Global companies are increasingly concerned with ensuring the privacy and security of the information they hold. Complying with international privacy regulations and frameworks is important not only to avoid fines, but also to build trust with customers, mitigate risk, and protect the company’s reputation. One way that companies can demonstrate compliance is by adhering to a recognized international privacy framework, such as the Asia-Pacific Economic Cooperation (APEC) framework, as demonstrated by the APEC Privacy Recognition for Processors (PRP) certification.
Like the APEC Cross Border Privacy Rules (CBPR) system (which applies to data controllers), the APEC PRP system is a voluntary, enforceable program for data processors, designed to ensure the continued free flow of personal information while maintaining meaningful protection for the privacy and security of that information. In 2018 the U.S. became the first formal participant in the PRP system, with the Federal Trade Commission (FTC) serving as the first enforcement authority; more participants are expected to follow.
A significant portion of the world’s economy is based in the region represented by the Asia-Pacific Economic Cooperation (APEC). Companies acting as data processors in the Asia Pacific region can comply with the PRP program requirements in order to process personal data efficiently, securely, and safely while respecting data privacy. In addition, the PRP system enables businesses that operate as data processors to demonstrate their commitment to global privacy standards.
Two examples of companies that have achieved this certification are Workday and Envestnet | Yodlee.
Workday and Envestnet | Yodlee have worked with TrustArc to demonstrate compliance with the APEC PRP certification standards.
Barbara Cosgrove, Chief Privacy Officer at Workday said: “Maintaining the privacy and security of customers’ data in compliance with privacy laws is of critical importance to our business. By partnering with TrustArc to achieve the APEC CBPR and APEC PRP certifications, we’ve been able to further demonstrate our commitment to privacy and qualifications to process data in compliance with the APEC privacy framework.”
“Envestnet | Yodlee wanted a way to demonstrate the rigor of our privacy programs to our clients, prospects and the market. Security-focused certifications, like the APEC PRP, provide objective reliable evidence that Envestnet | Yodlee adheres to applicable privacy standards,” said Brian Costello, Chief Information Security Officer at Envestnet | Yodlee. “TrustArc is a trusted advisor for our entire global privacy program – we leverage their expertise for general certification as well as the APEC certifications.”
To prepare companies for an APEC PRP (and/or CBPR) Certification, TrustArc works in partnership with clients following a three-phase process leveraging a combination of in-house privacy experts and proven assessment methodology powered by the TrustArc Privacy Platform that accelerates and assists in documenting compliance.
- Phase I – A review of the company’s privacy practices against the APEC requirements and creation of a detailed privacy findings report.
- Phase II – A collaborative review of the findings, implementation of remediation recommendations, and documentation of action item resolution.
- Phase III – Certification activation of the TRUSTe APEC PRP (and/or CBPR) Privacy Seal and Dispute Resolution Services.
For more information about TrustArc privacy tools and solutions, click here.
The California Consumer Privacy Act (CCPA) will be effective January 1, 2020, but the 12-month “look back” requirement means that companies will need records of personal information collected dating back 12 months before January 1, 2020, which is January 1, 2019.
While January 2020 seems far away, creating and maintaining data inventories and flows beginning January 2019 to meet the “look back” requirement will take time. With less than two months to go, companies should secure a budget, develop a process, and evaluate tools to help implement the process.
The budget should take into account supplying your team with the resources necessary to address the requirements around access, accounting of disclosures, and transparency. For example, companies will have to identify any personal information previously collected by the business about the consumer, so the process should ensure that business processes that collect personal information are recorded in a data inventory. A company will need to be able to identify the type of personal information being collected; there are 11 categories enumerated in the CCPA, and the company would have to choose the one that most closely describes the personal information. The company will also need to know why it collected the personal information (the purpose), which categories of personal information were sold, and which categories were disclosed for a business purpose. Keeping up-to-date and detailed records will be key.
Having a process in place will make it easier to maintain up-to-date records of how your company uses and shares data. The process should involve stakeholders across the organization because building business process flows and a comprehensive data inventory will involve multiple departments.
Using tools to automate parts of the process can save an immense amount of time. Using a centralized, secure tool with reporting capabilities can save teams from having to manually enter and find data in spreadsheets, which can be very time consuming.
TrustArc offers three different options to help companies meet CCPA requirements.
