
Privacy and security are quickly becoming top concerns in ecommerce. Its growing popularity has attracted unwanted attention from cybercriminals. In fact, a study by Trustwave claims that the ecommerce industry was the second most targeted sector for cyberattacks in the past year.

Many malicious third-party organizations are after the myriad of data found in your system. This includes customer personal information, bank and card details, and more, leaving both your consumers and business vulnerable to fraud, scams, hacking, and identity theft. Your best protection from such attacks would be proper knowledge and precaution against the different types of threats in ecommerce.

With that, here are some ways data privacy will reshape ecommerce in the years to come.

1. Increase in privacy regulations

Different parts of the world are starting to take data privacy seriously. The European Union, for one, has introduced the General Data Privacy Regulation (GDPR). Some parts of the U.S. have also adopted their own privacy regulations like the California Consumer Privacy Act (CCPA).

As security breaches continue to rise, other countries are seeing the need to implement their own laws as well. Currently, over 25 states in the U.S. are in the process of refining and executing their own consumer protection standards. In fact, 132 out of 194 countries have already put legislation in place for the protection of data and privacy.

2. Rise of data portability

Data ownership and control often fall in the hands of businesses. However, more and more consumers are demanding that they, too, should have a say over their own data. As a result, the concept of data portability might soon become a reality in the next few years.

Through data portability, consumers can obtain and reuse their personal data for their own purposes across different services. In short, they have full control over their data. They can decide when, where, and how they will use it. Likewise, it gives them the power to delete and curate the data they give away. This shift in data ownership can change the way ecommerce businesses promote their brand, products, and services to their customers.

3. Demands for data transparency

Ecommerce security breaches can strain the relationship between consumers and businesses. To win back their trust, businesses must find a way to become more open and transparent about the data they collect and the types of ecommerce security and privacy protection they can provide.

The demand for data transparency is rising. Some governments are even pushing for it in their privacy regulations. Consumers want to know what type of information they are sharing, how it is used by brands, and their impact on their privacy. If done correctly, businesses will not only gain their customers’ trust but their loyalty as well.

4. Tightened security in ecommerce platforms

Technological innovations are always around the corner. There is always something new in the ecommerce industry, such as new platforms, channels, and tools. It also means that more solutions to ecommerce threats will become accessible to online brands in the coming years.

Nowadays, there is a steady rise in smarter data protection solutions for ecommerce platforms. Privacy software solutions like Secuvy are powered by artificial intelligence for better data governance, risk assessment, classification, security, and reporting.

Aside from solutions, many brands are also innovating their processes to protect their consumers’ privacy. For one, Apple offers users an option to hide their personal email address whenever they create an account in an app or website.

5. Personalization will find a way

Data collection is essential in creating a personalized experience for your consumers. However, the emerging privacy standards across the world might make it more difficult for ecommerce companies to do so.

Nonetheless, many believe that personalization is here to stay in the coming years. While most regulations make it easier for consumers to opt out of having their data collected, that does not mean companies can no longer personalize. In fact, most markets will focus on improving personalization alongside data security and privacy. They can do this by leveraging data analytics software to better understand consumer behaviors and demands.

Securing the future of ecommerce

The threats to data security and privacy in ecommerce are not going away anytime soon. Your business needs protection from ecommerce threats. With each new technology and innovation, there are new ways for hackers to take advantage of loopholes in the digital space. It is high time you start prioritizing data security and privacy for both your consumers and your business.

As business owners, you must be prepared for what the future might bring. New privacy laws are emerging, demanding that you provide better protection for your consumers. While these privacy laws might pose a challenge for your business when it comes to data collection and personalization, they might prove beneficial not only to your customers but to you as well in the future.

January 4, 2021

Five Privacy trends to watch in 2021

December 30, 2020

India Data Privacy law.

December 14, 2020

Cross Country Data Transfers

December 5, 2020

While Californian businesses are still coping with becoming compliant with the California Consumer Privacy Act (CCPA), the government has implemented another privacy law – the California Privacy Rights Act (CPRA). This new law is said to be the strictest privacy law the state has seen to date. Does this mean more work and stricter compliance requirements for organisations dealing with personal data in California? What happens to the CCPA? How do the two laws compare? Let’s find out.

Decoding the CPRA – What Makes it the Ultimate Privacy Law?

