SafeGuard Privacy Partners with Third Party to Certify Customers’ Privacy Bona Fides
Now that adtech companies, data providers, brands, and publishers view a data privacy strategy as indispensable, every company in the digital media space seems to have slapped “privacy-safe” onto its website. But how can anyone tell who has really taken the necessary steps to protect consumer privacy?
SafeGuard Privacy believes it has an answer. The privacy compliance company is partnering with the non-profit privacy organization BBB National Programs to vet its customers for California Privacy Rights Act compliance. “Once compliance is confirmed, companies will receive a verification seal from BBB National Programs that they can display on their websites and materials,” a release says.
Street Fight checked in with Wayne Matus, co-founder, general counsel, and EVP at SafeGuard, to learn more about the move and how companies are approaching CPRA compliance.
What do most companies struggle most with when it comes to CPRA compliance?
The CPRA and its new proposed regulations add a level of administrative complexity and new compliance obligations. The administrative complexity comes from the sheer number of new requirements and the difficulty of keeping track of each.
The new compliance obligations arise from a new category of protections for sensitive data, new contract requirements for service providers, third parties, a new category of “contractors,” restrictions on not just the sale but also the sharing of personal information, and a new right for the consumer to correct incorrect data.
Also very significant are new audit and risk assessment requirements for companies and their counterparties. Most companies are not ready for risk assessments and audits.
Do preparedness challenges differ much across brands, publishers, and tech/data companies?
The obligations vary depending upon whether the business is considered a “business,” “service provider,” “contractor” or “third-party,” or falls into more than one category. If you simply use data given to you by another entity at their direction, you have one set of obligations. If you then sell or share that data, you have additional obligations. If you determine how the data is used, you may have yet other obligations.
How does SafeGuard Privacy help companies get CPRA-compliant?
We help companies determine which rules apply to their business and what they need to do to comply with those rules. Using a series of carefully designed questions, we enable a company to focus on exactly what they need to be compliant with and then explain what they need to do to be compliant.
We also help companies address their responsibilities with other companies with which they sell or share data.
I think a lot of journalists and privacy advocates are skeptical of the now-common industry term “privacy-safe.” It seems like every adtech company now calls itself or its solutions privacy-safe. I imagine you view the BBB audit as part of the solution to that problem? That is, getting BBB certified is a way to show that companies that use SafeGuard are actually privacy-safe.
Self-certification under the CPRA has limited value, if any. To meet the requirement to perform a risk assessment, a business needs to consider its data use and the security of its vendors. It is highly doubtful that a business that receives a self-assessment from its vendor will be able to use a regulator’s standard for a risk assessment. Some level of due diligence is required, and taking someone’s word for their compliance is not due diligence. The audit requirement is even more strenuous, and a self-assessment is not an audit.
Having a reputable third party’s certification should, however, meet these obligations in most circumstances. One should not forget potential third-party liability and fines. Getting a third-party attestation will go a long way toward mitigating a fine and would provide a jury with a reason to believe that your company is not responsible for the misconduct of a counterparty.