The TrustArc CCPA Readiness Assessment is meant to help companies that are just beginning the journey toward CCPA compliance. The assessment, managed by an expert TrustArc Consultant and powered by the TrustArc Privacy Platform, includes a review against CCPA requirements, a detailed summary of gaps and remediation recommendations, and a prioritized, step-by-step implementation plan to achieve and maintain compliance.
For companies that have already developed a GDPR compliance program, the TrustArc GDPR to CCPA Readiness Assessment follows the same methodology as the CCPA Readiness Assessment, but helps companies to leverage existing processes and controls, while addressing the unique requirements of the CCPA.
The CCPA Implementation Package incorporates the TrustArc Platform to manage CCPA compliance requirements. The TrustArc Platform provides end-to-end privacy management through a series of integrated modules designed to address a wide range of privacy requirements, including CCPA, GDPR, HIPAA, and other global regulations.
To learn more about the California Consumer Privacy Act, read our solutions brief. To learn more about TrustArc California Consumer Privacy Act solutions, contact us today!
On November 8th in sunny San Jose, TrustArc was pleased to take part in the California Lawyers Association’s annual IP Institute. Speaking on a panel entitled GDPR: Lessons Learned from the Front Line, TrustArc shared tips and insights both for organizations still working towards GDPR compliance and for those seeking to take their privacy programs to the next level, including interoperability with other global privacy laws and frameworks.
Not lost in the discussion was the fact that many law firms, of all sizes, are likewise still addressing their own GDPR/privacy compliance, which is critical to their being viewed as trustworthy stewards of confidential client information.
During a discussion-based panel with lively audience questions, TrustArc Senior Counsel Darren Abernethy offered observations for companies and law firms based on TrustArc’s unique position in the privacy and data protection ecosystem, as a provider of privacy technology platform solutions, privacy consulting services, and certifications/verifications.
Some of the practical topics discussed included:
- Tips around successful internal data protection preparation strategies seen with TrustArc customers, from identifying privacy stakeholders to updating contracts.
- The criticality of thinking through all of an organization’s business process activities in order to map data flows and prepare GDPR Article 30 records of processing, while automating risk evaluations for possible Article 35 data protection impact assessments (DPIAs).
- Individual rights management issues, tips on setting up a program for data subject access requests (using centralized technology to do so), and verifications.
- Likely early GDPR enforcement issues from EU authorities, and how regulators around the world keep track more than ever of their counterparts’ privacy actions.
- How to manage records of consent across an organization, whether via webform, cookie consent or other methods, such as in the Internet of Things environment, and how consent records are increasingly important in mergers & acquisitions.
To learn more about how TrustArc can assist your company with technology solutions, consulting, privacy assurance programs, or the California Consumer Privacy Act contact TrustArc today for more information or to set up a demo.
Due to the high demand for our Privacy Workshop Series last year, we are holding the series again this year. In addition to our own privacy experts, we have joined forces with privacy experts from the Department of Commerce too!
The topics include: EU GDPR, EU – US Privacy Shield Framework, and California Consumer Privacy Act (CCPA). Specifically, the speakers dive into: Data Mapping, Records of Processing, DPIA / PIA Management, International Data Transfer, Individual Rights / Data Subjects Access Rights Management, Consent Management, and Compliance Reporting. The workshops are designed to help businesses achieve, demonstrate, and manage ongoing compliance for the EU GDPR and other regulations and frameworks, including Privacy Shield and CCPA.
The workshops are incredibly valuable, offered for free and provide informative guidance, peer discussions, and practical solutions on how to operationalize privacy program management, along with examples of how companies are using privacy technology tools to help automate compliance.
The Department of Commerce participants include:
- Michelle Sylvester-Jose – Acting Director, Global Data Policy, U.S. International Trade Administration
- Andrew Steele – Policy Advisor & Administrator, Privacy Shield Team, U.S. International Trade Administration
- Andres Lahiguera – International Trade Specialist, Privacy Shield Team, U.S. International Trade Administration
TrustArc Workshop Schedule
- Boston – November 7, 2018
- Washington, D.C. – November 8, 2018
- New York City – November 14, 2018
To sign up for one of these workshops, request a seat now!
On September 28, 2018 California Gov. Jerry Brown signed into law two companion bills that regulate cybersecurity standards for Internet of Things (IoT) devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”) require that manufacturers of connected devices sold in California outfit their products with “reasonable” security features by January 1, 2020, the same date the California Consumer Privacy Act will also take effect.
The Bills require a manufacturer of a connected device to “equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” The legislation goes on to offer examples of a “reasonable” security feature, such as making the pre-programmed passwords unique to each device manufactured and requiring a new means of authentication before access can be granted to the device for the first time.