To begin with, we need to understand that the CPRA is not a different law; it is an extension of the CCPA, which aims to introduce stronger consumer protection practices and clarify some aspects of the law that were unclear for organisations. The CCPA was designed with a less restrictive approach. The absence of certain consumer rights in the law bothered some privacy advocates, which led to the introduction of the CPRA. The idea was to supplement the privacy protections found in the CCPA and address issues within the existing law.

The CPRA provides for the creation of a new government agency to handle the compliance and enforcement of the new privacy regulations. It also means companies will now be responsible for any action other companies take using the personal data of California residents that was collected by the former and shared with the latter. It would not be wrong to say that California will see more compliant businesses in the near future, along with stricter enforcement penalties.

CCPA Vs CPRA – How Do the Two Compare?

Even though the CPRA is an expansion of the CCPA, the two do have some definitive distinctions. Let’s look at those in detail.

Scope

Under CCPA, the following three thresholds determine if a for-profit entity is a business –

  • Has $25M+ revenue.
  • Collects personal information from more than 50,000 consumers, households, or devices.
  • More than half of revenue is from third-party disclosure of personal information.

Under the CPRA, the revised threshold for collection of personal data will be 100,000 consumers. The idea is to target large corporations and take the burden off smaller organisations. The CPRA also provides for a new ‘business’ category, which includes entities that voluntarily certify to the California Privacy Protection Agency, the CPRA’s enforcement agency. Thanks to this provision, small businesses that otherwise don’t fall under the scope of the CPRA can self-certify to align with the law and use it as a business differentiator.

Sensitive Personal Information

The classification of personal information differs between the CCPA and the CPRA. While under the CCPA indirect and direct identifiers, geolocation data, biometric data, sensitive information, and internet activity are classified as personal information, the CPRA categorizes all of these as ‘sensitive personal information’. This sensitive information is subject to stricter privacy requirements under the CPRA. For instance, consumers have the right to limit the processing of sensitive personal information, and organisations must provide consumers with a link to ‘Limit the Use of My Sensitive Personal Information’. Besides, organisations cannot use sensitive personal information for any purpose other than providing the requested good or service, unless the consumer has consented.

Enforcement Agency

Under the CPRA, there is a provision for a new enforcement agency – the California Privacy Protection Agency (CPPA) – that will have the power to audit privacy practices of covered entities and issue new regulations. Currently, the California Attorney General regulates the CCPA.

Penalties for the Violation of Minors’ Personal Information

The CCPA provides for a fine of $2500 per violation for violations involving the personal information of minors – the same as the penalty charged for violations involving adults’ personal information. Under the CPRA, this fine is set at $7500 per violation.

Private Right of Action

The CCPA allows consumers to take civil action when their personal information is subject to unauthorized access, theft, or disclosure. Under the CPRA, this private right of action is strengthened with a provision for statutory damages for any breach that falls within the confines of California law. There is no change in the proposed fine of $750 per consumer for damages.

Cure Period

The CPRA eliminates the 30-day ‘cure’ period that the CCPA provided before any action could be pursued on an alleged non-compliance violation. This is because, according to the CPRA, implementing and maintaining reasonable security procedures and practices after a breach is not a sufficient remedy.

Definition of Sale

The CCPA mandates that organisations provide consumers with certain disclosures and the right to opt out of the ‘sale’ of their personal data whenever they ‘sell’ consumers’ personal data. The CPRA provides more clarity on this point. It empowers consumers by also giving them the ability to opt out of the ‘sharing’ of personal information with third parties. In addition, under the CPRA, companies running targeted advertising campaigns will need to place a link titled “Do Not Sell or Share My Personal Information” on their website.

Consumer Privacy Rights

Right to Access Personal Information: While under the CCPA organisations were required to share with consumers their information from the preceding 12 months, under the CPRA they are required to provide consumers access to their information from beyond 12 months, unless doing so is impossible or would require disproportionate effort on the part of the organisation.

Right to Delete Personal Information: This right remains the same under the CPRA – businesses must delete consumers’ personal information, and direct their service providers to do the same, as and when requested.

In addition to the above, the CPRA introduces a few new consumer rights. These are as follows –

Right to Information about Automated Decision-Making: Consumers have the right to opt out of the use of automated decision-making technology and profiling by a business.

Right to Correct: Under CPRA consumers have the right to correct inaccurate personal information stored by a business. Upon receiving a correction request, businesses must use “commercially reasonable efforts” to correct the inaccurate personal information.

Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can ask businesses to limit how they use and/or disclose their sensitive personal information. This means businesses can only use consumers’ sensitive personal information in the way they have consented to.

How Can You Prepare for the CPRA?

The CPRA gives consumers greater rights over their personal data and its use, while modifying enforcement provisions and introducing many more requirements, obligations, and uncertainties for organisations. Achieving compliance might be a completely different feat now. However, the good news is that the CPRA will officially take effect only two years from now. This gives organisations time to prepare for compliance. Here are a few things you can consider doing to become compliant in the future –

  1. Take stock of your current privacy program and identify any gaps. With the CPRA being one of the strictest privacy laws out there, performing a privacy assessment and understanding the maturity of your current program is a great first step toward compliance.
  2. Determine whether you fall within the scope of the CPRA by reassessing the applicability of the CCPA. The CCPA covers organisations that collect the personal data of more than 50,000 consumers, households, or devices; the CPRA raises that threshold to 100,000.
  3. Rethink your data mappings and data inventories. Identify how your organisation collects, uses, stores, and transfers consumer data. While performing this analysis, keep your focus on sensitive information (as defined by the CPRA), business-to-business data, employee data, and data flows to and from third-party vendors.
  4. Stay up to date with developments around the CPRA. Staying on top of developments will help you prepare better.

Further, keep building on your compliance program to ensure that you have proper procedures and policies in place to comply with the CPRA. These practices will strengthen your existing privacy program and streamline compliance with the CPRA.

November 7, 2020

The long-awaited New Zealand Privacy Bill, which amends the Privacy Act 1993, finally got the green light in Parliament in June this year. The amendments come into effect on 1st December 2020 and are expected to bring about some of the most significant changes to New Zealand privacy law to date.

These changes come at an exciting time, when the global data protection landscape is witnessing significant disruption. With ever-growing cyber threats and intense media attention on data breaches, cybersecurity and data protection are getting major attention from businesses across the globe.

Given how the changes introduced by this act can transform New Zealand data privacy law, it is important to understand them in detail.

Significant Reforms Listed in the Updated NZ Data Privacy Law

International Data Flow

The New Zealand Privacy Act 2020 restricts disclosure of personal data outside New Zealand without prior authorization from the relevant individuals. In the case of any offshore data transfer, the disclosing party must ensure that the information is protected by safeguards comparable to New Zealand’s privacy laws.

Some ways organisations can become compliant with this update include –

  • imposing contractual data protection obligations on the recipient comparable to the protections in the Privacy Act; or
  • ensuring the recipient is subject to laws of another jurisdiction that provide comparable protection to the Privacy Act (countries can be ‘whitelisted’ in regulations, which will have a similar effect to a GDPR adequacy decision)

However, this update comes with an exception – if the personal information is transferred to an offshore data processor (rather than disclosed to a third party), it does not constitute an overseas disclosure.

Mandatory Data Breach Reporting

This is an international best practice that has now been incorporated into New Zealand data privacy law. According to the new update, if a data breach causes or is likely to cause serious harm to the individuals involved, the responsible organisation must inform the Privacy Commissioner and the affected individuals. The act also lists some factors for assessing the harm done by a breach –

  1. any action taken to reduce the risk of harm following the breach;
  2. whether the personal information is sensitive in nature;
  3. the nature of the harm that may be caused to affected individuals;
  4. who obtained (or could obtain) the personal information as a result of the breach (if known); and
  5. whether the personal information is protected by a security measure.

Again, there is an exception to this amendment. The update lists a few circumstances in which companies may delay notifying individuals, or not notify them at all, in the case of a breach. Here is one instance described by the Justice Committee following its review of an earlier draft of the amendments: if an organisation’s security systems were shown to be vulnerable as a result of a privacy breach, notification could risk wider exploitation of the vulnerability and should be delayed to prevent the risk of more harm (though the Privacy Commissioner would still need to be notified).

The Committee made clear, however, that protecting an organisation’s reputation is not a good enough reason to delay notifying the affected parties.

Extraterritorial Scope

The Privacy Act explicitly states that it applies to any actions an overseas organisation takes while carrying on business in New Zealand, irrespective of where the information was collected or where the data subject is from. An organisation is considered to be carrying on business in New Zealand if it earns money in exchange for goods or services, or makes a profit from its business there.

