Welcome to the first installment of the Ketch news roundup, where we gather the latest and greatest data privacy and compliance information to share with you! This week, we have our eyes on the newly appointed head of the FTC, Lina Khan, and what her role means for the privacy space; Colorado’s comprehensive privacy legislation, which is awaiting the Governor’s signature; a new TCPA-style law that Florida has sent to the governor for signature; and Senator Kirsten Gillibrand's strengthened DPA proposal.
Look out Big Tech: Lina Khan’s arrived
While FTC regulations are certainly a possibility, if history is any indication, the path towards any type of FTC-owned regulation is long (FACTA rules on ID Theft and TSR come to mind). How many years have we been waiting for fed privacy legislation, though? FTC regulations may take year(s), but at the end of the day that could be the shorter path. Our question is: will they still be relevant by the time they pass? Read the article
Colorado, Colorado, Colorado!
In case you hadn’t heard, the Colorado Senate recently voted to pass House amendments to their privacy bill. They’re currently waiting on an Exec. signature. Once that’s been signed, we can add Colorado privacy law to the roadmap list. If you haven’t already begun adjusting your privacy program to accommodate these types of rapid changes - give us a call. Read the article
Florida’s new TCPA Law: consent required or risk a lawsuit
The Florida legislature recently passed legislation that significantly expands the state’s existing telemarketing laws. Most notably, the legislation adds a private cause of action for any violations of the Florida Do Not Call Act and requires prior express written consent for automated or prerecorded calls or texts (without defining what automated means). The law was recently sent to the Governor for signature, and if signed will go into effect on July 1, 2021. Read the article.
Sen. Kirsten Gillibrand, D-NY, recently released a new and improved draft of her Data Protection Act. The act proposes to establish a new regulatory agency solely focused on enforcing federal privacy laws and addressing the growing data privacy crisis in America. Give the article a glance to understand the proposed improvements and the three core goals of the proposed agency. Read the article
New Adequacy Decisions for the UK
Additional “News You Should Know”
Interested in Privacy & Compliance? Schedule some time with our privacy experts to find out how Ketch is revolutionizing the space.
Under the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, California residents have the right to opt out of a business selling or sharing any of their personal information.
That means that if you are a for-profit entity with an annual gross revenue in excess of $25 million and handling personal information of more than 100,000 California consumers or households, you are required by law to provide a clear and conspicuous way for your customers to opt out. But what exactly does the right to opt out mean, how is it implemented, and how can you ensure your business complies?
What Does it Mean?
When you give customers the option to opt out, it limits the extent to which your company can sell or share a customer’s personal information. Under CCPA/CPRA, personal information is considered any information that identifies, relates to, or could be linked to an individual or household. This includes information like name, social security number, email or IP address, Internet browsing history, product purchases, geolocation data, and professional or employment-related information—essentially any information that is not publicly available via federal, state or local government records. According to Section 1798.140 of the CCPA, personal information also includes any information used to create a customer profile that reflects preferences, characteristics, behavior, or attitude.
The opt-out requirement doesn’t preclude you from collecting personal information in the normal course of doing business. After all, your business needs personal data to fulfill purchases and enable transactions. Opting out just means that you can’t sell or share this information with any other entity—unless it is a service provider that is necessary to perform a business function.
It’s important to note that any disclosure of personal information for monetary or other valuable consideration is considered a “sale” under CCPA. While often disputed, this broad definition includes the use of third-party advertising and analytics cookies that track a user’s browsing behavior. This does not apply to first-party cookies required to perform essential functions on your website, like remembering which products a customer has placed into an online shopping cart.
How is it Implemented?
Under CCPA/CPRA, businesses needing to comply must provide two or more methods for submitting requests to opt out, including an interactive form accessible via a clear and conspicuous “Do Not Sell or Share My Personal Information” link on the business’ homepage. Other acceptable methods include a toll-free phone number, designated email address, forms submitted in person or by mail, and user-enabled privacy controls such as browser plugins or settings.
One way of providing an opt-out method is via an interactive cookie banner on a website that allows users to decline or accept any non-essential cookies that collect personal information. Some also get a bit more specific and allow users to select only necessary cookies that enable core functionality to help improve the customer experience while preventing the sale or sharing of data for marketing analytics or targeted advertising.
