By Brandon Tuley Archives - Zasio

Building a RIM Program From the Ground Up

Zasio — Fri, 22 May 2026 14:13:03 +0000

Every organization generates records daily, and without a records and information management (RIM) program, those records become a liability the moment a regulatory audit, lawsuit, or merger arrives.

Key RIM Program Takeaways:

A legal records retention schedule is the anchor of every successful RIM program.
Clearly defined ownership and cross-functional buy-in are required to move from policy to action.
Technology should support established, documented workflows, not replace them.
Start with small, departmental wins to build momentum for organization-wide implementation.

4 Pillars of Successfully Building a RIM Program

Whether you’re building from scratch or maturing an informal program, four pillars determine whether your RIM program holds up or falls apart: a records retention schedule, people, process, and technology. Nail these, and your organization gains a defensible, scalable foundation that protects against risk, supports compliance, and grows with your needs.

Pillar 1: Records Retention Schedule

A records retention schedule is the legal and operational blueprint that governs how long your organization keeps each record type, when to destroy it, and how to meet regulatory obligations without holding records longer than necessary. The records retention schedule (RRS) anchors your entire RIM program. It defines what records your organization creates, how long to keep them, and when to dispose of them. Without it, retention decisions vary from person to person, driving inconsistency and increasing compliance risk organization-wide.

Strong retention scheduling software starts with five key components: function, record series title, description, examples, and a global baseline retention period. Legal citations map to each record series, grounding retention periods in specific requirements. When jurisdictional differences arise, you can create country exceptions tied to those citations.

Watch for these common gaps when building or evaluating your RRS:

Retention periods lack ties to legal or regulatory requirements, leaving your organization exposed.
The RRS exists on paper but no one has communicated, trained on, or adopted it across the organization.
Years have passed without a formal review or update, causing the schedule to fall out of step with current laws and business operations.

Pillar 2: People

People are the engine of any RIM program: the designated owners, cross-functional stakeholders, and trained employees whose daily habits determine whether your policies are ever truly followed. Without a clear owner, a RIM program doesn’t stall, it quietly fails. Assign a designated owner, whether that sits under Legal, Compliance, IT, or a dedicated RIM function, and make that accountability visible across the organization.

From there, build a cross-functional team. RIM touches every department, and stakeholders across the business hold critical knowledge about how teams create, use, and store records. Engage them early. Their input shapes a more accurate and practical program, and their involvement builds the buy-in needed to sustain it.

Training is not an afterthought; it is how accountability becomes action. Without it, even a well-designed program breaks down in execution. Develop a deliberate training strategy that reaches every level of the organization, and tailor materials to your audience: end users need different guidance than records coordinators or senior leadership.

Pillar 3: Process

Process refers to the standardized workflows and documented procedures that govern how your organization creates, classifies, stores, retains, and disposes of records. Without consistent, repeatable steps, even the best policies collapse under human variability. Inconsistent practices across departments create compliance gaps and retrieval challenges. Standardized workflows for classification, retention, and disposition reduce reliance on individual knowledge and eliminate the guesswork that leads to costly errors.

Start by mapping how records flow through your organization, from creation to disposition. Identify where records originate, where they live, and how they move between systems and teams. Use that map to shape workflows that fit how your organization truly operates.

Document everything. Standard operating procedures (SOPs) ensure your processes are repeatable and don’t depend on a single person’s institutional knowledge. Define who does what, when, and how for each key RIM activity.

Pillar 4: Technology

Technology encompasses the systems and tools, from document management platforms to AI-assisted classification, that enable your RIM program to operate at scale. The right tools make the difference between a program that works in theory and one that works in practice. Technology supports a RIM program; it doesn’t build one. Before evaluating tools, establish your policy, people, and process foundations. Organizations that implement a system before laying that groundwork often face poor adoption and wasted investment.

Modern tools, including AI-assisted classification, can accelerate and support this work. AI can help surface patterns, suggest classifications, and flag inconsistencies at a scale that manual review cannot match. But AI works best when you have already defined your underlying processes. It reinforces good process; it does not replace it.

Consider scalability. The tools you choose today should grow with your program, not constrain it. Also, pay close attention to integration. Siloed technology creates new records management challenges rather than solving existing ones. Assess how any new tool connects with your current business systems before committing.

From Pillars to Practice: Putting It All in Motion

The four pillars reinforce each other. A well-crafted RRS means little without people trained to follow it. Clear processes lose their value without technology to support them at scale. And technology investments fall flat without the policy and process foundation to guide them.