Fines and Penalties: New Zealand Privacy Act 2020

The 2020 update of the NZ Privacy Act states that if an organisation fails to comply with the law or misleads another organisation or individual in a way that affects personal information, it can be fined up to $10,000. While some may argue that this financial penalty isn’t enough, it is the potential damage to an organisation’s reputation that should concern those who are non-compliant. This is best understood in the words of John Edwards, New Zealand’s Privacy Commissioner: “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy.”

For help with privacy data risks, please reach out via Secuvy’s Demo Page or email us at info@secuvy.com.

October 11, 2020

In September 2020, Brazil finally implemented its General Data Protection Law, or Lei Geral de Proteção de Dados (LGPD). While Brazil already has 40 sectoral privacy laws at the federal level, this is the first law to provide the legal bases that authorize the use of personal data in the country.

The Brazil LGPD comprises 65 articles that lay down the requirements companies incorporated or trading within the country must comply with when they use the information of Brazilian nationals. Organisations that fail to follow the terms of the law are liable for a fine of 2% of their sales revenue, up to 50 million Brazilian reais (about USD 12 million).

Understanding the Scope and Jurisdiction of Brazil Data Privacy Law

The LGPD applies to organisations of all sizes operating or incorporated in Brazil. The few exceptions listed in the law in terms of scope include cases where data is collected exclusively for journalistic, artistic, or academic purposes, or for public safety and national defense. As for jurisdiction, the law provides for extraterritorial reach. According to Article 3 of the LGPD, any data collected or processed within the country, or for the purpose of offering goods or services in the country, is subject to the law. Since the law applies if any one of these conditions is met, the location of the organisation becomes irrelevant when we talk about the jurisdiction of this privacy law.

Explained: The Provision of Data Processing Under Brazil LGPD

Data processing under the Brazil LGPD works in a similar fashion to the EU GDPR. Data processing is defined as any use of data, such as the collection, classification, processing, storage, sharing, transfer, or elimination of personal data. According to the law, data processing entails three major roles – the operator, the controller, and the officer. Here is a closer look at the roles as defined under the law –

The Controller – responsible for determining the relevant data processing policies and creating the associated guidelines.

The Operator – ensures that the guidelines set by the controller are executed.

The Officer – bridges the gap between the controller, the data owner or subject, and the government agency or authority.

Under Article 7, the LGPD lists 10 lawful bases for data processing. They are:

  1. To comply with a legal or regulatory obligation of the controller;
  2. With the consent of the data subject;
  3. To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
  4. To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
  5. To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
  6. To exercise rights in judicial, administrative or arbitration procedures;
  7. To protect health, in a procedure carried out by health professionals or by health entities;
  8. To protect the life or physical safety of the data subject or a third party;
  9. To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
  10. To protect credit (referring to a credit score).

Other Key Enforcements Under the Brazil LGPD – A Breakdown

Just like the processing of personal data, the GDPR and the Brazil LGPD agree on some other basics of data privacy. However, this doesn’t mean that the two laws have no differences. Let’s look at some of the key provisions of the Brazil privacy law to understand it better.

Definition of Personal Data – Just as in the GDPR, the definition of personal data is not singular. The Brazil data privacy law clearly states that personal data can mean any data – on its own or combined with other data – that identifies a natural person or subjects them to a specific treatment.

Data Subject Rights – While the GDPR defines 8 fundamental rights for data subjects, the Brazil LGPD has 9. However, almost all of these 9 rights touch upon the same principles as the subject rights defined in the GDPR. Here are the data subject rights under the Brazil LGPD –

  1. The right to confirmation of the existence of the processing;
  2. The right to access the data;
  3. The right to correct incomplete, inaccurate or out-of-date data;
  4. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
  5. The right to the portability of data to another service or product provider, by means of an express request;
  6. The right to delete personal data processed with the consent of the data subject;
  7. The right to information about public and private entities with which the controller has shared data;
  8. The right to information about the possibility of denying consent and the consequences of such denial; and
  9. The right to revoke consent.

Data Protection Officer

This provision sets the Brazil LGPD apart from other international data privacy laws. As stated under Executive Order no. 869/18, the DPO that each organisation is required to appoint need not be a natural person. It could also be a committee, company, or internal group. Alternatively, an organisation may even outsource the position to a third party, such as a specialized privacy-as-a-service company or a law firm.

How Can Secuvy Help You?

