Compliance for the average Joe part 1: Data privacy laws

It’s 2020 – we’re all supposed to be seeing clearly, right? Assuming that’s true, it’s time to get serious about data protection and privacy compliance laws.

With the litany of recent data breaches, lawmakers both stateside and internationally have called for companies that handle personal data to be more accountable for managing that data appropriately. But these laws are often so long, detailed and nuanced that only your legal department knows what’s going on.

Well, we made it easy on you with a whole blog series dedicated to better understanding compliance regulations – both domestically and internationally.

TLDR: Get real about your business compliance goals with this handy dandy compliance checklist! Read it, implement it and achieve #compliancegoals

Here’s the skinny on the major rights and rules you need to be aware of: 

1. The right to know. Individuals have the right to know whether their personal information is being sold or disclosed and to whom. Businesses must also disclose what personal information is being collected, either before or at the time of collection (e.g. site cookie notices or written consent for biometric data). This includes everything that could possibly link back to a customer, from the most sensitive items (name, email addresses, biometric data) to the less obvious (browsing history, cookies and IP addresses). In the event of a data breach, a business must inform all individuals whose personal data it has collected within 72 hours of learning of and reporting a breach.

2. The right to access. Upon request, businesses must provide a copy of all collected personal information about an individual, by mail or electronically, free of charge within 30-45 days of receipt. Most data privacy laws agree that consumers have the right to know:

  • Types of personal information collected
  • Where the information came from
  • Why the information was collected
  • The categories of any third parties the business has shared the information with (e.g. advertisers, data brokers, etc.)
  • What specific information has been collected

3. The right to edit. Individuals have the right to correct, revise, limit or remove any of their personal data at any point. This currently applies only to EU and New York audiences.

4. The right to opt out. Individuals can opt out of their personal data being sold or shared with any third parties for a business’s reporting, email marketing or other marketing efforts at any time, and once the request is received, the business must honor it. At a minimum, the law requires that businesses provide the following:

  • A toll-free number that individuals can readily access
  • An opt-out (aka “Do Not Sell My Personal Information”) link in the site footer

5. The right of portability. Individuals have the right to receive and reuse their personal data in a structured, commonly used and machine-readable format (e.g. CSV, XML or JSON) that can easily be transferred.

6. The right to equal service and price, even if they choose to exercise their privacy rights. If a customer takes advantage of their privacy rights (e.g. opts out of the sale of their personal information or requests access to their personal information), businesses cannot discriminate against them for doing so by charging extra, reducing the quality of customer service or refusing to provide a service. Businesses can, however, offer bonuses or financial incentives in exchange for individuals disclosing their personal information.

Long story short, there’s a lot to digest when it comes to ensuring your business complies with all the data protection and privacy laws out there. For that … there’s Koroberi.