Building a RIM program is only half the work. Sustaining it requires ongoing governance. Schedule periodic program reviews to assess what works, what has shifted, and where gaps have emerged. Refresh your RRS on a regular cycle, typically annually or biennially, to reflect changes in regulation, business operations, and technology. Establish a rhythm of executive reporting as well. Leadership visibility into program health keeps RIM on the organizational agenda and secures the resources it needs to remain effective.

Start small and scale deliberately. Launch in one department, refine your approach, and expand from there. Set clear milestones so you can measure progress, recognize early wins, and maintain momentum across the organization.

A RIM Program Built to Last

Building a RIM program is not a one-time project; it’s an ongoing commitment. Organizations that lay the right foundation today position themselves to navigate regulatory changes, adopt new technologies, and manage records with confidence as they grow.

The path forward doesn’t require perfection. It requires a starting point. Choose your first pillar, take that first step, and build from there. The long-term value of a well-built RIM program far outweighs the effort it takes to get one off the ground.

Disclaimer: The purpose of this post is to provide general education on information governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Building a RIM Program From the Ground Up appeared first on Zasio.

Psychology of Change: Why Employees Resist RIM—And How to Overcome It

Zasio — Fri, 31 Oct 2025 14:41:22 +0000

In today’s fast-paced digital landscape, organizations rely on records and information management (RIM) solutions to enhance compliance, protect data, and boost efficiency. Yet, despite these advantages, employee resistance remains common. Fortunately, with strategic change management, clear communication, and ongoing engagement, organizations can address this resistance.

Understanding the Root Cause of RIM Pushback

Employee pushback often stems from three factors: limited awareness, fear of change, and concerns about added workload. Many employees don’t grasp the strategic importance of RIM, particularly in compliance, risk reduction, cost savings, and efficiency. Because RIM touches every department, employees often view it as an IT or legal responsibility rather than a shared organizational responsibility.

Changes to established workflows can also create discomfort and a sense of lost control. Employees may view RIM as an administrative burden without immediate benefit. Misconceptions grow when employees misunderstand the time and effort needed to classify, store, or dispose of records. While implementation can feel cumbersome, most RIM processes become streamlined or automated, reducing manual effort over time.

Strategies to Overcome Resistance

Overcome resistance to RIM starts with communicating its value, early stakeholder involvement, small steps, and adaptability.

Communicate the Value: Employees support RIM when they understand its impact. Share real-world examples—such as data breaches or compliance failures—to illustrate the benefits of an effective program.
Early Wins Build Momentum: Launch a pilot program in one department to test and refine your approach. Recognize champions who support the initiative. This encourages broader buy-in.
Stay Flexible and Responsible: As organizational needs evolve, new requests will arise. Respond promptly to encourage collaboration.

Metrics to Track Adherence

Finally, organizations should track key metrics to measure success and maintain long-term compliance. Consider these indicators:

Classification Accuracy: The percentage of records correctly classified, reflecting user understanding and reducing misfiling risks.
Disposition Compliance: The volume of records disposed of according to retention policies.
Audit Findings and Remediation: Track audit outcomes and resolution speed to evaluate control effectiveness and responsiveness.
Training Coverage: Tracking the number of users trained on RIM policies and tools highlights the reach and effectiveness of educational efforts.

These metrics provide valuable insights that informs decision-making and drives continuous improvement.

Final Thoughts on Resistance to RIM

Employee resistance to RIM-driven change is natural but not unstoppable. By identifying the root causes such as limited awareness, fear of change, or perceived workload increases, organizations can apply targeted change management strategies that build trust and collaboration. Clear communication, phased rollouts through pilot programs, and celebrating early successes are essential for gaining support. Pair these efforts with adherence metrics to monitor progress and ensure alignment with organizational goals. With a deliberate, inclusive approach, resistance can be transformed into lasting buy-in—allowing your organization the full benefits of a robust RIM program.

The post Psychology of Change: Why Employees Resist RIM—And How to Overcome It appeared first on Zasio.

Common Pitfalls in Retention Schedule Refreshes and How to Avoid Them

Zasio — Tue, 13 May 2025 20:34:51 +0000

Introduction

You started from scratch with the goal of crafting a comprehensive records retention schedule (RRS). After months of analyzing regulatory requirements, gathering feedback from stakeholders, and fine-tuning details to align the policy with your organization’s needs, the dust has settled. Now, it is time to refresh your retention schedule. While this task may seem overwhelming, avoiding these four common pitfalls can make the retention schedule refresh process more efficient and less painful.

