Ethyca Team
January 16, 2019Do These 3 Things for User Data Privacy Compliance
Just a few short years ago, the idea of User Data Privacy Compliance on the internet was full of hesitation. It was as dubious as the idea of Miranda Rights in the Wild West. Back then, the web was, and many would argue it still is, an adolescent medium growing at supernova speed.
Just a few short years ago, the idea of User Data Privacy Compliance on the internet was full of hesitation. It was as dubious as the idea of Miranda Rights in the Wild West. Back then, the web was, and many would argue it still is, an adolescent medium growing at supernova speed. Pioneers were only discovering boundaries long after traversing past them. Regarding personal data, the frontier mindset was prevalent: if you could catch it, you could keep it. But in recent years, this particular aspect of online exchange has finally begun to experience welcome regulation. Now, there are real consequences for actors that fail to follow regulatory requirements. Meaning the collection, storage, and exploitation of personal data.
The GDPR in Europe is the most widely-known and powerful piece of data regulation, but it’s essential to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA will come into effect January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD will become the law of the land sometime in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more critical. So, let’s assume that you aren’t yet able to pour over the fine print of each legislation to ensure compliance…what are some general steps you can take to protect your business from falling afoul of the regulator?
Be Specific and Get Consent
To capture every piece of data under the sun and try to figure out how to use it after the fact is rapidly consigned to the dustbin of history. Article 7 of the GDPR states data controllers must be able to “demonstrate that the data subject has consented to the processing of his or her personal data.” Furthermore, this consent can’t be tacit or assumed. The request for consent must be presented “in a manner which is clearly distinguishable from the other matters…using clear and plain language.”
A logical, mandatory consequence is that consent for data collection and processing must be clearly stated. You can’t explicitly ask for consent to capture an undefined set of data. Personal data can only be collected for “specified, explicit, and legitimate purposes” (Article 5(1) of GDPR). The upshot for development teams is clear. Define specific data you want your system to capture and obtain affirmative consent from your users.
Be Aware, Users Can Withdraw Consent
Another vital point to note is that obtaining consent does not mean that consent is iron-clad in perpetuity. Article 7 of the GDPR also includes the provision that “The data subject shall have the right to withdraw his or her consent [to having their data captured] at any time.” Furthermore, the GDPR mandates that “it shall be as easy to withdraw as to give consent.” What does this mean for your business? Well, most basically, your website/app/digital product must have a straightforward way for users to retract their consent. Your system must have built-in processes to guarantee it too. If users withdraw permission, the data cannot live anywhere in the infrastructure.
Remember You Can’t Keep it Forever
In the old days of only a few years ago, once a company had your data, it was theirs to keep. However, regulators have stepped in to advocate for data subjects’ right to have their data scrubbed from systems after a certain amount of time has elapsed. The most well-known development around this “Right To Be Forgotten” was a 2014 lawsuit in which the Court of Justice of the European Union ruled that Google had to remove links to out-of-date information regarding a Spanish man. While search engine link results are not the purview of most SME’s, this general principle is now enshrined in the GDPR via Article 17, which is entitled “Right to erasure,” and Article 19, which details the process that must be undertaken by the data processor when they receive a request for Erasure.
Does your system have controls in place to efficiently remove data after a certain period has elapsed? It better!
Published from our Privacy Magazine – To learn more, visit Privacy.dev
Engineering Data Trust at Scale: A Conversation with Adrian Galvan, Senior Software Engineer
Read MoreAdrian Galvan builds scalable, privacy-first integrations at Ethyca.
From Paper to Power: Reflections on the 2025 Consero CPO Summit
Read MoreAt the Consero CPO Summit, it was clear: privacy leaders are shifting from compliance enforcers to strategic enablers of growth and AI readiness.
JustPark Chooses Ethyca to Power Global Privacy and Data Governance
Read MoreJustPark has selected Ethyca to power its privacy and data governance, enabling trusted, consent-driven data control as the company scales globally.
Closing the AI Accountability Gap: Solving Governance with Data Infrastructure
Read MoreWithout infrastructure to enforce it, AI governance becomes costly theater destined to fail at scale.
The Engineer’s Burden: Why Trustworthy AI Starts with the Data Layer
Read MoreTrustworthy AI begins with engineers ensuring clean, governed data at the source.
Google Tag Manager Is Now a Legal Risk: German Court Ruling Redefines the Consent Perimeter
Read MoreKey takeaways from a German court ruling that redefines consent requirements for using Google Tag Manager.
Ready to get started?
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
Speak with UsSign up to our Newsletter
Stay informed with the latest in privacy compliance. Get expert insights, updates on evolving regulations, and tips on automating data protection with Ethyca’s trusted solutions.