Under the new law, “manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. A “contract with another person to manufacture” on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. The law therefore applies to the person who manufactures, or contracts with someone to manufacture, the connected device that is sold or offered for sale in California. For example, an electronics retailer such as Best Buy does not have an obligation to review or enforce compliance with the Bills.
According to Gartner, an estimated 20 billion devices will be online by 2020. As the first state or federal law to address IoT security, the California legislation will effectively become a standard for manufacturers of these devices. Currently, the IoT industry is largely self-regulated and governed by best practices as well as the Federal Trade Commission enforcement actions and guidance under its broad authority to police deceptive security practices.
As companies increasingly rely on data to drive business, it is key to incorporate Privacy by Design practices, international laws like the GDPR, and forthcoming domestic legislation into privacy programs. TrustArc has privacy expertise and powerful technology to help your company navigate this increasingly complex landscape – contact us to find out more.
On June 28, 2018, the California Consumer Privacy Act (CCPA) was unanimously passed. It is slated to go into effect January 1, 2020, and it is set to be the toughest privacy law in the United States. It broadly expands the rights of consumers and requires businesses within its wide scope to be significantly more transparent about how they collect, use, and disclose personal information. While it is a California law, a business outside of California must also comply if it conducts business with residents (natural persons) of California. (1)
As expected, it was recently updated to address some technical issues. After a two-month period of lobbying, SB 1121 includes 45 amendments which are intended to be technical edits to correct drafting errors while maintaining the substance of CCPA. Additional regulations are expected six months after CCPA’s effective date. We highlight a few of the amendments in SB 1121 here.
One of the amendments clarifies the definition of “Personal Information”, which is still broadly defined. SB 1121 amends the definition of Personal Information to read: “[Personal information includes the following] if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household…” With this change, the list of information that was automatically considered Personal Information has been clarified as potentially being Personal Information. Under the amended definition, information that can be used to potentially identify an individual or a household, such as an IP address, will now be considered Personal Information if it can be associated with an individual or household. (2)
Because CCPA is a new law, there are many questions about its requirements and its applicability in various situations. One common question TrustArc has received about CCPA relates to this definition of Personal Information. For example, our privacy experts have been asked whether public information is considered “Personal Information” pursuant to CCPA. Information that is publicly available, meaning it is lawfully made available to the general public from federal, state, or local government records, and that is used for a purpose compatible with the purpose for which the data is maintained, is exempted from the Act. “Publicly available” does not include consumer information that is de-identified or aggregate consumer information.
As shown in the above example of deciding what is personal information or not, having your privacy team up to speed on the law and its amendments is critical for complying by January 1, 2020.
Another amendment in SB 1121 defers the Attorney General’s deadline to draft and adopt the law’s implementing regulations from January 1, 2020, to July 1, 2020. The bill also delays the Attorney General’s ability to bring enforcement actions:
The Attorney General shall not bring an enforcement action under this title until six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.
As businesses review their plans for CCPA compliance and the impact of these amendments, they need to continue to move forward with those plans because the substance of CCPA is not expected to change. Similar to GDPR, the path to CCPA compliance requires businesses to have solid knowledge of:
- where their data sits,
- what data they have and
- what is then shared with third parties.
Data inventory and data mapping projects, policy updates, and shoring up third-party vendor management are all foundational compliance items companies need to be working on now. Using technology to manage these items in the ever-changing and complex world of Privacy and Data Governance needs to be a part of that compliance plan.
Team TrustArc is available to help you further review your CCPA readiness and walk you through how our award-winning technology solutions can help your business streamline and manage ongoing compliance with CCPA and other privacy regulations, such as the GDPR. To find out more information on options that meet your business needs, visit https://www.trustarc.com or call 1-888-878-7830.
(1) (c) “Business” means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds: (A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185. (B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices. (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information. (2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
(2) “Personal Information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The Act specifies that PI includes, but is not limited to: (i) identifiers, such as names, aliases, addresses, and IP addresses; (ii) characteristics of protected classifications under California or federal law; (iii) commercial information, including records of personal property, products or services purchased, or consuming histories or tendencies; (iv) biometric information; (v) Internet or other electronic network activity information, such as browsing history; (vi) geolocation data; (vii) audio, electronic, visual, thermal, olfactory, or similar information; (viii) professional or employment-related information; (ix) education information; and finally, (x) any inferences drawn from any of the information identified to create a profile about a consumer.