Legal and Regulatory Changes

To minimize the risk of quickly failing out of compliance, start by reviewing legal and regulatory changes. These include new requirements not previously considered and updated requirements previously considered. Organizations often monitor legal and regulatory updates through software tools or vendor assistance. By keeping abreast of these changes, you ensure your RRS remains up to date. During the retention schedule refresh, set up a dedicated group of people to track these changes. This proactive approach helps seamlessly integrate legal and regulatory updates into the refreshed RRS.

Technology Advancements

Technology advancements can significantly impact how records are managed and stored. By failing to keep up with technology, your records management practices risk becoming outdated. Additionally, you may miss opportunities to streamline the process. Therefore, evaluate new technologies and emerging trends, such as cloud storage solutions, digital archiving, and automated retention tools. Technology assessments and collaboration with vendors help understand the capabilities and limitations of untapped resources. Moreover, consider both standalone and integrated products to improve records management during the retention schedule refresh.

Business Operations Changes

Organizational restructuring may add or remove portions of your retention schedule. Accordingly, consider any changes in business operations when reassessing your RRS to ensure it reflects the current organizational structure and processes. For instance, review current organization charts to identify relevant stakeholders and potential adjustments to the RRS. Furthermore, discuss potential operational changes with each department to identify impacts on the RRS early on and allow for timely adjustments. Document key details to ensure changes are reflected in the refreshed RRS.

Lack of Stakeholder Engagement

Engaging stakeholders is vital for a successful retention schedule refresh. Without their input, you may overlook critical aspects of recordkeeping specific to different departments or functions. Thus, actively involve stakeholders throughout the refresh process with an inclusive approach to address their needs and concerns. Structured feedback mechanisms, such as surveys and one-on-one meetings, allow individuals to provide valuable contributions. Additionally, leverage your previous list of contacts when working through your refresh.

Final Thoughts on RRS Refresh

Refreshing your RRS is just as important as creating it. By proactively addressing common pitfalls, you can streamline the refresh process and enhance the effectiveness of your RRS. Regularly monitor updates, evaluate new technologies, reassess business operations, and actively involve stakeholders to maintain an up-to-date RRS. This not only helps mitigate risks but also promotes collaboration within your organization.

Lastly, establish a clear timeline for your retention schedule refresh process with defined milestones and deadlines. This helps keep the project on track and ensures prompt completion of all necessary updates. Additionally, regularly review your progress against these milestones to ensure your refresh stays on schedule.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Common Pitfalls in Retention Schedule Refreshes and How to Avoid Them appeared first on Zasio.

How Identifying Personal Information Can Help Boost Your RIM Program

Zasio — Tue, 23 Apr 2024 14:30:21 +0000

Identifying the record series in your retention schedule that contain personal information is a strategic step to advance your records and information management program. Not only will you be more mindful of the record series that contain personal information, but you’ll also gain a more detailed understanding of the sources from which you acquire personal information.

So if you’re looking to further your organization’s RIM program, considering the types of personal information in your RRS is a wise step forward. Once you determine the types of personal information within your organization’s records cache, legal requirements, operational needs, and risk considerations will determine the impacts to your RRS.

Types of Personal Information

There are a variety of different flavors within the big bucket of personal information. Specific types under the GDPR include genetic data, biometric data, data concerning health, and special categories of personal data.[1] As shown in the table below, these are not defined as broadly as their umbrella, “personal data.”

GDPR – Personal Data Type	Definition
Personal data	Any information relating to an identified or identifiable natural person.
Genetic data	Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Biometric data	Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.
Data concerning health	Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Special categories of personal data	Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

With an increased operational footprint comes the added complexity for organizations to understand how the definitions of specific types of personal information change based on various privacy laws. Organizations subject to both California’s CCPA as well and the EU’s GDPR must understand how specific types of personal information are defined differently under each law.

Specific types of personal information under the CCPA include sensitive personal information and biometric information.[1] The table below illustrates the complexity of these definitions.

CCPA – Personal Information Type	Definition
Personal information	Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Sensitive personal information	Personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership; genetic data; or mail, email, and text messages contents unless the business is the intended recipient of the communication.
Biometric information	An individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity.

Know Your Source

You may also acquire the same type of personal information from different sources. For example, health information may come from employees, patients, and customers. Identifying the source of a specific type of personal information can be useful for identifying the proper retention needs or record series for the information. For example, the basis for retaining health information of employees exposed to toxic substances differs from health information acquired from job applicants.

