<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>data privacy Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/data-privacy/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/data-privacy/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Fri, 05 Apr 2024 21:43:25 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>data privacy Archives - Zasio</title>
	<link>https://zasio.com/tag/data-privacy/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Mastering Data Privacy: Best Practices in Cookie Management</title>
		<link>https://zasio.com/mastering-data-privacy-best-practices-in-cookie-management/</link>
					<comments>https://zasio.com/mastering-data-privacy-best-practices-in-cookie-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 14 Feb 2024 19:06:43 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cookies]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[internet privacy]]></category>
		<guid isPermaLink="false">https://zasio.com/?p=3794</guid>

					<description><![CDATA[<p>On December 29, 2023, the French Data Protection Authority (CNIL) fined Yahoo EMEA Limited €10 million for disregarding the choices of internet users who refused cookies on its &#8220;Yahoo.com&#8221; website and for preventing users of its &#8220;Yahoo! Mail&#8221; messaging service from freely withdrawing their consent to cookies. CNIL established that when users visited the &#8220;Yahoo.com&#8221; site, the cookie banner offered several buttons for giving consent, yet about twenty advertising cookies were set on the user&#8217;s device before any consent was given. Moreover, CNIL discovered that, as users of the &#8220;Yahoo! Mail&#8221; messaging service attempted to revoke their cookie consent, the company informed them that doing so would lead to a loss of access, including to the messaging service. CNIL emphasized that linking non-essential cookies to a service is acceptable as long as consent is freely given, and there is no harm to the user for refusing or withdrawing consent. In this instance, however, Yahoo failed to provide an alternative for users to withdraw their consent, forcing them to forgo the use of the messaging service. Fines of this size are a significant financial risk, and the reputational damage that accompanies them can [&#8230;]</p>
<p>The post <a href="https://zasio.com/mastering-data-privacy-best-practices-in-cookie-management/" data-wpel-link="internal">Mastering Data Privacy: Best Practices in Cookie Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>On December 29, 2023, the French Data Protection Authority (CNIL) fined Yahoo EMEA Limited €10 million for disregarding the choices of internet users who refused cookies on its &#8220;Yahoo.com&#8221; website and for preventing users of its &#8220;Yahoo! Mail&#8221; messaging service from freely withdrawing their consent to cookies.</p>
<p>CNIL established that when users visited the &#8220;Yahoo.com&#8221; site, the cookie banner offered several buttons for giving consent, yet about twenty advertising cookies were set on the user&#8217;s device before any consent was given.</p>
<p>Moreover, CNIL discovered that, as users of the &#8220;Yahoo! Mail&#8221; messaging service attempted to revoke their cookie consent, the company informed them that doing so would lead to a loss of access, including to the messaging service.</p>
<p>CNIL emphasized that linking non-essential cookies to a service is acceptable as long as consent is freely given, and there is no harm to the user for refusing or withdrawing consent. In this instance, however, Yahoo failed to provide an alternative for users to withdraw their consent, forcing them to forgo the use of the messaging service.</p>
<p>Fines of this size are a significant financial risk, and the reputational damage that accompanies them can be more costly still. The following recommendations are a way to proactively mitigate the risks tied to your organization&#8217;s cookie practices. The CNIL&#8217;s decision turned on European data privacy law, which does not apply to every organization, but even absent a regulatory mandate these recommendations should be treated as best practices:</p>
<ol>
<li><strong>Obtain valid user consent for all non-essential cookies.</strong></li>
</ol>
<p>There are two types of cookies &#8211; essential and non-essential. Essential cookies are strictly necessary for fundamental functions such as user authentication, session management, remembering a chosen language, and security measures, and they can be set without explicit user consent. All other cookies are non-essential, including those used for analytics, advertising, or personalization that is not required to deliver the service, and they must be set only after obtaining clear and informed consent from the user.</p>
<p>In addition to obtaining consent for non-essential cookies, it is important to allow users to select the cookie categories to which they’re consenting. This customization enables individuals to align their privacy preferences with personal comfort levels and specific interests.</p>
<ol start="2">
<li><strong>Consent should be freely given and regularly renewed.</strong></li>
</ol>
<p>Users should be able to make their choice without undue pressure, and withdrawing consent should be as simple as giving it. Withdrawing consent must not result in the denial of services unrelated to the non-essential cookies in question.</p>
<p>Keep in mind that consent should be periodically renewed. The ePrivacy Directive does not itself fix a renewal interval, so look to the guidance of the relevant data protection authorities (DPAs): the French CNIL, for instance, recommends renewing consent every six months.</p>
<ol start="3">
<li><strong>Do not use cookies for purposes not covered by consent.</strong></li>
</ol>
<p>Once user consent is obtained for a specific purpose (such as analytics or personalized advertising), you must not repurpose these cookies for unrelated functions.</p>
<ol start="4">
<li><strong>Limit the retention period of cookies.</strong></li>
</ol>
<p>A cookie&#8217;s lifetime should not exceed what is necessary for the purpose it serves, and some DPAs set an explicit maximum. In France, Luxembourg, and the Netherlands, for example, the cited periods range from 6 to 13 months from the moment the cookie is set with the user&#8217;s consent.</p>
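<p>As an added illustration (example code written for this edit, not part of the original post or of any Zasio product), the following Node.js module applies recommendations 1, 2 and 4 on the server side: non-essential cookies are set only for the categories the visitor consented to, a consent record older than six months (the CNIL interval quoted above) is treated as absent, cookie lifetimes are capped at the 13-month upper bound cited above, and withdrawing a category expires its cookies immediately. The cookie names, the <code>cookie_consent</code> record format, and the 180-day and 395-day constants are assumptions made for this example.</p>

```javascript
// Added example, not code from the Zasio post or from any Zasio product.
// Server-side consent gate for the cookie rules discussed above.
//
// Assumptions made for this example: the visitor's choice is recorded in a
// first-party cookie named "cookie_consent" whose value is URL-encoded JSON
// such as {"v":1,"ts":"2024-02-01T00:00:00Z","cats":["analytics"]}; consent
// is renewed every 6 months (the CNIL interval quoted above); and no cookie
// lives longer than 13 months (the upper bound cited above for France).
// All cookie names used here are invented.

const ESSENTIAL = "essential";
const NON_ESSENTIAL = new Set(["analytics", "advertising", "preferences"]);
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_TTL_DAYS = 180;          // rule 2: re-ask after six months
const MAX_COOKIE_LIFETIME_DAYS = 395;  // rule 4: 13-month ceiling
const DAY_SECONDS = 86400;

// Parse a Cookie request header ("a=1; b=2") into a Map of name -> decoded value.
function parseCookieHeader(header) {
  const out = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    let value = part.slice(i + 1).trim();
    if (!name) continue;
    try { value = decodeURIComponent(value); } catch { /* keep the raw value */ }
    out.set(name, value);
  }
  return out;
}

// Read the stored consent record. Returns null when it is absent, malformed,
// or older than CONSENT_TTL_DAYS: stale consent is treated as no consent,
// so the safe default is to set nothing non-essential and re-show the banner.
function readConsent(cookieHeader, now = new Date()) {
  const raw = parseCookieHeader(cookieHeader).get(CONSENT_COOKIE);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || !Array.isArray(rec.cats) || typeof rec.ts !== "string") return null;
  const ts = Date.parse(rec.ts);
  if (Number.isNaN(ts)) return null;
  const ageDays = (now.getTime() - ts) / (DAY_SECONDS * 1000);
  if (ageDays < 0 || ageDays > CONSENT_TTL_DAYS) return null;
  // Only known non-essential categories count; unknown strings are ignored.
  return { ts: new Date(ts), cats: new Set(rec.cats.filter((c) => NON_ESSENTIAL.has(c))) };
}

// Rule 1: decide which of the cookies a page wants to set are allowed.
// Each `wanted` item is { name, value, category, maxAgeDays }.
// Returns { set: [Set-Cookie header values], blocked: [cookie names] }.
function planSetCookies(wanted, consent) {
  const set = [];
  const blocked = [];
  for (const c of wanted) {
    const allowed = c.category === ESSENTIAL || (consent !== null && consent.cats.has(c.category));
    if (!allowed) { blocked.push(c.name); continue; }
    // Rule 4: cap the lifetime regardless of what the caller asked for.
    const maxAge = Math.min(c.maxAgeDays, MAX_COOKIE_LIFETIME_DAYS) * DAY_SECONDS;
    set.push(`${c.name}=${encodeURIComponent(c.value)}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`);
  }
  return { set, blocked };
}

// Rule 2: withdrawing must be as easy as consenting. Given the cookies now on
// the client and the categories the user just refused, return Set-Cookie
// headers that expire every cookie in those categories and rewrite the
// consent record. `registry` maps cookie name -> category. The expiry headers
// must repeat the Path (and Domain, if any) the cookies were set with.
function withdrawConsent(cookieHeader, refusedCats, registry, now = new Date()) {
  const present = parseCookieHeader(cookieHeader);
  const current = readConsent(cookieHeader, now);
  const remaining = new Set(current ? current.cats : []);
  for (const cat of refusedCats) remaining.delete(cat);
  const headers = [];
  for (const [name, cat] of Object.entries(registry)) {
    if (present.has(name) && refusedCats.includes(cat)) {
      headers.push(`${name}=; Max-Age=0; Path=/`);
    }
  }
  // The consent record itself is essential (it stores the choice), so it is
  // set without asking; it stays readable by the banner script (no HttpOnly).
  const rec = JSON.stringify({ v: 1, ts: now.toISOString(), cats: [...remaining] });
  headers.push(`${CONSENT_COOKIE}=${encodeURIComponent(rec)}; Max-Age=${CONSENT_TTL_DAYS * DAY_SECONDS}; Path=/; Secure; SameSite=Lax`);
  return headers;
}
```

<p>Two details matter in practice. A stale or unparseable consent record is treated exactly like a missing one, so the default is to set nothing non-essential and show the banner again rather than fall back to the last known choice. And the expiry headers emitted by <code>withdrawConsent</code> must carry the same Path (and Domain, if one was used) as the original Set-Cookie, or the browser will not match and remove the cookie.</p>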
<ol start="5">
<li><strong>Add a privacy or cookie policy to disclose details about cookies and how to manage them.</strong></li>
</ol>
<p>Publishing a privacy or cookie policy is essential to transparently communicate which cookies are used, what each is for, and how individuals can control or opt out of cookie tracking.</p>
<p>A well-crafted policy not only improves user understanding but also demonstrates a commitment to privacy, fostering trust and supporting compliance with data protection regulations.</p>
<ol start="6">
<li><strong>Do not use dark patterns.</strong></li>
</ol>
<p>Dark patterns are design tricks that mislead users or nudge them into choices they would not otherwise make. A few examples to avoid:</p>
<ul>
<li>The &#8220;Accept&#8221; button is more prominent than the &#8220;Reject&#8221; button.</li>
<li>Consent for non-essential cookies is pre-selected by default.</li>
<li>The text on the banner is unreadable due to a pale color and small line spacing.</li>
</ul>
<p>Utilizing dark patterns not only undermines user autonomy but also violates principles of transparency and informed choice. This can erode users’ trust and potentially lead to non-compliance with data protection regulations.</p>
<p><strong>Conclusion</strong></p>
<p>The CNIL decision against Yahoo EMEA Limited highlights the need for robust data privacy practices. The recommendations above are proactive measures that mitigate those risks and signal a commitment to preserving user trust and the company&#8217;s reputation.</p>
<p>Data privacy rules keep changing, so organizations need to stay adaptable; when questions arise about cookie usage, consult data privacy specialists to keep pace with evolving standards.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/mastering-data-privacy-best-practices-in-cookie-management/" data-wpel-link="internal">Mastering Data Privacy: Best Practices in Cookie Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/mastering-data-privacy-best-practices-in-cookie-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Poking Holes in Big Buckets — The Impacts of Data Privacy and Security on Simplified Retention Schedules</title>
		<link>https://zasio.com/poking-holes-in-big-buckets-2/</link>
					<comments>https://zasio.com/poking-holes-in-big-buckets-2/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 09 May 2022 19:23:55 +0000</pubDate>
				<category><![CDATA[Webinars]]></category>
		<category><![CDATA[ARMA International]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Information Governance software]]></category>
		<category><![CDATA[record retention consulting]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[records retention software]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=444</guid>

					<description><![CDATA[<p>Big buckets have been the trend in recent years, but if they are too big and designed without a sound strategy, they create unnecessary risks for your organization. While everyone wants a simple retention schedule, ignoring necessary exceptions leads to over-retention of records that counteracts the benefits of simplicity. The two areas impacting big bucket design the most are privacy and security. In this webinar with ARMA International, Zasio experts Rick Surber, Sr. Analyst and Licensed Attorney, and Warren Bean, Sr. Sales Engineer and Product Development Manager, explore privacy and security, highlighting how a little targeted granularity goes a long way in reducing risk. We also teamed up with Kayla Greenman, Lead Records Management Specialist from Idaho Power, as a guest panelist to provide real-world experience in a highly regulated industry.</p>
<p>The post <a href="https://zasio.com/poking-holes-in-big-buckets-2/" data-wpel-link="internal">Poking Holes in Big Buckets — The Impacts of Data Privacy and Security on Simplified Retention Schedules</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Big buckets have been the trend in recent years, but if they are too big and designed without a sound strategy, they create unnecessary risks for your organization. While everyone wants a simple retention schedule, ignoring necessary exceptions leads to over-retention of records that counteracts the benefits of simplicity. The two areas impacting big bucket design the most are privacy and security.</p>
<p>In this webinar with <a href="https://www.arma.org/" data-wpel-link="external" rel="external noopener noreferrer">ARMA International</a>, Zasio experts <a href="https://www.linkedin.com/in/ricksurber/" data-wpel-link="external" rel="external noopener noreferrer">Rick Surber</a>, Sr. Analyst and Licensed Attorney, and <a href="https://www.linkedin.com/in/warren-bean-crm-cism-63780a6/" data-wpel-link="external" rel="external noopener noreferrer">Warren Bean</a>, Sr. Sales Engineer and Product Development Manager, explore privacy and security, highlighting how a little targeted granularity goes a long way in reducing risk. We also teamed up with Kayla Greenman, Lead Records Management Specialist from Idaho Power, as a guest panelist to provide real-world experience in a highly regulated industry.</p>
<p><iframe title="Poking Holes in Big Buckets — Impacts of Privacy and Security on Simplified Retention Schedules" width="1080" height="608" src="https://www.youtube.com/embed/DYBjDcf-nzU?feature=oembed"  allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe></p>
<p>The post <a href="https://zasio.com/poking-holes-in-big-buckets-2/" data-wpel-link="internal">Poking Holes in Big Buckets — The Impacts of Data Privacy and Security on Simplified Retention Schedules</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/poking-holes-in-big-buckets-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Privacy and Confidentiality — a Sound Investment for Any Business</title>
		<link>https://zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/</link>
					<comments>https://zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 20 Jul 2021 19:41:12 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data governance]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[Information Governance software]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[record retention consulting]]></category>
		<category><![CDATA[records management]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=521</guid>

					<description><![CDATA[<p>How an organization handles data matters. While records management covers many tenets of data collection, one particular area deserves exploration: privacy. What is it? How is it different from confidentiality? And why does this distinction matter? While privacy and confidentiality may seem interchangeable, the two terms refer to different points in the data lifecycle. Let’s start with how these concepts overlap. Both privacy and confidentiality pertain to how, when, and why information is stored or collected. However, privacy allows an individual to control which of their personal information an organization may collect, maintain, and share.[i] Confidentiality, on the other hand, protects personal and sensitive information, once collected, from unauthorized use, access, or disclosure.[ii] This means that, to maintain confidentiality for both client and employee information, a business must identify both the information it needs to carry out certain tasks and what it will do with that information once collected. Data Privacy Implementing privacy control measures requires a company to be very intentional about the data it collects and, ultimately, how it integrates that data into the records it retains. A company should have a clear, articulated purpose for each bit of data it collects, and appropriate permission from the person the data is about to carry [&#8230;]</p>
<p>The post <a href="https://zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/" data-wpel-link="internal">Privacy and Confidentiality — a Sound Investment for Any Business</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>How an organization handles data matters. While records management covers many tenets of data collection, one particular area deserves exploration: privacy. What is it? How is it different from confidentiality? And why does this distinction matter?</p>
<p>While privacy and confidentiality may seem interchangeable, the two terms refer to different points in the data lifecycle. Let’s start with how these concepts overlap. Both privacy and confidentiality pertain to how, when, and why information is stored or collected. However, privacy allows an individual to control which of their personal information an organization may collect, maintain, and share.<a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_edn1" name="_ednref1" data-wpel-link="internal">[i]</a> Confidentiality, on the other hand, protects personal and sensitive information, once collected, from unauthorized use, access, or disclosure.<a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_edn2" name="_ednref2" data-wpel-link="internal">[ii]</a> This means that, to maintain confidentiality for both client and employee information, a business must identify both the information it needs to carry out certain tasks and what it will do with that information once collected.</p>
<p><strong>Data Privacy</strong></p>
<p>Implementing privacy control measures requires a company to be very intentional about the data it collects and, ultimately, how it integrates that data into the records it retains. A company should have a clear, articulated purpose for each bit of data it collects, and appropriate permission from the person the data is about for each way it is used.<a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_edn3" name="_ednref3" data-wpel-link="internal">[iii]</a> Legislation in the United States governing personal data has become more common, following the data privacy trend set by the European Union’s General Data Protection Regulation (GDPR).<a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_edn4" name="_ednref4" data-wpel-link="internal">[iv]</a> While a general federal privacy law has not been enacted in the United States, various industry-specific federal laws contain privacy principles that apply to personal data. Privacy-specific state laws are a growing trend, with bills at various stages of the legislative cycle in many states and recent enactments in California and Virginia.<a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_edn5" name="_ednref5" data-wpel-link="internal">[v]</a></p>
<p>A solid institutional plan for what data an organization collects, and for how and why it uses that data, is a great first step towards operationalizing good data management.</p>
<p><strong>Data Confidentiality</strong></p>
<p>Once privacy boundaries are established by controlling what data an organization collects and why, that data must be managed and protected. This is where confidentiality comes in. One of the most common examples of a confidentiality law is the Health Insurance Portability and Accountability Act (HIPAA), which governs, among other things, protected health information (PHI). Under HIPAA, confidentiality is achieved when a business limits access to a patient’s records to those employees or data processors with a legitimate business need for the information. This is enforced through a variety of control mechanisms, including access permissions, handling requirements, and retention requirements. A records handling requirement may state, for example, where records containing PHI will be stored geographically (at a principal place of business, perhaps) or in what format they will be stored (electronic files or hard copy). Security measures are also necessary (and increasingly, legally and contractually required) to prevent damage, theft, or unauthorized access to a business’s records. Implemented correctly and thoughtfully, these measures protect data confidentiality and help insulate a business from expensive risks such as litigation, monetary penalties, and reputational damage.</p>
<p><strong>Privacy and Confidentiality Are Not the End of the Records Management Journey</strong></p>
<p>Once data is collected and procedures are in place to protect it, privacy and confidentiality obligations are not over. After a business has gathered data and determined that it has business or legal value, the data is often preserved in a record. These records are subject to a variety of regulations and laws, as well as to the principles of records and information management (RIM). Depending on the record type and jurisdiction, certain records must be destroyed in a particular way (for example, by shredding). How a record must be destroyed, though, does not paint the whole picture of its retention lifecycle. A mandatory destruction requirement typically states the maximum period a record may be kept before it must be destroyed; it is a ceiling, and the record can be destroyed at any point before it. A retention requirement can also set the opposite: a floor, the minimum period a record must be kept before destruction can even be considered. A regulation may, for example, require a business to keep a given record for at least three years after a triggering event. How a record is handled, and for how long it is retained, protects the data preserved in that record.</p>
<p>Proper RIM procedures and schedules create enormous value for a business. Data management and records retention policies, when implemented correctly and thoughtfully, protect the confidentiality of retained data and insulate a business from expensive risks such as litigation, monetary penalties, or even a damaged reputation in its industry. Having a records retention schedule tailored to individual business needs that recognizes the relationship between data and records takes the guesswork out of information governance and reduces a host of risks caused by improper data management and collection.</p>
<p><strong>Conclusion</strong></p>
<p>Data is an incredibly valuable asset to any business. When a business knows what data it collects and why it’s needed, and then applies good RIM policies and procedures to that data, it will achieve better business outcomes. Information governance can ensure privacy and confidentiality when a records retention schedule is built in a way that treats records as consolidated collections of granular data points. If your organization is ready to create a record retention schedule, <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">contact Zasio today</a> to see how our innovative products and services can help meet your record-keeping and information governance needs.</p>
<p><a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_ednref1" name="_edn1" data-wpel-link="internal">[i]</a> Mike Chapple, <em>Security, Privacy and Confidentiality: What’s the Difference?</em>, EdTech (Oct. 10, 2019), <a href="https://edtechmagazine.com/higher/article/2019/10/security-privacy-and-confidentiality-whats-difference#:~:text=Confidentiality%20controls%20protect%20against%20the,maintains%20and%20shares%20with%20others" data-wpel-link="external" rel="external noopener noreferrer">https://edtechmagazine.com/higher/article/2019/10/security-privacy-and-confidentiality-whats-difference#:~:text=Confidentiality%20controls%20protect%20against%20the,maintains%20and%20shares%20with%20others</a>.</p>
<p><a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_ednref2" name="_edn2" data-wpel-link="internal">[ii]</a> <em>Id</em>.</p>
<p><a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_ednref3" name="_edn3" data-wpel-link="internal">[iii]</a> Mary T. Costigan, <em>CPRA Series: The Importance of Data Retention Schedules and Records Management, </em>The National Law Review, Dec. 29, 2020. <a href="https://www.natlawreview.com/article/cpra-series-importance-data-retention-schedules-and-records-management-policies" data-wpel-link="external" rel="external noopener noreferrer">https://www.natlawreview.com/article/cpra-series-importance-data-retention-schedules-and-records-management-policies</a>.</p>
<p><a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_ednref4" name="_edn4" data-wpel-link="internal">[iv]</a> See generally id. The California Privacy Rights Act of 2020 (CPRA) implements the GDPR’s storage limitation principle: data must be stored only as long as necessary to achieve the stated purpose for which it was collected.</p>
<p><a href="https://www.zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/#_ednref5" name="_edn5" data-wpel-link="internal">[v]</a> Sarah Rippy, <em>US State Privacy Legislation Tracker</em>, IAPP (last updated May 26, 2021), <a href="https://iapp.org/resources/article/us-state-privacy-legislation-tracker/" data-wpel-link="external" rel="external noopener noreferrer">https://iapp.org/resources/article/us-state-privacy-legislation-tracker/</a>.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/" data-wpel-link="internal">Privacy and Confidentiality — a Sound Investment for Any Business</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/privacy-and-confidentiality-a-sound-investment-for-any-business/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>CNIL Fines Google, Company Vows Appeal: Clarity, or Confusion?</title>
		<link>https://zasio.com/cnil-fines-google-company-vows-appeal/</link>
					<comments>https://zasio.com/cnil-fines-google-company-vows-appeal/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Fri, 01 Feb 2019 20:12:21 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Frank Fazzio]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Frank Fazzio]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[General Data Protection Regulation]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[privacy]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=836</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/cnil-fines-google-company-vows-appeal/" data-wpel-link="internal">CNIL Fines Google, Company Vows Appeal: Clarity, or Confusion?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">
<p>The €50 million fine levied last week by the French National Commission on Informatics and Liberty (CNIL) against Google for violations of the GDPR has struck the tech industry with a resounding thunderclap, sending shockwaves that are being felt in boardrooms across the globe. As the first significant penalty imposed against a major multinational technology company under the EU’s new GDPR regime, the hefty fine is widely viewed as a shot across the bow in the coming struggle between privacy regulators and big data aggregators about the scope of conduct that will be permitted under the new rules. While surely intended as an instructive example to set the tone of regulators’ expectations, the contours of the CNIL decision and Google’s swift pledge to appeal the ruling likely mean this event will generate as many new questions as it answers.</p>
<p>Long before the GDPR came into force last May, tech companies had been pouring tremendous resources into bringing their operations into compliance with the new requirements, and those efforts continue today. But the degree to which those requirements would be enforced and the severity of the actual penalties that would be imposed had remained hypothetical—until now.</p>
<p>In announcing the penalty, the CNIL identified two areas where Google allegedly violated GDPR requirements. In the first, the CNIL cited a “violation of the obligations of transparency and information” because the information provided by Google is not easily accessible.  Google’s data processing purposes, storage periods, and the categories of personal data can only be reached after clicking several buttons, totaling as many as five or six actions before reaching the relevant information. Furthermore, the operations are “particularly massive and intrusive” in light of the constellation of different services offered and the volume of data processed and combined.</p>
<p>In the second, the CNIL identified a “violation of the obligation to have a legal basis for ads personalization processing.” While Google does obtain users’ consent to process personal data for targeted advertisement, the CNIL alleges that the consent is “not validly obtained” because the user is not sufficiently informed and the consent is neither specific nor unambiguous. By spreading the necessary information across several documents, users struggle to understand the scope of the information processing.  While options for targeted ads can be customized through a series of check-boxes, the default state is for those boxes to be ticked “yes,” while the GDPR conversely requires an affirmative act—for instance, ticking a box that has by default been set to “no.”</p>
<p>Although this action is rightly interpreted as a warning intended to provide clarity and induce companies to take heed and make changes, it also raises a number of new questions.  And some of the largest tech industry players may find that there is no easy way to revise their products and services framework and literature to bring their operations in line with regulators’ expectations.</p>
<p>Google is by no means a small company and, while €50 million will not have a material impact on the financial condition of a company the size of Google, fines of this magnitude could threaten the survival of many smaller companies that handle personal data.</p>
<p>In addition to the threat of much higher fines, the ruling also threatens the company’s bottom line by potentially disrupting the tremendous targeted ad revenues that make up a large portion of that $110 billion in revenue.  For instance, even by just making one single alteration referenced in the CNIL’s decision—changing the default personal data sharing option to “no”—the number of users who opt to make their personal data available for processing could suffer a precipitous fall. This trend might be exacerbated once newly revised privacy disclosures lead to customers having a more complete understanding of all that is being done with their data. Armed with this knowledge, customers are more likely to opt “no” in far greater numbers.</p>
<p>Furthermore, the ruling raises important questions about what general conclusions the tech industry can draw about adequate privacy disclosures based on the deficiencies identified by the CNIL.  Are boxes ticked by default to “yes” to be prohibited in all cases, or just in this particular case? If five or six actions to access relevant privacy information is opaque, will two or three be considered transparent, or must it be one… or zero?</p>
<p>One might also wonder how it is possible for a company to offer dozens of interconnected services that share and co-mingle customers’ personal data across platforms, while at the same time making it <em>easy</em> to understand all of the purposes, uses, and retention periods for that data. Is it even possible, or is that a contradiction in terms? This conundrum could present a Gordian knot that Google and others in the tech industry may find impossible to untangle without cutting some of their current product and service offerings. The answers to these questions and many others will come into greater focus as the appeal plays out and future enforcement actions come down the pipeline. But for now, one thing is crystal clear: this ruling presents an ill omen for business models that rely on customers to swiftly click “accept” and share their personal data.</p>
<p>While the drumbeat of GDPR compliance may have become all too familiar to privacy practitioners during the past few years, the CNIL’s decision on Google underlines the reality that we are likely only just witnessing the opening act of an epic drama whose scenes will take center stage for a global audience of politicians, regulators, and tech titans for many years to come.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_0 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2023/05/Frank-01-96x96-1.png" alt="Author: Frank Fazzio, IGP, CRM" class="wp-image-1966" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Frank Fazzio, IGP, CRM</h4>
					<p class="et_pb_member_position">Analyst / Licensed Attorney</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/cnil-fines-google-company-vows-appeal/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Using Information Governance to Comply with California’s New Privacy Act</title>
		<link>https://zasio.com/using-information-governance-to-comply-with-californias-new-privacy-act/</link>
					<comments>https://zasio.com/using-information-governance-to-comply-with-californias-new-privacy-act/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 26 Jun 2018 21:13:07 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[california consumer privacy act]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[gap analysis]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[privacy law]]></category>
		<category><![CDATA[retention schedule]]></category>
		<category><![CDATA[security breach]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=893</guid>

					<description><![CDATA[<p>Data privacy continues to be a hot-button issue. Several factors contribute to the recent flurry of global legislative activity. These include rising reports of security breaches that compromise personal information, lack of visibility into what personal information is collected, and limited control for owners to determine how information is used. The United States is no exception. Due to a lack of centralized formal legislation on data privacy, efforts to change are mounted at the industry, federal, and state levels. In recent months, Louisiana, Vermont, and Colorado have passed amendments to their existing data breach and notification laws. The changes range from expanding the definition of personal information to regulating activities of data brokers. Amid these changes, a proposed initiative in California titled “The California Consumer Privacy Act of 2018” is receiving a lot of attention due to its breadth and potential impact nationwide. The California Consumer Privacy Act of 2018 was an initiative backed by privacy advocates that sought to provide consumers with visibility into and control over personal information collected and sold by businesses. The measure faced substantial opposition from the tech industry. Despite this, its supporters announced that they had received enough signatures to qualify for the November [&#8230;]</p>
<p>The post <a href="https://zasio.com/using-information-governance-to-comply-with-californias-new-privacy-act/" data-wpel-link="internal">Using Information Governance to Comply with California’s New Privacy Act</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Data privacy continues to be a hot-button issue. Several factors contribute to the recent flurry of global legislative activity. These include rising reports of security breaches that compromise personal information, lack of visibility into what personal information is collected, and limited control for owners to determine how information is used. The United States is no exception. Due to a lack of centralized formal legislation on data privacy, efforts to change are mounted at the industry, federal, and state levels.</p>
<p>In recent months, Louisiana, Vermont, and Colorado have passed amendments to their existing data breach and notification laws. The changes range from expanding the definition of personal information to regulating activities of data brokers. Amid these changes, a proposed initiative in California titled “The California Consumer Privacy Act of 2018” is receiving a lot of attention due to its breadth and potential impact nationwide.</p>
<p>The California Consumer Privacy Act of 2018 was an initiative backed by privacy advocates that sought to provide consumers with visibility into and control over personal information collected and sold by businesses. The measure faced substantial opposition from the tech industry. Despite this, its supporters announced that they had received enough signatures to qualify for the November ballot. On Thursday, June 21, 2018—before the Secretary of State completed the signature verification process—a tentative agreement was announced whereby the initiative would be withdrawn in exchange for the passage of an alternative bill, the “California Data Privacy Protection Act.” But, there is still uncertainty because both houses must pass the bill and it must be signed into law by the governor by June 28, 2018. If this deadline is not met, the initiative will move forward for vote in November.</p>
<p>While the framework of the initiative and the bill contain similarities, there are critical differences. Key changes include the:</p>
<ul>
<li>threshold for covered businesses</li>
<li>scope of personal information</li>
<li>ability to request personal information be deleted and exceptions to that right</li>
<li>opt-out and anti-retaliation provision</li>
<li>number of penalties (decrease)</li>
<li>number of exemptions (increase)</li>
</ul>
<p>While the state of privacy in California is unclear, from an information governance perspective, some universal steps can help achieve compliance. Read on to learn about a few of these steps.</p>
<p><strong>Know Your Information</strong></p>
<p>The piecemeal approach to privacy in the United States can make compliance difficult because of variances in the laws. One key difference is often in the definition of personal information (and any noted exemptions), which dictates what information the covered entity can collect, store, and use. Accordingly, it’s critical to understand the scope of coverage and then map the flow of personal information to discharge both obligations and accountability effectively.</p>
<p>In this case, because of the uncertainty of the state of the privacy law in California, the scope is undecided. However, both the initiative and the bill lay out a definition of personal information, along with exemptions based on coverage under existing laws (e.g. protected health information subject to the Health Insurance Portability and Accountability Act). This definition sets the guardrails for the personal information framework, which can be used to conduct a gap analysis for existing programs or, if initializing in response to the proposed initiative or bill, to create the foundation for a new program.</p>
<p><strong>Identify New Records</strong></p>
<p>Besides records that contain personal data, there are typically records associated with privacy-related activities. These records are not explicitly called out but are largely inferred, which leaves their exact nature and extent unique to each covered entity. Once identified, retention schedules must be assessed to find any existing record series that govern their retention, or to determine whether new record series must be created and assigned retention.</p>
<p>Consider that under both the initiative and the bill, a covered entity must respond to a “verifiable consumer request.” The steps for verification will be based on the rules and procedures as set by the Attorney General. However, this consists of either a request submitted through a password-protected account while the consumer is logged on or, where no account is maintained, a way for the covered entity to authenticate the consumer’s identity. This process is further complicated by the fact that an agent of the consumer can make a request. Consumers can even request on behalf of a minor child. Accordingly, operational records developed to comply may include procedures for how to verify consumer identity, scripts for verbal or electronic requests, the capture of the requests, and confirmation of delivery or other response, to name a few.</p>
<p>Furthermore, as these records do not have a defined retention period within the initiative or the bill, they will need to be addressed with knowledgeable stakeholders. When the operational need for retention aligns with an existing record series, it’s ideal to use the existing series. However, be mindful of those records that contain personal information before you determine the retention period. If you can’t align the retention, you might need to create a new record series.</p>
<p><strong>Identify Applicable Legal Requirements</strong></p>
<p>It is not uncommon for data privacy laws to contain exemptions from the law, or exceptions from limitations on retention, based on a general caveat (e.g. unless provided by another law). In this case, while neither the initiative nor the bill contains a specific retention period for personal information or related operational records, there are exemptions. Hence, to properly discharge its obligations, a covered entity must review these other laws to determine the scope of coverage and compliance.</p>
<p>Even where the operational records are not identified or covered, there may be other overlapping laws that define retention based on broad categories. Therefore, determine the jurisdictional scope and survey laws to ensure assigned retention or records handling processes related to personal information management are compliant.</p>
<p><strong>Timely Dispose of Personal Information</strong></p>
<p>The more personal information you manage, the more you need to track and account for. Otherwise, you might experience loss or mishandling of information, or even become a target for security breaches. To reduce exposure, monitor and audit personal information to make sure it is disposed of properly. This helps ensure information isn’t retained beyond the use for which it was collected. If subject to retention for longer based on a legal requirement, retain it for no longer than that period. Also, keep in mind that disposal applies to all copies and duplicates, regardless of format. Use a data map to understand the flow of personal information and develop a plan for disposition.</p>
<p><strong>Conclusion</strong></p>
<p>While this article focused on managing personal information, citing commonalities between the California initiative and bill, the pointers can be adapted universally in this area of law. As you identify or reassess your compliance plan, it is critical to understand the scope of personal information collected, used, and stored. Your compliance plan should be supported by good records management practices to assure that records are accounted for and timely disposed of in line with legal requirements or operational needs, with specific care to reassess the retention of those records that contain personal information. Finally, continue to monitor and audit on a regular basis to stay compliant moving into the future.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/using-information-governance-to-comply-with-californias-new-privacy-act/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Global Privacy Summit 2018</title>
		<link>https://zasio.com/iapp-global-summit-2018/</link>
					<comments>https://zasio.com/iapp-global-summit-2018/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 01 Feb 2018 21:06:11 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[Consulting]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[events]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[Global Privacy Summit]]></category>
		<category><![CDATA[IAPP]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=953</guid>

					<description><![CDATA[<p>At Zasio, we believe in continued education and innovation. We’re always looking for ways to expand what we know to better help serve our clients. This means we often take opportunities to learn from other experts in the industry. With this philosophy in mind, our Director of Consulting and General Counsel Soo Kang will be at the 2018 International Association of Privacy Professionals’ Global Privacy Summit. The conference runs March 26-28 in Washington, D.C. Interested in catching up with Soo at the conference? Just want to learn more about the GDPR and Privacy Concerns? Register today at https://iapp.org/conference/global-privacy-summit-2018/register-now/ &#160; About Soo Kang Soo Kang is the Director of the Consulting Division at Zasio. In this role, he manages a team of analysts that work closely with corporations to develop their information governance and records management programs. In addition to his role in the Consulting Division, Mr. Kang serves as General Counsel. This means he’s responsible for all legal affairs of the company. He provides strategic guidance to the senior executive team and offers legal support and solutions to the company’s internal stakeholders. Mr. Kang is licensed to practice law in the state of Idaho, a Certified Information Governance Professional, and a [&#8230;]</p>
<p>The post <a href="https://zasio.com/iapp-global-summit-2018/" data-wpel-link="internal">Global Privacy Summit 2018</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>At Zasio, we believe in continued education and innovation. We’re always looking for ways to expand what we know to better help serve our clients. This means we often take opportunities to learn from other experts in the industry. With this philosophy in mind, our Director of Consulting and General Counsel Soo Kang will be at the 2018 International Association of Privacy Professionals’ Global Privacy Summit. The conference runs March 26-28 in Washington, D.C. Interested in catching up with Soo at the conference? Just want to learn more about the GDPR and Privacy Concerns? Register today at <a href="https://iapp.org/conference/global-privacy-summit-2018/register-now/" data-wpel-link="external" rel="external noopener noreferrer">https://iapp.org/conference/global-privacy-summit-2018/register-now/</a></p>
<p><strong>About Soo Kang</strong></p>
<p>Soo Kang is the Director of the Consulting Division at Zasio. In this role, he manages a team of analysts that work closely with corporations to develop their information governance and records management programs. In addition to his role in the Consulting Division, Mr. Kang serves as General Counsel. This means he’s responsible for all legal affairs of the company. He provides strategic guidance to the senior executive team and offers legal support and solutions to the company’s internal stakeholders. Mr. Kang is licensed to practice law in the state of Idaho, a Certified Information Governance Professional, and a Certified Information Privacy Professional [with an emphasis on U.S. and European (GDPR) privacy].</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/iapp-global-summit-2018/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Impact of Personal Data on Records Management</title>
		<link>https://zasio.com/the-impact-of-personal-data-on-records-management/</link>
					<comments>https://zasio.com/the-impact-of-personal-data-on-records-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 22 May 2017 19:08:05 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[data retention]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[harmonization]]></category>
		<category><![CDATA[metadata]]></category>
		<category><![CDATA[Personally Identifiable Information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[record retention]]></category>
		<category><![CDATA[retention periods]]></category>
		<category><![CDATA[retention schedule]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=1024</guid>

					<description><![CDATA[<p>On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. The GDPR harmonizes data protection and reshapes the way businesses approach data privacy. To achieve this goal, the GDPR holds businesses accountable for how they manage personal data in a digital world. In preparation, many are evaluating current practices and planning to bring their programs into compliance to avoid strict fines and penalties. However, there are challenges aligning current practices with the Data Protection Principles set out in the GDPR. For our purposes, we’ll address the principle of “data retention periods,” which requires businesses to retain personal data only as long as necessary to achieve the purpose for which it was collected. This creates tension with the competing interests of records retention programs—where legal requirements generally set the floor—with the operational needs of the business. These operational needs often eclipse retention periods with deletion practices mandated by data protection laws that set a ceiling for retaining personal data. Accordingly, it is imperative to consider both and then effectively communicate clear guidance to employees to avoid unnecessary risk and exposure. The main policy document for managing the lifecycle of records is the retention schedule, which identifies a period [&#8230;]</p>
<p>The post <a href="https://zasio.com/the-impact-of-personal-data-on-records-management/" data-wpel-link="internal">The Impact of Personal Data on Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. The GDPR harmonizes data protection and reshapes the way businesses approach data privacy. To achieve this goal, the GDPR holds businesses accountable for how they manage personal data in a digital world. In preparation, many are evaluating current practices and planning to bring their programs into compliance to avoid strict fines and penalties. However, there are challenges aligning current practices with the Data Protection Principles set out in the GDPR.</p>
<p>For our purposes, we’ll address the principle of “data retention periods,” which requires businesses to retain personal data only as long as necessary to achieve the purpose for which it was collected. This creates tension between records retention programs, where legal requirements generally set the floor and operational needs often push retention longer, and data protection laws, which mandate deletion and so set a ceiling on how long personal data may be kept. A record can therefore satisfy the retention schedule and still violate the deletion mandate. Accordingly, it is imperative to consider both and then effectively communicate clear guidance to employees to avoid unnecessary risk and exposure.</p>
<p>The main policy document for managing the lifecycle of records is the retention schedule, which identifies a period before a record is subject to disposal. Recent trends call for a “functional” schedule, whereby records with a similar purpose are grouped together and assigned a retention period. A subset of records (<em>e.g</em>., rejected job applications) or personal data within those functional groups are subject to mandated deletion practices. Consequently, unless specifically called out, end users that abide by the retention schedule may retain personal data for longer than permitted, which exposes the corporation to liability in the form of penalties, fines, and legal action.</p>
<p>To avoid this liability, we recommend the following actions:</p>
<ul>
<li><strong>Effectively Communicate</strong>. Because the retention schedule is the primary document referenced for record retention, incorporate personal data restrictions in the published schedule. To do this, identify records and personal data subject to legal requirements, such as the GDPR and jurisdiction-specific restrictions, and assign a separate retention period to the impacted records. Alternatively, the citations specific to personal data restrictions and the records they affect can be addressed in a separate document. This is attractive because data protection restrictions often contain requirements for managing personal data and records that fall outside the scope of a retention schedule (<em>e.g.</em>, exceptions to deletion or continued retention). However, for this approach to be effective, you must take steps to ensure continuity between the retention schedule and the separate data protection document.</li>
<li><strong>Identify and Train</strong>. Whether the restrictions are incorporated into the retention schedule or kept in a separate data protection document, train employees to read and interpret that documentation and to take the actions their responsibilities require.</li>
<li><strong>Understand Data Flow</strong>. You must understand how data flows and where information is ultimately stored, with a focus on personal data. This provides insight into the applications and systems through which personal data travels, as well as the access points along the way. Understanding the data flow may also identify the subset of employees with access to personal data or affected records who need more detailed processes, training, and communications.</li>
<li><strong>Augment Metadata</strong>. You may need to add metadata fields to your information stores to capture personal data restrictions at the record level, so that affected records can be identified and are not retained longer than the law allows. For example, adding a ‘PII’ flag makes it easier to query your repositories for records that contain personal data.</li>
</ul>
<p>&nbsp;</p>
<p>The GDPR and its impending effective date bring new awareness and urgency to businesses to assess current practices. However, these restrictions account for only part of the laws that currently exist in jurisdictions inside and outside the European Union. To avoid confusion amongst the workforce, restrictions on retaining personal data must be carefully vetted against current retention practices and associated documentation. You can identify and align the competing interests where they intersect by implementing sound strategies, some of which are noted above. Failure to proactively take these steps will leave programs out of compliance and subject to severe sanctions.</p>
<p><a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today to see how our consulting services can help you stay compliant and minimize risk.</p>
<p>&nbsp;</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/the-impact-of-personal-data-on-records-management/" data-wpel-link="internal">The Impact of Personal Data on Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/the-impact-of-personal-data-on-records-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
