New TrustArc Survey Data Shows Nearly One-Third of Organizations Are Just Starting CCPA Planning

TrustArc has announced the results of its “Global Privacy Benchmark” survey on how organizations are protecting and leveraging data, their most valuable asset. One of the most extensive surveys ever conducted on data privacy, it polled more than 1,500 respondents from around the world at all levels of the organization. Survey results examined a wide range of topics, such as organizational commitment to privacy, the measures and investments companies are making to embed privacy, and company readiness for looming privacy regulations, such as CCPA and its July 1 enforcement date.

“There are more than 900 global privacy laws to which organizations must adhere, making privacy management an ongoing and dynamic challenge,” said Chris Babel, CEO, TrustArc. “The TrustArc survey highlights just how difficult it can be to comply with even a single new regulation, such as CCPA, let alone the entire list of existing laws. The results also show how the COVID-19 pandemic and its attendant technologies, such as video conferencing, have exacerbated an already difficult privacy challenge and forced respondents to rethink their approaches.”

CCPA Compliance Readiness Mostly Lacking; Prior GDPR Preparedness a Boost

Nearly one-third of survey respondents (29%) say they have just started planning for CCPA. 

  • More than 20% of respondents report they are either somewhat unlikely to be, very unlikely to be, or don't know if they will be fully compliant with CCPA on July 1.
  • Just 14% of respondents are done with CCPA compliance. Nine percent have not started with CCPA compliance, and 15% have a plan but have not started implementation. 
  • Of respondents who reported as being slightly or very knowledgeable about CCPA and GDPR regulations, 82% are leveraging at least some of the work they did for GDPR in implementing CCPA requirements. 

Privacy Professionals Still Use Inefficient Technologies for Compliance Programs

Though 90% of respondents agree or strongly agree that they are “mindful of privacy as a business,” many privacy professionals are left building privacy programs without automation. 

  • 19% of respondents report they are most deficient in automating privacy processes. 
  • Just 17% of all respondents have implemented privacy management software, which matches the 17% who are still using spreadsheets and word processors. 
  • In addition, 19% are using open source/free software and 9% are doing nothing. 
  • Even in the U.S., which boasts the highest rate of privacy management software adoption, just 22% of respondents use privacy management software as their primary compliance software. 

Respondents understand the importance of data privacy and continue to invest in ongoing privacy programs. However, many are still attempting to implement these programs using manual processes and technologies that do not offer automation. Moving forward, the companies that can leverage automation to simplify data privacy can protect their most valuable asset—data—and use it to drive business growth.

Pandemic, New Technologies Present Additional Challenges to Compliance

With the move to all-remote workforces, companies are increasingly turning to technologies, such as video conferencing and collaboration tools. These tools present new avenues for data creation that privacy professionals must consider in their company-wide plans. 

  • Twenty-two percent of respondents said personal device security during the pandemic has added a great deal of risk to their businesses. “Personal device security” received the highest proportion of “a great deal of risk” responses, compared to the other four response options. 
  • A majority of respondents said that third-party data, supply chain, personal-device security, unintentional data sharing, and required or voluntary data sharing for public health purposes all added at least a moderate amount of risk to their businesses.
  • Seventy percent of respondents say video conferencing tools have required a moderate or great change to their privacy approach, and 65% of respondents say collaboration tools have required a moderate or great change to privacy approaches.

Despite Financial Impact of Pandemic, Privacy Compliance Remains a High Priority 

Though many respondents expect a significant decrease in their company’s revenues as a result of the COVID-19 pandemic, they are still prioritizing privacy-related investments.

  • Forty-four percent of companies expect a decrease or steep decrease in overall company revenues for the balance of 2020 as a result of COVID-19.
  • Just 15% of respondents report they plan to spend less or a great deal less on privacy efforts in 2020 as a result of the pandemic.
  • Nearly half (42%) of respondents plan to spend $500,000 or more in 2020 on CCPA efforts alone.

Boards of Directors Actively Involved in Privacy Management

The mandate for increased privacy investments is coming from the very top of organizations.

  • Eighty-three percent of respondents indicate their board of directors regularly reviews privacy approaches.
  • An impressive 86% of respondents say that everyone from the board of directors to the front-line staff knows their role in protecting privacy.
  • Four out of five respondents view privacy as a key differentiator for their company.