The types of personal information your organization retains as well as the source from which it’s acquired will impact the general structure and retention periods of your RRS. For example, the personal information of employees can include everything from medical or biometric information to access logs. And retention periods for employee biometric information or access logs can give rise to compelled destruction requirements, which can put a wrench in your RRS. Compelled destruction requirements often conflict with the retention period for other records grouped in the same record series. This is why creating specific carveouts in your RRS often make sense, or even become necessary.

Common RRS carveouts include biometric information, access logs, CCTV footage, and sensitive financial information. These carveouts provide your organization with the flexibility to decrease retention periods in line with risk considerations, as well as operational and legal needs. Additionally, carveouts help demonstrate to regulators that your organization is being compliant about not over-retaining personal information.

RRS and RIM Policies Impact

RIM policies and procedures will also be specific to the type of information and special considerations based upon the associated risk. Examples of policy components that may be changed by the type of information your organization maintains can include vendor requirements, methods of information destruction or deletion, training, and cloud storage.

Also, certain policy components may be driven by operational determinations, while others may be caused by legal requirements. For example, HIPAA requires that organizations “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information”[2] and “train all members of its workforce on the policies and procedures with respect to protected health information.”[3] These specific HIPAA provisions would drive policies and procedures related to employee training as well as protecting IT safeguards and access controls.

Risks and Obligations

Sensitive personal information like genetic, biometric, health, and special category data comes with major risks. Sensitive personal information is a more prized target for cyber criminals. Given this, over retaining sensitive personal information increases its vulnerability. Clearly identified record series for records with sensitive personal information can help alleviate the risk of over retention that comes from including this data in a broader records series.

Operational Needs

The Federal Trade Commission has successfully pursued enforcement actions involving over retaining sensitive financial information for up to thirty days after the business need expired, in violation of bank security rules.[4] In In re: BJ’s Wholesale Club, Inc, the US-based membership-only warehouse chain agreed to a settlement with the FTC in 2005 requiring the company to create and maintain a comprehensive information security program and carefully inventory and assess the risks associated with its personal information, among other things. The consent order BJ’s Wholesale Club agreed to was enforceable for 20 years, meaning in 2024, the company is still subject to its terms.[5] The FTC’s action in the BJ Wholesale Club matter is but one example of the very long-lasting consequences an organization can face from failing to set and enforce proper retention periods around sensitive personal information.

Legal Requirements

In addition to factoring business need retention periods into your RRSs, organizations must also know legally mandated disposition requirements. For example, Texas requires employers retaining biometric identifiers for commercial and security purposes to delete the biometric identifier no later than one year after the termination of the employment relationship.[6]

Risk Considerations

Organizations must also consider the risk from specific types of personal information. The array of risk considerations that come with the specific types of personal information are equally as vast as the variety of personal information your organization may retain. Such risk may be created by security considerations, storage costs, legal regulations, and data erasure requests.

Conclusion

Ensuring retention periods line up with your business’s operational, needs, legal requirements, and risk appetite is critical when taking the next steps to advance your RIM program. By identifying the types of personal information in your records, you can make the proper adjustments to your RRS based on legal requirements, operational needs, and risk considerations. Inventorying and assessing the types of personal information in your records inventory and determining the proper RRS adjustments may seem like an overwhelming task, but doing so is crucial for advancing a successful RIM program and ensuring your business isn’t exposing itself to unnecessary risks.

[1] See Cal Civ Code 1798.140.

[2] 45 CFR 163.530 (c)(1).

[3] 45 CFR 163.530 (b)(1).

[4] See, e.g., Complaint, In re BJ’s Wholesale Club, Inc., FTC File No. 0423160 (Sept. 20, 2005) (alleging the company created unnecessary risks to sensitive financial information by storing it for up to 30 days when it no longer had a business need to keep the information).

[5] In the Matter of BJ’s Wholesale Club, Inc., Federal Trade Commission Docket No. C-4148, Decision and Order (Sept. 20, 2005).

[6] Tex. Bus. & Com. Code 503.001.

[1] See EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

Disclaimer: The purpose of this post is to provide general education on Information Governance software topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post How Identifying Personal Information Can Help Boost Your RIM Program appeared first on Zasio.

Digitizing Records Considerations for RIM Professionals

Zasio — Tue, 23 May 2023 19:51:20 +0000

Considerations When Digitizing Records

A recent survey of over 500 records and information management (RIM) professionals revealed decision makers are intrigued by the benefits of transforming physical records into digital.[1] This is not surprising given technology’s influence on society.

