Termageddon Blog

Privacy Policy best practices

Having a Privacy Policy is very beneficial: it can help you comply with privacy laws, thereby helping you avoid privacy-related fines and lawsuits, and it can help you show your customers that you care about their privacy. If you are not a privacy attorney, though, you may be wondering about Privacy Policy best practices and how to ensure that your policy meets your goals. In this article, we will outline the five Privacy Policy best practices that you should follow to ensure that your Privacy Policy adequately protects your business.

Privacy Policy best practice 1: review your website

While we will discuss in more detail who privacy laws apply to in the next section, privacy laws generally apply to websites that collect Personally Identifiable Information (PII). PII is any information that could identify a specific person, on its own or in combination with other data. Examples of PII that are commonly collected by websites include:

  • Names;
  • Emails;
  • Phone numbers;
  • Physical addresses; and
  • IP addresses.

Since privacy laws regulate the collection of PII, the first Privacy Policy best practice is to review your website to see what PII is collected where. You should pay particular attention to these features on your website as they are often used to collect PII:

  • Contact forms;
  • Email newsletter sign up forms;
  • Account creation forms;
  • eCommerce portals where consumers can make purchases; and
  • Analytics programs such as Google Analytics.

Once you have reviewed your website for these features and determined what PII you collect, you should also ask yourself:

  • How do I use the PII that I collect?
  • Who, if anyone, do I share this PII with?
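A first pass at this inventory can be scripted. The following is an added example, not Termageddon's own tooling: it parses a page's HTML with Python's standard library, records which PII categories each form's fields appear to ask for, and flags common analytics snippets in the page's scripts. The field-name patterns, the tracker signatures and the sample page are my own assumptions; treat the output as a starting point for a manual review, not a legal determination.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns, matched against an input's name/id/type/autocomplete/
# placeholder attributes. The categories mirror the PII examples in the
# article; the patterns themselves are an assumption, not a legal test.
PII_PATTERNS = {
    "name": re.compile(r"(first|last|full|user)?[-_ ]?name", re.I),
    "email": re.compile(r"e-?mail", re.I),
    "phone": re.compile(r"phone|\btel\b|mobile", re.I),
    "address": re.compile(r"address|street|zip|postal|city", re.I),
}

# Tracker signatures looked for in <script src> URLs and inline script bodies.
# The hostnames and globals are the real Google Analytics / Facebook Pixel
# ones; which trackers you look for is your choice.
ANALYTICS_PATTERNS = {
    "Google Analytics": re.compile(r"googletagmanager\.com/gtag|google-analytics\.com|\bgtag\("),
    "Facebook Pixel": re.compile(r"connect\.facebook\.net|\bfbq\("),
}


class PiiInventory(HTMLParser):
    """Collects, per <form>, which PII categories its fields appear to ask for,
    plus every script URL and inline script body for tracker detection."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "fields": set()}]
        self.scripts = []      # script src URLs and inline script bodies
        self._form = None
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "(no action)", "fields": set()}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("type") in ("hidden", "submit", "button", "password"):
                return  # not user-entered PII in the sense used here
            ident = " ".join(v for v in (a.get(k) for k in
                             ("name", "id", "type", "autocomplete", "placeholder")) if v)
            for category, pattern in PII_PATTERNS.items():
                if pattern.search(ident):
                    self._form["fields"].add(category)
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False
            self.scripts.append("".join(self._script_buf))
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies here
            self._script_buf.append(data)


def inventory(html):
    """Return {"forms": {action: [categories]}, "analytics": [trackers]} for one page."""
    parser = PiiInventory()
    parser.feed(html)
    parser.close()
    forms = {f["action"]: sorted(f["fields"]) for f in parser.forms if f["fields"]}
    analytics = sorted(name for name, pattern in ANALYTICS_PATTERNS.items()
                       if any(pattern.search(s) for s in parser.scripts))
    return {"forms": forms, "analytics": analytics}


# Constructed sample page: a contact form, a newsletter form, a search form
# and a Google Analytics snippet (the measurement ID is a placeholder).
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
</head><body>
<form action="/contact" method="post">
  <input name="full_name" placeholder="Your name">
  <input type="email" name="email">
  <input type="tel" name="phone">
  <input name="street" autocomplete="street-address">
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<form action="/newsletter" method="post"><input type="email" name="subscriber"></form>
<form action="/search" method="get"><input name="q" placeholder="Search"></form>
</body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(inventory(SAMPLE_PAGE), indent=2))
```

Run it over the HTML of each of your pages (or a crawler's output) and you get a list of the forms that appear to collect PII and the trackers present, which maps directly onto the questions above about what is collected, where, and who receives it. It will not see PII collected by client-side JavaScript after load or by third-party embeds, so those still need a manual look.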

Once you have reviewed your website, it is time to determine what privacy laws apply to you.

Privacy Policy best practice 2: determine which privacy laws apply to you

Privacy laws dictate the disclosures that your Privacy Policy needs to contain so the second Privacy Policy best practice that you need to undertake is to determine what privacy laws apply to you. A Privacy Policy that is not based on the laws that apply to you will not have all of the disclosures required by those laws and thus can leave you vulnerable to hefty fines and even lawsuits.

While privacy laws have a very broad application in the sense that they apply to businesses outside of the states or countries in which they are passed, they also have certain criteria that you need to meet for the law to apply to you. Therefore, you should not just assume that every privacy law applies to you, but should instead review the below list of laws and criteria to determine your obligations:

  • California Online Privacy Protection Act of 2003 (CalOPPA): applies to operators of commercial websites that collect the PII of California residents;
  • California Consumer Privacy Act (CCPA): applies to for-profit entities that do business in California, collect, share or sell the PII of California residents and meet one or more of the following criteria:
    • Has annual gross revenues of $25,000,000 or more;
    • Buys, receives, sells or shares the PII of at least 50,000 California consumers, households or devices; or
    • Derives at least 50% of its annual revenue from selling the PII of California consumers.
  • Nevada Revised Statutes Chapter 603A: applies to data brokers and to operators of commercial websites that collect the PII of Nevada consumers and that purposefully direct their activities towards Nevada, consummate a transaction with the State of Nevada or a resident of Nevada, purposefully avail themselves of the privilege of conducting activities in Nevada, or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution;
  • Delaware Online Privacy and Protection Act (DOPPA): applies to operators of commercial websites that collect the PII of Delaware residents;
  • Virginia Consumer Data Protection Act (VCDPA, goes into effect on 1/1/2023): applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
    • During a calendar year, control or process the PII of at least 100,000 Virginia consumers; or
    • Control or process the PII of at least 25,000 Virginia consumers and derive over 50% of gross revenue from the sale of PII.
  • Colorado Privacy Act (goes into effect 7/1/2023) applies to controllers of PII that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
    • Control or process the PII of 100,000 or more Colorado consumers during the calendar year; or
    • Derive revenue or receive a discount from the sale of PII and collect or process the PII of 25,000 or more Colorado consumers.
  • General Data Protection Regulation (GDPR): applies to you if you:
    • Are located in the European Union;
    • Offer goods or services to European Union residents, regardless of your location; or
    • Monitor the behavior of European Union residents, regardless of your location.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. PIPEDA can also apply to non-Canadian companies that collect, use, or disclose the PII of Canadian residents.
  • Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 and the organizations outside of Australia that have an Australian link. It also applies to the following Australian organizations even if they have turnover of less than AUD $3,000,000 per year:
    • Private sector healthcare providers;
    • Businesses that sell or purchase PII;
    • Credit reporting bodies;
    • Contracted service providers for Australian government contracts;
    • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
    • Businesses that have opted in to comply with the law;
    • Businesses that are related to a business covered by the law; and
    • Businesses prescribed by the Privacy Regulation 2013.

The above list can be intimidating but if you use the Termageddon Privacy Policy generator, the first set of questions that you are asked will help determine which privacy laws apply to you and thus what disclosures your Privacy Policy needs to contain, making achieving this second Privacy Policy best practice much easier. After determining what privacy laws apply to you, your next step will be to ensure that your Privacy Policy contains all of the necessary disclosures.

Privacy Policy best practice 3: include the necessary disclosures

The next best practice is to ensure that your Privacy Policy contains all of the disclosures required by the privacy laws that apply to you. Since each law has a very specific set of required disclosures, if you are drafting your Privacy Policy yourself you will need to read those laws and make a list of the disclosures that you need to add. Depending on what laws apply to you, you may need to include some or all of the following information:

  • The effective date of your policy;
  • Your name and contact information;
  • What PII you collect;
  • Sources from which you collect the PII;
  • Purposes for which you will be using the PII;
  • Whether you share PII and, if you do, the categories of third parties with whom you share it;
  • How your website responds to Do Not Track signals;
  • How you will notify users of changes to your Privacy Policy;
  • Whether you sell PII; if you do, you may need to make further disclosures regarding such sales;
  • Whether you use PII for targeted advertising and how individuals can opt out (this disclosure will start to be required in 2023);
  • A list of the privacy rights provided to consumers;
  • How a consumer can exercise their privacy rights;
  • How a consumer can appeal a decision made regarding a privacy rights request (this disclosure will start to be required in 2023);
  • How a user can complain to the authorities if they feel like their privacy rights have been infringed upon;
  • Legal bases under which you process PII;
  • How long you store PII;
  • Whether you use PII for direct marketing;
  • Whether you use PII for automated decision making or profiling;
  • Whether you transfer PII outside of certain countries or to an international organization;
  • Whether you have a Data Protection Officer. If you do have a Data Protection Officer, you will need to include their contact information in your Privacy Policy;
  • How you protect the PII that you collect;
  • Whether you use any type of analytics on your website such as Google Analytics; and
  • Whether you use cookies or other tracking technologies on your website.

While your Privacy Policy may not need all of the above disclosures, it is imperative that it does contain all of the disclosures that are required by the privacy laws that apply to you. Missing just one disclosure can mean that your Privacy Policy is not compliant, leaving you in danger of heavy fines or even lawsuits. Termageddon’s Privacy Policy generator will help you build a Privacy Policy that has these disclosures by asking you a series of questions. Your answers are then used to build a Privacy Policy that is specifically based upon the privacy laws that apply to you and your privacy practices.

Privacy Policy best practice 4: review your Privacy Policy

Once your Privacy Policy has been created with all of the right disclosures, the next Privacy Policy best practice is to review it. While having a Privacy Policy is an excellent first step towards compliance, you also need to follow your Privacy Policy and the promises contained therein. For example, if your Privacy Policy states that you do not sell PII, you should not sell it until you update the policy and obtain appropriate consents from your customers where needed. In addition, your Privacy Policy will also state where individuals can send their privacy rights request and how soon you will respond to those requests. Thus, it is important that you review your Privacy Policy and have a strategy in place for responding to consumer privacy rights requests and other requirements imposed by the privacy laws that apply to you.

Privacy Policy best practice 5: strategy for keeping your Privacy Policy up to date

Unfortunately, the days of putting your Privacy Policy on your website and never updating it again are over. With over 20 proposed state privacy bills in the United States, Canada’s proposed update to its privacy law, PIPEDA, and the United Kingdom considering an overhaul of its privacy legislation, it is more important than ever to have a strategy for keeping your Privacy Policy up to date with new laws and changes to Privacy Policy requirements. If you do not have the time to spend hours on tracking privacy bills across the world and for updating your Privacy Policy whenever those laws change, you can use Termageddon’s Privacy Policy generator – we will track privacy bills and laws for you and make updates whenever a new privacy law is passed or an existing privacy law is amended, saving you time and headache.

As you can see, there are several Privacy Policy best practices that will help you ensure that your Privacy Policy meets your goals of compliance with privacy laws. From reviewing your website, to determining what privacy laws apply to you, to keeping your Privacy Policy up to date, we hope that this guide has helped you make your Privacy Policy better.

The post Privacy Policy best practices appeared first on Termageddon.


Privacy Policy vs. Terms and Conditions

If you have been paying attention, you have probably noticed that most websites that you visit have a Privacy Policy and Terms and Conditions (also referred to as a Terms of Service or a Terms of Use). You have probably also asked yourself what these documents are, how they differ from each other, and whether your website needs them as well. In this article, we will break down the differences between a Privacy Policy vs. Terms and Conditions and explain why you need to have both to protect your website and your business.

What is a Privacy Policy?

A Privacy Policy is a document that explains your privacy practices such as how you collect, use, and disclose Personally Identifiable Information (PII). A Privacy Policy is usually required by law for websites that collect PII such as names, emails, phone numbers, physical addresses or IP addresses through tools such as contact forms, email newsletter sign up forms, eCommerce portals and analytics.

Each privacy law that applies to you dictates the disclosures that your Privacy Policy needs to contain, which is why it is crucial to start the policy creation process with determining what privacy laws apply to you. The following laws can apply to websites that collect PII:

  • California Online Privacy Protection Act of 2003 (CalOPPA) – a privacy law that applies to any website that collects the PII of California residents;
  • California Consumer Privacy Act (CCPA) – a new privacy law that protects the PII of California residents;
  • General Data Protection Regulation (GDPR) – a privacy law that protects the PII of European Union residents and applies to businesses outside of the European Union as well;
  • United Kingdom Data Protection Act 2018 (UK DPA) – a privacy law that protects the PII of United Kingdom residents and applies to businesses outside of the United Kingdom as well; 
  • Delaware Online Privacy and Protection Act (DOPPA) – a privacy law that applies to any website that collects the PII of Delaware residents;
  • Nevada Revised Statutes Chapter 603A – a recently amended privacy law that protects the PII of Nevada residents;
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – a privacy law that protects the PII of residents of Canada;
  • Australia Privacy Act of 1988 – a privacy law that protects the PII of residents of Australia;
  • Colorado Privacy Act – a privacy law that protects the personal data of residents of Colorado and goes into effect July 1st, 2023.
  • Virginia Consumer Data Protection Act (VCDPA) – a privacy law that protects the personal information of residents of Virginia and goes into effect January 1st, 2023.

It is important to note that the application of privacy laws is not based upon where you or your business is located but rather on whose PII you are collecting, where your customers reside, where you offer goods or services, and who you track on your website. Thus, the privacy laws listed above can apply to you even if you are not located in those states or countries.

Your Privacy Policy will also need to be updated from time to time as new privacy laws are passed or existing privacy laws are amended, requiring new disclosures to be made. For example, there are over 20 proposed privacy bills in the United States alone, and other countries such as Canada are proposing complete overhauls of existing privacy legislation, all of which would require Privacy Policy updates. Lastly, not having an up-to-date Privacy Policy can lead to severe consequences: privacy law violations can lead to heavy fines, from $2,500 per violation under the CCPA (where each affected website visitor can count as a separate violation) to €20,000,000 or more in total under the GDPR.

In conclusion, a Privacy Policy is a document that helps you comply with privacy laws and avoid privacy-related fines and lawsuits by explaining your privacy practices to consumers.

What are Terms and Conditions?

Terms and Conditions (also called Terms of Use or Terms of Service) are a statement that details the rules of using your website, thereby helping you protect your business and limit your liability. While not technically required by law for all websites, Terms and Conditions are extremely valuable as they can help you:

  • Get approval to use third party payment processors such as Stripe or PayPal;
  • Answer commonly asked customer questions regarding returns, refunds, and cancellations and thus help move customers towards making a purchase;
  • Lessen your liability by specifying what warranty, if any, you offer on the website or on purchases made on your website;
  • Protect your intellectual property and help reduce the likelihood of costly intellectual property infringement lawsuits;
  • Save costs by specifying where disputes will be resolved;
  • Lessen the amount of damages that you may be responsible for in case of a dispute;
  • Maintain control over your website and its users.

Depending on where your business is located, your Terms and Conditions may also need to include clauses on warranties, returns, refunds, and cancellations that comply with your country’s consumer protection laws.

In conclusion, Terms and Conditions are used to answer commonly asked customer questions, limit your liability, and protect your business.

While there are quite a few differences between a Privacy Policy vs. Terms and Conditions, both of these documents work together to help you avoid fines and lawsuits and limit your liability, thus helping you protect yourself and your business. If you do not currently have these policies in place or if your policies are outdated or incomplete, use Termageddon’s Privacy Policy generator and Terms and Conditions generator to create your comprehensive policies today.



Colorado Privacy Act Compliance Guide

The Colorado Privacy Act (SB190) is a privacy law that was signed into law on July 8, 2021 to protect the privacy of residents of Colorado. The law achieves this goal by providing privacy rights to residents of Colorado, requiring certain websites to have a Privacy Policy, and imposing heavy fines for failure to comply. This law will go into effect on July 1, 2023.

In this Compliance Guide, we will discuss the following as it relates to the Colorado Privacy Act:

  • Who needs to comply with this law;
  • How the Colorado Privacy Act defines personal data;
  • The privacy rights provided by this law;
  • Colorado Privacy Act Privacy Policy requirements;
  • The penalties for failing to comply.

Who does the Colorado Privacy Act apply to?

As with other privacy laws, businesses do not need to be located in Colorado for this law to apply. The Colorado Privacy Act applies to controllers (persons that determine the purposes for and means of processing personal data) of personal data that:

  • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado; and
  • Satisfy one of the following thresholds:
    • Control or process the personal data of 100,000 or more Colorado consumers during a calendar year; or
    • Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado consumers.

Even if you do not meet the thresholds above, it is important to note that the Act requires controllers to ensure that processors of personal data adhere to the requirements of the Act. Thus, if you process data on behalf of a client that is subject to the Act, you may be required, via contract, to meet the obligations of this law even if it does not apply to you directly by statute.

How does the law define personal data?

The Colorado Privacy Act applies to controllers that collect and process personal data. In this case, personal data is defined as information that is linked or reasonably linkable to an identified or identifiable individual. Examples of personal data can include names, emails, phone numbers, and physical addresses, all of which are frequently collected by business websites via contact forms, email newsletter sign up forms, appointment setting forms and billing portals.

Colorado Privacy Act privacy rights

The Colorado Privacy Act protects the privacy of Colorado consumers by providing them with the following privacy rights:

  • Right to opt out – consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data or profiling in furtherance of decisions that produce legal or similarly significant effects;
  • Right of access – consumers have the right to confirm whether a controller is processing personal data concerning the consumer and to access their personal data;
  • Right to correction – consumers have the right to correct inaccuracies in their personal data;
  • Right to deletion – consumers have the right to delete their personal data;
  • Right to data portability – when accessing their data, a consumer has a right to obtain that data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit that data to another business.

Colorado Privacy Act Privacy Policy requirements

If the Colorado Privacy Act applies to you, you will need to update your Privacy Policy to include the following information:

  • The categories of personal data collected or processed;
  • The purposes for which the categories of personal data are processed;
  • How and where consumers may exercise their privacy rights, including the controller’s contact information and how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • The categories of personal data that are shared with third parties, if any;
  • The categories of third parties, if any, with whom the personal data is shared; and
  • If personal data is sold to third parties or processed for targeted advertising, then the Privacy Policy must disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

If this law applies to you, it is important that you update your Privacy Policy prior to the effective date to avoid potential infringements and fines.

The penalties for failing to comply

Once it goes into effect on July 1, 2023, the Colorado Privacy Act will be enforced by the Colorado Attorney General and Colorado District Attorneys. Non-compliance with the law is considered a deceptive trade practice, which can result in penalties of up to $20,000 per violation, up to $500,000 for a series of related violations. The Act does provide for a 60-day cure period, but this period will be available only until January 1, 2025.

Termageddon will be making updates to client policies closer to the effective date to ensure that your Privacy Policy has all of the required disclosures. If you do not currently have a Privacy Policy or would like to have one that automatically updates whenever the laws change, check out the Termageddon Privacy Policy generator.



Using Termageddon with Shopify Websites

Using Termageddon with a Shopify website is easy. The procedure is very similar to embedding a policy on a WordPress site except you will be doing this within your Shopify dashboard.

Something to note before we begin: Shopify provides a built-in area for legal policies. Although Termageddon does not work directly with these fields, there is a simple workaround that will allow you to display your Termageddon policies.

Step 1. Log into the Termageddon dashboard and view the embed code.

Step 2. Copy the embed code.

Step 3. Log into Shopify and add a page.

Step 4. Switch to “code view” and paste the code. Repeat this for each policy page.

Step 5. Head over to the Navigation area and create menu items for each of your policy pages.

Links to your policies will now surface on the front end of your Shopify theme wherever you would like. We have opted to show them in the sub-footer menu of every page.

Viewing one of these pages reveals your Termageddon policy.

Additional Shopify steps

Shopify automatically includes links to its built-in policy pages on checkout pages. You need to make sure these links lead to your Termageddon policies.

Step 1. To connect these pages to your Termageddon policies, go to Settings (lower left) and click on Legal.

Step 2. Here you will find Shopify’s built-in policy fields. Currently these fields cannot accept Termageddon embed code. Instead, in each field create a link to the corresponding Shopify page that holds your Termageddon policy.

Clicking on one of these links at checkout displays a modal window with a link to your Termageddon policy.

Thank you to the great people at Overlander and Project13 for allowing us to share this information with our audience!



Virginia Consumer Data Protection Act: What you need to know

As consumers become more interested in the privacy of their personal data online, more and more states are proposing and passing their own privacy bills. These bills provide consumers with certain privacy rights, require websites to have a Privacy Policy that makes very specific disclosures, and impose heavy fines for non-compliance. With more than twenty proposed privacy bills, it is more important than ever to keep an eye on these changing compliance requirements.

On March 3, 2021, VA S 1392, the Virginia Consumer Data Protection Act (VCDPA) was signed into law. In this article, we will discuss all that you need to know about the Virginia Consumer Data Protection Act, including who it applies to, how it defines “personal data,” the rights that it provides to consumers, and its enforcement mechanisms so that you can be ahead of the curve on preparing for this law.

Virginia Consumer Data Protection Act: Who it applies to

All of the privacy laws in the United States have a broad reach, potentially applying to businesses outside of the state in which they are passed, and VCDPA is no exception. The law applies to persons that do business in Virginia or that produce products or services that are targeted to Virginia residents and that meet one or more of the following thresholds:

  • During a calendar year, control or process the personal data of at least 100,000 Virginia consumers; or
  • Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

While at first glance the law may seem to apply to larger businesses only, VCDPA defines “personal data” broadly as “any information that is linked or is reasonably linkable to an identified or identifiable natural person,” so contact form submissions and other data collected from Virginia residents all count towards the 100,000-consumer threshold. A website that receives a large volume of form submissions each year can therefore meet it more easily than you might expect. In addition, you may also be required to comply with this law if you are a vendor for a larger company that does meet the above thresholds.

Consumer rights

Virginia consumers are provided with the following privacy rights under this law:

  • To confirm whether the consumer’s personal data is processed and to access such personal data;
  • To correct inaccuracies in the consumer’s personal data;
  • To delete the consumer’s personal data;
  • To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller; and
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

The Virginia Consumer Data Protection Act requires controllers to respond to consumer requests to exercise their privacy rights within 45 days, making it imperative to develop streamlined procedures for responding to such requests.

Virginia Consumer Data Protection Act: Privacy Policy requirements

Similar to other privacy laws, VCDPA requires businesses to have an accessible, clear, and meaningful Privacy Policy that includes the following disclosures:

  • The categories of personal data processed;
  • The purposes of processing the personal data;
  • How consumers can exercise their privacy rights, including how a consumer can appeal your decision regarding their request;
  • The categories of personal data that you share with third parties, if any;
  • Whether you sell personal data or process personal data for targeted advertising, as well as how the consumer can opt out of such processing; and
  • One or more secure and reliable means for consumers to submit a request to exercise their privacy rights.

As you can see from the above list, this law requires updates to the Privacy Policies of many businesses.

Enforcement

The Virginia Consumer Data Protection Act is enforced by Virginia’s Attorney General. Upon the finding of a violation (e.g. not having a Privacy Policy), a company would have 30 days to cure the violation. Failure to cure would allow the Attorney General to issue fines of up to $7,500 per violation. In this case, “per violation” would mean per website visitor from Virginia whose privacy rights were infringed upon, meaning that fines could quickly add up to large sums.

If you are already a Termageddon customer, we will make updates to your Privacy Policy if such updates are needed prior to January 1st, 2023, which is the law’s effective date. If you are not already a Termageddon customer, check out our Privacy Policy generator to create a Privacy Policy that will update before this law goes into effect.



Why a static Privacy Policy is not a good idea

Let’s face it, as a species, we do not deal well with change. We all have a favorite restaurant, a favorite meal, and a favorite pair of jeans that we would probably enjoy forever if we could. Also, there’s a certain satisfaction in completing an arduous task such as creating your Privacy Policy that instills a hope that you will never have to look at it again – we have all certainly been there.

A static Privacy Policy is one that stays the same and does not change over time. While this approach is certainly appealing, having a static Privacy Policy is simply not a good idea. Privacy is a field of constantly changing and evolving requirements, meaning that your static Privacy Policy can quickly become obsolete and non-compliant. This can put you at risk of privacy-related fines and lawsuits, costing you a significant amount of money and headaches. In this article, we will explore these changing requirements so that you can see why a static Privacy Policy is not a good idea. 

The new era of privacy

If you’ve had a website for many years, you may still have a Privacy Policy that you got from some free template online or that you copied from your competitor five or so years ago. And the magic of that Privacy Policy was that you never had to look at it again. Why? Because no one really cared about your privacy practices or your Privacy Policy. If a static Privacy Policy was fine five years ago, what has changed to make this no longer the case?

When you really get down to it, we have to thank Facebook and Cambridge Analytica for the change in consumer attitudes towards privacy, from lackadaisical to concerned and willing to do something about it. In 2018, multiple journalists reported on what we now know as the “Cambridge Analytica scandal”, an incident where millions of Facebook users’ Personally Identifiable Information (PII) was harvested without consent. That PII was then used for political advertising. The scandal opened up the eyes of consumers to the dangers of providing their PII to companies online and showed them just how easy it is to lose their privacy. In fact, the scandal was so upsetting to consumers that they started to pressure their state legislatures to propose and pass privacy laws that would prevent the loss of privacy online. 

The following study results clearly illustrate changing consumer attitudes towards privacy: 

  • 84% of respondents said that they are open to new state privacy laws; 
  • 91% of respondents said that the right to delete PII and know how their PII is used should extend to all US citizens; 
  • 52% of Americans will not use products or services that they believe have privacy issues; and 
  • 93% of Americans would switch to a company that prioritizes privacy. 

It is important to note that even though the Cambridge Analytica scandal concerned two large companies with access to the PII of millions of people, consumers have not identified privacy as an issue that only large companies need to deal with. As a result, small businesses have been swept up in this regulatory storm as well. 

Current privacy laws and who they apply to

Currently, there are multiple privacy laws in place that concern websites that collect PII from consumers. If you are unsure as to whether your website collects PII, take a look at your forms. Do you have a contact form or a newsletter sign up form that collects names, emails, or phone numbers? Have you installed analytics that collect IP addresses? If you’ve answered “yes,” then your website collects PII and multiple privacy laws may apply to you. The privacy laws that are currently in place include: 

  • The General Data Protection Regulation (GDPR), which protects the privacy of residents of the European Union and will apply to you if you are offering goods or services to such residents or if you are tracking their behavior online through cookies, pixels, and analytics services; 
  • The California Online Privacy and Protection Act (CalOPPA), which applies to any website that collects the PII of California consumers; 
  • The California Consumer Privacy Act (CCPA), which is a new privacy law that protects the privacy of residents of California; 
  • The Delaware Online Privacy and Protection Act (DOPPA), which applies to any website that collects the PII of Delaware consumers; 
  • Nevada Revised Statutes Chapter 603A, which applies to websites that collect the PII of Nevada residents and that have sufficient connections to the state. Basically, you’ll need to comply with this law if you have customers in Nevada or if you are located in Nevada; and 
  • The Personal Information Protection and Electronic Documents Act (PIPEDA), which protects the privacy of residents of Canada and will apply to websites that collect the PII of Canadian residents in the course of commercial activity;
  • Australia Privacy Act of 1988, which applies to Australian organizations with annual turnover of more than AUD $3,000,000 and to organizations outside of Australia that have an Australian link. It also applies to the following Australian organizations even if they have turnover of less than AUD $3,000,000 per year:
    • Private sector healthcare providers;
    • Businesses that sell or purchase PII;
    • Credit reporting bodies;
    • Contracted service providers for Australian government contracts;
    • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
    • Businesses that have opted in to comply with the law;
    • Businesses that are related to a business covered by the law; and
    • Businesses prescribed by the Privacy Regulation 2013.
  • Colorado Privacy Act (goes into effect on July 1, 2023), which applies to controllers of personal data that:
    • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
      • Control or process the personal data of 100,000 or more Colorado consumers during the calendar year; or
      • Derive revenue or receive a discount from the sale of personal data and collect or process the personal data of 25,000 or more Colorado consumers.
  • Virginia Consumer Data Protection Act (VCDPA) (goes into effect on January 1, 2023), which applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
    • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
    • Control or process the personal data of at least 25,000 consumers, and derive 50% of gross revenue from the sale of personal data.

For those breathing a sigh of relief because they are not located in these states or countries, not so fast! Privacy laws protect consumers and not businesses. Anyone from anywhere could be submitting their PII to your website meaning that you may be required to comply with multiple privacy laws, even if you are not physically located in that state or country. When it comes to the application of privacy laws, the factors that matter are: 

  • Whose PII you are collecting; 
  • Where you do business; 
  • Where your customers are located; and 
  • Who you track online through cookies, pixels, and analytics services. 

So what does this have to do with your static Privacy Policy? If we assume that you last updated your Privacy Policy five years ago, it is not compliant with GDPR, CCPA, or Nevada Revised Statutes Chapter 603A, because these laws have been passed or amended in the last five years. Since all of these laws require changes and additional disclosures to be made in your Privacy Policy, your static Privacy Policy is obsolete and could open you up to fines and lawsuits stemming from violations of these privacy laws. 

Your static Privacy Policy is not ready for what’s coming next

Let’s assume that your Privacy Policy was drafted yesterday and that it complies with all of the current privacy laws that apply to you. It’s perfect and compliant, and you cannot wait to never look at it again. Apologies for crushing your dreams, but because the likelihood of a federal privacy law in the US is slim, and because of consumer pressure, there are now over 20 proposed privacy bills in the United States. While all of these bills are different, they do share some similarities: 

  1. All of the proposed bills would apply to businesses outside of the states in which they are passed; 
  2. All of the proposed bills would require websites to have a Privacy Policy that makes very specific disclosures, requiring updates to Privacy Policies; 
  3. While some of these bills include an exemption for small businesses, most still require small businesses to comply; 
  4. All of the proposed bills would include new privacy rights for consumers. 

And here is the real issue that makes having a static Privacy Policy a bad idea – the Privacy Policy will not update when new privacy laws are passed. First, this means that you will have to keep track of privacy bills yourself. Since privacy laws can apply regardless of where your business is actually located, you will need to keep track of privacy bill proposals in all states and even in other countries. Second, once a privacy law is passed, you will need to read it, interpret it, and adjust your Privacy Policy accordingly. Lastly, you will also need to update your Privacy Policy when new regulations are issued, when cases clarify compliance requirements, and when authorities issue new compliance guidelines. If you’re worried about your time, you should know that the regulations for the California Consumer Privacy Act have already been modified four times. That’s a lot of changes for a law that’s been enforceable since July 1st, 2020!

Having an up to date Privacy Policy is important because privacy laws impose heavy penalties for non-compliance. Collecting PII without a Privacy Policy can lead to fines from $2,500 per violation to €20,000,000 or more in total. In this case, “per violation” means per website visitor whose privacy rights you infringed upon. These fines can easily add up to a large amount, even if you have only a few hundred website visitors per month. In addition, some of the proposed privacy laws, if passed, would allow consumers to sue businesses directly for violations, greatly increasing the risk of costly litigation. 

By failing to update when new privacy laws are passed and when existing privacy laws are amended, your static Privacy Policy puts you in great jeopardy of privacy-related fines and lawsuits. While it may be convenient to file your Privacy Policy away in a dusty corner of your website, this approach simply does not work anymore. When choosing the right policy provider for your business, make sure that you use Termageddon’s Privacy Policy generator, which not only allows you to create a policy that has the required disclosures that you need today but also updates your Privacy Policy when things change, which they will. 

The post Why a static Privacy Policy is not a good idea appeared first on Termageddon.


Is your WordPress Privacy Policy compliant?

Whether you are building a website for yourself or for a client, you have probably run into WordPress. WordPress is a free and open source content management solution that can be used to build websites with a wide variety of features, from a simple blog to a complex online store and everything in between. WordPress has long been one of the favorites of website builders, not only due to its ease of use and adaptability to your needs, but also for its large and supportive community. This community regularly meets at WordCamps to share knowledge, make new friends, and volunteer to work on the WordPress project.

One relatively new feature of WordPress is the ability to create a Privacy Policy using WordPress’ Privacy Policy template. WordPress’ team of volunteers that has created this template is full of wonderful and knowledgeable individuals. The template is meant to raise awareness of the requirement for websites to have a Privacy Policy and it does a phenomenal job at raising such awareness. However, how does the template stack up to actual privacy law requirements? Keep reading to learn more about WordPress’ Privacy Policy solution, whether it actually complies with privacy laws that can apply to you, and whether using it can subject you to privacy-related fines and lawsuits. 

To access the WordPress Privacy Policy template, log in to your admin dashboard, click “settings”, select “privacy”, and click “create new page.” The first and perhaps most important issue with the template is that it does not help you determine what privacy laws apply to you, nor does the template state what privacy laws it helps you to comply with. There are several privacy laws in the United States and the rest of the world that may require your website to have a Privacy Policy. Each of these privacy laws has very specific requirements as to what a Privacy Policy needs to contain. As with any compliance effort, the first step is to determine what laws actually apply, and then a Privacy Policy is created to ensure that the disclosure requirements of these laws are met. 

As WordPress’ Privacy Policy template does not help you determine what privacy laws apply to you, nor what privacy laws the template attempts to comply with, it is up to you to determine: 

It is important to note that just these first two tasks could potentially take up hours of your time if you are attempting to complete them without help. 

Since the template does not state what privacy laws it helps you comply with, the following chart analyzes WordPress’ Privacy Policy template against the requirements of the following privacy laws: 

Disclosure requirement | Required by which law(s)? | Does WordPress’ Privacy Policy template include this disclosure?
Effective date | CalOPPA, DOPPA, and Nevada Revised Statutes Chapter 603A | No
Your name and contact information | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, PIPEDA, and Australia Privacy Act of 1988 | No, although the WordPress Privacy Policy Guide recommends that you include this information
What Personally Identifiable Information you collect (note that some privacy laws require you to disclose the categories of PII that you collect, while others require the specific pieces of PII that you collect) | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | Yes
Sources from which you collect PII | CCPA, PIPEDA, and Australia Privacy Act of 1988 | No
Purposes for which you will be using the PII | CCPA, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | No
Whether you share PII and, if you do, the categories of third parties with whom you share the PII | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | No, although the WordPress Privacy Policy Guide recommends that you include this information
How your website responds to Do Not Track signals | CalOPPA and DOPPA | No
How you will notify users of changes to your Privacy Policy | CalOPPA, DOPPA, and Nevada Revised Statutes Chapter 603A | No
Whether you sell PII and, if you do, what rights consumers have regarding such sales | Nevada Revised Statutes Chapter 603A and CCPA | No
The privacy rights afforded to consumers | CCPA, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | Yes, but the suggested text does not include the full list of privacy rights afforded by each of these laws
How consumers can exercise their privacy rights | CCPA, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | No, although the WordPress Privacy Policy Guide recommends that you include this information
How consumers can make a complaint to the relevant authorities about your privacy practices | GDPR, UK DPA 2018, and PIPEDA | No
Legal bases for processing PII | GDPR and UK DPA 2018 | No, although the WordPress Privacy Policy Guide recommends that you include this information
How long you store PII | GDPR, UK DPA 2018, and Australia Privacy Act of 1988 | Yes, but the template states that certain PII is retained indefinitely, which can violate GDPR’s storage limitation requirements
Whether you plan on using PII for direct marketing purposes and, if you do, how consumers can opt out of such direct marketing | GDPR, UK DPA 2018, and Australia Privacy Act of 1988 | No
Whether you plan on using PII for automated decision making and profiling and, if you do, the logic underlying such processing | GDPR and UK DPA 2018 | No, although the WordPress Privacy Policy Guide recommends that you include this information
Whether you plan on transferring PII to a third country | GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | No, although the WordPress Privacy Policy Guide recommends that you include this information
If you have a Data Protection Officer, their name and contact details | GDPR and UK DPA 2018 | No, although the WordPress Privacy Policy Guide recommends that you include this information
How you protect the PII that you collect | PIPEDA and Australia Privacy Act of 1988 | No, although the WordPress Privacy Policy Guide recommends that you include this information
Your other policies, procedures, standards and codes | PIPEDA | No
Your use of cookies and other tracking technologies | CalOPPA, CCPA, DOPPA, Nevada Revised Statutes Chapter 603A, GDPR, UK DPA 2018, PIPEDA, and Australia Privacy Act of 1988 | Yes
Whether you are required to collect the PII by an Australian law, court or tribunal order | Australia Privacy Act of 1988 | No
Whether you subscribe to any Australian Privacy Codes and, if so, which ones | Australia Privacy Act of 1988 | No
Whether you participate in any Australian external privacy dispute resolution scheme and, if so, which one | Australia Privacy Act of 1988 | No
Whether you combine or link other PII that you hold about an individual | Australia Privacy Act of 1988 | No

As you can see from the chart above, WordPress’ Privacy Policy template does not include all of the disclosures required by any one of these privacy laws. Thus, if you need to comply with one or more privacy laws and use this template as-is, you would not be in compliance and would be at risk of privacy-related fines and complaints. The following can serve as illustrative examples of why this Privacy Policy template should not be used: 

  • The template states that you will export any PII that the user has provided to you and delete any PII upon request. If you do not need to comply with certain privacy laws, you would not be obligated to erase or give access to PII, which is a fairly big obligation. Fulfilling this obligation would require you to do an overhaul of your operations, including training staff, figuring out how to actually delete PII, and responding to requests. On the other hand, if you do need to comply with a privacy law that provides consumers with privacy rights, your Privacy Policy needs to list all of the privacy rights that consumers have. This Privacy Policy template fails to provide that full list. 
  • While the template starts off by providing suggested text, multiple paragraphs toward the end consist of nothing more than a title. While a guide is provided, you are responsible for filling out most, if not all of this Privacy Policy template yourself. This endeavor could literally take you days. And, at the end of the process, you could still end up with a Privacy Policy that does not contain all of the required disclosures. 
  • The suggested text includes language that is in direct violation of certain privacy laws. For example, the suggested text states that certain PII is retained indefinitely. This conflicts with the GDPR, which requires you to state either the period for which the PII will be stored (e.g. 1 year) or the criteria used to determine that period (e.g. we retain your PII until you unsubscribe from our emails). 

Finally, the WordPress Privacy Policy template states that you are responsible for keeping it up to date with changing and new privacy laws. The template will not update, nor will you receive a notice when new privacy laws are enacted that require changes to that Privacy Policy. With over twenty privacy bills that have been proposed in the United States, keeping track of these bills and updating your Privacy Policy yourself will be a very time consuming task. Most small businesses simply do not have the time, nor the resources to keep their Privacy Policy up to date themselves. 

WordPress’ Privacy Policy solution is unfortunately lacking in the key areas necessary to comply with the various privacy laws that can apply to your small business website. Using the template means that you are putting yourself at risk of privacy-related fines and lawsuits. And, at $2,500 per violation (per website visitor) or more, the amount of fines that you could be subject to further emphasizes the fact that a free Privacy Policy template created by a team of volunteers is not appropriate for business websites. This template will consume much of your time and resources in setting it up and keeping it up to date, making it a non-viable bandaid to your problem of complying with privacy laws now and in the future. If you are serious about privacy compliance, speak with a privacy attorney or consider using a Privacy Policy generator.



Privacy Policies for law firms

Law firms and lawyers are no strangers to compliance requirements – you watch your CLE’s, make sure that you renew your license registration, and advise your clients on legal entities, contracts, and business licenses. However, an important compliance requirement that often falls through the cracks is the law firm Privacy Policy. Most law firm websites collect Personally Identifiable Information (PII) such as names, emails, and phone numbers through contact forms, where potential clients can contact you and inquire about your services. If you have a contact form on your website or if your website uses an analytics tool such as Google Analytics, you may be legally required to have a law firm Privacy Policy.

There are several privacy laws that protect the PII of consumers, provide those consumers with privacy rights, and require certain websites to have a Privacy Policy that makes very specific disclosures. Privacy laws are relatively unique in that they protect consumers and not businesses. Due to the fact that anyone from anywhere could contact you through your website, you may be required to comply with the privacy laws of multiple states or even countries, even if you do not physically reside there. Note in particular that organizations formed outside of Australia may need to comply with the Australia Privacy Act 1988 (listed below), regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia; whether an entity carries on business in Australia is assessed on a number of factors. The privacy laws that may require you to have a law firm Privacy Policy are as follows:

  • California Online Privacy and Protection Act of 2003 (CalOPPA), which applies to any commercial website that collects the PII of residents of California;
  • California Consumer Privacy Act (CCPA), which applies to for-profit entities that do business in California, collect the PII of California residents, and meet one or more of the following criteria:
    • Has annual gross revenues of $25,000,000 or more;
    • Buys, receives, sells, or shares the PII of at least 50,000 California consumers, households, or devices; or
    • Derives at least 50% of its annual revenue from selling the PII of California consumers.
  • Nevada Revised Statutes Chapter 603A, which applies to operators of commercial websites that collect the PII of Nevada residents and that enter into transactions with residents of Nevada or otherwise have sufficient connections with the state;
  • Delaware Online Privacy and Protection Act (DOPPA), which applies to any commercial website that collects the PII of residents of Delaware;
  • General Data Protection Regulation (GDPR), which applies to you if you:
    • Are located in the European Union;
    • Offer goods or services to European Union residents, regardless of your location; or
    • Monitor the behavior of European Union residents, regardless of your location. This clause can make GDPR applicable to you if you have an analytics tool such as Google Analytics installed on your law firm’s website, because analytics tools track the behavior of everyone who visits your website.
  • Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. This law can also apply to you even if you are not located in Canada, as long as you are collecting the PII of Canadians;
  • The Australia Privacy Act 1988 applies to organizations outside of Australia that have an Australian link and to Australian organizations with annual turnover of more than AUD $3,000,000. It also applies to the following Australian organizations even if they have turnover that is less than AUD $3,000,000 per year: 
    • Private sector healthcare providers; 
    • Businesses that sell or purchase personal information; 
    • Credit reporting bodies; 
    • Contracted service providers for Australian government contracts; 
    • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009; 
    • Businesses that have opted in to comply with the law; 
    • Businesses that are related to a business covered by the law; and 
    • Businesses prescribed by the Privacy Regulation 2013. 
  • Colorado Privacy Act (goes into effect on July 1, 2023), which applies to controllers of personal data that:
    • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
      • Control or process the personal data of 100,000 or more Colorado consumers during the calendar year; or
      • Derive revenue or receive a discount from the sale of personal data and collect or process the personal data of 25,000 or more Colorado consumers.
  • Virginia Consumer Data Protection Act (VCDPA) (goes into effect on January 1, 2023), which applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
    • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
    • Control or process the personal data of at least 25,000 consumers, and derive 50% of gross revenue from the sale of personal data.

If they apply to you, all of the privacy laws enumerated above will require your website to have a law firm Privacy Policy. Your Privacy Policy will need to state what PII you collect, what you do with that PII, who you share it with, and many more obscure disclosures required by these laws. Seasoned attorneys will remember the days when a law firm Privacy Policy was quickly drafted and forgotten, with no regular review, nor updates needed. Unfortunately, this practice is no longer a viable option as states are proposing and passing new privacy bills on a regular basis.

In fact, there are currently over twenty privacy bills that have been proposed. All of these bills would apply outside of the states in which they are passed, require firms and lawyers to have a law firm Privacy Policy, and impose heavy fines for non-compliance. In addition, some privacy bills, if passed, would allow consumers to sue businesses directly for not having a compliant Privacy Policy, increasing the risk of litigation. It is important to note that failure to comply with current privacy laws can lead to high penalties, ranging from $2,500 per violation to €20,000,000 or more in total. In this case, per violation means per website visitor whose privacy rights you infringed upon. It is easy to see how these fines could add up to an astronomical amount, even if you only have a few hundred website visitors per month. Therefore, you don’t just need a law firm Privacy Policy that complies with current privacy laws, but a strategy for keeping that policy up to date. Use Termageddon’s Privacy Policy generator to determine what privacy laws apply to you, include all of the required disclosures in your law firm Privacy Policy, and keep that policy up to date with changing laws, rules, and regulations.



Cybersecurity through balanced information security policies

Simply defined, personally identifiable information (PII) is any information that can be used to identify a particular person. Examples include an individual’s full name, Social Security number, driver’s license or ID number, passport number, bank account numbers, e-mail addresses, IP addresses, and geolocation information. In 2008, Illinois led the way and became the first state in the U.S. to regulate the processing of biometric information, acknowledging the risks associated with the widespread application of biometric identifiers in business settings, e.g. to facilitate financial transactions, manage employee attendance records, or administer employee access to physical facilities or an organization’s digital assets. Data aggregators should be aware that processing of PII comes with government regulations aimed at protecting such PII from reasonably anticipated threats and unnecessary disclosures. If your business collects, retains, generates, uses, transforms, shares, or disposes of PII at any point in its operations, you should consider developing comprehensive information security management policies as part of your business plan and risk management strategy.

The Federal Trade Commission (the “FTC” or “Agency”) is the major cybersecurity federal enforcer in the United States. As of today, the FTC has not issued a single, separate, legally binding, comprehensive federal regulation that would serve as a clear prevailing guideline for information security in the U.S. Businesses should instead turn to the complaints, final decisions, and consent decrees filed in the FTC’s past information security enforcement actions for guidance on what the Agency considers inadequate information security protection, and adjust their practices accordingly if necessary.

An increasing number of data processors rely on recognized information security standards published by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the Center for Internet Security (CIS) as guidelines for developing information security management programs to address administrative, technological, and physical PII security safeguards. Here, I will cover some of the general guidelines and recommendations of various U.S. federal and state government agencies, such as the Federal Trade Commission (FTC), the Health and Human Services Department (HHS), the New York Department of Financial Services (NY DFS), and the Massachusetts Department of Consumer Affairs (MA DCA) for creating comprehensive data security policies to protect PII from cybersecurity incidents. The FTC’s findings from its enforcement actions, combined with regulations passed by the states, are the main sources of the regulatory framework when it comes to securing PII in the U.S.

1. Industry-wide Standard Security Measures. A number of enforcement actions based on inadequate information security measures brought by the FTC in the last two decades were due to the failure of businesses to implement readily available, industry-standard security controls. Processors of PII should consider employing widely used information security practices such as encryption of stored data, multifactor authentication for access, strong passwords, firewalls, a VPN (Virtual Private Network) for remote access, and TLS (Transport Layer Security, the successor to the now-deprecated SSL, Secure Sockets Layer) to protect data in transit. If your business commits in its Privacy and/or Information Security Policy to take reasonable steps to secure its clients’ PII, government regulators expect that the business will abide by those commitments and invest sufficient resources to implement reasonable information security measures.

2. Access Controls. The FTC recommends managing access to PII sensibly. Not all employees should have equal access rights to the information a business collects. A manager in a human resources department may have a permissible purpose to access other employees’ PII, such as Social Security number or date of birth. However, granting such access to an intern in the public relations department would not appear to be necessary or justifiable. Businesses must conduct comprehensive assessments to determine individuals who have a permissible “need to know.” Based on such assessments, organizations should be prepared to:

i) Develop clearance procedures to determine who must be granted access to what information.

ii) Implement access control policies effectively, for example a two-person rule (a “Rule of Two”) for access to the most sensitive PII, so that no single employee can retrieve it alone.

iii) Set up internal procedures for sanctioning non-compliant employees.

Identifying and effectively controlling who can justifiably access specific PII assets minimizes the risk that PII ends up in the wrong hands and is used for unauthorized purposes.

3. Segment Your Network. Not all information collected from data subjects, namely your customers and clients, is PII, and not all of it requires the same security measures. Knowing your information inventory and classifying information according to its sensitivity helps you prioritize the resources used to safeguard it. The specific information security requirements imposed by the government typically depend on the type of information a business processes, and data breach notification requirements often depend on the specific type of data that was accessed without authorization. It is recommended to keep more sensitive PII separate from other information, on segmented systems or networks, and to implement more stringent security measures to protect it.
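The need-to-know assessment, the clearance table, the “Rule of Two” and the sanctions log from the Access Controls item above, together with the sensitivity classification from the Segment Your Network item, can be expressed as a small policy engine. The Python below is an added example written for this page, not code from the FTC, NIST or any product; the roles (hr_manager, payroll_clerk, pr_intern), PII categories, purposes and record values are constructed for illustration.

```python
"""Need-to-know access control for PII with a two-person rule (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Sensitivity(IntEnum):
    """Classification level of a PII element (the 'Segment Your Network' step)."""
    PUBLIC = 0      # e.g. business address printed on the website
    INTERNAL = 1    # e.g. employee work email
    SENSITIVE = 2   # e.g. Social Security number, date of birth, bank account


@dataclass(frozen=True)
class PiiRecord:
    subject: str            # whose PII this is
    category: str           # e.g. "ssn", "work_email"
    sensitivity: Sensitivity
    value: str


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class PiiAccessPolicy:
    # Clearance table (step i): role -> category -> permitted purposes.
    # Anything not listed is denied by default (least privilege).
    clearances: Dict[str, Dict[str, Set[str]]]
    # Every decision is recorded so the sanctions procedure (step iii) can
    # review who tried to reach what, and why it was refused.
    audit_log: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def has_need_to_know(self, role: str, category: str, purpose: str) -> bool:
        return purpose in self.clearances.get(role, {}).get(category, set())

    def check_access(self, actor: str, role: str, purpose: str, record: PiiRecord,
                     approver: Optional[Tuple[str, str]] = None) -> AccessDecision:
        """Decide whether `actor` (holding `role`) may read `record` for `purpose`.

        SENSITIVE records additionally need rule-of-two approval (step ii): a
        second, different person (`approver` = (name, role)) who independently
        holds a need to know for the same category and purpose.
        """
        if not self.has_need_to_know(role, record.category, purpose):
            return self._log(actor, record, False,
                             f"role '{role}' has no need to know '{record.category}' for '{purpose}'")
        if record.sensitivity >= Sensitivity.SENSITIVE:
            if approver is None:
                return self._log(actor, record, False,
                                 "sensitive PII requires a second approver (rule of two)")
            approver_name, approver_role = approver
            if approver_name == actor:
                return self._log(actor, record, False,
                                 "approver must be a different person than the requester")
            if not self.has_need_to_know(approver_role, record.category, purpose):
                return self._log(actor, record, False,
                                 f"approver role '{approver_role}' lacks clearance for '{record.category}'")
        return self._log(actor, record, True, "need to know established")

    def _log(self, actor: str, record: PiiRecord, allowed: bool, reason: str) -> AccessDecision:
        self.audit_log.append((actor, record.category, record.subject, allowed, reason))
        return AccessDecision(allowed, reason)

    def denied_attempts(self) -> List[Tuple[str, str, str, bool, str]]:
        """Audit entries the sanctions process should review."""
        return [entry for entry in self.audit_log if not entry[3]]


# Constructed sample clearance table: an HR manager may see SSNs for payroll and
# benefits work, a payroll clerk only for payroll, and a PR intern only work
# email addresses for the staff directory (the article's intern example).
SAMPLE_CLEARANCES = {
    "hr_manager":    {"ssn": {"payroll", "benefits"}, "dob": {"benefits"}, "work_email": {"directory"}},
    "payroll_clerk": {"ssn": {"payroll"}},
    "pr_intern":     {"work_email": {"directory"}},
}

# Constructed sample records; the values are placeholders, not real data.
SAMPLE_RECORDS = {
    "ssn":        PiiRecord("alice", "ssn", Sensitivity.SENSITIVE, "000-00-0000"),
    "work_email": PiiRecord("alice", "work_email", Sensitivity.INTERNAL, "alice@example.com"),
}


def run_scenarios() -> Tuple[PiiAccessPolicy, Dict[str, AccessDecision]]:
    """Exercise the policy against a few realistic requests and return the decisions."""
    policy = PiiAccessPolicy(SAMPLE_CLEARANCES)
    ssn, email = SAMPLE_RECORDS["ssn"], SAMPLE_RECORDS["work_email"]
    decisions = {
        "hr_with_clerk_approval":  policy.check_access("bob", "hr_manager", "payroll", ssn, ("carol", "payroll_clerk")),
        "hr_alone":                policy.check_access("bob", "hr_manager", "payroll", ssn),
        "hr_self_approval":        policy.check_access("bob", "hr_manager", "payroll", ssn, ("bob", "hr_manager")),
        "hr_with_intern_approval": policy.check_access("bob", "hr_manager", "payroll", ssn, ("dave", "pr_intern")),
        "intern_ssn":              policy.check_access("dave", "pr_intern", "directory", ssn),
        "intern_email":            policy.check_access("dave", "pr_intern", "directory", email),
    }
    return policy, decisions


if __name__ == "__main__":
    policy, decisions = run_scenarios()
    for name, decision in decisions.items():
        print(f"{name:26s} {('ALLOW' if decision.allowed else 'DENY'):5s} {decision.reason}")
    print(f"\n{len(policy.denied_attempts())} denied attempts logged for review")
```

Anything absent from the clearance table is denied, so the default is least privilege, and only the SENSITIVE class triggers the two-person check, which is what classification buys you: the extra friction lands on the few records that warrant it. In a real deployment the clearance table would be fed from the HR system of record and the approver’s consent would be a separately authenticated action, not an argument supplied by the requester.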

4. Designate an Information Security Officer. Information processing comes with accountability. Businesses must have at least one individual within the organization’s management structure who is responsible for creating, implementing, and keeping security policies up to date. In some states, cybersecurity regulations impose a requirement to appoint a Chief Information Security Officer (CISO). New York State Department of Financial Services Regulations passed in 2017 require covered financial institutions to have a CISO who is responsible for “compliance with the cybersecurity regulations and who must submit a written report to the Board of Directors, at least annually, that documents the company’s cybersecurity program and risks.” (N.Y. Comp. Codes R. & Regs. Tit. 23, Section 500.04).

5. Information Security Awareness Training. Once information security policies are developed, businesses should communicate them internally to the entire workforce and then conduct information security awareness training sessions. Periodic employee training might cover lessons learned from previous information security incidents, updates on the regulatory framework, and any developments with internal information security policies. All such training sessions should be tailored to the employees’ job responsibilities. Other potential topics covered in the sessions may include general information security reminders, summaries of the sensitive data inventory held by the business and a recap of specific baseline security measures employed to protect it, information about log-in monitoring, password management, emerging issues, and bring your own device (BYOD) policies.

6. Require Contractual Assurances from Third Parties. If your business uses third-party subcontractors, vendors, or service providers, and such providers could have access to the PII of clients and customers in the process, you should require information security clauses in the contracts with such third parties. Typically, the primary PII collector is ultimately responsible if the information is used improperly. Requiring third parties to contractually ensure that they employ minimum information security standards should become one of the conditions of doing business with you.

7. Preparedness for Information Security Incidents. Developing a proper data breach response plan should be an integral part of your information security policy. Once an information security incident is discovered and confirmed, an investigation to determine the scope and impact of the breach must be conducted and documented. The recovery plan and damage control measures should be implemented. In some data breach cases, affected data subjects and government agencies must be notified. Early preparation to adequately document post-incident efforts in compliance with government regulations is recommended.

8. Address Vulnerabilities Without Delay. Government regulators do not expect recommendations for information security measures and testing for known vulnerabilities to apply to all businesses uniformly. Businesses with more financial and human resources will be able to do more. Information security programs should be tailored to the size, scope, and type of business, the amount of data that is collected and stored, and the level of sensitivity of the PII. Business enterprises with large repositories of sensitive information should be prepared to allocate more resources to protect their PII assets. One of the lessons learned from past FTC enforcement actions over inadequate information security is that, following a data breach, businesses must adjust their information security programs and address identified vulnerabilities without unreasonable delay. Failure to address such vulnerabilities promptly may attract unwanted attention from government regulators.

9. Collect Only What You Need. The collection limitation principle is part of the Fair Information Practice Principles (FIPPs), which are considered the North Star of data protection practices. Businesses are encouraged to limit the collection of PII to information that they need for some defined and justified purpose. There should be no intentional or accidental collection of PII without a clear purpose. Businesses are safekeepers of the PII they collect. The less data that is collected, the less effort and the fewer resources are needed to protect it.

10. Dispose of Unnecessary PII. Once a business has used information for its intended purpose, it should put protocols in place to securely dispose of such information without delay. Storing sensitive data for no valid purpose exposes business entities to unnecessary risk. In the event of a data breach, storing less PII means that businesses will have to spend fewer resources to comply with data breach notification requirements. Some U.S. states have statutes that impose minimum information disposal requirements. It would not be considered reasonable to dispose of sensitive PII in a way that allows such information to be later recovered by a third party and potentially used for an unauthorized purpose. If a third-party vendor is used to dispose of PII, such vendor shall contractually commit that it complies with minimum state requirements for PII disposal.

11. Develop Reasonable Physical Safeguards to Protect your PII. Information protection starts with securing access to the physical facilities where PII is stored. The following recommendations are mandated for PII processed within the healthcare sector but may be applied to any business with facilities storing PII:

i) Limit physical access to facilities.

ii) Establish contingency operations and plans for restoration of lost data.

iii) Develop procedures and policies to physically safeguard equipment and to prevent or limit physical access to the facilities.

iv) Document repairs and modifications to doors, locks and other physical access components that lead to the physical location where data is stored.

v) Develop physical safeguards to restrict access to authorized users.

vi) Develop procedures to restrict physical removal and transit of devices that store PII.

(45 C.F.R. Section 164.310)

12. Periodic Evaluations. Government regulations change, software companies issue security updates, lessons are learned from PII security incidents, and new and more effective information security standards are developed and made available by the information security industry. Therefore, regular evaluations of policies are necessary to identify new vulnerabilities that pose threats to PII assets. The risk of an incident may not be completely avoidable. However, staying up to date may significantly minimize exposure to such risk.

A rising number of data breaches and the increasing sophistication of criminal elements online have become a major concern to businesses struggling to keep up with mounting information security regulations and advances in the information security industry. Investing adequate time, financial and human resources in developing and implementing balanced information security policies may significantly minimize the likelihood of reasonably foreseeable information security incidents. In addition to costly post-breach compliance requirements, failure to act in a timely way exposes businesses to reputational risk as well. Data subjects are increasingly wary of the risks associated with sharing their PII with businesses. Not completing the necessary risk assessments and implementing the recommendations discussed above may also expose businesses to expensive and time-consuming enforcement actions from government authorities charged with policing data security violations and protecting PII. Being ahead of your competition when it comes to the protection of PII may give your business a competitive edge. Inaction when it comes to reasonably protecting PII is not an option.

The post Cybersecurity through balanced information security policies appeared first on Termageddon.


CCPA toll-free phone number requirement

The California Consumer Privacy Act (CCPA) provides consumers with the opportunity to make a number of requests to businesses that collect personally identifiable information (“PII”). Specifically, consumers may request that the business disclose what PII has been collected, disclose what PII has been sold, and delete the consumer’s collected PII.

In order to process these CCPA requests, the law requires that businesses make “reasonably accessible” processes available to consumers. The CCPA specifies that two or more methods for submitting requests must be available for consumers to use. One of these methods must, at a minimum, include a toll-free telephone number. This article will provide an overview of the requirements pertaining to this toll-free phone number. Becoming familiar with these requirements will be critical in preparing your business to efficiently respond to CCPA consumer requests in a compliant manner. 

This article will discuss the following three topics: 

  • An overview of the CCPA’s toll-free number requirements 
  • Additional guidance from the California Attorney General 
  • Preparing to comply with the toll-free number requirements 

An overview of the CCPA’s toll-free number requirement

First, businesses are only required to furnish a toll-free number if they are a covered entity under the CCPA. Provided that the business is a covered entity under the law, the CCPA generally requires the business to provide consumers with the ability to make a variety of requests pertaining to their PII. 

In response to consumers’ requests for disclosures related to the PII collected, used, and sold by the business (requests to “know”) and requests to delete collected PII, businesses must make available to consumers two or more designated methods for submitting the requests. At a minimum, one of these methods must include a toll-free number and, if the business has a website, a website address. Other acceptable methods, in addition to a toll-free number, include a designated email address, an in-person form, or a form submitted by mail.

Additional guidance from the California Attorney General 

Per the CCPA draft regulations, businesses are not required to provide a toll-free number under certain circumstances. For this exception to apply, the following two requirements must be met: 

  • The business must operate exclusively online 
  • The business must have a direct relationship with the consumer

The regulations do not specify exactly what constitutes operating “exclusively online.” However, one could reasonably conclude that businesses that have no physical locations or storefronts and instead provide products or services via a website most likely qualify under this requirement. Additionally, a “direct relationship” may consist of an interaction such as an online purchase request made directly to the business. Provided that this purchase does not materially involve a service provider, as defined by the CCPA, acting as a sort of “middleman,” it is likely that a “direct relationship” is present under the regulations.

Provided that these two requirements are met, businesses are only required to make an email address available for submitting requests to “know.” This means that disclosure requests pertaining to what PII the business has collected, used, and sold may be made exclusively via email. Businesses that do not meet these requirements must comply with the text of the CCPA and provide two or more designated methods for submitting requests, including a toll-free number at minimum. 

The regulations offer some additional guidelines for businesses to follow when assessing what methods to provide for submitting both right-to-know and deletion requests. Specifically, businesses should consider the methods by which they “primarily interact with consumers.” For example, if a business primarily interacts with consumers in person, then an acceptable approach would be to provide some sort of document containing the business’s toll-free number for exercising consumer rights under the CCPA.

Preparing to comply with the toll-free number requirement

Ultimately, whether your business is required to furnish a toll-free number will depend on a number of factors. If your business is a covered entity under the law, consumers must have the ability to issue a number of requests relating to their PII. If your business operates exclusively online and rarely works with service providers, there is a good chance that your business will not be required to provide a toll-free number. This is predicated on the CCPA regulations being finalized. If the regulations are not finalized, you should prepare to provide a toll-free number to consumers, irrespective of whether your business operates exclusively online or not.

If your business is required to provide a toll-free number, best practices would include implementing a system for logging requests made via the toll-free number, so that your business will be ready to comply when the CCPA enforcement period begins on July 1st, 2020. This logging system could provide a number of benefits, including allowing your business to categorize requests based on the information requested by the consumer and to respond to these requests in a timely manner.

Additionally, businesses should provide clear instructions for making CCPA requests within an online Privacy Policy. These instructions should clearly specify the steps consumers may take to request disclosures, request the deletion of PII, and opt out of the sale of their PII. Termageddon’s Privacy Policy generator helps you create a CCPA-ready Privacy Policy and avoid fines or even lawsuits.

The post CCPA toll-free phone number requirement appeared first on Termageddon.

