BBB EU Privacy Shield: Privacy Best Practices

Aug 2, 2019, 2:00 PM by BBB National Programs

While consumer privacy seems to be a trending topic almost every day, once a year Data Privacy Day gives businesses a chance to take stock of recent developments and benchmark their privacy practices. This Data Privacy Day marks eight months since the General Data Protection Regulation (GDPR) came into force in the European Union (EU), with the news that Google’s alleged privacy missteps have drawn a fine of 50 million euros (nearly $57 million USD) from the French Data Protection Authority (CNIL). While this represents the first major penalty against a U.S. company, it is one of numerous enforcement actions by European Data Protection Authorities under the updated EU privacy rules. By one count, Germany alone has issued 41 fines so far. The CNIL also recently published guidance making it clear that more fines will be forthcoming if online marketers do not adjust their privacy practices.

What do European headlines have to do with your U.S. business? EU law recognizes that consumers have several fundamental rights with respect to their personal data collected and held by private companies. Though these rights may not yet be enumerated in any omnibus U.S. privacy law, they correspond to privacy best practices that pre-date European data protection regulations. With the passage of the California Consumer Privacy Act of 2018 (CCPA), which many are calling a GDPR-style privacy law, as well as ongoing discussions toward passing a U.S. federal privacy law, businesses are well advised to review their privacy commitments, whether they do business domestically or across borders.

In many cases, businesses are also considering incorporating consumer privacy “rights” into their data-handling practices. This trend responds to consumer demands for accountability in the data privacy space. We see this every day in the many consumer complaints we process related to data privacy practices. Many of these consumers wish to access, correct, or delete data, at times referring to redress options such as the EU-U.S. Privacy Shield, for which consumers in the U.S. do not qualify. Such trends show a marked increase in consumer demand for options when it comes to data privacy. Today, if your business touches personal data, privacy protections should be part of your process and culture.

To that end, responsible businesses should periodically check up on the health of their privacy programs. This all may sound daunting, so for Data Privacy Day we prepared a few tips.


  1. Check your public promises.
    • Review your privacy policy and the disclosures you provide when collecting data.
    • Ask yourself whether your public commitments match your actual practices.
    • Do you promise opt-in choice or an opt-out mechanism from the collection of certain types of data? If so, have you built out these mechanisms? Do you have ongoing processes in place to ensure that they function as described?
    • Do you promise customers the ability to access, correct, or delete their data? If so, do you have processes in place to determine whether a request is legitimate and how or when such requests will be honored? Do you know which vendors you will need to contact to complete such a request?
    • If your public commitments do not match your actual practices, you may hear from the U.S. Federal Trade Commission.
  2. Be your own customer (or data subject) for a day.
    • For one day, think like an everyday consumer, not like a lawyer or marketer. Reevaluate your company’s transparency about privacy protection throughout the entire lifecycle of the business-customer relationship.
    • When a person signs up for your service (and/or before you first collect their data), does the person know what personal data will be collected, how it will be used, and whether it will be shared? How easy is it for a person to find out?
    • If a customer were to take a hard look at your data practices, would they be surprised by what they find? One rule of thumb: if a particular data collection or use may surprise some consumers, it is a good idea to disclose it right up front. (As one example of this, review the enhanced notice rules for online interest-based advertising.)
    • Do you collect any sensitive data? How about data from children?
    • If your operations are primarily B2B, first review your own practices, but also check up on what your clients’ customers see. Are they aware that you receive their data?
  3. Check up on your compliance.
    • Privacy rules are always evolving. Review your business practices to consider whether you need to comply with a variety of privacy regulations, from GDPR to CCPA to COPPA.
    • For example, your business may already be required to provide EU-style privacy rights if you have customers in the EU. One common scenario comes about when companies transfer personal data from the EU to the U.S. (or receive such data from other companies), relying on the EU-U.S. Privacy Shield Framework with its requirement to designate a recognized Independent Recourse Mechanism to legitimize the data transfer.
    • Local laws, regulations, and self-regulatory codes may require you to fine-tune your business practices, adjust your disclosures, or implement mechanisms for customers to exercise choice.
  4. Check your contracts.
    • Do your contracts with other businesses commit you to certain practices with regard to personal data?
    • Do your internal practices match your contractual commitments?
  5. Follow the data. Perform a data mapping exercise by considering the full lifecycle of your customers’ data and ask yourself:
    • Who has access to personal data? Who is responsible for its custody?
    • What data do we collect and use? What steps are we taking to safeguard and track data?
    • Where did this data come from? Can we legitimize our sources?
    • When are customers notified of our data practices?
    • Why is this data collected, processed, and retained?
    • How long will we retain this data?
