Suddenly, the world came to an almost complete standstill. What few expected to happen in these modern times of continuous global travel and interconnectedness, did happen after all. COVID-19, or the Coronavirus, has caused governments to close national borders, issue ‘shelter at home’ warnings, and cancel public and private group gatherings and events. Many companies have adopted policies and remote work practices requiring or allowing their employees to work from home in situations where their responsibilities can be managed off-premise.
At TrustArc, we receive a lot of questions about the privacy implications of the COVID-19 pandemic. What are employers allowed to do to control the spread and mitigate the effects of the virus, and what additional data can they process about their employees? How do employers ensure good data protection and governance practices for employees working from home? In this blog, we address the most common challenges organizations currently face.
Health Data on the Work Floor
Even in times of crisis (perhaps particularly in times of crisis), the law still applies. This is the case for labour laws, for medical legislation, and also for privacy and data protection laws. Safeguards cannot just be thrown out of the window. That said, in many jurisdictions, the law permits organizations to process additional data to assist public health efforts by keeping employees safe and healthy, provided that certain safeguards and requirements are met.
Guidance from the Regulators
One frequently asked question by both governments and employers relates to the collection and use of medical data, like body temperature. Earlier this week, the Executive Committee of the Global Privacy Assembly (GPA), a worldwide consortium of privacy and data protection regulators, released a statement on this issue:
“We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic. The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing to fight COVID-19.”
The GPA also published a special webpage where guidance from national regulators and other authorities on how to deal with COVID-19 related data issues is posted. This guidance is not limited to specific regions or regulators but rather covers GPA members worldwide.
What Employers Should Know
Even though we recommend you review the specific guidance available for the country where your organization operates, there are a few general rules that can be deduced from the regulator guidance on COVID-19.
- A distinction needs to be made between data that governments can collect and use and data that private entities can collect and use and the permitted legal basis for each. Governments in general will have more room to maneuver when processing personal data in the public interest (e.g. to safeguard public health) or even to process personal data in the vital interest of an individual. Under the GDPR and various other laws, these are identified explicitly as grounds to process personal data. For private entities, collection and use of personal data in the public interest can also be possible, but there needs to be a clear, direct and demonstrable link with the public interest.
- When processing medical and other health data data, which includes noting if employees have been diagnosed as infected by or show symptoms of COVID-19, organizations should show restraint in only processing the minimum personal data necessary to carry out their obligations related to safety of the workforce, customers, and the public. In general, data protection and labour laws restrict the amount of detail on employee illnesses that can be registered by employers. When it is necessary and proportional (i.e. if there is no other option but to collect data on (suspicion of) COVID-19 infections in the workplace), as a best practice, data minimization and confidentiality must be respected. This means that as little information as possible should be collected and that this information should only be accessible to specific persons (not departments of groups) with a legitimate need to know it. For example, identifying victims of COVID-19 by name generally should not be allowed. Companies should also show restraint when processing data from visitors to its premises. There might be a good reason to measure the temperature of a visitor before allowing access, but that doesn’t mean the temperature reading or data related to whose temperature was read should be retained following the decision to provide access or not. In many jurisdictions, the processing of medical or other health data may require an organization to complete a privacy or data protection impact assessment and implement additional procedural safeguards and security controls.
- Whatever data is collected and used in the fight against COVID-19, organizations should be upfront and transparent about what data they process for which reasons. Under almost all data protection regulations around the world, the transparency requirement is a key principle. Information should be accessible, easy to understand and include the reasons why (additional) data needs to be processed.
Working from Home
For many organizations, the Coronavirus crisis is the first time they will allow large groups of employees to work from home. In addition to impacting IT resources, it also requires organizations to consider a renewed approach to their data use and data protection practices. Even for organizations where employees are used to working from home, it is advisable to review and, where relevant, revise policies and procedures to ensure that personal data will remain secure at all times. This review should also include an assessment of the organizational, physical and technical risks involved in working from home and accessing systems and data remotely and the security measures that may be advisable, such as using secure Wifi networks and company-authorized VPNs. Though there may not be an alternative to working from home, conducting a privacy or data protection impact assessment of the working from home processing may help identify the risks to the rights and freedoms of your employees, customers and business partners. It also allows you to identify mitigation steps that your workers at home can implement, like the implementation of certain technical and organizational measures.
