This document provides an overview of privacy laws and regulations. It begins with definitions of key privacy terminology. Major privacy laws and regulations discussed include the GDPR, CCPA, and various other international laws. The presentation covers data protection principles, requirements for privacy policies, considerations for businesses operating globally or collecting data from EU/UK or US residents, and next steps for compliance. It concludes with an opportunity for questions.
The VBOUT Stack (marketing automation)
• Simple interface
• Great price
• Premium support
• Built-in AI and predictive capabilities
The VBOUT Stack: 10+ core tools working together (integrates well)
1. Landing pages
2. Forms
3. Popups and site messages
4. Lead tracking
5. Automation sequences
6. Email campaigns
7. Social media listening
8. Social publishing
9. Retargeting
10. Analytics
11. Pipeline management
12. Calendar booking
Intro to speaker
Meghan Thomas, Partner & Founder, TREC Law, Atlanta, GA 30354
• Owner of a US-based boutique firm focused on compliance and specialized transactions.
• Member of the International Association of Privacy Professionals (IAPP).
• Privacy and Digital Communication Protections lecturer for the Atlanta Business Bureau.
• Prior in-house attorney for data conglomerate LexisNexis, where she led the CCPA initiative for the data contracting unit.
• Received her Doctor of Law from Emory University.
470| 610 5778 (o)
404| 957 8224 (c)
meghan@TRECLaw.com
www.TRECLaw.com
Terminology
1. Personal data—any information relating to an identified or identifiable natural person.
2. Data subject—the individual to whom the personal data relates and who can be identified, directly or indirectly, from it.
3. Controller—the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing.
4. Processor—the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The basics
• Privacy laws regulate the collection, use, and sharing of customer or consumer data.
• "Consumer data" has no single global definition, but it can be virtually any information a business tracks concerning a consumer and which is attributable to that consumer individually.
• Generally applies to information tracked through a virtual medium, but can also apply to information tracked from live (in-person) sources.
• Most readily implicated when consumer data is not volunteered: there is no implicit consent.
The basics
• Businesses are not automatically exempted from all mandates because of their size.
• Designed to prevent certain abuses in data practices.
• Applies to most companies in the digital age, because most have websites, mobile applications, social media platforms, etc., through which data about consumers is reported back to them.
• Distinct from, but overlapping with, other laws which regulate protected classes of data (such as health information or consumer credit data).
Major laws and territories
• Argentina
• Australia
• Benin Republic
• Brazil
• Canada (a recently proposed GDPR-type bill did not pass, but new proposed legislation is already being revised; PIPEDA is still in effect)
• China
• Colombia
• European Union
• United Kingdom
• Hong Kong
• New Zealand
• Nigeria
• Singapore
• South Africa
• South Korea
• Turkey
• United States – California, Colorado, Virginia
Non-compliance RISKS
• Possibility of present or future loss or damage to an organization because of a failure to comply with laws, regulations, or other applicable business standards.
• Even the appearance of non-compliance can be viewed as too risky by clients and customers.
• Globalization. Even small companies have a global reach and become subject to international regulations by making themselves available to consumers in international jurisdictions.
• Public awareness. Every time there is a major data breach, the public hears about it.
• In summary, a business could face regulatory sanctions, financial loss, and damage to reputation, market share, customer base, or contracts.
Core principles of regulation (these are the GDPR's Article 5 principles; other regimes use similar lists)
• Lawfulness, fairness and transparency.
• Purpose limitation: collect for specified, explicit purposes and disclose those purposes.
• Data minimisation: limit processing activity and data sharing to what is necessary.
• Accuracy, including of data that is shared onward.
• Storage limitation.
• Integrity and confidentiality (security).
• Accountability.
The privacy policy
• A privacy policy addresses the mandates of the various privacy regulations.
• Specifies a company's practices regarding the collection, use, and sharing of customer or consumer data.
• It is a required document for businesses which collect consumer data. Even if a business does not collect consumer data, app marketplaces (Apple's iOS App Store and some Android markets) require one.
The privacy policy
• Consumers look to privacy policies for the Double-D's: Disclosure & Deletion.
• It should be viewed as a binding, enforceable agreement, even though many consumers cannot sue for breach of contract under a privacy policy.
• Regulators may bring actions and impose penalties under privacy laws for inadequate or false disclosures in a privacy policy.
• In the US, the Federal Trade Commission also brings claims for deceptive trade practices over false disclosures in a privacy policy.
Scenario
Paul is the owner of a small bakery in the UK named Village Bakeshop. Village Bakeshop has been a favourite sandwich and hot beverage cafe for the Waverly Park community for over 20 years.
Village Bakeshop offers discount rewards to customers who drop their names and email addresses into a glass jar located by the register. Customers who provide their home addresses get a free birthday card and a coupon for a free cup of coffee sent to their home each year. Village Bakeshop does not have a website, mobile application nor any other virtual presence other than being indexed on Google. Paul stores Village Bakeshop's customer list in an Excel spreadsheet on the hard drive of his Mac.
Is Village Bakeshop subject to any privacy laws?
Is Village Bakeshop required to have a privacy policy?
Answer
Q: Is Village Bakeshop subject to any privacy laws?
A: Possibly. Businesses that "track" or "collect" information about a consumer are generally subject to privacy regulation. Paul should at least be thinking about privacy considerations. Awareness is key. (Note: a spreadsheet of names and addresses is personal data processed by automated means, so the scope of the UK regime, discussed under the EU/UK considerations later, is worth checking even without a website.)
Q: Must Village Bakeshop have a privacy policy?
A: Probably not, although it may be a good idea to have one if a customer asks. If Village Bakeshop does not track or sell any data, then it may not have anything to disclose. The data Village Bakeshop stores (name, email address and home address) is also volunteered by its customers, so, as a practical matter, Village Bakeshop already informs customers of what is collected. However, privacy laws require a full disclosure of what data is stored, and information could be captured in less obvious ways. So it may be a good idea to have an abbreviated policy.
Scenario
What if Paul learns that Village Bakeshop's customer list (name, home address and email address) could make Paul more money than selling baguettes, and he decides to monetize (sell) the list to a third party? Will Village Bakeshop need a privacy policy then?
Answer
Q: Must Village Bakeshop now have a privacy policy?
A: Yes. Privacy laws require a disclosure of what data is stored and how it is used. (Note: it does not matter that Village Bakeshop does not have a website. The point of this altered scenario is to highlight that these mandates apply regardless of a business's virtual presence. Most privacy regulations are relatively new and still developing, but the trend favours clear and transparent disclosure.)
Global considerations - EU/UK
• The GDPR became directly applicable and enforceable on 25 May 2018. In the UK the same rules continue to apply after Brexit as the UK GDPR, alongside the Data Protection Act 2018.
• Applies to the processing of personal data wholly or partly by automated means, and to processing other than by automated means where the personal data forms part of, or is intended to form part of, a filing system.
• Key exclusions include: anonymous data; data relating to deceased persons or to legal persons; personal data contained within files or sets of files which are not structured according to specific criteria; and personal data processed purely for personal or household activities.
Global considerations - EU/UK
Territory:
• Establishment test—the organisation is established in the EEA.
• Goods and services test—the organisation is not in the EEA but offers goods or services to data subjects in the EEA.
• Monitoring test—the organisation is not in the EEA but monitors the behaviour of data subjects in the EEA, as far as that behaviour takes place in the EEA.
Scenario
Peeta owns an exotic pet store in Madagascar called Peeta's Pets. Peeta's Pets ships rare birds all over the world and has a small share of the exotic bird market in Portugal.
Peeta's Pets hosts cookies on its website that give Peeta's valuable information about a customer's buying behaviour, used to determine which add-ons Peeta's should offer the site's customers.
Is Peeta's Pets subject to any privacy laws?
Is Peeta's Pets required to have a privacy policy?
Answer
Q: Is Peeta's Pets subject to any privacy laws?
A: Yes. The GDPR certainly applies: Peeta's Pets offers goods to data subjects in Portugal (goods and services test) and its cookies track their buying behaviour (monitoring test), and buying behaviour tied to an identifiable customer is a facet of personal information.
Q: Is Peeta's Pets required to have a privacy policy?
A: Yes. Peeta's Pets should disclose that it tracks buying behaviour and be specific about the type of behaviour tracked.
Global considerations - EU/UK
Must have a lawful ground to obtain and collect data. It can be:
• Performance of a contract
• Compliance with a legal obligation
• Vital interests
• Public interest
• Legitimate interests (not available to public authorities in the performance of their tasks)
• Consent
Global considerations - EU/UK
• Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes.
• Silence, pre-ticked boxes or inactivity do not establish consent.
• Withdrawing consent must be as easy as giving it.
• Explicit consent is needed for special category personal data (an overlap with other data laws).
• Parental consent is required for children (under the GDPR, for online services offered directly to a child under 16, an age member states may lower to no less than 13). Content must be understandable by children under the transparency requirements.
Scenario
Marta-Hannah has a brick-and-mortar clothing store in France where she sells trendy fast fashion to today's youth. She calls her store MH.
MH also has an online storefront where customers can order online and have products shipped directly to them. However, MH considers itself a great respecter of privacy: no consumer data is collected online, nor does MH use cookies on its site. While in-store, though, MH uses micro laser technology to track the movement of its customers from fashion collection to fashion collection, to gauge customer interest in certain product lines and then to offer discounts in those areas.
Is MH subject to any privacy laws?
Is MH required to have a privacy policy?
Answer
Q: Is MH subject to any privacy laws?
A: Yes. The GDPR certainly applies: MH is established in France (establishment test), and the GDPR applies to businesses which track data that tells them something about a consumer, whether or not it is collected online. Note: "consumer" is not limited to customers. In 2020 the Hamburg data protection authority fined H&M €35.3m for unlawfully surveilling employees at its Nuremberg service centre, compiling extensive records of their private circumstances without disclosure or a lawful purpose, in violation of the GDPR.
Q: Is MH required to have a privacy policy?
A: Definitely.
Global considerations - EU/UK
Pseudonymizing is key:
• Pseudonymized data is personal data that can no longer be attributed to a specific data subject without the use of additional information, provided that additional information is kept separately and safeguarded with technical and organizational measures.
• Helps to reduce risks to data subjects.
• Pseudonymized data is still personal data and remains within the GDPR; the GDPR does not apply to truly anonymous data.
Transfers outside of the EU or UK:
• Appropriate safeguards, e.g. standard contractual clauses (model contract clauses).
• Derogations, e.g. explicit consent, or necessity for the performance of the contract.
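The pseudonymization point above turns on one engineering detail: the working copy of the data must carry no direct identifier, and whatever lets you get back to the person (a key, a lookup table) must be stored and access-controlled separately. The following is an added example written for this page, not code from the deck or from TREC Law. It pseudonymizes a constructed customer list (all names, e-mail addresses and amounts are invented sample data) with a keyed HMAC, keeps the re-identification table apart from the working copy, shows aggregation as the contrasting anonymous output, and demonstrates why a bare hash of the e-mail address is not an adequate substitute.

```python
# Added illustration (not the deck's own code): pseudonymising a customer list
# so the working copy carries no direct identifiers while the key and the
# re-identification table are kept separately. All customers, e-mail addresses
# and amounts below are constructed sample data.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]

# Constructed sample rows, as a small shop might keep them in a spreadsheet.
CUSTOMERS: List[Record] = [
    {"name": "Ada Example", "email": "Ada@Example.test", "town": "Waverly Park", "spend": "12.50"},
    {"name": "Ben Sample", "email": "ben@example.test", "town": "Waverly Park", "spend": "7.25"},
    {"name": "Cy Mock", "email": "cy@example.test", "town": "Riverside", "spend": "20.00"},
    {"name": "Ada Example", "email": "ada@example.test", "town": "Waverly Park", "spend": "3.00"},
]


def make_key() -> bytes:
    """Secret pseudonymisation key. Like the lookup table, it is the 'additional
    information' that must live apart from the pseudonymised working copy."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> bytes:
    """Canonical form so 'Ada@Example.test' and 'ada@example.test' map to one token."""
    return identifier.strip().lower().encode("utf-8")


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed HMAC-SHA256 token: deterministic (rows for one person still link),
    but not reversible and not recomputable by anyone without the key."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()[:16]


def pseudonymise(key: bytes, records: List[Record]) -> Tuple[List[Record], Dict[str, Record]]:
    """Split the list into a working copy without name/e-mail and a separate
    re-identification table keyed by token."""
    working: List[Record] = []
    lookup: Dict[str, Record] = {}
    for r in records:
        token = pseudonym(key, r["email"])
        lookup[token] = {"name": r["name"], "email": normalise(r["email"]).decode("utf-8")}
        working.append({"id": token, "town": r["town"], "spend": r["spend"]})
    return working, lookup


def reidentify(lookup: Dict[str, Record], token: str) -> Optional[Record]:
    """Only whoever holds the separately stored table can get back to a person."""
    return lookup.get(token)


def anonymise(records: List[Record]) -> Dict[str, float]:
    """Contrast: aggregation keeps no per-person row at all (total spend per town),
    the kind of output that can fall outside the GDPR as anonymous data."""
    totals: Dict[str, float] = {}
    for r in records:
        totals[r["town"]] = round(totals.get(r["town"], 0.0) + float(r["spend"]), 2)
    return totals


def unkeyed_token(identifier: str) -> str:
    """A bare hash of the e-mail: a common but weak substitute for pseudonymisation."""
    return hashlib.sha256(normalise(identifier)).hexdigest()[:16]


def guess_from_candidates(token_of: Callable[[str], str], candidates: List[str], target: str) -> Optional[str]:
    """Dictionary attack: recompute tokens for likely identifiers and match."""
    for c in candidates:
        if token_of(c) == target:
            return c
    return None


def attacker_token(identifier: str) -> str:
    """What an attacker can compute for the keyed scheme: HMAC under a key they
    guessed, because the real key is held separately."""
    return pseudonym(secrets.token_bytes(32), identifier)


if __name__ == "__main__":
    key = make_key()
    working, table = pseudonymise(key, CUSTOMERS)
    print(working)                                   # no names or e-mails in the working copy
    print(reidentify(table, working[0]["id"]))       # only with the separate table
    print(anonymise(CUSTOMERS))                      # aggregate, no per-person rows
    emails = [r["email"] for r in CUSTOMERS]
    print(guess_from_candidates(unkeyed_token, emails, unkeyed_token("ada@example.test")))  # recovered
    print(guess_from_candidates(attacker_token, emails, working[0]["id"]))                  # None
```

The dictionary attack at the end is the reason to use a keyed construction: e-mail addresses and names are low-entropy, so sha256(email) can be reversed by anyone who can enumerate plausible addresses, which means the "pseudonymised" file is still directly identifying. With the HMAC key held in a separate system (a secrets manager or a file only the re-identification role can read) and the lookup table stored apart from the analytics copy, the working copy on its own no longer attributes records to a person, which is the condition the definition above sets.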
Global considerations - US
• The Federal Trade Commission Act (FTCA) prohibits unfair and deceptive trade practices, and the FTC has taken the position that using or disseminating personal information in a manner different from what a posted privacy policy states is a deceptive trade practice.
• California law requires the operator of a commercial website or online service that collects PII about a California resident to post a privacy policy. (The posting requirement itself comes from the California Online Privacy Protection Act, CalOPPA; the California Consumer Privacy Act, CCPA, adds further disclosure requirements on top of it.)
• Virginia and Colorado have more lax privacy mandates which mostly only affect certain types of businesses.
Global considerations – US CCPA
• Modelled after essential elements of the GDPR.
• Requires a substantial privacy policy.
• Requires the privacy policy to disclose the business's practices regarding information collected online or offline, in any format, and from any source.
• Together with CalOPPA, requires the operator of a commercial website or online service that collects PII about a California resident to do the following:
Identify the categories of PII it collects and the categories of third parties with whom it shares such information;
Describe how a site visitor can access and change information previously submitted;
Describe how the operator responds to do-not-track signals from a user's browser; and
Disclose whether it permits third parties to collect information about site visitors' online activities over time and across other websites.
Scenario
Remember Paul and the Village Bakeshop from earlier? Paul, tired of the mundane, decides to take Village Bakeshop international instead of only having the Waverly Park store.
Paul opens a new location in Las Vegas, Nevada, just outside the sunny US state of California. Paul gets many customers from California who leave their email addresses and home mailing addresses in the glass jar. Although it seems like Paul has taken Village Bakeshop (VBS) into the twenty-first century, it still does not have a website, mobile application nor any other virtual presence other than being indexed on Google.
Does Village Bakeshop need a privacy policy which addresses the special requirements of California law?
Answer
Q: Does Village Bakeshop need a privacy policy which addresses the special requirements of California law?
A: Probably not, although it may be a good idea to have one if a customer asks. The standards of California's CCPA are taken from various portions of the GDPR; think of the CCPA as a mini GDPR. So if Village Bakeshop has a privacy policy for GDPR purposes, it makes sense to have it updated for CCPA requirements in case Paul wants to expand his enterprise. A good privacy policy will provide enough bandwidth for a business to grow with it and not need constant updates.
Note: it does not matter for this example that Village Bakeshop is not located in California, as the CCPA applies to businesses that collect information from California residents. (The CCPA does, however, only reach for-profit businesses above its size thresholds, set by annual revenue, the volume of consumers' personal information handled, or the share of revenue derived from selling personal information, which a single bakery is unlikely to meet.)
Review
The GDPR applies to your business if your business:
• Handles personal data (most companies handle a component of personal data today); and
• Is established in the EU, offers goods or services to individuals in the EU, or monitors their behaviour there.
The CCPA applies to your business if your business:
• Handles personal data (most companies handle a component of personal data today), whether obtained online or offline;
• From individuals in the State of California; and
• Meets one of the CCPA's size thresholds.
Next steps
• Make sure the decision makers, key people in your organization and your employees are aware of the extensive obligations imposed by the data protection regime.
• Ensure regular briefings and updates on the organization's compliance with privacy regulations, so that they are aware of areas that require further work.
• Deliver staff training if necessary.
• Record:
What personal data you hold;
What is done with that data, where and on what basis; and
What data subjects are told about the data stored.
42. QUESTIONS!