You’re the new Privacy Analyst at a U.S. retail company. Your manager just asked you to ensure the company is compliant with the California Consumer Privacy Act (CCPA), but you quickly realize there’s no data inventory or record of what personal data is being collected, where it’s stored, or who it’s shared with. How would you even begin? First, you’d start by building a data inventory — that means identifying what personal data the company collects (names, emails, browsing history, etc.), how it’s collected (forms, cookies, third-party platforms), and where it lives (CRM, marketing tools, cloud storage, etc.). You’d likely send out a questionnaire or meet with key teams (marketing, IT, sales) to gather this info. Then, you’d map the data flows — what systems touch this data, who has access, and whether it gets sent to vendors or service providers. This is essential for understanding risk and creating compliant privacy notices. Finally, you’d document it all and check it against the CCPA requirements — can users request access to their data? Can they delete it? Is there a way to opt out of data selling? This is GRC work in action: breaking down compliance into trackable steps and helping the business stay accountable.
Managing Customer Data Under New Privacy Regulations
Summary
California's recent "do not sell" and "do not share" privacy enforcement sweep targeted streaming services, but it has relevant reminders and lessons for all companies.
1️⃣ "Selling" isn't just trading personal data for money--it can also be sharing data with vendors to make products work or for advertising. "Sharing" encompasses many data exchanges for #DigitalAdvertising.
2️⃣ "Selling" and "sharing" require specific disclosures before the data is collected, including that the data will be sold or shared and opt-out process details.
3️⃣ Opt-out processes need to be available in the context in which consumers interact with the company. Different processes may be required in-app, with connected services or devices, on websites, and in physical locations.
4️⃣ Opt-out processes need to be frictionless, with minimal steps to take.
5️⃣ Opt-out processes need to stop the "sales" and "sharing" on a go-forward basis across all methods by which the specific customer's #PersonalData is "sold" or "shared".
6️⃣ Starting late next month, detailed regulations regarding technical and operational processes to respond to, honor, and persist preferences (including for known customers) from opt-out signals like the #GlobalPrivacyControl become enforceable. To date, these regulations have been delayed by court order.
If your company has not looked at these issues recently, this quarter is a good time for a tune-up, especially with the California and Connecticut AG record of enforcement in this area, and the forthcoming Washington My Health My Data and #litigation risks that it involves. Here's a tune-up action plan:
☑️ Validate you understand all methods used to transmit data to third parties. Consider offline sharing, server-to-server integrations, SDKs in your apps, and #pixel/tracker/cookie based sharing.
☑️ Confirm your process for identifying the third parties that data is disclosed to is current and working.
☑️ Check that protocols for disclosing data to third parties are defined and working, including with your opt-out processes.
☑️ For necessary data disclosures that cannot be opted out of, test that #contracting processes are getting the necessary contract terms for sharing with those vendors and partners not to be a "sale" or "sharing" under the law.
☑️ Confirm your data practices align with your commitments to customers (including in privacy policies, #cookiebanners, etc.).
☑️ Probe that the methods in which customers provide data to your company that may be "sold" or "shared" are also contexts where they can opt out.
☑️ Explore the opt-out processes offered to determine that there isn't unnecessary friction.
☑️ Test that your opt-out processes are working, including within the specified timelines.
☑️ Validate opt-out processes respond to the Global Privacy Control, adjusting as needed under privacy regulations such as to associate signals with known customer records.
#MHMDA #privacy #privacyoperations #CCPA #donotsell
Last week, the California Privacy Protection Agency fined a retailer $345,000 for failing to effectively effectuate consumers’ opt-out preference signals to prevent the sharing of their personal information (see decision below). The remedies outlined in the settlement are a clarion call for #privacypros. In short, the CPPA says privacy tech alone is not enough, just as Teresa (T) Troester-Falk wrote in an op-ed published by the IAPP today https://lnkd.in/eNqYpD4x. The CPPA alleges that the retailer relied on third-party privacy management tools without assessing their limitations, validating their operations or monitoring their functioning. They also allege the retailer required consumers to provide too much personal information (including sensitive information) to process their opt-out requests. Privacy tech is often critical today – there are far too many consumer requests, data sources, third-party partners, and assessments to manage manually – but it is equally vital to have a knowledgeable #privacypro building and overseeing the privacy program around it. This will only get more important as AI achieves its potential and scales across society.
So what does the CPPA settlement require specifically? Beyond correcting the alleged deficiencies, the CPPA specifically requires the retailer to:
- “develop, implement, and maintain procedures” to identify disclosures and ensure it processes opt out requests appropriately
- “establish and implement, and thereafter maintain policies, procedures, and technical measures designed to monitor the effectiveness and functionality” of its methods for complying with opt-out requests
- “develop, implement, and maintain procedures to ensure that all personnel handling Personal Information are informed of the Business’ requirements under the CCPA and its implementing regulations relevant to their job functions” – i.e. conduct #privacy training
- “maintain a contract management and tracking process to ensure that contractual terms required by the CCPA are in place with all external recipients of Personal Information”
Lots for privacy pros to focus on as they gain efficiencies and scale with privacy and #AI governance tech.
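The two posts above both come down to the same engineering question: does the Global Privacy Control signal actually stop every "sale" or "sharing" path for that person, including after they log in from another device, and can you prove it? The following is an added example written for this page, not code from either post's author or from any vendor tool. It assumes an illustrative request object, an in-memory preference store, a gate that every third-party disclosure (pixel, server-to-server sync, broker feed) must pass through, and a constructed sharing log; the only standard piece is the GPC signal itself, which the GPC specification defines as the request header `Sec-GPC: 1`.

```python
"""Honor, persist and audit a Global Privacy Control (GPC) opt-out.

Added example for this page, not code from any post above. The Request
and OptOutStore classes, the purpose names, and the sample data in
demo() are illustrative assumptions. The GPC signal is the standard
request header "Sec-GPC: 1".
"""
from dataclasses import dataclass, field
from typing import Optional

# Disclosures a consumer can opt out of versus disclosures to a contracted
# service provider that the post describes as "necessary" and not a "sale".
OPT_OUT_PURPOSES = {"ad_pixel", "server_to_server_sync", "data_broker_feed"}
EXEMPT_PURPOSES = {"order_fulfillment"}


@dataclass
class Request:
    headers: dict
    customer_id: Optional[str] = None  # set only for a known, logged-in customer
    session_id: str = "anon"


@dataclass
class OptOutStore:
    # key -> sequence number at which the opt-out took effect
    by_customer: dict = field(default_factory=dict)
    by_session: dict = field(default_factory=dict)


def gpc_signal_present(headers: dict) -> bool:
    """True when the request carries the GPC signal. Header names are case-insensitive."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1" for k, v in headers.items())


def process_request(store: OptOutStore, req: Request, seq: int) -> bool:
    """Run on every request. Honors a GPC signal without asking for any extra
    personal information, and links an earlier anonymous opt-out to the
    customer record once the visitor is known, so it persists across devices."""
    if req.customer_id is not None and req.session_id in store.by_session:
        store.by_customer.setdefault(req.customer_id, store.by_session[req.session_id])
    if not gpc_signal_present(req.headers):
        return False
    if req.customer_id is not None:
        store.by_customer.setdefault(req.customer_id, seq)
    else:
        store.by_session.setdefault(req.session_id, seq)
    return True


def sharing_allowed(store: OptOutStore, req: Request, purpose: str) -> bool:
    """Gate for every third-party disclosure path (pixel, SDK, server-to-server)."""
    if purpose in EXEMPT_PURPOSES:
        return True
    if req.customer_id is not None and req.customer_id in store.by_customer:
        return False
    return req.session_id not in store.by_session


def audit_sharing_log(store: OptOutStore, events: list) -> list:
    """Monitoring check: return (seq, purpose) for any opt-out-able disclosure
    that happened after the subject's opt-out took effect.
    events are (seq, customer_id_or_None, session_id, purpose) tuples."""
    violations = []
    for seq, cid, sid, purpose in events:
        if purpose in EXEMPT_PURPOSES:
            continue
        opted_at = store.by_customer.get(cid) if cid is not None else None
        if opted_at is None:
            opted_at = store.by_session.get(sid)
        if opted_at is not None and seq > opted_at:
            violations.append((seq, purpose))
    return violations


def demo() -> dict:
    store = OptOutStore()
    # Constructed sample traffic: an anonymous visitor with GPC enabled (1),
    # who then logs in as customer c-42 on the same session (2), and later
    # returns from another device with no GPC signal at all (3).
    process_request(store, Request({"Sec-GPC": "1", "Accept": "*/*"}, session_id="s-1"), seq=1)
    process_request(store, Request({"sec-gpc": "1"}, customer_id="c-42", session_id="s-1"), seq=2)
    other_device = Request({}, customer_id="c-42", session_id="s-9")
    process_request(store, other_device, seq=3)
    # Constructed sharing log to audit: one pixel fired before the opt-out,
    # one server-to-server sync fired after it, one exempt fulfillment disclosure.
    log = [
        (0, None, "s-1", "ad_pixel"),
        (4, "c-42", "s-9", "server_to_server_sync"),
        (5, "c-42", "s-9", "order_fulfillment"),
    ]
    return {
        "pixel_blocked": not sharing_allowed(store, other_device, "ad_pixel"),
        "fulfillment_ok": sharing_allowed(store, other_device, "order_fulfillment"),
        "violations": audit_sharing_log(store, log),
    }


if __name__ == "__main__":
    print(demo())
```

The two things worth copying from this are the shape of the gate and the audit: every integration that sends data out calls one `sharing_allowed` check rather than each team reading the cookie banner state on its own, and the audit compares the outbound log against the preference store so a vendor tool that silently stops honoring the signal shows up as a violation instead of going unnoticed.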