We have created two top-10 lists with recommendations for both employers and employees on what to take into consideration when employees are working from home. Download the following tips:
Last week, the California AG’s office released proposed regulations implementing key provisions of the CCPA (”CCPA Regulations”). In the CCPA Regulations, the California Attorney General (AG) offered businesses clarifications–and, in some cases, new obligations–around consumers’ individual rights requests under the CCPA. In Issue 1, we provided an overview of the themes addressed by the regulations. In Issue 2, we gave a recap of the requirements related to Notices to Consumers. In Issue 3, we provided best practices for handling consumer requests . In today’s CCPA Week Issues, we address a range of topics such as training, metrics, verification and minors.
Among the proposed provisions of the CCPA Regulations are expanded requirements for training those individuals responsible for handling consumer inquiries regarding the business’s privacy practices or compliance with the CCPA. The CCPA Regulations expand the training scope from specific sections of the CCPA to all of the requirements of the CCPA and the CCPA Regulations. Additionally, businesses that buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 4,000,000 or more consumers must establish a training policy to govern the implementation of these training requirements.
Verification of Requests
CCPA, similar to GDPR, requires businesses to take steps to verify the identity of the consumer making the request to ensure the consumer is indeed the consumer that the data pertains to and to protect against unauthorized access. Notably, the CCPA Regulations do not extend the verification requirement to requests to opt-out of the sale of personal information.
The CCPA Regulations establish general rules for verification, as well as verification rules for three specific scenarios: where consumers have a password-protected account, where consumers are not account-holders, and where a consumer uses an authorized agent to submit a request.
Identity verification methods should be reasonable.Two primary approaches are provided: (1) match identity information with personal information already maintained by the business, or (2) use a third-party identity verification service. The proposed approach seeks to address concerns raised in recent months about the risks associated with responding to access requests by establishing six factors, such as the sensitivity of the data and the potential risk of harm to the consumer, for assessing the methodologies to use. Additionally, the rules establish purpose limitation and security controls to further mitigate the risks associated with verification and clarify that the requirements for providing access to or deleting personal information do not apply to de-identified information.
The approach for identity verification where the personal information is accessible via a password-protected account leverage established authentication approaches, such as user authentication to access the account, user re-authentication to delete personal information, and additional authentication checks where fraudulent or suspicious account activity is detected.
Using an Authorized Agent
The proposed rules address scenarios where one person may submit a request to know or a request delete on behalf of another person. Where the person making the request on behalf of a consumer has a power of attorney, those requirements will be honored. For other requests, an authorized agent may be appointed and the business may require evidence of written permission from the consumer granting the agent this status as well as verifying the consumer’s own identity.
Special Rules for Minors
There is ongoing recognition that information collected from minors requires special protections. CCPA is no exception. The United States put protections in place in 1998 by the passing of the Children’s Online Privacy Protection Act (COPPA) that requires verifiable parental consent prior to collecting personal information directly from children under age 13. The General Data Protection Regulation (GDPR) Article 8 requires parental consent prior to processing personal information collected from children. While COPPA focuses on collection and GDPR focuses on processing – CCPA requirements focus on the sale of children’s data and obtaining the appropriate opt-in consent from either the parent or the minor aged 13-16.
The CCPA Regulations provide specifications on how businesses should handle the two different groups of minors: those under 13 years of age and those 13-16 years of age.
Minors Under 13 Years of Age
In addition to meeting the applicable requirements under COPPA, the CCPA Regulations require additional steps beyond obtaining consent as required under COPPA to determine that the person authorizing the sale of the child’s personal information is the child’s parent or guardian. Measures for ensuring the person is the child’s parent or guardian include mechanisms similar to those allowed under COPPA for obtaining verifiable parental consent such as obtaining a signed consent form, using a credit card in conjunction with the transaction, communicating with trained personnel via a toll-free phone line or video conference, or verifying a government issued ID. General requirements relating to verification as described outlined in Article 4 of the CCPA Regulations apply. The business, upon receiving authorization from the parent, will inform the parent that they can opt-out of the sale of the child’s personal information at a later date and provide instructions for doing so. This is consistent with COPPA, giving the parent the right to withdraw consent to the collection and further use of the child’s information at any time.
