Data Privacy Preference Management: Building Customer Trust

Building Customer Trust Through Data Privacy Preference Management

LevelUP Consulting Partners guides clients through the murky waters of data privacy compliance and risk management into the clear seas of information governance. In this journey, an area that is growing in importance is consumer consent management.

The combination of new privacy regulations emerging in the U.S. and abroad, with their often conflicting obligations and record keeping requirements, makes it seem like properly gathering consumer consent is functionally impossible. Nationally and globally, privacy regulations that require compliance via consumer consent vary from vague to overly detailed. This adds tough administrative effort to your already heavy workload. But not to fear: LevelUP has developed methodologies, tools, and techniques to steer our clients through these challenges into operational solutions that satisfy legal demands.

Consent by Jurisdiction

One of the key questions organizations ask when sifting through consent requirements is: do the relevant jurisdictions require opt-in or opt-out consent? It is an important question. One approach assumes consent by default, while the other explicitly requires active assent. The opt-out versus opt-in question is also the central differentiator between U.S. state privacy law requirements and international regulations like the GDPR.

Data Privacy: Consent in the United States

Five states across the U.S. either have new data privacy laws in force or have passed laws that will come into effect in 2023. These states are California, Virginia, Colorado, Utah, and Connecticut. With the economic behemoth, California, first entering the privacy regulation ring, other states have quickly followed suit and largely followed its lead in writing their laws, with a few nuances of note.

In general, Americans tend to lean toward the opt-out framework when dealing with consent, assuming consent unless the consumer explicitly states otherwise.

For example, California’s CCPA Section 1798.120(a-b) reads: “A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out,” and, “A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.”  Although California appears to remain the strictest of the five state policies currently passed into law, the other four also follow an opt-out framework for consent.

GDPR and Other Global Policies

In stark contrast, the European Union, widely considered the world leader in data privacy management, applies an opt-in framework when it comes to consent.

The GDPR specifically states: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” 

Following suit, many other countries and jurisdictions have adopted the opt-in framework for collecting consent. Argentina, Brazil, China, and India are good examples, all having implemented an opt-in strategy for gathering consent to collect user data.

Preference Management Functionality

To the untrained eye, opt-in jurisdictions may look like an overwhelming design and maintenance burden on already overtaxed business administration resources, and the ubiquitous pop-up banners and questionnaires may look like the only solution. But that is not always the case.

First, remember that opt-in jurisdictions do not require consent for strictly necessary data collection, which exempts mandatory business information from processing procedures. Additionally, most consent can be gathered in a straightforward way online through the right legal language crafted with counsel.

Record keeping and legal language are intertwined and must be consistent when gathering and documenting consent. With properly designed organizational policies and procedures that show due diligence, good record keeping practices, thoughtful risk management, and an understanding of jurisdiction requirements, you will be on the right side of defensible information governance standards.

Conclusion

Over the years, LevelUP has leveraged our compliance expertise to provide clients steady navigation through uncertain waters and arrive at safe compliance shores. We help clients create and implement customized, comprehensive, yet straightforward consumer consent programs that demonstrate compliance and build consumer trust.

For more information on this topic or how LevelUP Consulting Partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager, at: dave.cohen@levelupconsult.com

The Utah Consumer Privacy Act – And Then There Were Four

Utah’s Consumer Privacy Act Makes Utah the Fourth U.S. State to Create Its Own Privacy Law

In our previous post, New State Privacy Laws – What’s Required?, we noted that although California led the way, Virginia and Colorado passed privacy laws on the heels of that landmark legislation, and twenty states had privacy legislation in the works. Since that writing, Utah has become the newest state to pass privacy legislation. Utah’s Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022. Although the law does not take effect until December 31, 2023, there are compliance obligations to keep an eye on. Here is a look at how to begin preparing for the country’s newest state privacy requirements.

UCPA Overview

The UCPA was signed into law on March 24, 2022 and will take effect on December 31, 2023. The law defines consumers as individuals who are residents of Utah and acting in an individual or household capacity. Notably, it does not include individuals acting in employment or commercial contexts. It defines controllers as persons doing business in the state who determine the purposes for which, and the means by which, personal data is processed. A processor is defined as a person who processes personal data on behalf of a controller, borrowing these terms from the GDPR.

The UCPA applies to any controller or processor who:

  • Conducts business in the state
  • Produces a product or service that is targeted to consumers who are Utah residents
  • Has an annual revenue of at least $25 million and satisfies one or both of the following: (1) during a calendar year, controls or processes personal data of 100,000 or more consumers; (2) derives over 50 percent of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers.

The UCPA grants consumer rights to access and delete personal data. It also requires written agreements between controllers and processors. Finally, it treats consumer rights as largely opt-out.

What Makes UCPA Different from other US State Privacy Laws? (CA, CO, and VA)

Although the UCPA is largely based on Virginia’s privacy legislation, it is distinct and arguably narrower than its predecessors, and it appears to be the least restrictive of the four state data privacy laws passed to date. First, the UCPA has a narrower scope of applicability than the other states’ laws. For a business to be in scope, it must meet the criteria above AND satisfy one or more of the following thresholds:

1) during a calendar year, controls or processes personal data of 100,000 or more consumers, or

2) derives over 50% of gross revenue from selling personal data and controls or processes personal data of at least 25,000 consumers. 

The UCPA exempts non-profits, higher education, government entities, and entities processing personal data subject to federal privacy laws. Additionally, the UCPA does not apply to personal data of employees or business contacts, de-identified data, aggregated data, or information generally available to the public.

Second, like other state privacy laws, the UCPA grants consumers rights to access and delete personal data. It does not, however, grant consumers a right to correct personal data. In addition, it only allows for deletion of information obtained from the consumer by the controller; it does not allow for deletion of information inferred from what a consumer has provided or obtained from third parties. The UCPA allows for an opt-out of targeted advertising like the other laws; however, it sticks to opt-out for sensitive data instead of creating an opt-in provision like the Virginia and Colorado laws.

Third, the UCPA is lighter on security and data processing agreements than its predecessors in other states. Unlike California, Virginia, and Colorado, the UCPA does not require controllers to conduct formal data processing risk assessments prior to processing personal data, or even sensitive data. It also does not include provisions on dark patterns. Like the other laws, the UCPA does require a controller to execute an agreement with a processor, but it does not require provisions in the agreement allowing controllers to audit the processor or giving controllers the right to object to a processor’s use of a subcontractor.

Finally, enforcement looks slightly different under the UCPA than its predecessors in other states. Under the UCPA, consumers are required to first submit complaints to the Utah Division of Consumer Protection, which then has the power to elevate a UCPA complaint to the Utah Attorney General’s office. In California, Colorado, and Virginia, the process starts in the Attorney General’s office.

Looking Forward

As more and more states pass data privacy laws like these four, it is only natural for companies to be intimidated by the potential tsunami of fifty separate privacy laws. While Utah clearly added its own twist to American privacy law and has some unique requirements, many of its requirements remain similar to those of established state laws.

Since the UCPA is narrower than its predecessors in California, Virginia, and Colorado, if a company is compliant or working towards compliance with any of these privacy laws, some work will have been accomplished toward compliance with the UCPA. 

As always, reviewing, updating, and implementing robust privacy programs, data mapping, consent practices, and similar good data stewardship practices will serve companies well in complying with the UCPA, as they have for the other state privacy laws.

For more information on U.S. state privacy laws or how LevelUP Consulting Partners can assist with your privacy and data security compliance needs, contact Dave Cohen, Senior Manager, at: dave.cohen@levelupconsult.com