BBB National Programs Insights
BBB EU Privacy Shield: Privacy Best Practices
While consumer privacy seems to be a trending topic almost every day, once a year Data Privacy Day gives businesses a chance to take stock of recent developments and benchmark their privacy practices. This Data Privacy Day marks eight months since the General Data Protection Regulation (GDPR) came into force in the European Union (EU), with the news that Google’s alleged privacy missteps have drawn a fine of 50 million euros (nearly $57 million USD) from the French Data Protection Authority (CNIL). While this represents the first major penalty against a U.S. company, it is one of numerous enforcement actions by European Data Protection Authorities under the updated EU privacy rules. By one count, Germany alone has issued 41 fines so far. The CNIL also recently published guidance making it clear that more fines will be forthcoming if online marketers do not adjust their privacy practices.
What do European headlines have to do with your U.S. business? EU law recognizes that consumers have several fundamental rights with respect to their personal data collected and held by private companies. Though these rights may not yet be enumerated in any omnibus U.S. privacy law, they correspond to privacy best practices that pre-date European data protection regulations. With the passage of the California Consumer Privacy Act of 2018 (CCPA), which many are calling a GDPR-style privacy law, as well as ongoing discussions toward passing a U.S. federal privacy law, businesses are well advised to review their privacy commitments, whether they do business domestically or across borders.
In many cases, businesses are also considering incorporating consumer privacy “rights” into their data-handling practices. This trend responds to consumer demands for accountability in the data privacy space. We see this every day in the many consumer complaints we process related to data privacy practices. Many of these consumers wish to access, correct, or delete data, at times referring to redress options such as the EU-U.S. Privacy Shield, for which consumers in the U.S. do not qualify. Such trends show a marked increase in consumer demand for options when it comes to data privacy. Today, if your business touches personal data, privacy protections should be part of your process and culture.
To that end, responsible businesses should periodically check up on the health of their privacy programs. This all may sound daunting, so for Data Privacy Day we prepared a few tips.
- Check your public promises.
  - Ask yourself whether your public commitments match your actual practices.
  - Do you promise opt-in choice or an opt-out mechanism from the collection of certain types of data? If so, have you built out these mechanisms? Do you have ongoing processes in place to ensure that they function as described?
  - Do you promise customers the ability to access, correct, or delete their data? If so, do you have processes in place to determine whether a request is legitimate and how or when such requests will be honored? Do you know which vendors you will need to contact to complete such a request?
  - If your public commitments do not match your actual practices, you may hear from the U.S. Federal Trade Commission.
- Be your own customer (or data subject) for a day.
  - For one day, think like an everyday consumer, not like a lawyer or marketer. Reevaluate your company’s transparency about privacy protection throughout the entire lifecycle of the business-customer relationship.
  - When a person signs up for your service (and/or before you first collect their data), does the person know what personal data will be collected, how it will be used, and whether it will be shared? How easy is it for a person to find out?
  - If a customer were to take a hard look at your data practices, would they be surprised by what they find? One rule of thumb: if a particular data collection or use may surprise some consumers, it is a good idea to disclose it right up front. (As one example of this, review the enhanced notice rules for online interest-based advertising.)
  - Do you collect any sensitive data? How about data from children?
  - If your operations are primarily B2B, first review your own practices, but also check up on what your clients’ customers see. Are they aware that you receive their data?
- Check up on your compliance.
  - Privacy rules are always evolving. Review your business practices to consider whether you need to comply with a variety of privacy regulations, from GDPR to CCPA to COPPA.
  - For example, your business may already be required to provide EU-style privacy rights if you have customers in the EU. One common scenario comes about when companies transfer personal data from the EU to the U.S. (or receive such data from other companies), relying on the EU-U.S. Privacy Shield Framework with its requirement to designate a recognized Independent Recourse Mechanism to legitimize the data transfer.
  - Local laws, regulations, and self-regulatory codes may require you to fine-tune your business practices, adjust your disclosures, or implement mechanisms for customers to exercise choice.
- Check your contracts.
  - Do your contracts with other businesses commit you to certain practices with regard to personal data?
  - Do your internal practices match your contractual commitments?
- Follow the data. Perform a data mapping exercise by considering the full lifecycle of your customers’ data and ask yourself:
  - Who has access to personal data? Who is responsible for its custody?
  - What data do we collect and use? What steps are we taking to safeguard and track data?
  - Where did this data come from? Can we legitimize our sources?
  - When are customers notified of our data practices?
  - Why is this data collected, processed, and retained?
  - How long will we retain this data?