn’t authorized to receive it.
Maintain a Data Inventory
Your data inventory is important for keeping your data management system organized and fulfilling any potential audit requests related to how you process data.
Your inventory should contain the following information:
- The types of data you collect
- Who has access to the data
- How your organization uses the data
- How long you store data
- Who’s in charge of maintaining the integrity and security of the data
- The technologies you use to secure the data, such as firewalls or encryption
Analyze Your Data Risks
Your risks will vary depending on:
- The information you collect
- How you store it
- Ways you use it
- Your industry
- Likely attack vectors
- Vulnerabilities
By performing a risk assessment, you can identify weak points hackers could try to take advantage of and address them before you suffer a breach.
A risk analysis may also surface ways you can better safeguard data. For example, remote employees may need to connect via a virtual private network (VPN), which encrypts data while in transit, instead of sending information through unencrypted channels.
Start Aligning with International Data Protection Standards Today
By establishing a compliant data processing system, you build stronger relationships with customers and pave the way for doing business with a broader array of clients.
J&L Marketing adheres to a range of data privacy standards, which means any information you share is appropriately managed and protected. Whether you share data for display advertising, discovery advertising, or any of our digital ad services, you can rest assured that the information is safe and handled appropriately. To learn more about how our marketing services can give you a competitive edge, connect with us today.