With digital records, however, come several issues that RIM professionals should consider: (1) identifying documents that may be kept in electronic form; (2) specifications or conditions of electronic records; and (3) security measures that are in line with a record’s content medium. Navigating these issues can be difficult. Nonetheless, businesses must consider the implications of records digitalization.

Documents That May be Kept in Electronic Form

In the United States, the Electronic Signatures in Global and National Commerce Act created the general rule recognizing electronic signatures, contracts, and other records in or affecting interstate or foreign commerce.[2] With this general rule, there are some specific exceptions that do not recognize the digitalization of information. These include the cancellation or termination of utility services, product recalls or failures, cancellation or termination of health or life insurance benefits, and transportation or handling of hazardous materials like pesticides.[3] Determining what documents you can keep electronically is a strategic first step when transitioning to digital records.

Specifications For Digitalized Records

Ensuring specifications surrounding digitalized documents is another critical consideration when digitizing documents. For example, Hawaii requires computed tomography x-ray system licensees to retain images of spot checks in “digital form on a storage medium compatible with the computed tomography x-ray system.”[4] Another example is a federal provision requiring prescription drug licensees that maintain or transmit electronic records within closed systems to “employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records. . . .”[5] The procedures and controls required to be implemented include but are not limited to the ability to generate accurate and complete copies in physical and electronic form, as well as ensure that record changes do not obscure information that was previously recorded.[6]

Security Measure Considerations

Given the increasing number of consumer privacy laws, information security is a growing concern for businesses. For example, the CPRA amendments in California provide:

[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.[7]

The method used to protect information can vary depending on the medium in which the information is kept. Reasonable security measures for physical files often include lock and key or security cameras, but for electronic information include encryption and malware protection. What is reasonable may depend a lot on the type of information and the circumstances of its use, and a business should not overlook the necessary security adjustments that follow.

Conclusion

The transition from physical to digital information retention can be appealing for reasons such as a decreased administrative burden. It is essential, however, to understand the landscape of implications surrounding this transition, and this article discusses but a few. When weighing such a transition, don’t let the positives cause you to ignore these implications.

[1] Access, Access Releases Results of 2023 State of the Records & Information Management Industry Survey — Highlighting Trends on Challenges, Key Initiatives, Planned Investments, and More, (last accessed May 8, 2023) https://www.accesscorp.com/press-coverage/access-releases-results-of-2023-state-of-the-records-information-management-industry-survey-highlighting-trends-on-challenges-key-initiatives-planned-investments-and-more/.

[2] 15 USCS § 7001 (a) (2023).

[3] See 15 USCS § 7003 (a), (b) (2023).

[4] Haw. Code R. § 11-45-1 (2023).

[5] See 21 CFR 203.60 (2023); 21 CFR 11.10 (2023).

[6] Id.

[7] Cal. Civ. Code § 1798.81.5 (b) (2023)

Author: Brandon Tuley, JD, CIPP/E

Analyst / Licensed Attorney

The post Digitizing Records Considerations for RIM Professionals appeared first on Zasio.

Connecticut Becomes the Fifth State to Enact Comprehensive Consumer Data Privacy Legislation

Zasio — Fri, 10 Jun 2022 22:12:04 +0000

State-enacted comprehensive consumer data privacy legislation is becoming more common across the United States. Connecticut is now the fifth state to enact such legislation, joining California, Colorado, Utah, and Virginia.[1] Public Act No. 22-15—The “Act Concerning Personal Data Privacy and Online Monitoring” (also referred to as the “Connecticut Data Privacy Act” or “CTDPA”)—will go into effect in July 2023. With a year to go before the law is implemented, it is important for consumers and businesses to understand their rights and responsibilities under the CTDPA, and to prepare accordingly.

The CTDPA shares a number of similarities with other comprehensive state privacy laws. One similarity of the CTDPA to the Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), and Virginia Consumer Data Protection Act (“VCDPA”) is that all of these laws do not apply to data that is collected in an employment or commercial context.[2] But the CTDPA also has its differences. One difference of the CTDPA from the UCPA and VCDPA is that the CTDPA includes both monetary and non-monetary consideration in the sale of personal data, while the UCPA and VCDPA includes only monetary consideration in the sale of personal data.[3]

What Rights Do Consumers Have?

