What is Regulatory Compliance?
Regulatory compliance means that a business or organization follows all state, federal and international laws that are relevant to its operation. Data-protection laws and regulations are rules set by governments to protect consumers and their rights when it comes to the collection and use of their data.
Examples of regulatory compliance laws include:
- The U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996
- The Sarbanes-Oxley Act of 2002
- European Union’s General Data Protection Regulation (GDPR) of 2016
- California Consumer Privacy Act (CCPA) of 2018
GDPR and CCPA have generated the most headlines recently and are under the most scrutiny.
The Differences Between GDPR and CCPA
The California Consumer Privacy Act (CCPA) was passed by the California legislature in 2018 as a data protection law for California residents. It went into effect on January 1, 2020, but the California attorney general announced that the state would not begin enforcing it until July 1, 2020.
The European Union adopted the General Data Protection Regulation (GDPR) in April 2016 as a data protection law for people in the EU. GDPR became enforceable in May 2018 and was the catalyst behind CCPA.
GDPR and CCPA both protect certain people when it comes to the use and storage of their data, and both carry penalties for non-compliance. However, there are differences in whom and what each law covers. To highlight a few:
CCPA Applies To:
- For-profit businesses that do business in California and collect California residents' personal information, either directly or through another organization on their behalf, and that meet at least one of the following thresholds:
- Annual gross revenue of at least $25 million.
- Buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households, or devices per year.
- Deriving half or more of their annual revenue from selling consumers' personal information.
CCPA Does Not Apply To:
- Data already covered by other laws: medical information, information collected as part of a clinical trial, sales of information to or from consumer reporting agencies, publicly available personal information, personal information covered by the Gramm-Leach-Bliley Act, and personal information covered by the Driver's Privacy Protection Act.
GDPR Applies To:
- Organizations anywhere in the world that offer goods or services to, or monitor the behavior of, people in the EU.
- For-profit and non-profit organizations alike, with no stipulation on how much revenue an organization makes.
- Living natural persons in the EU, not only EU citizens.
- All personal data, with stricter rules for special categories of personal data (for example health, biometric or genetic data).
- Children's data: a controller must make reasonable efforts to verify parental consent when it relies on consent from a child below the digital consent age, and cannot simply plead ignorance of the child's age.
- Processing of personal data only where there is a lawful basis for it.
- Organizations must keep a record of their processing activities.
- The supervisory authority must be notified within 72 hours of the organization becoming aware of a personal data breach.
FoundSM is proud to be a OneTrust Strategic Partner. The OneTrust platform supports compliance programs for CCPA, GDPR, LGPD, PDPA, ISO 27001 and several other privacy and security laws and standards across the world.
As a OneTrust Strategic Partner, FoundSM works with OneTrust to provide comprehensive privacy management programs to our clients, helping to keep their data secure and compliant.
The State of Regulatory Compliance
Currently, there is no comprehensive federal privacy law in the United States; data protection is handled by sector-specific laws such as HIPAA and by state laws such as CCPA, and the future is uncertain. Even if future laws have no direct impact on your company, it is important to be aware of and keep up-to-date with developing regulations, because they may impact you eventually.
In order to ensure future compliance:
- Note whether your website sets any cookies, collects opt-ins, or stores data about visitors.
- Understand what data you are collecting, where it is sent, and who has access to it.
- Read and understand CCPA and GDPR laws.
- Investigate best practices by looking to see what other businesses are doing.
How to Be CCPA Compliant
What you need to do in order to comply with CCPA:
- Businesses must give consumers a way to request the personal data the company has collected about them and/or to have that data deleted. Businesses must also explain how consumers can opt out of the sale of their data in the future.
- If your business sells or discloses personal information to any party beyond contracted service providers, you will need to provide a way for your consumers to opt out.
- If your business offers any sort of financial incentive in exchange for personal information, you will need to explain what the incentive is in terms of services and price, and how consumers can opt in or out at any point.
- If your business handles consumer rights requests (access, deletion or opt-out), you will need to explain how the process is handled internally and what the process entails for the consumer.
- If your business works with vendors that qualify as a "service provider," you will need a written contract that restricts how they may use the data, and you will need to clearly describe that relationship.
How to Be GDPR Compliant
What you need to do in order to comply with GDPR:
- Create a data register, a record of your processing activities, to meet regulatory requirements.
- Classify your data so that you know what personally identifiable information (PII) you are collecting.
- Once you understand what type of data you are collecting, ensure that you are processing and protecting it correctly.
- Assess risks and establish processes to manage them.
- Establish procedures for detecting and reporting breaches within the 72-hour window.
- Anonymize or pseudonymize collected data wherever possible in order to protect privacy.
What is Personally Identifiable Information (PII)?
A common way that businesses violate CCPA, GDPR, or other regulations is that personally identifiable information accidentally ends up in their analytics account, for example an email address that appears in a page URL or a form field after a visitor submits a contact form. Personally identifiable information is information that can be used to contact, identify, or locate an individual.
Examples of PII include: name, facial image, postal address, email address, fingerprint, credit card number, date of birth, phone number, social security number, username, license plate number, and driver's license number, among others.
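The following is an added example, not code from FoundSM or OneTrust, of the kind of check a PII audit of an analytics account runs: it scans page paths of the sort an analytics export lists (path plus query string) for PII that leaked in through URLs, reports what it found, and returns a redacted path that is safe to send to the analytics tool. The parameter names, the regular expressions and the sample paths are assumptions constructed for the example; tune the names and patterns to your own site's forms and URL scheme.

```javascript
// Added example (not FoundSM's or OneTrust's code): find and redact PII in
// analytics page paths. Parameter names and patterns are assumptions.

// Query-string parameter names that commonly carry PII on marketing sites
// (assumed list; extend it from your own site's forms).
const PII_PARAM_NAMES = new Set([
  "email", "e", "name", "firstname", "lastname", "phone", "tel", "dob", "ssn",
]);

// Free-text patterns applied to the path and to every query value.
// Order matters: the SSN pattern runs before the looser phone pattern.
const PII_PATTERNS = [
  { type: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "ssn",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "phone", re: /\b\d{3}[-.]\d{3}[-.]\d{4}\b/g },
];

const PLACEHOLDER = "_REDACTED_"; // survives encodeURIComponent unchanged

// Replace pattern matches in `text`, appending each match to `findings`.
function redactText(text, where, findings) {
  let out = text;
  for (const { type, re } of PII_PATTERNS) {
    out = out.replace(re, (match) => {
      findings.push({ type, where, value: match });
      return PLACEHOLDER;
    });
  }
  return out;
}

// Scan one analytics page path. Returns { findings, redacted }.
function scanAnalyticsPath(path) {
  // The base origin is a placeholder so that relative paths parse; it is
  // discarded on output.
  const url = new URL(path, "https://placeholder.invalid");
  const findings = [];

  // Malformed percent-escapes make decodeURIComponent throw; fall back to the
  // raw path rather than dropping the hit (the audit must not silently skip).
  let decodedPath;
  try {
    decodedPath = decodeURIComponent(url.pathname);
  } catch (e) {
    decodedPath = url.pathname;
  }
  const cleanPath = redactText(decodedPath, "path", findings);

  const pairs = [];
  for (const [key, value] of url.searchParams) {
    let cleanValue;
    if (PII_PARAM_NAMES.has(key.toLowerCase())) {
      // Known PII parameter: redact the whole value regardless of content.
      findings.push({ type: "param", where: key, value });
      cleanValue = PLACEHOLDER;
    } else {
      // Other parameters may still carry free text with PII in it.
      cleanValue = redactText(value, "param " + key, findings);
    }
    pairs.push(encodeURIComponent(key) + "=" + encodeURIComponent(cleanValue));
  }
  const redacted = cleanPath + (pairs.length ? "?" + pairs.join("&") : "");
  return { findings, redacted };
}

// Audit a whole export: returns only the paths that contained PII.
function auditPaths(paths) {
  return paths
    .map((p) => ({ path: p, ...scanAnalyticsPath(p) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample of page paths as an analytics export might list them.
const SAMPLE_PATHS = [
  "/contact/thank-you?email=jane.doe%40example.com&utm_source=newsletter",
  "/account/jane.doe@example.com/orders",
  "/support?msg=call%20me%20at%20555-123-4567",
  "/pricing?plan=pro",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPaths(SAMPLE_PATHS)) {
    console.log(r.path, "->", r.redacted, r.findings.map((f) => f.type));
  }
}
```

Run this over the page paths exported from your analytics tool to find PII that has already been collected; the same `scanAnalyticsPath` logic, applied to `location.pathname + location.search` before the analytics tag fires, stops new PII from being sent. Note that regex matching catches common formats only; a value that does not look like an email or phone number (a bare customer name, say) will slip through unless its parameter name is on the list.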
To make sure that your organization is not holding identifiable information about your customers where it should not be, we recommend that our team conduct a PII Audit.
What is a PII Audit?
The team at FoundSM will work with you to conduct an audit of your marketing tools and analytics accounts to make sure they are compliant with current laws and regulations. In the audit process, our team will:
- Identify your company’s PII footprint.
- Identify, categorize, and tag company files that contain PII and make sure the information is stored, accessed and used in compliance with current regulations.
- Minimize current PII footprint.
- Encrypt the PII that must be retained.
The FoundSM Advantage
The impact that CCPA and GDPR have on businesses can be difficult to digest. The FoundSM team is here to help you understand if you are violating these laws and regulations.
With our specialists’ knowledge, you’ll know what impact they may have on your organization.
Let us help you grow your digital marketing strategy. Contact our expert analytics team today, and find out more about how we can help your business be compliant.
Looking for services that go along with regulatory compliance?