Secuvy’s AI-powered Privacy Platform offers easy guidance to help you comply with the LGPD. Our privacy engineering and governance solutions evaluate your privacy data posture, identify the risks attached to sensitive data, and notify you of remediation steps.

Secuvy provides detailed classification, analysis, and reporting of the associated risks across the data lifecycle, including any gaps found and compliance with the LGPD. Fast-track and automate your LGPD program using Secuvy’s privacy solutions. Please email us at info@secuvy.ai for a free evaluation.

September 20, 2020

Regulation: GDPR vs. CCPA

Enforcement Date
  GDPR: May 25th, 2018
  CCPA: Jan 1st, 2020

Who needs to comply
  GDPR: Any business that collects or processes the data of EU citizens and residents
  CCPA: Any business storing or processing California residents’ information

Penalties
  GDPR: Up to 4% of the company’s annual gross revenue or 20M euros
  CCPA: $7500 per incident, per person

Opt-out Right for Personal Information Sale
  GDPR: Does not include a specific right to opt out of personal data sales
  CCPA: Must include a “Do not sell my personal information” link in a clear and conspicuous location on the website homepage. Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out

Children
  GDPR: Default age for consent is 16, although individual member state law may lower the age to no lower than 13
  CCPA: Children aged 13-16 can directly provide consent. Children under 13 require parental consent. The Children’s Online Privacy Protection Act (COPPA) still applies on top of the CCPA’s requirements

Right to Disclosure
  GDPR: Data subjects have a right to access their personal data, including receiving a copy and obtaining certain information about the data controller’s processing
  CCPA: Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its purposes of use, including any third parties with which it shares information

Right to Deletion/Erasure
  GDPR: Data subjects have the right to request erasure of personal data
  CCPA: A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions

Right to Restrict Processing
  GDPR: Right to restrict processing of personal data, under certain circumstances
  CCPA: None, other than the right to opt out of personal information sales

August 2, 2020

List of Global Privacy Laws

  • European Union
    General Data Protection Regulation (GDPR)
  • US
    California Consumer Privacy Act (CCPA)
  • Canada
    Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Brazil
    General Data Privacy Law (LGPD)
  • Argentina
    Personal Data Protection (PDP)
  • Senegal
    Data Protection Act (DPA)
  • South Africa
    Protection of Personal Information Act (POPI)
  • India
    Personal Data Protection Bill (PDPB) – proposed
  • China
    Cyber Security Law
  • Australia
    The Privacy Act 1988
  • Philippines
    Data Privacy Act of 2012
  • Kenya
    Data Protection Law 2019

May 2, 2020

The California Consumer Privacy Act (CCPA) came into effect on Jan 1st, 2020. In this blog post, we will talk about the history of the CCPA and how the CCPA applies to your business.

What is CCPA?

The CCPA applies to any global business, including any for-profit entity that collects consumers’ personal data, that does business in California and satisfies at least one of the following thresholds:

  1. Has $25 million or more in annual revenue; or
  2. Possesses the personal data of more than 50,000 “consumers, households, or devices”; or
  3. Earns more than half of its annual revenue from selling consumers’ personal data.

CCPA History

For two years (2016-2018), Alastair Mactaggart, a real estate developer, created and led a ballot initiative for a privacy law that led to the CCPA (Assembly Bill (AB) 375). On June 28th, 2018, the governor of California signed AB 375 into law, establishing the most extensive consumer privacy legislation ever passed in the United States.

Timeline:

June 28th, 2018 – AB 375 signed into law
September 23rd, 2018 – Senate Bill No. 1121 signed into law, modifying the CCPA
October 10th, 2019 – California Attorney General released the proposed text for CCPA regulations
October 11th, 2019 – California Governor signs CCPA amendments into law
January 1st, 2020 – CCPA goes into effect
July 1st, 2020 – Enforcement begins

California Residents Rights under CCPA

The CCPA grants California residents, as consumers, specific rights regarding the personal information businesses maintain about them. If you are a California resident, you have the right to request that a business inform you about its processing activities with respect to your personal information, to have your personal information deleted, and to opt out of the sale of your personal information.

Summary

Companies preparing for the CCPA, or planning to implement it, must remember that a privacy program needs to adapt and change according to the applicable privacy law. If you are looking to build a privacy program, it’s not too late to start preparing for CCPA compliance. To request a CCPA privacy software demo, email us at info@secuvy.com or visit Secuvy.ai.

April 2, 2020