To download the entire report, click here.


COVID-19 Privacy Resources

The global pandemic caused by COVID-19 has affected most companies and for many requires operational changes in order to move forward. In light of the uncertainty, TrustArc has provided access to the latest guidance and other helpful information to assist companies as they plan to reopen.

COVID-19: Privacy Risks & Considerations eBook

As the conversation shifts from how to create a remote workforce to how to reopen the physical office, this eBook provides privacy risk guidance for businesses during the COVID-19 pandemic. Download the free eBook here.

Comparison Chart

The COVID-19 Comparison provides summarized analysis from 100 regulators on the following topics:

  • Whether certain legal exceptions apply, such as for public health, healthcare, public interests, or vital interests;
  • What can be collected from employees and visitors;
  • Requirements related to disclosure of confirmed cases; and
  • Processing of location data

Download the Comparison Chart here.

Regional Maps

TrustArc has developed regional maps showing regulators' guidance on returning to work after COVID-19. Download the PDFs: United States, Canada, European Union & United Kingdom 

TrustArc Blog 

  • Providing guidance for employers navigating privacy and security issues; and
  • Discussing the privacy implications of new mobile technologies tracking individuals to prevent the virus’ spread.

Serious Privacy Podcast 

Serious Privacy podcast discusses COVID-19’s impact on privacy in the following episodes: COVID-19 Part 1, COVID-19 Part 2, Tech Talk: Innovation during COVID-19, Privacy on the Front Lines: A View from LA, and Returning to Work.

Privacy Insight Series Webinar

Watch our on-demand COVID-19 webinar to learn how employers can ensure good data protection and governance practices in these special times.


Serious Privacy Podcast – Wildly Successful: An Unexpected Career in Privacy


Describe your perfect privacy career. Do the words “vibrant,” “brilliant,” and “high energy” come to mind?  Back when we still had privacy conferences and trade shows, you could sometimes meet someone that was so vibrant, so enthusiastic and so interesting, they would make the whole event. Emerald de Leeuw, Privacy Lead in EMEA for Logitech is that kind of person. She is a fellow Dutchie to Paul and calls Ireland her home. She is an entrepreneur with a brilliant privacy mind, but allegedly also serves up a mean cocktail.

We speak about building out a career in privacy, being underestimated and staying sane while working hard. We also talk about the challenges that a woman in privacy and tech faces, whether at the beginning of her career, or even when she is established and successful. Being underestimated is just one of those challenges. Emerald also opens up about her career champions and the importance of being authentic as a professional. Listen to this week’s episode on our website or stream the episode below.

The California Privacy Rights Act of 2020


Background

Alastair Mactaggart, the driver behind the current California Consumer Privacy Act (CCPA) in 2018, published a new version of a consumer privacy act in September 2019. Since then, it has been modified and is being submitted to California county governments for inclusion on the California ballot. California Elections Code, Article 3, Section 9035 requires that initiative measures for statutes be presented to the Secretary of State with a minimum number of signatures: at least 5 percent of the total number of registered voters in the most recent gubernatorial election, in this case no fewer than 623,212.

The Office of the Attorney General released the title and summary of the initiative back in December 2019 as one of the first steps in a ballot initiative. On May 4, 2020, the Californians for Consumer Privacy announced that it was submitting over 900,000 signatures for qualification of the California Privacy Rights Act of 2020 (CPRA) as a ballot initiative and is now submitting the petitions to all counties for inclusion on the ballots in November.  If passed, the CPRA would take effect January 2023 with a one-year look back to January 2022. Some provisions, however, are presented for 2021, such as a new state privacy agency responsible for implementing and enforcing the CCPA.

Previously, this same group sponsored CCPA to be on the November 2018 ballot. However, the California Legislature passed its version of the CCPA in June 2018, which was signed into law – and has been amended twice since then. To date, the regulations to implement the CCPA have not been issued, yet enforcement is slated to begin July 1, 2020.

