A Brief Background

Several years back we started to see various attempts by legislatures to help consumers understand how organizations use their data—what consumers know, how organizations use it, and their rights as consumers. In 2018, the General Data Protection Regulation (GDPR) was implemented in the European Union to protect consumers’ data. In the US, in 2019, we saw California adopt the California Consumer Privacy Act (CCPA).

Since then, many additional states have adopted some form of data privacy protections. These multiple frameworks can be challenging to follow if your organization works across states. While there have been pushes for national regulations, we are likely years away from such a law and/or set of regulations.

While there are challenges, and costs, in ensuring compliance with these regulations, Corona Insights supports the goals of greater transparency and giving consumers control over their personal data.

In the meantime, we offer some thoughts for our clients. *

Do these Regulations apply to you?

While data privacy policies generally share similar overarching goals, who they apply to, what they cover, and when they apply can vary significantly. There are many differences between regulations; here are a couple of examples:

Location. The location and residence of an individual can determine how a data privacy framework applies to them. For instance, GDPR is location based—it covers people who are physically in the EU/EEA. If a European citizen covered by GDPR at home travels to the US, while in the US, they are not covered. Conversely, many state privacy policies are residency based. So, a California resident traveling in Colorado would in theory still be covered under CCPA.

Type of organization. Data privacy policies don’t always apply to all organizations. For example, in California, nonprofits were exempt from the CCPA, while in Colorado they are not exempt from the CPA. Additionally, some states base applicability on both the number of consumers and the revenue of an organization, while others may base it only on the number of consumers whose data the organization holds.

Other differences exist, and this space is constantly evolving.

One important thing to note is that the way these laws were written, you may not think they apply to your business when in fact they do. For example, here in Colorado where we are based, the law is written to say organizations that derive revenue from the sale of personal data are covered. Our firm doesn’t sell consumer data, such as marketing lists or sales data, but because we conduct so many surveys that collect data and the product is an aggregate of that data, our work technically falls under the CPA. If you hold any consumer data, even if just a donor or member list, it may make sense to consult an expert in the field to see if you fall under the regulations.

How is Corona addressing these challenges?

In our work, these challenges require extra time and steps, especially when starting work with a new client. Over the years we have endeavored to simplify and streamline the process to make it easy for our clients to work with us while ensuring we’re all following the applicable regulations.

For our part, we regularly revisit our own research privacy policy, client agreements, and technology security, in addition to ongoing monitoring of laws and regulations. (With so many different frameworks now, we often design to the strictest regulations and/or to the state most applicable for our work.)

Additionally, beyond complying with the laws and regulations, we strive to:

  • Only request data we actually need. It’s common, and tempting, to just request everything when transferring member, customer, or other personal data. When working with a client, we only want the data we’ll need. For instance, this may only be name and basic contact information. If we don’t need their entire account history, then we don’t want it. And if we only need a random subset of their database, we can work with clients to transfer only the number of records needed rather than everything.
  • Have a data privacy agreement in place. To help ensure everyone is on the same page, we often create addendums to our contracts or other work agreements outlining specifically what will be transferred, how it will be used, and how we will store it.
  • Provide secure transfers. Emailing files may be the norm, but it’s almost never the most secure option. When transferring sensitive data we work with our clients to provide other options, such as a secure upload link.
  • Inform participants. We include our privacy policy in research invitations and inform them of who the client is (when possible). Our privacy policy outlines their rights and who to contact with requests or questions. When contacted, we reply promptly and document their request. When relevant, we have them opt-in to additional terms (such as for GDPR).
  • Not keep data indefinitely. While some projects may require retention of data (for tracking studies, as an example), we work with clients to determine if and when we should delete their data. For example, at the end of an engagement, we delete all client lists at their request (or only keep key pieces needed for the future). Any time a client wants us to delete the data they provided, we are happy to do so.

A Final Note

We should also note that Corona never resells personal or client data. If a client provides us with their data (e.g., member list, prospective customer list, sales data), it is only used for their project(s). If we collect new data as part of our work together, that data is again only used for their purposes. Data is not sold in any form—raw data, repackaged into other reports, etc.—to another party.

Perhaps most significantly, it is important to understand that data privacy is an evolving space that requires continual vigilance, both from a regulatory standpoint and a technical one.

* Disclaimer: The information provided in this blog post is for informational purposes only and not for the purpose of providing legal advice.