BBB National Programs Insights

  • Privacy Shield Compliance Tip #1: Navigating Your Annual Re-Certification

    Re-certification is the process by which you annually re-affirm to DOC your Privacy Shield self-certification. Your annual Privacy Shield re-certification is essentially a process of re-approval, much the same as the initial process of becoming approved under Privacy Shield. The required steps are almost identical to those you went through to secure initial approval of your Privacy Shield self-certification, including verifying that DOC has copies of your most up-to-date disclosures and policies. After submission, your account receives a thorough review by a Privacy Shield team member.
    May 20
  • What is the California Consumer Privacy Act?

    Most Americans are unsure about how their personal data is collected, used, and shared (collectively, processed) by companies, and desire government-mandated protections to ensure they are not harmed by this activity. In the absence of federal consumer privacy legislation, the California State Legislature has stepped in to protect its residents’ privacy. The California Consumer Privacy Act (CCPA) empowers state residents to learn more about how companies process their personal data, demand that companies delete their data, and prohibit companies from selling their data.
    May 20
  • What the Draft CCPA Regs Could Mean for Your Privacy Shield-Compliant Notice

    On October 10, 2019, the California Attorney General released the long-awaited draft regulations under the California Consumer Protection Act (CCPA). CCPA goes into effect on January 1, 2020. The draft regulations interpret and clarify the CCPA. Among these clarifications are detailed descriptions of the requirements of the privacy notices that should be provided to California consumers.
    May 20
  • Consent under the GDPR

    Processing of personal data takes many forms. At times, the entire point of the service that a business provides requires the business to process its customers’ personal data. If someone orders a pair of shoes online, the business must receive and process the person’s physical address in order to complete the delivery. Thus, for the purpose of order fulfillment, the collection and processing (and perhaps even sharing with shipping providers) of the person’s physical address is necessary. Perhaps in a soft sense of “consent,” such a transaction involves the consent of the consumer.
    May 20
  • Why Brexit Matters to Your Privacy Shield Business

    You may have heard that the United Kingdom is expected to exit the European Union soon in a process that many are calling “Brexit.” (For background, this article offers a no-frills Brexit explainer.) The Brexit process continues to be politically contentious, and, though the U.K. is scheduled to leave the EU on March 29, 2019, it is not yet certain whether or not this will happen by that date, either partially or fully.
    May 20
  • The GDPR and Privacy Shield: Two Important Links in Your Privacy Compliance Chain

    As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in full force. Over the past few months, we have seen companies around the world ramping up their data privacy efforts to meet the requirements of this important regulation. In the United States these efforts are often coupled with curiosity about how GDPR relates to the EU-US Privacy Shield agreement. From companies that already participate in Privacy Shield to those that are looking to add participation as part of their compliance efforts, many have questions about how Privacy Shield relates to their GDPR compliance obligations.
    May 20
  • Age Ain’t Nothing but a Number, Unless You Are Collecting It for Age-Screening Purposes

    Many of today’s tech-savvy children know that you must be at least 13 years old to use certain websites or mobile apps. This begs the question, is there a point to online age screening at all? The Federal Trade Commission (FTC) is asking the same thing in its recent review of the regulations for the Children’s Online Privacy Protection Act (COPPA). In its last review in 2013, the FTC added a new category to the definition of “an online service directed to children” that allows operators that do not target children as their primary audience to age-screen and only comply with notice and consent requirements for users under 13. COPPA does not tell operators how to age-screen but does provide guidance in its publication, “Complying with COPPA: Frequently Asked Questions.” In the current review, the FTC asks whether the Rule should be more specific about the appropriate methods for determining the age of users.
    May 20
  • Privacy Shield’s Second Annual Review: A Good Report Card

    The report is a result of the Annual Review that was conducted by the United States government, the European Commission, and the EU data protection authorities in Brussels on October 18 and 19, 2018. The primary objectives of the joint review were to monitor the current U.S. administration’s work on, and industry’s compliance with, the Privacy Shield, and to influence the privacy discussion in the United States. The report’s findings were also influenced by surveys that the Commission sent to U.S. trade associations and advocacy groups.
    May 20
  • EU Privacy Shield Year In Review: 2017

    The first full year of the new Privacy Shield Frameworks was a success for the BBB EU Privacy Shield (BBB EUPS) program, its participants, and EU consumers alike. Reflecting on the progress we have made, and looking forward to the future, we have collected some of the significant developments and accomplishments in this year-in-review blog post.
    May 20
  • A Reminder from the FTC: Making False Statements about Privacy Shield has Consequences

    The U.S. Federal Trade Commission has always taken very seriously any company’s statement about certification, membership, or participation in recognized privacy and security programs. For example, the Commission has cracked down on numerous companies over the years for making incorrect statements about their participation in APEC-CBPR and the Safe Harbor Frameworks.
    May 20