CCPA regulations. The fourth set of proposed modifications

Following previous modifications in October 2019 and in February and March 2020, the latest updates landed in December 2020, delivered by the California Department of Justice.


Each set of modifications has been produced by taking account of, and acting on, the public comments submitted on the previous set.

This latest, fourth set of modifications is primarily concerned with:

1. The right to opt-out

The proposed modifications to the right to opt-out cover businesses that sell personal information gathered offline.

The new regulation requires such a business to offer an opt-out of the sale through the same channel in which the information was collected.

It gives concrete examples: if the data is gathered during a phone call, the call must include dialogue that makes the consumer aware that their data may be sold and gives them an opportunity to opt out, so the opt-out is verbal, like the rest of the conversation.

The same applies to written arrangements, to verbal collection in other settings (face-to-face, in-store, or by video call, for example), and to any other offline method.

2. The re-introduction of a company opt-out button

The use of an opt-out button looks to have been standardized by introducing a uniform logo that all companies should use when implementing the option. There are supporting instructions relevant to its use—once again, to keep the system standardized across the market.

An opt-out button was included in the first set of the CCPA regulation modifications, yet was removed due to negative feedback.

CCPA regulations. Opt-out button regulation updates

The following paragraphs were added as a new section of the regulations. The section specifies two images: a small, simple blue tick/cross icon on its own, and the same icon with the wording ‘Do Not Sell My Personal Information’ to its right-hand side. The opt-out button:

  1. May be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link as required by; and
  2. Where a business posts the ‘Do Not Sell My Personal Information’ link, the opt-out button shall be added to the left of the text demonstrated below. The opt-out button shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.
  3. The button shall be approximately the same size as any other buttons used by the business on its webpage.

3. Processing consumers’ requests to opt-out

The final modification gives instruction on streamlining the opt-out process as far as possible.

This subsection requires that opting out be as easy as opting in: a business may not add extra steps to the opt-out, so both processes should involve the same number of steps.

Comments to modifications closed on December 28th 2020.

The full set of changes and modifications can be viewed here.

Data protection is at the heart of what our PrivacyRun system has been designed to manage. But what is it, exactly? And how do the laws, legislation, bills, and breaches of the Data Protection Act and GDPR affect your business?

Well, hopefully, we’re about to answer all of your questions. For further, more specific issues that our introductory guide doesn’t cover, we’d love to hear from you. Our team are experts in the field and will happily guide you through all aspects you don’t quite understand and show you how our PrivacyRun package manages them for you.


What is data protection?

Data protection is designed to ensure that anyone sharing information with a business or organization is protected and that their data will be used and held responsibly and legally.

What is data protection law?

Data protection law is the combination of legislation and regulatory acts and bodies that govern how your information is collected and utilized. The Data Protection Act is one part of the legislation. The other key area is GDPR (General Data Protection Regulation), the most comprehensive data protection legislation worldwide.

What is the purpose of the Data Protection Act?

The DPA protects us from our personal information getting into the wrong hands. We share so many sensitive details with different vendors and providers that we want to stay private. The act’s job is to make sure they stay that way.

What is the Information Commissioner’s Office (ICO)?

The Data Protection Act (DPA) is a UK Act of Parliament. The current version, the Data Protection Act 2018, sits alongside the GDPR and governs how our information is controlled.

The DPA is monitored and regulated by the Information Commissioner’s Office (ICO). The ICO offers advice and guidance, promotes good practice, manages audits, reports, complaints, and breaches, also delivering enforcement and action where required.

What are the principles of the Data Protection Act?

GDPR, the Data Protection Act and the ICO’s guidance set out a range of key principles for lawful personal data processing. So, what are the 7 data protection principles? As listed in GDPR Article 5, they are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.

These principles dictate how businesses and organizations collect, organize, structure and store our information, how they communicate it, and how they remove and destroy it. They also cover what happens when anyone breaks those rules.

What data is covered by the Data Protection Act?

The DPA covers the processing of all personal data relating to a living individual (also known as the data subject) that can be used on its own or with other information, to identify them.

It covers data held electronically or as a hard copy, and wherever it’s stored.

What type of information does the Data Protection Act apply to?

Personal data includes the more typical types of private information, for example, a subject’s name, address, medical, and banking details.

Sensitive data digs a little deeper, including such information as race and religion, political opinions, criminal activity, your sex life, and more.

What is a breach of the Data Protection Act?

According to the ICO:

“A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”

This definition covers a vast range of possible incidents—from accidental delivery of personal data to incorrect recipients and unauthorized access by a third party to loss of hardware containing personal data, and the loss of availability of any data.

There are also different guidelines and regulations for different types of service providers. You can find more information about each area and how to react to a data breach in each of them on the ICO website.

What happens if a company breaches the Data Protection Act?

If you suffer any kind of breach, you have to decide whether you need to report it. Not all breaches need reporting, so the ICO provides a self-assessment tool to help data controllers determine whether an incident is reportable.

Reportable incidents must be notified to the relevant supervisory authority within 72 hours of the organization becoming aware of the breach.

If the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the business must also inform those individuals without undue delay.

Of course, each organization must ensure that they have appropriate systems to limit any breach risk. Such a system should include breach detection, investigation, and internal reporting procedures.

What are the consequences of breaching the Data Protection Act?

The ICO can take action against all infringements: it can issue enforcement notices requiring an organization to put things right, impose monetary penalties, and bring criminal prosecutions for certain offences under the DPA, which the courts punish by fine.

Before setting a penalty, the ICO considers various criteria, including the nature, gravity, duration and character of the infringement, the type of personal data affected, any previous violations, and how cooperative the business has been throughout the process.

Claims for damages

The data subjects can also claim compensation for damages due to a breach. So, as well as being fined by administrators, data controllers and processors are vulnerable to being sued by individuals. Those data breach costs just keep on growing!

What is the fine for breach of data protection?

Under the previous Data Protection Act 1998, the ICO’s maximum fine was £500,000; it is the GDPR regime that carries the biggest fines.

For the most serious GDPR violations, fines can reach €20 million or 4% of the organization’s total annual worldwide turnover, whichever is higher.

For less serious breaches, the maximum drops to €10 million or 2% of worldwide turnover, whichever is higher. That’s still quite a fine to face, however big your business operations are.

As you can see, the fines are considerable—and so they should be. Our data and its protection need managing with the highest respect and security. Such substantial fines should hopefully reflect the serious nature of any inaction, the consequences of what happens if you breach the Data Protection Act, and the importance of implementing the right system to avoid them.

What does a data protection officer do?

Not every business must appoint a data protection officer. GDPR requires one for public authorities, for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those processing special category or criminal conviction data on a large scale; other organizations may appoint one voluntarily. Where appointed, the officer oversees the organization’s data protection processes, covering the personal data of its staff, customers, providers, and any other individual, in compliance with the various data protection regulations.

A data protection officer is appointed on the basis of their expert knowledge of data protection law and practice, as well as their personal and professional qualities. Understanding how their specific business or organization operates and handles the different data types within its systems is also a key factor.

A data protection officer informs and advises the controller and its staff of their obligations, monitors compliance, advises on data protection impact assessments, and acts as the contact point for the supervisory authority and for data subjects exercising their rights.

What is a data protection risk assessment?

Data managers, controllers, and officers need to understand precisely where their business or organization could be falling short of the Data Protection Act or GDPR. A risk assessment can highlight areas where your system doesn’t incorporate the appropriate protection levels for your data subjects.

Risk assessment is another key area covered by the ICO. Its guidance on data protection impact assessments (DPIAs) helps businesses systematically analyze, identify and manage the data protection risks of any project or plan. The key word here is ‘help’. A DPIA doesn’t eradicate all risk, but it helps reduce it to an acceptable level.

There are data processing areas that automatically demand impact assessment, and areas that the ICO considers likely to result in high risk. For further information, check out the relevant pages on the ICO website.

What does high risk mean?

In this context, risk refers to the potential for significant physical, material or non-material harm to individuals. An assessment evaluates both the likelihood and the severity of any potential harm.

Risk implies more than a remote chance of some harm.

High risk implies a far higher threshold. It could result from more severe damage, or greater chances of being put at risk—or both.

DPIAs are both flexible and scalable, so they suit all sectors and projects. The importance of running regular risk assessments, or an ICO-style impact assessment, should be obvious. Just consider the fines you could be subject to, and then the added repercussions of failing to provide adequate data security and management systems. You’d be remiss not to have every angle covered.

Summing up…

We hope the above FAQs deliver an enlightening introduction to what personal data is, the Data Protection Act, and what happens if you break the Data Protection Act law.

Having a system in place that manages every angle according to the requirements of the ICO and GDPR is vital in today’s business. Fortunately, we’re here to help you every step of the way, so why not drop us a line to find out how we can provide you with the ultimate protection today?

A privacy policy is a statement of how the website operator collects, stores, protects and utilizes its users’ personal data.

Much of the consumer data is gathered automatically with the delivery of cookies, yet there are other, more obvious tools, including sign-up forms, newsletter subscriptions, new account registrations, and more.

Every user has a right to their privacy and to understand how businesses will use their information. It’s also their right to withdraw their consent at any point while using your website.

A privacy policy outlines all the elements required to comply with the latest data privacy laws.


GDPR. How do I add a privacy policy to my website?

Many modern website platforms can generate and place legal policy pages within your site automatically, while others rely on you to create the pages and insert the links manually.

There are plenty of templates and online generators that will show you how to make a privacy policy for your website, delivering a document specific to your operations on completion.

If you’re unsure of exactly what you need, how to create a privacy policy specific to your business, or where to host it, the following information should steer you in the right direction. If you’d like a more personal touch or specific answers to how our system can help you develop and manage your company privacy policy, we’d love to help.

GDPR. Organizing cookie and privacy policies

Adding a cookie policy to a website is a very similar process. In some cases a single page holds both policies, and the links to each appear in most of the same places.

Why do websites show cookie policy separate to privacy policy? Well, with websites legally having to gain consent for their site cookies before they deliver them and activate the functions they control, they have grown into a considerable area of data privacy.

There’s a lot to cover, so it makes sense for providers to create separate policies for cookie use and delivery, and that of general data processing through other means, such as contact forms and mailing lists.

How to write a company privacy policy

According to GDPR, privacy policies must be:

To collect information directly from an individual, a privacy policy must include:

The most typical elements you’ll see covered by standard privacy policies, therefore, are as follows. However, depending on the data you gather, and how you use it, there are often areas unique to specific business practices that aren’t covered below.

GDPR. Privacy policy best practices

Your users need to understand exactly what’s good and bad practice, and the wrong and right ways of delivering information.

Be direct, instructional, and informative, leaving no room for doubt. Qualifiers such as may, might, some, and often should be replaced with will, won’t, must, mustn’t, all, none, always, and never.

If you plan to use the data for research or develop new services, you must be clear when describing the type of research and what each new service is intended to provide.

You should write in clear, easy to understand English (or the native language for the website). Using legal or technical jargon is frowned upon, as your users won’t necessarily be specialists in your industry.

Always aim to write in the active voice, using well-structured sentences and paragraphs.

Clear and defined headings make documents easier to navigate, while bullet lists deliver easier to digest information than large text blocks.

How to add a privacy policy to your website or app

The following suggestions outline the essential placements for links to your policy page. Ideally, you should try to provide access from every page of your website or app, as your policy needs to be easily accessible to visitors at all times. This promotes transparency and inspires trust. Not only that, more often than not, it’s a legal requirement.

In footer links: Traditionally, most privacy policy links are found in the footer menu, which appears on every page of the site. They could even sit with the legal details on the copyright line. This provides the instant access your visitors need, wherever they are within the site.

On sign-up forms: Another good practice is including the link to your privacy policy in the small print at the bottom of sign-up forms. This assures new subscribers that you’re acting according to appropriate laws and practices.

Checkout pages: Given the additional personal data collected from a consumer during a sale, many vendors will include their privacy policy at some point in the process. A privacy policy link will often appear alongside terms of service, cancellation, refund, and shipping policies.

Cookie consent banners: Cookie consent banners and pop-ups are now standard components on most websites, allowing operators to deliver the functionality they intend for their visitors while providing the information they are legally required to give.

Sign-in pages: Signing in or signing up to new services requires your personal data. Including a privacy policy link on these pages is another healthy reminder of your users’ rights.

About menus: Where a website has a dropdown menu containing the company history and legal information, this is another appropriate location for your privacy policy link.

How often should a privacy policy be updated?

The way we do business during the modern climate changes from one day to the next, and the way we expect our websites to keep up has become part of everyday life. If any of the systems we add, develop, instigate or amend, affect the way we gather or use our customer or subscriber data, then it must be reflected in the company policy.

Reviewing a privacy policy should be a regular practice, and wherever change is required, you must update your policy immediately. If you fail to keep it up to date, you could be in danger of breaking the terms you’re legally required to uphold.

Updating users and subscribers

You may be legally required to notify your users of updates. Even where that does not apply to your business, it’s still good practice and should be part of your process.

The primary overseers of data protection and privacy all require updates and notifications, each of which will leave organizations open to penalties if they fail to follow legislation.

It’s also an opportunity to engage with customers, clients, and subscribers with any additional messages you may want to share with them.

Email notifications, pop-ups, and site banner delivery

You can notify users and subscribers in a few different ways. Your website’s cookie consent generally operates as a banner or pop-up message, so an additional notice asking visitors to review your policy could be the simplest way of drawing their attention to it. On the other hand, it’s one more task for your visitors to wade through before they can finally reach the content they want to read.

Alternatively, you could fire out an email to all subscribers and customers, or add a blog or news page with the latest news. A link featured prominently on your homepage is enough to promote updates—that way it won’t interfere with your visitor’s ability to navigate freely through to the required content.

Wrapping things up…

With regulations for data protection and compliance playing such a vital role in today’s websites, isn’t it time that you handed over the hard work to a system that’s quick and easy to deploy and simple to use?

PrivacyRun delivers the efficient and cost-effective solution every business needs to manage its website users’ personal data.

Our solutions are compliant with CCPA and GDPR, helping users worldwide to stay within the limits of the law, avoiding penalties and hefty fines.

If you’d like to know more about how PrivacyRun works and the vital benefits it can deliver to your business, we’d love a chance to tell you all about it. Why not give one of our team a call today, or drop us an email and we’ll get back to you at an appropriate break in your schedule.

GDPR legislation mentions cookies in only a single instance throughout the 88 pages of its documentation, but that doesn’t mean they’re not incredibly important.

In fact, cookies are the cornerstone of how our data is collected and managed. It’s essential that businesses understand what they are, how they function, and the consequences of not delivering an appropriate cookie consent opt-in for their users.


What are cookies?

Cookies are tiny text files placed in your web browser as you look at websites. They have a variety of uses and in themselves aren’t at all harmful. So, what’s the problem? And why does every website you visit have a cookie banner pride of place as the first thing you see?

Well, cookies store all kinds of data, which can be used to identify users without their consent, giving away private information that they’d prefer stayed private.

GDPR, the ePrivacy Directive (known as ‘cookie law’), and the European Data Protection Board (EDPB) dictate the practices every website must implement if they, at any time, will place cookies in a browser that gather the data of a European citizen.

Types of cookies

Based on duration

Based on provenance

Based on purpose

What is personal data?

For example: Names and surnames, home addresses, personal email addresses, identification numbers, location data, IP addresses, cookie IDs, mobile phone identifiers, and medical IDs.

For example: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, genetic data, biometric data, health and sex-life information, and sexual orientation.

Why do we need to provide cookie consent?

GDPR states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In simpler terms, it means that any data gathered that could be used to determine who we are should only be collected if we say that it’s okay to do so. Given that cookies collect precisely those types of data, and that it’s considered our right to keep that information private, the websites must ask our permission before any such gathering or utilization can happen.

What is the cookie policy?

Your cookie policy needs to tell your users which cookies are active on your website and how they’re used. It provides detail of the information you track and why and where it’s sent worldwide.

It will also contain the instructions your users need to opt in, opt out, change their minds at any point, and adjust their cookie settings accordingly. Legally, you must have a cookie policy to comply with GDPR (together with the ePrivacy Directive) and to meet the CCPA’s notice requirements.

What does your cookie policy need to include?

  1. The types of cookie you use.
  2. How long they stay in the user’s browser.
  3. The data they track and the categories of personal information they store.
  4. The purpose of each cookie.
  5. Where the data is sent, and who it’s shared with.
  6. Instructions on changing those settings and rejecting cookies.

These are the elements that shape the cookie notices you see each day. Your policy may be linked from a banner, or integrated into the cookie pop-up that asks for consent before you reach the pages you want.

Do I need a cookie policy on my website?

It would be incredibly unlikely that a website wouldn’t need a cookie policy. Very few websites function without placing any cookies at all, and only strictly necessary cookies are exempt from consent; every other cookie needs the user’s permission before it does its job. And as we said earlier, it’s a legal requirement under GDPR and CCPA, so if you think you can get away without one, then think again.

There are still a few incredibly simple websites that don’t use cookies, and even then, it’s rarely worth the risk of skipping out on a cookie consent banner or alternate opt-in option, given the simplicity of adding them to most systems. You can’t be sure when you’ll implement a function that requires user consent, or a third party application that drops cookies that you didn’t realize.

The best way to understand what level of cookie control you need, and how to protect yourself while gathering such data, is to use a tool that identifies the cookies actually in use on your website. With all the relevant information at your fingertips and a system that manages it for you, integrating the results directly into your policy, you’ll never miss a cookie that could leave you exposed.

How to deliver a website cookie notice

Taken together, GDPR, the ePrivacy Directive and EDPB guidance require each website to meet the following requirements.

  1. Consent must be obtained before any cookies are set or activated, apart from strictly necessary cookies.
  2. Users must be able to decide which categories of cookie they activate and which they don’t. It must be more than a simple ‘all or none’ option.
  3. Consent must be freely given, specific and informed.
  4. A user must be able to withdraw consent as easily as they gave it.
  5. Consent must be recorded so that the business can demonstrate that it was given (GDPR Article 7).
  6. Consent shouldn’t be open-ended; regulators’ guidance is to seek renewal periodically, typically within a year or sooner where appropriate.
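As an added example (not code from this page or from PrivacyRun), the following JavaScript sketches a consent gate that implements the six items above: non-essential cookies are refused until the visitor has ticked that category, the choice is recorded with a timestamp and policy version as evidence of consent, the record lapses after 12 months or when the policy version changes, and withdrawal is a single call that also purges cookies set under the withdrawn categories. The category names, the 12-month lifetime, the policy version string, the record format and the in-memory stand-ins for `localStorage` and `document.cookie` are all assumptions made for the example.

```javascript
// Added example: a consent gate for non-essential cookies.
// Assumptions (not from the page): the category names, the 12-month
// consent lifetime, the policy version string and the record format
// are hypothetical choices made for this example.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const CONSENT_LIFETIME_MS = 365 * 24 * 60 * 60 * 1000; // renew yearly (item 6)
const POLICY_VERSION = '2021-01'; // bump whenever the cookie policy changes

// `storage` stands in for localStorage (or a first-party cookie) and `jar`
// for document.cookie, so the example runs outside a browser; `now` is
// injectable so expiry can be exercised without waiting a year.
function createConsentManager(storage = new Map(), jar = new Map(), now = () => Date.now()) {
  const KEY = 'cookie_consent';

  // Return the current consent record, or null if there is none, it has
  // expired, or it was given under an older version of the policy.
  function read() {
    const raw = storage.get(KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    if (rec.version !== POLICY_VERSION || rec.expires <= now()) return null;
    return rec;
  }

  // Per-category choice (item 2). `necessary` needs no consent (item 1);
  // every other category is off unless the visitor explicitly ticked it.
  function grant(choices) {
    const granted = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') granted[c] = choices[c] === true;
    }
    const ts = now();
    const record = {
      version: POLICY_VERSION,
      granted,
      timestamp: ts,
      expires: ts + CONSENT_LIFETIME_MS,
    };
    // The stored record is the evidence that consent was given (item 5).
    storage.set(KEY, JSON.stringify(record));
    return record;
  }

  // Withdrawal is one call, as easy as granting (item 4): drop the record
  // and delete every cookie that was set under a non-essential category.
  function withdraw() {
    storage.delete(KEY);
    for (const [name, meta] of [...jar]) {
      if (meta.category !== 'necessary') jar.delete(name);
    }
  }

  function allowed(category) {
    if (category === 'necessary') return true;
    const rec = read();
    return rec !== null && rec.granted[category] === true;
  }

  // The gate itself: a cookie is only written if its category is consented to.
  function setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (!allowed(category)) return false;
    jar.set(name, { value, category });
    return true;
  }

  return { read, grant, withdraw, allowed, setCookie, jar };
}

// Walk-through with a controllable clock; cookie names are illustrative.
function demo() {
  let t = 1700000000000;
  const cm = createConsentManager(new Map(), new Map(), () => t);
  const out = {};
  out.sessionBeforeConsent = cm.setCookie('session_id', 'abc', 'necessary'); // true
  out.analyticsBeforeConsent = cm.setCookie('_ga', 'GA1.2', 'analytics');   // false
  cm.grant({ analytics: true });                  // visitor ticks analytics only
  out.analyticsAfterConsent = cm.setCookie('_ga', 'GA1.2', 'analytics');    // true
  out.marketingAfterConsent = cm.setCookie('_fbp', 'fb.1', 'marketing');    // false
  t += CONSENT_LIFETIME_MS + 1;                   // a year on: consent has lapsed
  out.analyticsAfterExpiry = cm.allowed('analytics');                        // false
  cm.grant({ analytics: true, marketing: true });
  cm.withdraw();
  out.analyticsAfterWithdraw = cm.allowed('analytics');                      // false
  out.cookiesLeft = [...cm.jar.keys()];                                      // ['session_id']
  return out;
}
```

In a real deployment the gate is the only code path that writes non-essential cookies, so third-party tags (analytics, advertising) are loaded through it rather than directly in the page, and the stored record is what you would produce if a regulator asked you to demonstrate consent.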

You will have seen myriad ways of acquiring consent, during the numerous times each day you click ‘accept’ to remove the occasionally annoying cookie banner examples at the top or bottom of each page.

How you choose to present yours is down to the system you use to track and activate each of the cookies on your website and integrate them into your banner, pop-up, or policy.

What happens if you don’t comply with GDPR?

The first consequence of GDPR non-compliance is that your users’ data and privacy are available for violation, and harvesting by data collectors. The second, and of far more concern to website operators, are the hefty fines and penalties delivered by GDPR.

GDPR allows fines of up to 4% of an organization’s global annual turnover, or a flat €20 million, whichever is higher.

If you think such fines are empty threats that never happen in the real world, don’t be so quick to judge.

Whether you’re operating at a level subject to merit such monumental figures or not, the fines associated with your operation’s size are often enough to damage your budget and the health of your business significantly. Nobody should be running that type of risk.

Wrapping things up…

Complying with legislation is a must if you want to protect yourself from potentially crippling fines and penalties.

PrivacyRun delivers an efficient and cost-effective solution that your business needs to keep your website data and cookie control in order.

Our package performs to all GDPR and CCPA legislation. Talk to one of our team about cookie consent examples if you’d like to dig a little deeper. It’s the complete package every data controller needs to continue trading with confidence, providing peace of mind for all partners—earning them a trouble-free night’s sleep, every night.

Personal data protection has managed to push itself to the forefront of how we do business, deliver information, and collect useful particulars of the people we do—and would like to do—business with.

With the rise of the Internet and its fast-paced growth, our information is more accessible than ever. Names, addresses, and bank details are all obvious candidates for protection, and in recent years the GDPR and CCPA have been enacted to protect us against personal data breaches, whether we’re visiting websites or physical businesses.

We’re here to look into what that personal data is, the difference between GDPR vs CCPA collections, the deadlines for data provision and removal, and of course, how our PrivacyRun tool will help keep you ahead of the curve at all times.

First, though, for anyone not in the know, what is GDPR and CCPA? Well, they’re the legislative acts that define how consumer data is monitored and regulated. The acronyms stand for General Data Protection Regulation and California Consumer Privacy Act.

GDPR is European legislation, and one of the most in-depth measures to control data throughout the world. It’s become the standard for the rest of the world to follow.

What about the CCPA? Why only California consumers?

In the absence of an overall US law or regulation to contain data use, selling, and privacy in the States, the CCPA is the best they’ve got.


What are the GDPR and CCPA data rights?

Both laws give the data subject similar rights, yet we’d be remiss if we didn’t outline the differences between the CCPA and the GDPR.

The basic CCPA vs GDPR data rights are shown below.

So, how does the CCPA differ from the GDPR on each of these rights? We’ll look at each one in a little detail to expand on what it means.

Right to erasure

A consumer or data subject has the right to deletion except in specific circumstances. Under the CCPA, the right applies only to personal information the business collected from the consumer.

Exceptions from both legislations include freedom of speech, processing of personal data for research purposes, legal claims, and when complying with a legal obligation.

Right to be informed

The consumer or data subject also has the right to be informed at the point where their data is collected and processed. The information must include the categories of data, the purpose of its processing and the rights of the consumer. The CCPA demands that a ‘Do Not Sell My Personal Information’ link is included wherever the business intends to sell or transmit the data to a third party.

Right to object

All consumers and data subjects have the right to opt out of such data processing or selling. The CCPA, again, demands the inclusion of the ‘Do Not Sell My Personal Information’ link. The GDPR provides several ways to stop processing, including withdrawing consent and exercising the right to object.

Right of access

Another stipulation is the access and full visibility of the data that’s collected about each individual. Where access is granted, the information must be available to be transmitted back to the individual electronically, in a portable and useable format.

This pocket of information includes:

The CCPA also specifies consumers have the right to the categories of third parties their data has been shared with.

Right not to be subject to discrimination for the exercise of rights

This is a hard and fast rule of the CCPA, whereas the GDPR has no single equivalent provision. You can find provisions in several areas of the GDPR that amount to something similar, but they are more concerned with discriminatory consequences arising from the processing of personal data.

The CCPA, with its definite scope, prohibits a business from denying goods or services to a consumer for exercising their rights. It also forbids charging them different prices or rates, providing a different level or quality of goods or services, or even suggesting that they would receive different prices or quality.

Right to data portability

Both laws offer fairly consistent rules and values about portability. The CCPA sees it as a right to access, while the GDPR considers it a separate and distinctive right.

What they do agree on is that data subjects and consumers have a right to a structured, easily transmitted, and machine-readable format of their data.

Requests must be answered within specific timeframes, which we detail next.

Compare GDPR and CCPA notice periods and active timescales

Right to erasure, right to data portability—notice periods and timescales

Both legislations allow the deletion of individuals’ data apart from where specific exceptions apply. The deletion applies to any data collected from the consumer. The rights are very similar, only the timescales and a few other specifics differ.

GDPR versus CCPA timeframes:

GDPR – Requests for removal must be replied to within 1 month of the data subject’s request. This deadline can be extended a further 2 months in complex cases with large numbers of requests. However, the deadline must be outlined in the initial reply.

CCPA – Requests for removal must be replied to within 45 days of the consumer’s request. This deadline can be extended a further 45 days when reasonably necessary. Again, the extension must be outlined in the initial reply.


How PrivacyRun manages GDPR and CCPA compliance to keep you within the boundaries of legislation

PrivacyRun is the perfect solution to these CCPA GDPR problems. It’s fully compliant and built to make sure your business avoids missing deadlines—then becoming subject to the hefty penalties and fines.

It’s a personal data administrator’s optimum tool to monitor deadlines, responses, requests, and more.

The system dashboard delivers everything you’ll need in an easy to understand and digest presentation. It’s not just numbers and lists—it’s a clean and clear depiction of your process, including when and how your consumer requests are getting processed.

You’ll find neatly delivered graphs, sectioned and detailed with everything you need. PrivacyRun encompasses consent management, data subject rights automation, personal data inventory and data mapping, all incidents of personal data breaches, and DPIA risk analysis. It covers both EU and US issues, and everywhere around the world where your data may arrive from or end up.

If you run several companies, we’ve got that covered too. Our compliance solution tool manages each organization independently, making sure you monitor and maintain your best practices, avoiding any failures in your data protection governance.

Given the penalties of failing to adhere to regulations, can you afford not to have such a system in place?

And that brings us on to the CCPA GDPR differences in enforcement.

Enforcement of broken GDPR CCPA legislation

When it comes to enforcement, it’s not an area to be taken lightly. Those who fail to comply with the laws answer to the US Attorney General and the national Data Protection Authorities.

Both authorities have different investigatory and enforcement powers, yet the fines are considerable, and avoidable with suitable best practices in place.

The differences between GDPR and CCPA fines are as follows:

The GDPR penalties for non-compliance can be up to 2% of the business annual turnover or €10 million, whichever is higher—or 4% of the global annual turnover or €20 million, whichever is higher.

The different fine rates depend on the violation under investigation.

The CCPA delivers civil penalties issued by a court, and, again, depending on the violation, you may be fined $2,500 for each accidental violation or $7,500 for each intentional violation.

The CCPA sets no maximum on the total when several penalties are imposed, one for each violation.


Damages for individuals pursuing privacy violations

As if the penalties outlined above weren’t trouble enough, both bodies provide data subjects and consumers with the right to seek damages.

How is CCPA different from GDPR when it comes to costing violations? The GDPR allows action to be taken against any violation of the law, whereas the CCPA only provides a cause of action for failures of security measures in the context of data breaches.

The GDPR doesn’t outline potential figures for damages; that is left to the adjudicating bodies.

The CCPA only provides a cause of action where non-encrypted and non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of its security obligations.

The damages in such circumstances are to be no less than $100 and no greater than $750 per consumer per incident, or the actual damages—whichever is greater.

Conclusion

Looking into how GDPR vs CCPA chart their differences across their legislation, it’s easy to see plenty of similarities—but the overriding fact is that if you break the rules, you’ll pay for it.

Whether that’s missing deadlines for communication, selling data you shouldn’t, or failing to implement the correct information on your data collection points—they all add up to the same thing—costly penalties that you could have avoided.

PrivacyRun can help prevent all of that. It’s there to make sure you’ve got the systems to manage every piece of data and information within the remits of the law and the structures that govern them. If you don’t want to be caught short, then we suggest you speak to one of our team as soon as possible.

We put our all into everything we do. Because of that, we guarantee that our solutions are built to protect you—now, and far into the future.

Since the introduction of GDPR and CCPA, there are now stricter rules on how businesses and organizations are permitted to store our sensitive information.

The data retention law of both GDPR and CCPA outlines not only best practices but also how to stay in line with legislation, avoiding strict penalties and substantial fines.

These new penalties have hit some of the biggest brand names harder than they could have imagined, and for issues they didn’t realize they were even accountable for. The time has come for businesses to examine how they’re storing data and whether they’re complying with the new rules.

The best tool they can use to stay in line and on top of the procedure is an up-to-date, all-inclusive data retention policy.


What is a data retention policy?

It’s a set of guidelines that dictates how each business handles its data, how long they can hold records, and why. It also sets out what’s to be done with that data once it reaches the limit of its allowable retention period.

A company has to explain why it’s holding onto each piece of data it gathers, and it’s those reasons that dictate the retention period. For both GDPR and CCPA, there are few specified time limits on data retention, but each organization must set them, and be able to justify how it came up with each timeframe.

Why do we need data retention policies?

After the introduction of GDPR, we became inundated with requests from businesses we’d long-since forgotten, as well as those who we still utilized regularly. That’s because all of those businesses still held our information in their systems, and to keep doing it, they needed permission.

What’s the problem with older and out of use information sitting on servers? Well, despite everyone’s best intentions, data breaches and server hacks happen all the time, and it’s that data that becomes vulnerable or provides the hacker access in the first place.

To limit the opportunities for hacking and data breaching, regulators mandated that the organizations storing personal data could only hang onto it if they had a legitimate reason.

GDPR data retention policy

You can read more about the GDPR legislation that covers data retention to see how it would impact your systems and data retention. The key area is Article 5, Principles relating to processing of personal data.

With GDPR, there are no set periods. So how do you decide on an acceptable duration to hold onto your users’ details?

You need to consider two main areas:

You can’t hold onto information just for the sake of it, but where you have a valid reason to, you could keep it indefinitely.

Legal or regulatory reasons include such things as tax purposes, audits, or compliance with industry standards. Other reasons can include processing data for archiving purposes, where the information has public interest, scientific, or historical research value.

Once you exceed an acceptable timeframe, that data needs to be removed or amended, so there’s no possible way of tracing it back to the user.


CCPA data retention policy

The CCPA delivers its guidelines under Section 1798.105, the right to deletion. Each consumer can request a copy of the data stored, and where requested, have it deleted.

To be bound by CCPA legislation, a business must either:

How long a business or organization can retain a user’s data is dictated by the following:

These all look relatively straightforward at first glance, but applying an appropriate timeline to many of them can cast grey areas over a business’s view of the situation.

Items to include in a typical data retention policy example

Here’s a quick guide for data retention best practices. We cover, in 3 simplified steps, the things to consider when putting your retention policy in place.

Classify your data

The first thing you need to understand is the type of data your organization utilizes. The classification of data varies between industries and governs the stipulations you’re accountable to.

Not all data has the same retention ruling. GDPR compliance demands the classification of data types. It also categorizes ‘special’ data, such as race, ethnic origin, political opinion, biometric data, and health data. With that in mind, data controllers need to know how to label their specifics correctly—including public, proprietary, or confidential classifications.

Legal requirements

Both GDPR and CCPA have taken prime positions in data management and processing debates over the past couple of years, but there are more regulatory organizations than just those.

When it comes to data and retention policy, you must understand which frameworks and regulations apply to your business or industry.

Deleting data that’s no longer required

A misconception within organizations is that holding onto every piece of data is safer than deleting it, in case they need it again later. Holding onto data longer than required can:

To operate effectively and within the law, you must remove data at its expiry date. Understanding when that date is comes down to your retention policy.


What should you do with that outdated data?

With GDPR, you have two options for your out-of-date accounts. You can delete them or anonymize them.

Deleting data

If you choose to delete it, you must guarantee to remove all copies. That’s both digital and hard copies, and from every location, server, or drive where it appears. Tracking down hard copies to shred or similar is easier to guarantee, but digital copies can find a way of cropping up in other, long-forgotten locations, or manual and automated back-ups.

If you’re found with such copies after the expiry date—anywhere on your systems—you’ll be in breach of legislation terms and vulnerable to their fines and punishments.

Anonymizing or pseudonymizing data

These are methods used to retain areas of useful information without being linked to the user that submitted it. It jumbles, masks, encrypts, or removes the connection to the individual so that the data can’t be traced back to the consumer.

Anonymizing data destroys any way of identifying the individual and is irreversible.

Pseudonymizing data substitutes the identity of the individual so that with the correct key or encryption, you can reverse the process and establish the original data suppliers.

When pseudonymizing data records, it shouldn’t be possible for a third party to connect them to an identifiable subject. If you can detach the individual from the data, then GDPR allows you to hold onto that data indefinitely.

However, if associated data is held elsewhere within the business that could identify the subject, then the data hasn’t been sufficiently anonymized, and you could still be liable for their fines and penalties.
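The three outcomes described above (delete, pseudonymize, anonymize) and the final caveat about data held elsewhere can be expressed as one small retention routine. The following is an added example, not PrivacyRun’s code or anything from the original article; the retention periods, field names, sample records, the fixed reference date and the CRM dataset are all constructed for illustration. Pseudonymization keeps a separate token-to-identity table (the "key" the text refers to) so it can be reversed by whoever holds that table; anonymization drops direct identifiers and coarsens the quasi-identifiers and keeps nothing that could reverse it. The final check flags an "anonymized" record that still shares a join field with a dataset that carries names or emails, which is exactly the situation in which the data has not been sufficiently anonymized.

```python
"""Retention enforcement: delete, pseudonymize or anonymize expired records.

Added example for the data retention section; not PrivacyRun's code.
Retention periods, field names, sample records and the fixed "today"
are constructed assumptions.
"""
import secrets
from datetime import date, timedelta

DIRECT_IDENTIFIERS = ("name", "email", "phone")   # fields that name a person
LINK_FIELDS = ("customer_id", "device_id")        # fields that can join tables

# Constructed schedule: how long to keep data per purpose, and what to do after.
RETENTION_POLICY = {
    "marketing": {"days": 365, "on_expiry": "delete"},
    "analytics": {"days": 730, "on_expiry": "anonymize"},
    "billing": {"days": 7 * 365, "on_expiry": "pseudonymize"},
}

# Fixed reference date so the example is deterministic; use date.today() in practice.
TODAY = date(2021, 6, 1)

# Constructed sample records held by the business.
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "marketing", "collected_on": date(2020, 1, 15),
     "name": "Ann Example", "email": "ann@example.test", "customer_id": "C-1001"},
    {"id": 2, "purpose": "analytics", "collected_on": date(2019, 2, 1),
     "name": "Bo Sample", "email": "bo@example.test", "postcode": "M1 1AE",
     "birth_date": date(1991, 11, 20), "customer_id": "C-1002"},
    {"id": 3, "purpose": "billing", "collected_on": date(2013, 1, 1),
     "name": "Cy Test", "email": "cy@example.test", "customer_id": "C-1003"},
    {"id": 4, "purpose": "marketing", "collected_on": date(2021, 3, 1),
     "name": "Di Demo", "email": "di@example.test", "customer_id": "C-1004"},
    {"id": 5, "purpose": "analytics", "collected_on": date(2019, 1, 1),
     "name": "Ed Mock", "email": "ed@example.test", "postcode": "EH1 1YZ",
     "birth_date": date(1975, 3, 9), "customer_id": "C-1005"},
]
# A second dataset the business still holds (say, the CRM); constructed.
CRM = [{"customer_id": "C-1002", "email": "bo@example.test"}]


def retention_action(record, policy=RETENTION_POLICY, today=None):
    """Return 'keep', or the policy's on-expiry action once the period has passed."""
    today = today or TODAY
    rule = policy[record["purpose"]]
    expires_on = record["collected_on"] + timedelta(days=rule["days"])
    return "keep" if today < expires_on else rule["on_expiry"]


def pseudonymize(record, lookup):
    """Swap direct identifiers for a random token. The token -> identity mapping
    goes into `lookup`, which must live in a separate, access-controlled store;
    only a holder of that table can reverse the substitution."""
    token = secrets.token_hex(8)
    lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = token
    return out


def anonymize(record):
    """Drop direct identifiers and coarsen quasi-identifiers. Nothing is kept
    that would let the original values be recovered, so this is irreversible."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_date" in out:
        out["birth_year_band"] = f"{out.pop('birth_date').year // 10 * 10}s"
    if "postcode" in out:
        out["postcode_area"] = out.pop("postcode").split(" ")[0]
    return out


def is_sufficiently_anonymized(record, other_datasets, link_fields=LINK_FIELDS):
    """The caveat from the text: if a link field left in the record also sits
    next to a name or email in another dataset the business holds, the record
    can be re-identified and is not anonymized at all."""
    if any(k in record for k in DIRECT_IDENTIFIERS):
        return False
    for dataset in other_datasets:
        for other in dataset:
            if not any(k in other for k in DIRECT_IDENTIFIERS):
                continue
            if any(k in record and record.get(k) == other.get(k) for k in link_fields):
                return False
    return True


def enforce_retention(records, other_datasets, today=None):
    """Apply the schedule to every record. Returns what survives, the pseudonym
    lookup table and the ids of records whose anonymization failed the check
    (delete those, or clean the linking dataset, before keeping them)."""
    kept, lookup, flagged = [], {}, []
    for rec in records:
        action = retention_action(rec, today=today)
        if action == "keep":
            kept.append(rec)
        elif action == "pseudonymize":
            kept.append(pseudonymize(rec, lookup))
        elif action == "anonymize":
            anon = anonymize(rec)
            if is_sufficiently_anonymized(anon, other_datasets):
                kept.append(anon)
            else:
                flagged.append(rec["id"])
        # action == "delete": the record is simply not carried forward
    return {"kept": kept, "lookup": lookup, "flagged": flagged}
```

Running `enforce_retention(SAMPLE_RECORDS, [CRM])` drops record 1 (expired marketing data), pseudonymizes record 3, keeps record 4 untouched, anonymizes record 5, and flags record 2 because its `customer_id` still appears beside an email address in the CRM. The design point is that the lookup table returned for pseudonymized records is what makes the process reversible, so it has to be stored and access-controlled apart from the records themselves; and that the anonymization check has to look at the other datasets the business holds, not just at the record being anonymized.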

Managing your data retention policy with PrivacyRun

When it comes to data retention, PrivacyRun is a data controller’s best friend. The system manages the stipulations of GDPR, CCPA, and other regulators’ legislation, keeping you informed and updated on the status of your data accounts and your position in the eyes of each legal body.

With automated processes monitoring your data retention periods, it continuously verifies the validity dates of your accounts, and where they exceed your parameters, the software automatically takes the dedicated course of action.

For customer accounts that have expired, it checks for the governing conditions. Where they meet them, they are automatically deleted, anonymized or pseudonymized.

PrivacyRun works on the client side of individual IT systems. So, as well as automating data removal for expired accounts, it’s simple to set up built-in rules that also remove an individual’s data on their request. There are rules to govern a range of tasks that include the removal or editing of an individual’s data.

By empowering your business, it helps you steer clear of easily avoidable penalties and fines, and by reducing business risk, it organically improves the work of your compliance teams.

Not only is it incredibly effective, but it’s quick to deploy and easy to use. With each built-in process managing previously manual tasks, your company will deliver immediate customer satisfaction while freeing up your workers to get on with more important tasks.


First things first: what is multi-tenant software?

In the simplest of terms, a multi-tenant installation of a piece of software or digital system is one that manages all of the associated businesses, companies, or organizations under the umbrella of the group’s top-level administration.

Of course, for such a group of companies, there are distinct advantages to running their operations as separate entities instead of one huge corporation. On the flip side, there are always going to be a few disadvantages thrown into the mix to balance things out.

We’re here to consider the latest wave of privacy laws, data management, and their regulations. Whether you’re a sole operator or a host of interconnected businesses, the new rules and regulations apply.

If you’re not playing ball with the latest legislation, you could stand to face some pretty hefty fines. You might prefer managing your data requests company to company, or all at once with a tool that operates along the lines of the aforementioned model.

PrivacyRun handles precisely these issues and areas. Our cutting-edge data privacy software runs everything you need it to, seamlessly and effortlessly. We’re going to tell you exactly how much simpler it stands to make life for your data administrators and officers, and how much peace of mind it will bring to your lawyers and accountants when it comes to dodging those mighty data breach penalties.

Managing data under the latest GDPR and CCPA regulations

GDPR and CCPA have been with us for a few years now: GDPR since 2018, and CCPA since January 2020. We were given plenty of warnings and provided with the guidelines—all well in advance. That should have provided the time we needed to adjust our systems into operating within the new policies and the new laws that govern us.

But did we? And what were those new regulations we needed to be most aware of? Well, the main ones to sit up and take notice of were about how we collect data, how we make our data sources aware that it’s being collected, how we provide them with the access to it that they’re permitted, and not using all that information we’ve gathered in any way that isn’t considered sensitive or acceptable.

That said, plenty of the biggest names paid the price for not taking the changes seriously enough. Just ask Marriott and Google. They both assumed that, as US companies, the latest European legislation didn’t apply to them. However, with masses of data coming from users throughout Europe, they’ve been struck with penalties of $123 million and $56 million, respectively. What a wake-up call. And not only for them. There have been others who’ve fallen foul of equally troublesome fines. It’s a warning for anyone making the same assumptions who hasn’t been brought into the fray just yet.

The time is now for data privacy software companies to step in and show the appropriate organizations the best way to stay on top and in charge. For those of you who aren’t sure whether your current data management is up to the job, it’s time you ran some data-mapping exercises and checked your policies. Alternatively, buying into a service that already understands and works to the new regulations should take a huge weight and a lot of work off your shoulders.

With clean and clear updates into the latest and upcoming privacy laws, isn’t it worth developing some new best practices to avoid any penalties, and overloads to your existing teams and their workloads?

Benefits of operating multi-tenant operations and software

Security

A single server contained on secure hardware creates fewer opportunities for infiltration or unwanted access.

Cost

One multi-tenant installation incurs a single, simpler cost as opposed to that of multiple independent installations, services, and licenses. Cutting down on associated overheads (equipment, housing, IT resources) and sharing that single cost across many businesses offers even greater value by spreading the expense over all of your accounts.

Data aggregation/data mining

One of the key benefits of a multi-tenant operation is that data from multiple sources is managed, searched, and edited from a single administration point. Running queries becomes far simpler, patterns easier to detect, and plans for the future become easier to implement, track, and monitor.

Easy integration with other cloud-based operations

Hosting a single data arena over a cloud environment dictates that integration with other software services and APIs suddenly becomes far simpler to manage.

Benefits of using PrivacyRun to manage your multi-family data privacy requests

Let’s take a quick look at what PrivacyRun does for all of its users.

As the framework around data protection expands, you need to be able to guarantee compliance with each of the governing bodies.

PrivacyRun handles the intake and fulfilment of customer requests around those data privacy rules and regulations. It keeps you within the law, it’s easy to use, and it delivers the peace of mind you need to get on with the rest of your operation.


What makes PrivacyRun special for its multi-tenant operators?

The extensive authorization that PrivacyRun operates on provides the ability to support multiple entities in one business model, in one installation, while ensuring full separation of data at the authorization level.
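What "full separation of data at the authorization level" means in practice is that every read and write of a tenant’s records is filtered by the caller’s tenant scope on the server side, with no second, unscoped path. The following is an added example, not PrivacyRun’s code or anything from the article; the roles, the record layout, the sample data subject requests and the tenant names are constructed assumptions. The point to take from it is that a record id belonging to another tenant is treated exactly like an id that does not exist, and that a group-level administrator only sees the tenants it has been granted explicitly.

```python
"""Tenant-scoped authorization for a multi-tenant privacy-request store.

Added example for the multi-tenant section; not PrivacyRun's code.
Roles, record layout, tenant names and sample requests are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant_id: str              # the organization the user belongs to
    role: str                   # "analyst" (read-only), "tenant_admin" or "group_admin"
    managed_tenants: tuple = () # extra tenants a group_admin has been granted explicitly


class AuthorizationError(PermissionError):
    pass


# Constructed store: data subject requests from two tenants in one installation.
REQUESTS = [
    {"id": 101, "tenant_id": "acme-retail", "subject": "ann@example.test", "type": "access"},
    {"id": 102, "tenant_id": "acme-retail", "subject": "bo@example.test", "type": "deletion"},
    {"id": 201, "tenant_id": "acme-bank", "subject": "cy@example.test", "type": "opt-out"},
]


def allowed_tenants(p):
    """Tenants this principal may see. A group admin sees its own tenant plus
    those granted explicitly; nobody inherits cross-tenant access by default."""
    if p.role == "group_admin":
        return frozenset((p.tenant_id,) + tuple(p.managed_tenants))
    return frozenset({p.tenant_id})


def list_requests(p, tenant_id=None):
    """Every read is filtered by the server-side tenant set. A tenant id supplied
    by the caller is checked against that set, never trusted on its own."""
    scope = allowed_tenants(p)
    if tenant_id is not None and tenant_id not in scope:
        raise AuthorizationError(f"{p.user} may not read tenant {tenant_id}")
    wanted = {tenant_id} if tenant_id else scope
    return [r for r in REQUESTS if r["tenant_id"] in wanted]


def get_request(p, request_id):
    """Lookup is by id AND tenant scope, so an id from another tenant behaves
    exactly like a non-existent id and reveals nothing about that tenant."""
    for r in REQUESTS:
        if r["id"] == request_id and r["tenant_id"] in allowed_tenants(p):
            return r
    raise AuthorizationError(f"request {request_id} is not visible to {p.user}")


def update_request_status(p, request_id, status):
    """Writes go through the same scoped lookup and additionally require a
    role that may modify; there is no second, unscoped code path."""
    if p.role not in ("tenant_admin", "group_admin"):
        raise AuthorizationError(f"role {p.role} may not update requests")
    return {**get_request(p, request_id), "status": status}


def is_visible(p, request_id):
    """Boolean view of get_request, useful for audit checks and tests."""
    try:
        get_request(p, request_id)
        return True
    except AuthorizationError:
        return False


def can_read_tenant(p, tenant_id):
    """Whether a principal's scope includes the given tenant."""
    return tenant_id in allowed_tenants(p)
```

A tenant admin for `acme-retail` lists only requests 101 and 102 and cannot resolve id 201 at all; a group admin granted `acme-retail` sees the same two and still cannot read `acme-bank` until that tenant is added to its grants. Keeping the scope check inside the one lookup that every other operation reuses is what makes the separation hold for writes as well as reads.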

Let’s dig a little deeper. Here are some of the key components that make it a standout package for multi-tenant operation.

So—when you need to create amendments; you can. When you need to generate reports detailing your plans and where you stand; you can. When you need to opt-out any individual from any of your associated organizations or update their information; you can do that too.

And that’s not all. You can track consent, avoid unauthorized data sales, review, manage and update your data policies in line with regulations. If you have an operation to carry out to any of your data, we’ve got it covered. PrivacyRun is everything you need to conform to the latest legislation governing your data efficiently, with masses of automation to streamline your workflow better than ever, and with all of your data sets under one roof.

We think we’ve thought of everything. If there’s something you need and it isn’t covered, let us know, and we’ll get right onto it.


Who is PrivacyRun made for?

Ultimately, PrivacyRun can aid any organization that needs to stay true to data privacy laws.

Our clients include retail operations, cooperative banks, insurance companies, and more.

And these are all business models that utilize our multi-tenant installation to their advantage.

In these instances, we’ve created platforms that manage multiple client areas for:

That’s how we can help you too with data privacy

We’re still less than a year into abiding by the new ways of CCPA and only a little longer into GDPR. Over that time, we’ve seen confusion amongst businesses and organizations, and the delivery of easily avoidable fines.

If you collect data and believe you need to take note of the new ways into practising its management, then you shouldn’t leave it any longer.

Check your current systems. Examine your data; how you collect it; how easy it would be to access individual entries, package them up and deliver them to their owner. Do you hold the right to share it? Should you be selling it? And have you got the capacity to process masses of data requests if you suddenly become inundated at any point in your operation?

It would help if you were certain you could operate efficiently, legally, securely, and in line with current policy.

PrivacyRun was built to help. Don’t struggle along in the dark. Shine some light into your system. You’ll be glad of the peace of mind and the freedom it brings.

Exploring the differences between test automation (TA) and robotic process automation (RPA): in current markets, and as we head into the future, TA and RPA operate independently of one another. In this article, we’re going to look at the differences between the two processes. This should answer questions such as:

What is robotic process automation? What is test automation? And how does robotic process automation work? What we uncover, through this, are the considerations of each and how a better, more advantageous, combined solution for businesses can exist as we move into the future.


The early introduction of test automation strategy

The test automation framework was introduced to improve the quality of our IT systems. Each change and improvement, however, required testing that added significant personnel and technical resources—delivering higher costs into the process.

This required operatives to prepare and maintain test material, and to carry out the tests. Repeating the process only added to the expense, so the idea of automating those processes and reducing their associated costs set the path in place for more beneficial automation.

What the system needed was a way to speed up testing, extend testing periods, and boost the repeatability of the processes. After a great deal of investigation, new tools were introduced to automate the testing processes.

However, testing is a complicated procedure. Software engineers revealed a selection of tests to be carried out at various points of the process, to understand where to introduce positive changes to improve performance.

Performance, ergonomics, and safety testing were relatively rare, whereas validation, regression, and integration tests, were carried out repeatedly during each session.

Those first testing tools, developed in the 1990s, are still evolving today. For years, the market was dominated by commercial solutions, yet, over the past decade, non-commercial software solutions for automated testing have driven real dynamic growth throughout the industry.

Limiting the amount of human operation during the process

Existing production staff supported the early process testing methods. Without their assistance, the updates and delivery couldn’t be guaranteed to deliver the anticipated results. With introductions into automated testing, staff involvement could be significantly reduced.

However, the production of the testing code was in the hands of the programmers, who often didn’t have the necessary expertise and knowledge of each industry. With the experienced workers being able to monitor and understand the new testing process—often via an easy-to-understand graphical interface—they could see how the results of the tests could affect their daily production.

Slowly, and purely down to the results of the new testing process, new, improved machines became part of the business operations. This was considered the introduction of RPA. However, it would be quite a while before that term would be introduced and accepted as the standard.

Why do we use a framework in test automation?

An automation framework is a combination of tools and processes working together to support the testing of an application. You can see here, with RPA and TA systems being so closely linked, how important this framework is.

The clickers that grew into RPA

These early test machines were referred to as ‘clickers’. The developers were to make dozens of these production robots during that time, and for two main reasons.

The first was that they offered swift implementation—significantly faster than the standard path via change requests in project management.

The second was the cost. Robots were considerably cheaper than changing each IT system. Where an organization already held a test automation team, they could consider the implementation of a dedicated bot to be cost-free.

How to create robotic process automation successfully?

Initially, the IT departments were skeptical. The new methods disrupted the standard processes of introducing changes. Their worries included data security issues, bot access to the company’s primary systems, and whether the machines would operate as intended en masse after the orchestration or rescaling of their production machines. It became necessary to adjust the corporate governance to include the safe functioning of robotics within the company.

Another issue was how integrating test tools might pose new threats to production systems.

Modern RPA interactivity and development

Considerable time has passed since those early testing days, and RPA, along with its new tools and dedicated ways of thinking, has added value directly to the businesses that have chosen to utilize it.

The key points still stand:

Until recently, this was still very much the accepted system; yet, cracks are beginning to come to light.

It appears that certain RPA implementations aren’t delivering the envisioned spectacular successes. While they may not be delivering complete failures, they are experiencing problems achieving their expected benefits.

One of the issues is down to the details in the coding process. Those writing the code need both proficiency in code and experience in the field of operation. Poorly written code creates negative implications when implementing and stabilizing bots in production. Even introducing simpler drag-and-drop code-creation systems doesn’t change the underlying code of each operation.

Performing the simplest operations, without taking into account all the operational factors, too often results in problems producing the desired quality during production.

The robots that effect change in the organization’s system are also subject to those changes in the system. The cost of implementing such changes can absorb all of the benefits of robotization if the code isn’t created correctly.

The robotization process is a software lifecycle system immersed in other processes.

  1. Analysis
  2. Design
  3. Coding
  4. Testing
  5. Implementation
  6. Stabilization
  7. Maintenance

The relevant IT services and technical expertise are required to fulfil each of the steps of the process. If all parts of the system operate as expected, only then will the long- and short-term benefits be realized as intended.


Are TA and RPA so radically different from other automated business processes?

When we look into how automation affects testing as it does other businesses’ operations, well, it isn’t too far removed. The original tester is replaced by a system, in just the same way as other work tasks will be replaced in the organization’s operation.

To create the most powerful opportunities, the robots must be tested before being placed into production. The robots’ tests, therefore, need a test environment mapped from the production environment as the target area of their work.

Each robot must perform to complement the organization’s regression testing. In the same way, the automated test code written during the TA process needs to perform in a whole or as part of the robot about to be implemented in the RPA process.

In other words, both processes overlap, using each other’s resources.

Where there is a change in the process managed by the RPA, it’s necessary to incorporate it in the bots. If the TA/RPA process is created along the lines of the suggested outline, any amendment required in one particular area should replicate through all of the bots in that area. That way, standard production bots can operate in various business processes.

You can see how many similarities they hold, as shown in the following comparison:

Requirements/features                                                                                          | RPA process | TA process
Replacing human work without the need to change existing information systems.                                  | YES         | YES
Operates in the initiative > analysis > cycle > designing > coding > testing > implementation > stabilization > maintenance. | YES | YES
Has business stakeholders, where the business is the beneficiary.                                               | YES         | YES
Requires the correct level of reporting.                                                                        | YES         | YES
Requires a strictly defined error/anomaly handling process.                                                     | YES         | YES
Affects production and test systems.                                                                            | YES         | YES
Requires mechanisms for prioritizing tasks.                                                                     | YES         | YES
Requires scaling mechanisms and working in time regimes.                                                        | YES         | YES
Requires broad mechanisms of orchestrating machines’ work, e.g., scheduling, triggers of various types, grouping, etc. | YES | YES
Uses dedicated technical components, e.g., database support, files, API, GUI, etc.                              | YES         | YES
Requires a process-based approach to the security of sensitive data.                                            | YES         | YES

Our conclusion

TA is a subset process of RPA. Manual testing is an area of human activity and interaction that has the potential to be automated, as many other analogue processes in so many other areas already are. However, to take advantage of the synergy provided, and each RPA robot test, we can’t treat RPA and TA separately.


What does that mean for the future?

We believe that the future will be dominated by MI/ML solutions, based on the vast data sets fed into BigData. Creating code will move to LowCode solutions, and as AI systems absorb more knowledge, their efficiency will boom.

New solutions will be able to deconstruct business processes, to find each of their optimization points, performing qualitative and quantitative analysis of the processes, and automatically generating the code to map out the process using the bot.

Our role will be reduced to merely correcting the AI system operation results and creating updates from code blocks. From there, automatic bot factories will produce sections or entire business processes, ready for implementation into their systems.