Global Data Regulations

Privacy regulations are evolving around the world at a fast pace. New and developing laws in the EU, UK, Canada, Brazil, India, and states such as Virginia and California continue to set the pace for the rest of the world. Understanding and respecting these regulations is crucial not only due to the potential penalties imposed by the law but also because of the grave repercussions to any brand's reputation.

Data Protection Regulations

Information privacy, data privacy, and data protection laws provide a legal framework for obtaining, using, and storing personal data. The rights of consumers to have transparency and exercise control on who uses their data and for what purposes are increasingly required by modern regulations. Among other requirements, new regulations often include the right for consumers to get details on which data is stored, for what purpose it is stored, and to withdraw consent and request data erasure.

Data privacy regulations encourage organizations that collect personal data to do so in an ethical, lawful and respectful manner, with consent and transparency at the centre of the customer experience.

GDPR

The General Data Protection Regulation (GDPR), in effect since May 25, 2018, is the current European Union (EU) data protection law that aims to harmonize local data protection laws across Europe. Since its inception, the law has triggered organizations to bolster privacy policies and establish data protection best practices across the globe. The GDPR requires organizations to manage and secure any operation that involves processing EU personal data to protect against unauthorized access.

One of the purposes of the GDPR is to offer EU citizens more control over their personal data, as well as to unify and simplify the EU's privacy regulations. The GDPR establishes a number of essential principles for the processing of personal data, as well as individual rights that data subjects can exercise in relation to their personal data.

This means that any company not based in the EU is subject to the same laws as a EU company when it comes to processing EU data subjects and that GDPR is of global importance. For more information on GDPR and its requirements, be sure to check out the European Commission’s Data Protection Law page.

CCPA & CPRA

The California Consumer Privacy Act (CCPA) is a California state data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA was January 1, 2020 and it is the first law of its kind in the United States. CCPA applies to any for-profit business in the world that sells the personal information of more than 50,000 California residents annually, or that has an annual gross revenue exceeding $25 million, or that derives more than 50 percent of its annual revenue from selling the personal information of California residents.

The California Privacy Rights Act (CPRA) is an addendum to the CCPA designed to further strengthen the data privacy rights of residents of California. It provides consumers greater opportunity to opt out and requires deliberate data privacy management from businesses, and further regulates behavioral advertising. You can read Proposition 24 from the November 2020 General Election (also known as the CPRA) on Jake Snow’s site.

Schrems II and Cross-Border Data Flows

In 2020, the Court of Justice of the European Union imposed a ruling on US companies processing EU citizen data that invalidated the use of Privacy Shield. Privacy Shield was a previously established framework providing a mechanism to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US. In the same ruling, SCCs (Standard Contractual Clauses), the other legal way to conduct trans-Atlantic trade in compliance with GDPR, was confirmed to stay valid. In November 2020, the EPDB asked for additional safeguards to be implemented in order to transfer EU PI to other countries. Those safeguards called mostly for data residency to be driven by the idea that companies should collect, process and store personal data in the same country that the citizens originate from.

Other Regulations

Canada’s CPPA, Quebec’s Bill 64, Virginia’s CPDA, Brazil’s LGPD, and others offer similar protections to consumers, with common themes of consent, disclosure, transparency and control.

How to Comply

Work with your legal and business teams in order to understand and ensure that you comply with data protection and privacy regulations worldwide.

How Optable Fits In

This section describes the ways in which Optable helps your business address various global regulation requirements insofar as the processing of personal data that you load into your DCN from your various sources.

GDPR

The GDPR defines requirements for data controllers and data processors. Optable considers itself a data controller on its marketing website, but a data processor when it comes to serving its customers as a vendor. Optable offers its customers a Data Processing Agreement (DPA), as an addendum to its Master Services Agreement, clarifying its role and obligations with respect to the customer's personal data processing under the GDPR.

Authorized DCN users are able to handle GDPR data subject requests concerning the personal data handled by the DCN, through both the DCN UI and API. This is explained in further detail here.

CCPA & CPRA

In the context of the CCPA and the revised CPRA, when it comes to serving its customers as a vendor, Optable considers itself a service provider.

Authorized DCN users are able to handle CPRA data subject requests concerning the personal data handled by the DCN, through both the DCN UI and API. This is explained in further detail here.

Schrems II and Cross-Border Data Flows

Despite the Court of Justice of the European Union's 2020 ruling invalidating Privacy Shield as a means of transferring data from EU to the United States, the CJEU reaffirmed that the Standard Contractual Clauses (SCCs) remain a valid method of transfer. Optable offers Standard Contractual Clauses (SCCs) as a means of meeting the regulatory requirements of GDPR in its role as a data processor and to address international data transfers.

Privacy Policies

The Optable Products and Services Privacy Policy explains how Optable processes information for customers as a service provider. It is provided in the interest of transparency to the general public.

It is important to note, however, that with respect to the personal information that Optable's DCN software processes on behalf of your business, that your business is the controller. The handling of that personal information is therefore governed by the privacy policies and statements of your business, and by our service agreement and any of its addendums.

In the special context of operating its marketing website and developing its products, Optable acts as a controller of some personal information that it directly collects via its websites, Email, and other means. You can find the related privacy policy details in Optable's Website Privacy Policy.

Data Subject Requests

Your DCN provides a UI and API enabling you to process access and erasure requests on behalf of data subjects, concerning personal data handled by your DCN. Access and erasure requests help you to comply with data-related obligations that you have to users, as part of the requirements of many global regulations such as GDPR, CPRA, and others.

You can find details regarding the data subject request processing related functionality of your DCN here.