Minors 13-16 Years of Age
If the business has actual knowledge it maintains personal information from children aged 13-16, then the business must establish, document, and implement a reasonable process for obtaining the minor’s opt-in consent for the sale of the minor’s personal information. The business must inform the minor that he or she may withdraw consent to the sale of their personal information at any time and include instructions for doing so.
Notices for Minors
To learn more, watch the webinar “Update Your CCPA Plan with Practical Insights into the Proposed Regulations, 2019 Amendments to the Law, and More.”
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.
Content publishers, media and other advertising-supported websites have already had to grapple with the privacy requirements put forth in the EU General Data Protection Regulation (GDPR). Similar regulations are also in force in a number of other countries in the Americas, Europe and Asia. In addition, at the start of 2020, publishers will have to comply with the California Consumer Privacy Act (CCPA). Still more privacy regulations are being advanced and debated in other U.S. states, and around the world. In fact, more than ten different U.S. states, including Massachusetts and Texas, are in the process of considering privacy laws along the lines of the CCPA. With these unfolding developments, it is increasingly critical that publishers understand and manage the risks associated with consumer data privacy.
The financial risks of non-compliance with these regulations are significant. For example, under the CCPA, businesses are subject to civil action by the California Attorney General’s Office and can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation, if not cured within 30 days of being given notice of such violation. The CCPA also provides a private right of action to California residents where their personal information is subject to unauthorized access, theft, or disclosure. In addition to financial penalties from a violation, the resulting negative publicity can also cost a publisher or media company through loss of consumer goodwill and brand trust, with an accompanying reduction in revenues and brand value.
In order to manage these risks and support your compliance efforts, the privacy experts at TrustArc recommend the following specific practices and TrustArc solutions. The solutions offer a broad range of configuration options to enable publishers to move forward with a comprehensive privacy compliance program that balances your risk profile with current and planned monetization strategies.
- Conduct privacy assessments (PIAs, DPIAs) and understand where and why your practices may not align with regulations so you can define remediation with Assessment Manager
- Build a data inventory and data flow maps with Data Flow Manager to help assess vulnerabilities and risks involving the flow of consumer data throughout your ecosystem
- Consent for tracking cookies – Use Cookie Consent Manager to gain consumer consent to collect and share data, which is a key provision in many data privacy regulations
- Self-Regulation via industry ad program – Become part of the digital advertising industry’s self regulation program AdChoices and manage users’ advertising preferences in both cookie and non-cookie environments with Ads Compliance Manager
- Manage individual rights to meet legally mandated requirements for data subject rights requests with Individual Rights Manager
- Independent certification helps ensure a publisher or media company has effectively addressed privacy concerns and advances brand credibility; learn more about TrustArc certifications
- Consent for direct marketing – Support requirements under GDPR and other regulations that mandate consumer consent to engage in direct marketing surveys, newsletters and other consumer communications with Marketing Consent Manager
To learn more read our new solutions brief Publishers and Privacy. This brief provides an overview of privacy laws and regulations – for example the California Consumer Privacy Act (CCPA) – and how they affect ad-supported websites and media companies along with recommended best practices and solutions to support your compliance and privacy risk management efforts.
To learn more about the TrustArc solutions, visit https://www.trustarc.com/products/.
TrustArc is proud to present the next Privacy Insight Series webinar “10 Steps to CCPA Compliance – Building and Implementing a CCPA Privacy Program” with WilmerHale Partner / Big Data Practice Co-Chair Reed Freeman and TrustArc Senior Privacy Consultant Janalyn Schreiber, CIPM, CISSP. This webinar will take place on Wednesday, April 17th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about the California Consumer Privacy Act (CCPA) – register today!
