Companies Must Look ‘Behind the Curtain’ for Privacy Compliance, Lawyers Say

There are “hidden compliance mechanisms” backstage that “play a crucial role in safeguarding consumer data and helping businesses steer clear of legal trouble,” said Chiara Portner and Bushra Samimi.

Third-party vendors, cloud providers, marketing platforms and other companies that businesses employ “can trigger privacy law obligations.” For example, several state privacy laws consider sharing “personal data with vendors without proper contracts" a "sale" or "sharing," which triggers consumer opt-out rights. Other states have similar laws that “emphasize consumer opt-out rights with respect to targeted advertising.”

Mapping data flows to understand data's path, who has access, why data is processed, and other similar questions is important for businesses as well, since data chains are “scrutinized under privacy laws,” said Portner and Samimi: Businesses also should develop processes to respond to consumer privacy requests or inquiries.

Data Privacy Impact Assessments (DPIAs) help companies evaluate risks, and are “unsung heroes of privacy compliance,” the lawyers added. DPIAs can also help demonstrate “accountability and foresight,” beyond compliance.

Having a cookie banner is insufficient, the bloggers said. Companies must ensure on the backend that the tools are configured properly and effectuate consumer privacy rights.

In addition to these tips, the lawyers noted that the privacy landscape is always evolving, so “businesses must treat privacy policies, vendor contracts and internal procedures as living documents to be updated and enhanced over time.”

“By managing what happens ‘behind the curtain,’ businesses can build consumer trust while also reducing legal risk.”