CCPA/CPRA also has more restrictive “opt-in” requirements for children. This means that businesses cannot sell or share personal information for consumers less than 16 years of age without specific affirmative consent, with parental consent required for anyone under the age of 13. Unlike the opt-out option, opting in means that consumers are opted out by default and must take action to opt in. While this is contingent upon the business having knowledge of the age of the consumer, CCPA/CPRA does not allow a business to deliberately disregard a consumer’s age. Any business that targets children would therefore be wise to only use the “opt-in” option or implement a means to identify age to turn off any default selling or sharing of information for anyone under 16.
How Can You Ensure Compliance?
It is also recommended to conduct a thorough data mapping to identify all the ways your business and its systems handle personal information. This can help you determine if any third-party cookies are enabled on your website or if any of your data handling constitutes selling or sharing personal information. Because even if you think you aren’t selling or sharing personal information, it’s not always as obvious as disclosing data to third-party advertisers—think credit checking, identity verification services and other cloud-based services. And if you are unknowingly selling or sharing personal information, you’re still liable.
To see just how compliant (or not) your business is with CCPA/CPRA opt-out rights, start with a free assessment of your website at www.privacygrader.com.
Today the Ketch team is excited to introduce PrivacyGrader, a tool that helps solve the complex and critical problems of consumer data privacy and security.
It’s no secret that data protection is one of the biggest and hardest challenges we face today. This year, data breaches continued to be constant headline news. By one account, the average cost of a breach to a U.S. company is now more than $8.5 million.
In addition to the direct costs of data breaches, the ripple effects of decreased consumer confidence in e-commerce and online media could have severe impacts on our economy – especially at a time when online experiences have never been more essential to our lives.
This is a big, complicated problem that even the biggest companies struggle to manage. Many small and medium-sized companies don’t even know where to begin.
That’s where PrivacyGrader comes in. It’s a starting point for companies to diagnose their data privacy performance, and then to begin the process of improving it. With simple, practical steps.
This is the kind of challenge our team loves: Tackling big problems and coming up with elegant solutions that serve an important purpose.
PrivacyGrader works by analyzing your website's collection and use of personal data. It assesses multiple elements of your privacy procedures and doesn’t just help you find the problems – it identifies the steps you need to take to address them. We provide the analysis to any company at no cost.
Trust is vital for all of us as we deepen our commitment to an increasingly connected, digital lifestyle. At Ketch, we don't see a zero-sum world where consumer privacy is protected and online businesses lose. We believe that both consumers and businesses can prosper together, and we built PrivacyGrader to help bridge the divide. We hope you’ll give it a try and let us know what you think.
The Switchbit team is driven by a belief in two key principles. First, privacy is an essential human right that all businesses should have the ability to respect and enforce. Second, data is property. Like land and other physical property, data must be protected and controlled according to the time, terms, and conditions of its owner’s choosing.
We don't see a zero-sum world where consumer privacy is protected and businesses lose. We believe that both consumers and businesses can prosper together. We're determined to help businesses honor the data dignity of their customers, while also giving them the privacy and security tools that let them preserve and unlock the power of data for core operations and AI-enabled business processes.
Since our inception, we’ve been working hard to achieve the radical simplification of data privacy, which we believe is among the most critical imperatives facing our economy and our society. Undeniably, we are in the midst of the Data Rights Revolution.
As tends to be the case with revolutions, optimism and commitment are all mixed up with complexity and confusion. In our experience, most businesses want to embrace and implement a consumer-first privacy paradigm--the question is How to get there?
We are committed to building powerful-but-simple infrastructure that guides our customers through the maze of laws and regulations, while at the same time recognizing and capitalizing on the opportunities along the way--opportunities hiding in plain sight.
Of course you need to achieve compliance and get the details right. But the companies that win this revolution will be those that go beyond, by creating privacy experiences that inspire customer satisfaction and trust. We help you imagine, design, and offer those experiences.
One of the many hurdles here is that the maze isn’t static. It changes as laws are born and evolve. All the energy you spent getting prepared for CCPA and GDPR? Congratulations! Your prize is… CPRA and LGPD! Data privacy is a dynamic challenge. That’s why we’re always focused on giving our customers a dynamic, deploy-once-comply-everywhere solution.
In this relentless pursuit of simplicity in the face of change, we’ll be with you every step of the way. And today, we’re practicing what we preach: We’ve decided our name adds more where less will do, and do better. Today, we’re saying goodbye to “Switchbit” and introducing you to “Ketch.” Strong and simple, just like our product and our mission.
Ketch is blazing a path in the Data Rights Revolution. Join us in fighting for privacy as an essential human right, and data as property to be preserved and protected.
And if you don’t know, now you know.