Privacy is the hottest new job market for attorneys and non-attorneys. Even more so when you consider the full range of data protection jobs. A few weeks ago, we spoke to Jared Coseglia with TRU STaffing about recruiting for functions in privacy. In this episode we look at the other side. What is it like for someone to get started in privacy, not by sheer coincidence like K Royal and Paul Breitbarth did many years ago, but by deliberate choice? Where do you get this crazy idea that a privacy career might be fun, what steps do you take and what is it like to start in privacy and data protection in 2020?
Our guest, Tom Besore, is an experienced Chicago-based lawyer, who identifies as Irish and American. In his own words, he has a long history in computers, electronics, radio and technology. In 2020, he shifted his primary interest to privacy and started executing on achieving that dream. As Tom says – success in this field takes passions, laser-focus, and the drive to niche opportunities. Listen in as we discuss why one would turn to privacy from a different career-focus and how to do so. This episode can be heard on our website or streamed below.
With the continued compliance challenges surrounding the CCPA, including the August 14, 2020 final regulations approval, companies are looking to their peers to see how they are understanding, assessing, and complying with the CCPA requirements. In May 2020, TrustArc conducted a first-ever Global Privacy Benchmarks Survey which explored ongoing privacy challenges, changes, and opportunities that have arisen in the complex world of data protection and privacy. The CCPA Readiness Market Report 2020, is one part of our overall findings from the Global Benchmarks Survey.
Here are some key findings from the report:
CCPA Readiness. When surveyed before the deadline, three quarters of respondents (76%) believed they are very likely (36%) or somewhat likely (40%) to be ready for the July 1, 2020 enforcement date.
GDPR Prep. 82% of our respondents have leveraged their knowledge of and planning for GDPR to work through CCPA issues, particularly in the United States.
COVID-19. Leading up to the July 1st deadline, many companies were anticipating delays in implementation due to the pandemic and may have been “banking” on the California Attorney General delaying enforcement.
Challenges. When asked which elements of privacy management have been the most challenging, overwhelmingly respondents pointed to: the challenges of staying current with privacy and security regulations and managing privacy risks.
What’s your confidence level on your CCPA preparedness? Download this report now to compare yourself against your peers!
Now this story is all about how our lives got flipped – turned upside down. We’d like to take a minute, just sit right there, we’ll tell you all about the privacy laws passed down there.
Today, we are traveling virtually to the sixth largest country in land area and in its honor, we are flipping parts of the show. We are upside down, since we are going Down Under. Since the beginning of the year, Paul Breitbarth and K Royal have mainly covered privacy developments in the United States, the broader Americas and in Europe. But the privacy community extends beyond the two Atlantic coasts. What is actually going on in Australia and New Zealand? What does the privacy landscape look like in the Asia Pacific region and what are the main differences with the laws we have become so accustomed to, like CCPA and GDPR.
Our guest, Annelies Moens, is based in Sydney Australia, and was one of the co-founders of the IAPP in Australia and New Zealand, back in 2008. She worked for the Office of the Australian Information Commissioner, has held various roles in the private sector and now leads her own consultancy, Privcore.
Listen in as we discuss how the APAC region compares to the rest of the world, privacy law developments, and recent events in privacy law that might surprise you. In particular, we discussed how the recent Schrems-II decision out of Europe impacts activities in Australia and New Zealand, business exemptions for enforcement, and COVID-19 contact tracing. This episode can be heard on our website or streamed below.
With all the recent changes in privacy laws, it seems like a whole new world. Or perhaps not. In this episode, we connect with Travis LeBlanc, a well-seasoned professional with insight into government actions, to discuss recent privacy developments through the lens of past actions. He was the chief of the Federal Communications Commission’s (FCC) Enforcement Bureau in the Obama years, worked as senior adviser to former California Attorney General – and now Vice-Presidential nominee – Kamala D. Harris and as special assistant attorney general of California. Today, he is the vice chair of Cooley’s cyber, data and privacy practice, a role he combines with the membership of the Privacy and Civil Liberties Oversight Board.
Listen in as Paul Breitbarth and K Royal discuss the changing world of privacy in this episode. Given the overlapping years, where Paul was with the Working Party 29 in Europe and Travis was with the FCC, Paul and Travis re-lived some of their shared experiences. But the conversation was not limited to regulator reminiscing – we discussed a variety of issues, from Schrems-II, the possibility of U.S. federal legislation on the horizon, and the CPRA, which also led to social justice issues. This episode can be heard on our website or streamed below.
Final CCPA regulations approved and now effective immediately
On August 14, 2020, the California Office of the Attorney General (“OAG”) sent out a notice that the final CCPA regulations have been approved by the California Office of Administrative Law (“OAL”) and filed with the California Secretary of State. Effectively immediately, all organizations subject to CCPA statutes must comply with both the statutes and the regulations.
In the Addendum to Final Statement of Reasons, the OAG noted several changes from the version of the draft regulations submitted on June 1, 2020 to the OAL. The changes were described as “non-substantive” as the OAG deemed them not to materially change “the requirements, rights, responsibilities, conditions, or prescriptions” contained in the June 1, 2020 version. Some of the changes do, however, appear to change the requirements for businesses subject to the withdrawn provisions as described below:
- Effect of withdrawn provision § 999.305(a)(5) – Businesses will not be required to directly contact consumers and obtain explicit consent if they plan on using their personal information for purposes that are materially different than those disclosed in the privacy notice at the time of collection.
