Data Privacy FIRST
Solutions for Compliance with Data Privacy & Anti-Spam Regulations
Global data privacy and anti-spam regulations are changing the way organizations communicate with their contacts. Any company that collects contact data from Clients or prospects in Canada, Europe and now California may be impacted by data privacy laws, and more countries and US states are considering similar laws. Canadian Anti-Spam Legislation (CASL) in Canada, the General Data Protection Regulations (GDPR) in Europe and now the California Consumer Privacy Act (CCPA) may impose substantial fines on companies for violations.
CASL - effective July 1, 2017
Companies doing business with or contacting Canadian contacts that haven’t yet acted to obtain implied or express consent from those contacts may be at risk. Companies must also keep detailed records of consent that include the method of consent, such as completing a sign-up form. Under CASL, implied consent must be renewed every two years or converted to express consent. Violations of CASL can result in fines up to $10 million per violation. The first company found in violation of CASL was fined $1.1 million!
GDPR - effective May 25, 2018
Companies doing business with or contacting EU contacts must have a process in place to gain express consent to collect and store information on those contacts, as well as send communications. They must also have an adequately secure data storage methodology for maintaining their contacts’ information and consent data. GDPR applies to all personal data collected by companies, not just contact information. Companies must keep detailed records of consent that include the date and method of consent – or be subject to enforcement penalties. Fines can be up to 20 million euros, or up to 4% of total global revenue, whichever is higher. Total fines collected for GDPR violations as of December 2019 exceeded $475 million.
CCPA - effective January 1, 2020
CCPA covers residents of California and, like GDPR, is not dependent upon the location of the company. Companies doing business in California are directly subject to the CCPA if they meet any one of the following criteria:
- Gross revenue exceeds $25 million
- The company processes the data of 50,000 consumers, households or devices within a single year
- 50% or more of its total annual revenue comes from the sale of consumers’ personal information
While CCPA does not require express consent like GDPR, businesses are required to inform consumers what data is being collected and the purpose for collecting that data. These specific disclosures must be included at the point of collection and in the company’s privacy policies. In the event of violations, the California Attorney General could impose fines up to $7,500 per record. In addition to enforcement by the Attorney General, in the event of a data breach, the CCPA also provides statutory damages for consumer suits, including class action claims, for up to $750 per violation.
What You Must Do to Comply with the New Regulations
- Identify contacts residing in the EU, Canada or California.
- Decide how to collect and store consent data for those contacts. Then establish your processes for continually updating the consent information.
- Ensure that your company’s systems are secure.
- Implement processes for the proper handling of personal data.
- Call CLIENTSFirst! Our Data Privacy First! program can help you create a plan for compliance, including:
  - Auditing current data and data storage
  - Sharing best practices for collecting and storing consent information
  - Crafting consent emails and subscription forms
  - Creating automated processes to ensure compliance and minimize impact on employee time