Consumers can exercise six different rights with respect to their personal under the CTDPA.[4] These include the right to: confirm the processing of personal data; access personal data; correct inaccuracies in personal data; have personal data deleted; obtain a copy of personal data in a portable and readily usable form; and opt out of processing of personal data for targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects involving the consumer.[5] This latter right is similar to the right to opt out of automated decision making found in Article 22 of the GDPR.[6]

For a consumer to exercise any of their rights under the CTDPA, the consumer must do so by way of “secure and reliable means” established by the data controller.[7] Children do not have the authority to exercise the CTDPA’s six consumer rights, but a parent or legal guardian may do so on a child’s behalf.[8]

What Requirements Do Businesses Have?

For a business to be subject to the CTDPA, the business must first meet at least one of two numeric thresholds, and then fall within the definition of a “controller.”[9] A business falls within the CTDPA’s requirements if during the preceding calendar year, the business controlled or processed the personal data or more than one hundred thousand consumers (not including data that was controlled or processed solely for the purpose of completing a payment transaction); or controlled or processed the personal data of more than twenty-five thousand consumers and more than twenty-five percent of the gross revenue of the business cause from the sale of personal data.[10]

Businesses are a “controller” of personal data if they solely or jointly with others determine the purpose and means of processing personal data.[11] Controllers must do a number of things, some of which include: limiting the collection of personal data to what is “adequate, relevant, and necessary” in relation to the purpose of processing that is disclosed to the consumer; implementing safeguards to protect the confidentiality, integrity, and accessibility of personal information; and not processing a consumer’s sensitive personal data without first obtaining the consumer’s consent.[12]

Who Has a Right of Action?

The CTDPA provides that the Connecticut attorney general’s office possesses the exclusive authority to enforce violations.[13] Thus, consumers do not have a private right of action for CTDPA violations. From July 1st, 2023, until December 31st, 2024, the attorney general must provide a notice of violation before bringing an action, but only if it is possible to cure the violation.[14] If it is not possible to cure the violation, the attorney general can immediately prosecute the violation.[15] Then, beginning on January 1st, 2025, the attorney general may consider five factors when determining whether to allow an opportunity to cure an alleged violation.[16] These six factors include: (i) the number of violations; (ii) the size and complexity of the controller or processor; (iii) the nature and extent of processing activities; (iv) the substantial likelihood of injury to the public; (v) the safety of persons or property; (vi) and whether the alleged violation was caused by human or technical error.[17]

Conclusion

Although Connecticut is the most recent state to have passed comprehensive consumer privacy legislation, it is certainly not the last. With the increasing number of states that have enacted comprehensive consumer privacy laws, and the similarities and differences that can exist between these laws, compliance can be difficult. Contact Zasio today to see how our innovative products and services can help you remain compliant across the growing patchwork of state data privacy laws.

[1] Cheryl Johnson et al., Connecticut’s New Privacy Law: What You Need to Know, JD Supra (May 23, 2022), https://www.jdsupra.com/legalnews/connecticut-s-new-privacy-law-what-you-8578081/.

[2] Devika Kornbacher and Marcus Lind-Martinez, A “New Haven” for Privacy: Connecticut Enacts Data Privacy Act, JD Supra (May 13, 2022), https://www.jdsupra.com/legalnews/a-new-haven-for-privacy-connecticut-6142711/.

[3] Devika Kornbacher and Marcus Lind-Martinez, A “New Haven” for Privacy: Connecticut Enacts Data Privacy Act, JD Supra (May 13, 2022), https://www.jdsupra.com/legalnews/a-new-haven-for-privacy-connecticut-6142711/.

[4] 2022 Conn. Acts 15 Reg. Sess.

[5] 2022 Conn. Acts 15 Reg. Sess.

[6] See 2022 Conn. Acts 15 Reg. Sess.; see Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), art. 22, 2016 O.J. (L 119).

[7] 2022 Conn. Acts 15 Reg. Sess.

[8] 2022 Conn. Acts 15 Reg. Sess.

[9] See 2022 Conn. Acts 15 Reg. Sess.

[10] 2022 Conn. Acts 15 Reg. Sess.

[11] 2022 Conn. Acts 15 Reg. Sess.

[12] 2022 Conn. Acts 15 Reg. Sess.

[13] 2022 Conn. Acts 15 Reg. Sess.

[14] 2022 Conn. Acts 15 Reg. Sess.

[15] 2022 Conn. Acts 15 Reg. Sess.

[16] 2022 Conn. Acts 15 Reg. Sess.

[17] 2022 Conn. Acts 15 Reg. Sess.