The CCPA is set to be the toughest privacy law in the United States and a trailblazer for future state and potentially federal legislation. The Act expands the rights of consumers and requires businesses falling within its scope to be significantly more transparent about how they collect, use, and disclose personal information. Any business in scope are required to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 deadline – which is less than 9 months away!.
This webinar will review:
- 10 step plan to reach CCPA compliance by the end of the year
- Key CCPA areas still under discussion and feedback from open forums
- How CCPA enforcement will work; private action and regulator enforcement
Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar! Click here for answers to the most commonly asked webinar related questions.
The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!
Learn more about TrustArc CCPA compliance solutions here.
The European Union’s (EU) General Data Protection Regulation (GDPR) has been occupying the minds of privacy professionals for the past two years and now attention is shifting to the California Consumer Privacy Act (CCPA). The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens.
To understand the readiness and plans for businesses to meet the January 1, 2020 deadline for the CCPA, Dimensional Research conducted this research among 250 US privacy professionals from Feb 15th – 27th, 2019. The online survey was fielded to IT and legal professionals at a fairly-evenly mixed target group of small (500 to 1,000 employees), mid-sized (1,000 to 5,000 employees) and large (over 5,000 employees) companies. Half the companies were subject to both the GDPR and CCPA, and the other half were only subject to the CCPA. A total of 250 executives, team managers and individual team contributors from companies in the financial services, technology, manufacturing, business services, energy and utilities, healthcare and other key industries completed the survey. All respondents were from the US.
Some sample questions we set out to answer with the survey were: Approximately how much of your GDPR program do you expect to leverage for CCPA? What areas will your company be investing in to prepare for CCPA? How much does your company expect to invest in CCPA-related privacy compliance expenses in 2019? How is the need for technology and tools used to manage data privacy changing at your company?
In part one of this 3 part blog post series, we will share highlights on the current state of CCPA compliance readiness:
Key Takeaway # 1: Only 14% of companies report being CCPA compliant
The CCPA was signed on June 28, 2018, is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020. It has many similarities to the GDPR, from its extraterritorial reach to its expansive rights for individuals, and will impact tens of thousands of businesses worldwide that have customers or employees located in California.
Businesses that have prepared to comply with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start. But, under the CCPA, all companies in scope will need to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 effective date.
Of the 250 survey respondents, 50% were impacted by both the GDPR and CCPA, and 50% were impacted by only the CCPA. Results showed that 21% of respondents that have worked on GDPR compliance are ready for CCPA. However, out of the companies that haven’t worked with GDPR, only 6% are ready for CCPA. The overall compliance rate is currently 14%.
Download the full report here.
TrustArc has a comprehensive set of privacy management solutions to help you manage your data privacy management program. We have solutions to help you with all phases of CCPA and GDPR compliance. We can help you build a plan and processes; implement controls and tools; and manage and demonstrate ongoing compliance. Solutions include the TrustArc platform and consulting services. To learn more about TrustArc solutions can help your company prepare for the CCPA, request a demo today!
In a special webinar event, TrustArc Senior Privacy Consultant Ralph O’Brien presented “Current State of Brexit and Data Protection Impact.” This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
The impact of a potential “Brexit” will play an important role on the data protection strategy of many companies and a lot will depend on what is decided in the next few days and weeks. This is why understanding the current state of Brexit is so critical right now.
You will learn in this on-demand webinar:
- What is the current state of play between the UK and EU?
- What are the options for Brexit resolution
- “No deal” Brexit
- “UK PMs deal” Brexit
- Other options
- The Data Protection Act (DPA) 2018 and its relationship with GDPR
- What are the consequences of Brexit for the ICO?
- What are the consequences of Brexit for business?
- What impacts will there be on international data transfers?
- What are the steps to take now?
If you want to understand better what the current state of Brexit is and what its implications to data protection are, watch this webinar today!
The TrustArc privacy consulting team has decades of combined compliance experience in the European market and can help you assess your situation and develop a Brexit action plan along with the supporting processes. Request a consultation today!