- Effect of withdrawn provision § 999.306(b)(2) – Businesses that primarily interact with consumers offline will not be required to provide notice of their right to opt-out of the sale of their personal information using an offline method.
- Effect of withdrawn provision § 999.315(c) – The provision that was withdrawn (1) required that a business’s opt-out method be “easy for consumers to execute,” and “require minimal steps to allow the consumer to opt-out,” and (2) prohibited using a method that intended or had the substantial effect of “subverting or impairing” a consumer’s decision to opt-out.” The withdrawal of these requirements does not mean, however, that a business may have a convoluted opt-out method or one that is designed or has the effect of subverting or impairing a consumer’s decision to opt-out.
- Effect of withdrawn provision § 999.326(c) – Businesses may deny requests from authorized agents who do not provide signed written permission from the consumer demonstrating they have been authorized to act on the consumer’s behalf. The withdrawn § 999.326(c) would have permitted businesses to deny requests from authorized agents who did not submit “proof” of the authorization, but the regulations specify in other sections what is specifically required as a method proof, including signed written authorization.
What has changed since the CCPA statutes went into effect?
Though “non-substantive” changes were made between the June 1, 2020 draft regulations and the August 14, 2020 final regulations, a lot has changed since the CCPA statutes went into effect on January 1, 2020. With the CCPA regulations now enforced, here are some important takeaways organizations subject to CCPA statutes will need to make note of:
- Notices provided online must follow generally recognized industry standards for accessibility, like the Web Content Accessibility Guidelines (WCAG) version 2.1.
- Notices must be easy to read and understand, using plain, straightforward language.
- Notices must be available in the languages in which the business ordinarily provides information to consumers.
- Notice must be given at or before the time of personal information collection or a business may not collect personal information from a consumer.
- Businesses may not collect categories of personal information not disclosed in its notice.
Individual Rights Requests
- Confirmation of requests to know or request to delete must occur within 10 business days, and businesses must provide a description of the identity verification process.
- Businesses must respond to requests to know and requests to delete within 45 calendar days of receipt. If identity cannot be verified within 45 calendar days, the request may be denied.
- Businesses may take an additional 45 calendar days to respond to a request to know or request to delete if necessary (for a total of 90 calendar days) if it provides notice and an explanation for the time extension.
- Certain types of personal information may never be disclosed, including for example, Social Security numbers, driver’s license numbers, financial account numbers, health insurance or medical identification numbers, and account passwords.
- Exceptions to complying with a request to delete include personal information on archived or back-up systems (unless and until the information is restored), deidentified personal information, or aggregated consumer information.
- Records of consumer requests, including responses, must be kept for at least 24 months.
Requests to Opt-Out of the Sale of Personal Information
- Businesses must comply with a request to opt-out within 15 days.
- Requests to opt-out needs not be verified.
- Browser plug-ins or privacy settings must be considered a valid request to opt-out.
- If a consumer who has opted out of the sale of personal information requests to opt-in, the business must use a two-step process requiring (1) a clear request to opt-in and (2) a separate step to confirm the choice to opt-in.
- Businesses are required to have a more stringent identity verification process for requests concerning high risk personal information.
- Businesses must avoid collecting new personal information for the purpose of identity verification where possible.
- Authentication through an online account may be used to verify identity, though a business must require re-authentication before disclosing or deleting a consumer’s data.
Financial Incentive Programs
- Businesses offering financial incentives, including price and service differences, related to the collection, deletion, or sale of personal information must provide in its notice:
- A summary and description of terms of the financial incentive and the value of the consumer’s personal information.
- An explanation of how the incentive is reasonably related to the value of the consumer’s data.
- A good faith estimate of the value of the consumer’s data that serves as the basis for offering the financial incentive and a description of the method used to calculate the value of the consumer’s data.
- Businesses offering financial incentives must provide instructions for opting in to the incentive and for withdrawing from it.
- Except in the case of offering financial incentives, businesses may not discriminate against consumers for exercising their rights under the CCPA or the regulations.
These are only some of the important takeaways from the regulations. If your business is subject to the CCPA, it is important to know the requirements which can be found here. With both the CCPA statutes and regulations now in effect, prioritizing compliance elements is key.
Companies are understandably in varying stages of preparedness. Whether you’re stalled, have some resource constraints, or just need a review of your plan, TrustArc is here to help. Contact us for a free CCPA Preparedness Assessment to assess your current program against CCPA requirements, identify gaps, and prioritize risk remediation.
The privacy job market is booming! Chief Privacy Officer, Data Protection Officer, Chief Data Officer, Privacy Engineer, GDPR Expert, CCPA Consultant, Data Privacy Counsel, Privacy Risk Officer… And this is just to get started. Do a vacancy search with the word ‘Privacy’ on LinkedIn or most job-search boards and you will be shown a huge variety of functions around the world for new and seasoned privacy professionals.
Paul Breitbarth and K Royal invited the founder and CEO of TRU Staffing Partners, a staffing company helping to fill vacancies in data privacy, e-discovery, and cybersecurity since 2010. By now, Jared Coseglia and his team have placed over 3000 professionals in full-time and temporary positions. Our main objective was to get a sense of the privacy job market, but to also discover insight about landing a position in privacy for people who are new to the field or transitioning. As a former theatre director, there was some curiosity on whether those skills transitioned into managing privacy professionals. Listen in as we discuss some of the expectations for privacy professionals, such as a love of reading a lot given the massive amount of information related to personal data that seems to change often. This episode can be heard on our website or streamed below.