About the CPRA

The CPRA’s intent is to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA. Key provisions include:

  • Enhanced obligations on third parties, including service providers and contractors
    • Providing notice where data is collected (businesses acting as third parties) 1798.100(b)
    • Contractual obligations to comply with the law and to provide certain levels of privacy protection Section 1798.100(d) 
    • Cooperate on consumer requests, including deletion and flowdown obligations 1798.105(c)(3)
  • Explicit security provisions (reasonable as appropriate to nature of information) 1798.100(e)
  • New right of correction 1798.106
  • New right to limit use and disclosure of sensitive personal information 1798.121
  • Addition of definitions of “consent,” “contractor,” “sensitive personal information,” and “share” (as proposed §1798.145(h), (j), (ae), and (ah) respectively), each of which carries new or enhanced obligations. A summary of each new definition is given below, with the exception of “sensitive personal information,” which is provided in full.
    • “Consent” must be freely given, specific, informed and unambiguous, with a clear affirmative action or statement and includes what does not indicate consent, such as acceptance of general terms or muting or closing a piece of content. (h)
    • “Contractor” is very similar to a service provider.(j)
    • “Sensitive personal information” means: (1) personal information that reveals (A) a consumer's social security, driver's license, state identification card, or passport number; (B) a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer's precise geolocation; (D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer's genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer's health; or (C) personal information collected and analyzed concerning a consumer's sex life or sexual orientation. Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information. (ae)
    • “Share,” “shared,” or “sharing” is very much like selling, but in regards to cross-context behavioral advertising. (ah)
  • Additional element of data sharing to the definition of “business” for those who share control and branding with a business subject to the CCPA, Section 1798.140(d)(2) 
  • Creation of a California Consumer Protection Agency. Section 1798.199
  • Requiring an annual cybersecurity audit for businesses whose processing of personal information presents a significant risk to consumers – and submitting risk assessments to the new Consumer Privacy Protection Agency. Section 1798.185(a)(15)
  • Subjecting violations involving the personal information of individuals known to be under the age of 16 to the increased penalty level of $7,500 each violation. Section 1798.155(a)

These are certainly not all of the changes proposed by the CPRA and one should read the complete text to understand the potential impact.

Next steps

Under the previous initiative, which became the CCPA, negotiations were held to enact state law in lieu of the ballot initiative proceeding. It is unknown whether similar discussions are being held about the CPRA. As permitted under California Constitutional Law, the CPRA will be listed on the ballot in November as long as the remaining requirements are met.


Serious Privacy Podcast: Returning to Work


What do you get when a European and an American discuss concerns about returning to work after the recent quarantines? This week on the Serious Privacy podcast, co-hosts Paul Breitbarth and K Royal give listeners an inside view on what privacy professionals are thinking about. After two months, the worst of the Corona Crisis in many countries seems to be behind us. Slowly, countries and states are opening up, releasing roadmaps on relaxing their quarantine measures and taking steps to allow people to go back to work. Nevertheless, for the time being, it seems “continue to work from home where possible” will remain the best practice around the world. But whenever employees return to the office on a regular basis, it is already clear companies will need to prepare. The new normal of the six-feet-society and social distancing will cause a challenge in itself to be accommodated in offices, but there is also a lot to consider from a privacy and data protection perspective.  Listen to this week's episode on your favorite podcast platform or stream the episode below.

Serious Privacy Podcast – A Walkin’, Talkin’ EU Rep: An Open Conversation


What is a representative under GDPR?  Why do I need one? What do they actually do? Are these questions familiar to you? Does it sound like we are reading your mind? Then join us for this exciting unscripted conversation with Tim Bell, Managing Director of the DPR group – a walking, talking, EU representative.

If a data controller or processor does not have an establishment in any of the member states of the European Union, they have to appoint a representative. This is stipulated by article 27 GDPR. But does this really happen? The EU Member States seem to have concerns. In their evaluation report of the GDPR, they say it is uncertain to what extent controllers and processors from third countries have complied with the Representation obligation. 

Apparently, there are cases where a representative has not been designated. Reason enough to dive a bit deeper into this topic and discuss the role of the representative and how to appoint one.  In this podcast, we address a variety of topics such as the complexities of current EU representatives established in the United Kingdom and what that means for companies who will need a UK representative in the EU or vice versa. Listen on your favorite podcast platform or stream the episode below. 