Author: Brandon Tuley, JD, CIPP/E

Analyst / Licensed Attorney

The post Connecticut Becomes the Fifth State to Enact Comprehensive Consumer Data Privacy Legislation appeared first on Zasio.

How Nevada Doubled Down on Privacy Legislation

Zasio — Mon, 01 Nov 2021 20:14:05 +0000

The Privacy of Information Collected on the Internet From Consumers Act (NPICICA) and Security of Information Maintained by Data Collectors and Other Businesses statute (SIMDC) are Nevada’s two main online consumer privacy laws (together, Nevada’s Privacy Laws). Although lesser-known and considered less comprehensive[1] than the California Consumer Privacy Act (CCPA), Nevada’s Privacy Laws are still impactful among privacy laws in the United States. Recent amendments to Nevada’s Privacy Laws provide consumers far more protection. Below is a summary of the framework of Nevada’s Privacy Laws along with recent amendments.

What Information is Protected?

The NPICICA defines “covered information” as any: first and last name, address (containing the name of a street and city), e-mail address, phone number, social security number, or identifier that enables contact with a particular individual (either in person or online). Covered information also includes:

[a]ny other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.[2]

This definition of “covered information” increases the threshold for what qualifies as personal information established under the CCPA because the CCPA only requires that information be at least “reasonably capable of being associated with or could be reasonably linked” to a particular individual.[3]

Who Must Comply with The Law?

The NPICICA defines an “operator” as any person who:

owns or operates a website or online service for commercial purposes;
collects and maintains covered information from consumers who reside in Nevada and use or visit the operator’s website or online service; and
purposefully directs its activities toward the state, consummates some transaction with the state or a state resident, or purposefully avails itself of the privilege of conducting in activities in Nevada.[4]

Recent changes to the law (effective October 1st, 2021[5]) added “data broker” as a regulated party.[6] A “data broker” is defined as a person whose primary purpose is purchasing covered information regarding consumers, and whom there is not a direct relationship with the consumer.[7] The addition of “data broker” is significant for consumer protection because previously, consumers could only submit an opt out request to operators, and not to data brokers.[8]

Who Has a Right of Action?

The NPICICA does not provide consumers with a private right of action.[9] However, the Nevada Attorney General may bring an action against an operator for failing to provide a consumer with sufficient notice of the consumer’s covered information that the operator collects, as well as for failing to comply with a consumer’s request to not sell the information.[10] The Attorney General may also bring an action against a data broker,[11] but only for failing to cooperate with a consumer’s opt out request.[12] The maximum civil penalty for both operators and data brokers is $5,000 per violation.[13]

Conclusion

Although the NPICICA is not as comprehensive as other state privacy laws, it is helping lead the charge to strengthen online consumer privacy. Recent changes to Nevada’s Privacy Laws will only increase data privacy.

Online consumer privacy laws can be difficult to navigate, in large part to the different requirements among states. Contact Zasio today to see how the products and services that we offer can help your organization comply with evolving consumer privacy laws.

[1] Sarah Rippy, US State Privacy Legislation Tracker, IAPP, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (Sept. 16, 2021).

[2] Nev. Rev. Stat. § 603A.320 (2021).

[3] Cal. Civ. Code § 1798.140(o)(1) (2021).

[4] See Nev. Rev. Stat. § 603A.330(1)(a–c) (2021).

[5] Chris Brook, Changes to Nevada’s Privacy Law Includes Requirements for Data Brokers, Digital Guardian, https://digitalguardian.com/blog/changes-nevadas-privacy-law-includes-requirements-data-brokers (July 7, 2021).

[6] Chris Brook, Changes to Nevada’s Privacy Law Includes Requirements for Data Brokers, Digital Guardian, https://digitalguardian.com/blog/changes-nevadas-privacy-law-includes-requirements-data-brokers (July 7, 2021).

[7] Nev. Rev. Stat. S.B. 260, § 2 (Oct. 1, 2021).

[8] Nev. Rev. Stat. S.B. 260, § 3 (Oct. 1, 2021); Nev. Rev. Stat. § 603A.345 (2019).

[9] Nev. Rev. Stat. § 603A.360(3) (2021).

[10] Nev. Rev. Stat. § 603A.360(2) (2021).

[11] Nev. Rev. Stat. § 603A.360(3) (2021).

[12] See Nev. Rev. Stat. § 603A.360(3) (2021).

[13] See Nev. Rev. Stat. § 603A.360(2–3) (2021).

Author: Brandon Tuley, JD, CIPP/E

Analyst / Licensed Attorney

The post How Nevada Doubled Down on Privacy Legislation appeared first on Zasio.

