Communicators’ Headache: Keep Track of Changing Privacy Regulations

Stephen Payne, VP, Public Affairs & Privacy, Feld Entertainment

When I wrote a column on the nexus between communications and privacy last year, I figured I’d be providing an update. What I did not expect was to be writing it from my basement home office during a global pandemic.

Though the world is a much different place than it was just six months ago, the debate about privacy–what it means and how much it is valued as a commodity–continues. Moreover, the laws and regulations about what can be done with personal data evolve almost daily.

CCPA Was The Beginning, Not The End

Companies around the country, indeed the world, scrambled to develop privacy programs that would be compliant with the California Consumer Privacy Act (CCPA) before the July 1, 2020, enforcement date. The CA attorney general issued draft regulations earlier this year that are fully in effect now. But lacking complete regulations did not stop enforcement action against companies. And remember, this law has teeth in terms of fines and even a private right of action (aka you can be sued) for data breaches.

What does this mean for PR? If you have data from CA residents, you need to know what you have, where you keep it and what you do with it. Under this law, CA consumers can ask you for their data, correct it if it’s wrong and demand that you delete it. Pay particular attention if you sell, share or trade data with a third party. That’s considered a sale under the law and you have to disclose that and offer Californians the option of Do Not Sell.

Some companies have found it easier to allow consumers not in CA to exercise rights under CCPA, finding it’s good for the brand to be a privacy leader. It’s also easier to have privacy by design when working with data instead of trying to bolt on privacy compliance on the back end.

But, as the man on TV says, ‘Wait, there’s more.’

CCPA was only the beginning, not the end, of the privacy debate in California. CCPA-like laws are being proposed in many states. And now in CA, an expansion of privacy rights will be on the ballot in November. The California Privacy Rights Act of 2020 (CPRA) would expand rights under CCPA, create a category of sensitive information, form a state privacy agency for enforcement and bring CA even more in line with the European Union (EU) and GDPR.

Is that good for PR? It depends on whom you ask.

What Do We Do With EU Data Now?

Until July, many of us in communication probably were not familiar with the EU/US data transfer mechanism, Privacy Shield. Well, it’s gone now as a result of a lawsuit brought before the European Union Court of Justice. Companies that the US Department of Commerce certified under the Privacy Shield program could transfer data from the EU to the US.

The Court, however, ruled that the US does not provide adequate protection for EU data (remember Eric Snowden?); EU citizens do not have effective redress if their data is shared with government authorities. As a result, the Privacy Shield was deemed invalid. So, what does that mean for communicators and their global operations? Though the Court ruled Privacy Shield invalid, Washington has told businesses operating under its guidelines they still must comply.

There are, however, other Court-approved ways to move data from the EU...sort of. One way is via Standard Contractual Clauses. These EU-approved agreements explain how data can be moved and protected. The court, however, called these into question because the same concerns about Privacy Shield also apply to them–nothing can stop US intelligence agencies from grabbing data on national security grounds.

Confused yet? You are not alone. Businesses around the world are scrambling to find a solution to this problem with many recognizing that data transfers are in a state of limbo. EU authorities have offered some guidance, but no one knows yet how this will play out. US and EU officials have started work on an agreement to replace Privacy Shield. Without a strong federal privacy law in the US, it remains to be seen how a replacement would pass EU legal muster and not end up in court all over again.

Cookies and Cookie Walls

Does your company’s website use cookies? Most do, but if it is in the EU or offering goods/services to EU citizens, you need to be careful about how you use cookies and what you do when a website visitor declines to allow them.

Remember, under GDPR you cannot deny access or degrade service when someone refuses to allow cookies. You must tell them what the cookies are used for and how long they last. In addition, you must seek their consent and it must be explicit. Regulatory authorities, like the European Protection Board, have offered guidance, but the best advice is to seek consent for cookies, and don’t be surprised when a visitor says no. Do not build a cookie wall because that will get noticed and GDPR fines can be substantial.

There is much happening in the world of privacy that touches on PR. If you don’t have someone monitoring regulations, you should. The penalties under a lot of these laws can be severe and no one wants protracted litigation with the brand damage and costs that go along with it.

But please remember, I am not an attorney. The views in this column are mine and the advice I give is not a replacement for legal counsel. In the words of the late, great Warren Zevon, “Send lawyers, guns and money. The stuff has hit the fan!” Stay safe.
