Overview

The last several years have been very active on the consumer data protection front. Most recently, you may have noticed a flurry of privacy policy updates at the end of 2019 from websites related to the California Consumer Privacy Act (CCPA). In 2018, it was the General Data Protection Regulation in the European Union that had all the headlines.

Add to that the Telephone Consumer Protection Act (TCPA), which creates challenges for research via cell phones in particular, and rules around pharma in some cases (mainly around whether you’re allowed to incentivize doctors to participate in research), and our operating environment seems to get more complex by the day.

All of these regulations, as well as smaller or state-specific rules, have had significant ripple effects. Even if you don’t think you do business within these geographic boundaries, you are likely impacted by their reach. Even in our home state of Colorado, we have had new laws surrounding consumer data.

The challenges

While any mandated change and increased regulation can cause businesses headaches, perhaps the more overarching challenge here has been the multiple frameworks and rules that businesses must comply with. There are efforts to push for a national regulation in the United States, but we are likely years away from one coming to fruition. In the meantime, we must stay informed about the different regulations and to whom and where they apply.

Despite the challenges, Corona is not against these steps and believes consumers should have greater awareness of, and control over, their personal data.

How is Corona addressing these challenges?

For our own work, these challenges are surmountable. They can often slow things down, especially with up-front data transfer agreements and so on, but stopping to think about what data you need, and how it is transferred and stored, as well as other measures, is not necessarily a bad thing. As businesses get more comfortable with the new regulations, we feel this process will become quicker and not generally slow things down.

For our part, we regularly revisit our own privacy policy, client agreements, and technology security, in addition to general monitoring of laws and regulations.

Additionally, beyond complying with the laws and regulations, we strive to:

  • Only request data we actually need. It’s common, and tempting, to just request everything when transferring member, customer, or other personal data. When working with a client, we only want the data we’ll need. For instance, this may only be name and basic contact information. If we don’t need their entire account history, then we don’t want it. And if we only need a random subset of their database, we can work with clients to transfer only the number of records needed rather than everything.
  • Provide secure transfers. Emailing files may be the norm, but it’s almost never the most secure option. When transferring sensitive data we work with our clients to provide other options, such as a secure upload link.
  • Inform participants. We include our privacy policy in research invitations and inform them of who the client is (when possible). When relevant, we have them opt-in to additional terms (such as for GDPR).
  • Not keep data indefinitely. While some projects may require retention of data (for tracking studies, as an example), we work with clients to determine if and when we should delete their data. For example, at the end of an engagement, we delete all client lists at their request (or only keep key pieces needed for the future). Any time a client wants us to delete the data they provided, we are happy to do so.

We should also note that Corona never resells personal data. If a client provides us with their data, it is only used for the project. If we collect new data as part of our work together, that data is only used for their purposes.


Perhaps most significantly, it is important to understand that data privacy is an evolving space that requires continued vigilance, both from a regulatory standpoint and a technical one.

Disclaimer: The information provided in this blog post is for informational purposes only and not for the purpose of providing legal advice.