Changes to the California Consumer Privacy Act of which Consumers Should be Aware

Zasio — Wed, 16 Jun 2021 20:45:53 +0000

Data privacy regulations have been a hot topic in the ever-changing discussion of consumer privacy. So far in 2021, 27 bills have been proposed in states which seek to implement new or change existing data privacy laws.[1] By comparison, only two state-level bills were introduced in all of 2018.[2]

One of those 2018 bills was the California Consumer Privacy Act (CCPA), a wide-reaching statute designed to enhance online consumer privacy for California residents.[3] On November 3, 2020, just nine months after the CCPA became enforceable,[4] California voters passed Prop 24 (also known as the California Privacy Rights Act or “CPRA”), which contains several significant changes to the CCPA.[5] However, businesses still have some time to study and adapt to these changes. The CPRA will only apply to personal information collected by a business on or after January 1st, 2022, and the CPRA does not become operative law until January 1st, 2023.[6] While not yet effective, there is no doubt the CPRA enhancements to the CCPA will be very impactful. Among other things, the CPRA changes what entities are required to comply with the CCPA and also establishes the California Privacy Protection Agency.[7]

CPRA Changes to Regulated Entities

To be regulated under the CCPA, a “business” as defined under California law must satisfy at least one of the following three conditions: (1) has annual gross revenue above twenty-five million dollars; (2) alone or in combination is involved in the buying, selling, or sharing of personal information of fifty-thousand or more consumers, households, or devices; or (3) derives fifty percent or more of its annual revenue from selling consumer’s personal information.[8]

The CPRA makes three fairly significant changes to these jurisdictional conditions.[9] The first is that the numeric threshold of “fifty thousand or more consumers, households, or devices” will be increased to one hundred thousand.[10] The second is that devices will no longer be considered when calculating the jurisdictional threshold.[11] The third is the addition of the phrase “or sharing” to regulate entities that derive fifty percent or more of their annual revenues from selling or sharing personal information.[12] In other words, entities will no longer be able to avoid compliance by claiming that more than fifty percent of their annual revenue comes from sharing information, and not selling it.

Creation of The California Privacy Protection Agency

Currently, the CCPA only allows individuals and the California Attorney General to bring claims alleging CCPA violations.[13] Despite the California AG having the authority to bring claims, though, that office is only equipped to handle a handful of cases per year.[14] Section 24 of the CPRA creates the California Privacy Protection Agency,[15] which will not only administer and enforce actions involving the CCPA but also promote public awareness of online security and provide guidance to consumers and businesses regarding their rights and duties under the CCPA.[16] The creation of an agency funded with ten million dollars to issue sanctions to companies that violate the CPRA should lessen the burden that is currently placed on the California Attorney General.[17]

Conclusion

The CCPA and CPRA have placed California at the forefront of state online consumer privacy laws. Given the large number of California residents (roughly one in eight U.S. residents live there) and businesses subject to these laws’ reach, the CPRA no doubt will increase the CCPA’s already profound impact on only consumer privacy protection. Time will tell the impact California’s approach will have on how other states create and change their consumer privacy laws. Such legislation likely has the impact to cause a ripple effect of creating guidelines as to what entities are governed as well as the creation of enforcement agencies. Contact Zasio today to see how our innovative products and services can help you remain compliant.

[1] David McCabe and Cecilia Kang, As Congress Dithers, States Step In to Set Rules for the Internet, N.Y. Times (May 14, 2021), https://www.nytimes.com/2021/05/14/technology/state-privacy-internet-laws.html.

[2] Id.

[3] See Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (June 28, 2018), https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html.

[4] Id.

[5] See Cal. Legis. Serv. Proposition 24 (West 2020).

[6] Id.

[7] Id.

[8] See Cal. Civ. Code § 1798.140(c)(1)(A–C) (West 2020).

[9] See Cal. Legis. Serv. Proposition 24 (West 2020).

[10] Id.

[11] Id.

[12] Id.

[13] See Cal. Civ. Code § 1798.150–155 (West 2020).

[14] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html.

[15] Cal. Legis. Serv. Proposition 24 (West 2020).

[16] Cal. Legis. Serv. Proposition 24 (West 2020).

[17] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020), https://www.nytimes.com/2020/10/28/opinion/california-prop-24-privacy.html.

Author: Brandon Tuley, JD, CIPP/E

Analyst / Licensed Attorney

The post Changes to the California Consumer Privacy Act of which Consumers Should be Aware appeared first on Zasio.