Blog

Should Utah's Privacy Law Be on Your Radar?

by Phillip Walters November 17, 2022

When it comes to privacy compliance, businesses will have a lot on their plate in 2023. Major changes to the California Consumer Privacy Act (CCPA) are going into effect (including the expiration of employee data exemption), as well as four new state privacy laws. Among these is the Utah Consumer Privacy Act (UCPA).

Connecticut’s Privacy Law: Does It Apply to Your Business?

by Phillip Walters November 10, 2022

As 2023 approaches and a new round of data privacy laws is slated to take effect, business leaders are scrambling to determine which laws apply to their companies and how to juggle multi-state compliance. The Connecticut Data Privacy Act (CDPA) is one of those laws, going into effect on July 1, 2023.

Global Privacy Control: A New Requirement for Compliance

by Phillip Walters November 7, 2022

A simple browser signal may have the power to reshape online privacy.

A Cookie Banner Isn't Enough for CCPA Compliance

by Phillip Walters October 27, 2022

There are a lot of misconceptions surrounding cookie banners and data privacy laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). The proliferation of cookie pop-ups and consent banners has led many to believe they are required, even when they are not (they are required in Europe, but more on that below). More dangerously, some believe that adding a cookie banner to their website is all that is required for privacy compliance, which is...

Why CCPA Compliance Matters to HR

by Phillip Walters October 21, 2022

Since it was passed in 2018, the California Consumer Privacy Act (CCPA) has been seen as mainly an issue for marketing and eCommerce teams—i.e., people who deal with customers and website visitors. Even though they handle large volumes of personal information, human resources departments have been spared many of the privacy law’s requirements because they deal exclusively with internal data from job applicants, employees, and contractors.

When Do the New State Privacy Laws Go into Effect?

by Phillip Walters October 18, 2022

New California Privacy Law Expands Protections for Children

by Phillip Walters September 26, 2022

Article Highlights:
- California Age-Appropriate Design Code Act extends beyond existing COPPA protections
- All minors under 18 years old are protected
- Major restrictions where online services are likely to be accessed by children

CCPA Exemptions for Employee & B2B Data Will Expire in 2023

by Phillip Walters September 8, 2022

Article Highlights:
- Exemption set to expire on January 1, 2023
- Employee and B2B data will be treated like any other personal information
- Businesses should revisit several areas of their CCPA compliance

Takeaways from the Latest CCPA Enforcement Summary

by Phillip Walters August 31, 2022

Article Highlights:
- CCPA enforcement remains robust
- Case examples emphasize ease of user experience for consumers
- Exchange of personal information for services is considered a "sale"

Sephora Fined $1.2 Million Over CCPA Violations

by Phillip Walters August 26, 2022

Article Highlights:
- First major fine for violation of the CCPA
- Sephora website had no method to opt-out of sale of personal information & no implementation of the Global Privacy Control standard
- Fines likely to be more common as the mandatory 30-day cure period expires

California Attorney General Rob Bonta announced that his office has recently settled a case with makeup retailer Sephora over a number of violations of the California Consumer Privacy Act (CCPA). The settlement requires Sephora...

Connecticut Passes America’s Fifth Data Privacy Law

by Phillip Walters May 25, 2022

The momentum of states passing their own privacy laws is showing no signs of slowing down. The Connecticut legislature recently passed the Connecticut Data Privacy Act (CTDPA), which was then signed into law by Governor Ned Lamont. A trend that began with Europe’s General Data Protection Regulation (GDPR) and then the California Consumer Privacy Act (CCPA) seems to be picking up pace—the CTDPA is the second such state law passed just in the first half of 2022, following right on the heels of...

The Utah Consumer Privacy Act

by Phillip Walters April 1, 2022

Recently signed into law by Governor Spencer Cox, the Utah Consumer Privacy Act (UCPA) is now the nation’s fourth data privacy law to go on the books. While it does not go into effect until December 31, 2023, it’s never too early to learn about the new law and how it compares to privacy legislation in other states.

CCPA: Attorney General Sets Sights on Customer Loyalty Programs

by Phillip Walters February 4, 2022

In a recent press release, California Attorney General Rob Bonta made it clear that customer loyalty programs are an enforcement priority for California Consumer Privacy Act (CCPA) compliance. His office sent out 30-day cure notices to a number of “major corporations in the retail, home improvement, travel, and food services industries.” Companies that fix any alleged violations of the data privacy law within that time period will face no further penalties.

An Introduction to the Colorado Privacy Act

by Phillip Walters August 31, 2021

The latest in an emerging patchwork of state privacy legislation in the United States, Colorado recently passed and signed into law the Colorado Privacy Act (CPA). It is mostly an iteration of Virginia’s Consumer Data Protection Act (CDPA), also passed this year, but it has a few of its own unique features. It also takes a number of cues from the California Consumer Privacy Act (CCPA), America’s first comprehensive data privacy law.

CCPA Enforcement in Its First Year

by Phillip Walters July 29, 2021

The California Consumer Privacy Act (CCPA) officially became enforceable on July 1, 2020, and according to the California Attorney General, actual enforcement began on that very same day. Just over a year later, the Office of the Attorney General (OAG) has recently released a list of examples of the enforcement actions it has taken against businesses and how they were resolved.

How Does Remote Work Affect CCPA Compliance?

by Phillip Walters July 19, 2021

After more than a year of remote work during the coronavirus pandemic, and with vaccines being more widely available, many businesses are now at a crossroads: Should they move their employees back to the office or continue working from home? Of course there are many considerations to take into account — everything from data security measures to how it changes the work environment — but for those businesses that fall under the requirements of the California Consumer Privacy Act (CCPA), one of...

CCPA: The Benefits of Voluntary Compliance

by Phillip Walters May 13, 2021

If the California Consumer Privacy Act (CCPA) applies to your business, there is no question you should already be in compliance with the privacy law. Enforcement began in July 2020, and with the creation of the California Privacy Protection Agency (CPPA), the expectation is that enforcement activities will increase dramatically. Some businesses have held off on making the required changes, as they weigh the risks and costs of non-compliance. Others may not yet realize that the CCPA applies to...

Meet the CDPA: Virginia’s New Data Privacy Law

by Phillip Walters March 11, 2021

The push for states to create their own data privacy laws gained momentum as the Virginia Consumer Data Protection Act (CDPA) was signed into law by Governor Ralph Northam on March 3, 2021. Strongly influenced by the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the CDPA is a major piece of privacy legislation that also differs from both of those laws in a number of ways.

Surprise! The CCPA Applies to Many Small Businesses

by Nic Villasenor January 12, 2021

The California Consumer Privacy Act of 2018 (CCPA) defines clear and specific criteria for which businesses must comply. We’ve outlined the CCPA requirements in What Businesses Must Comply With The CCPA.

Does the CCPA Apply to Businesses Outside of California?

by Sarah Edri October 21, 2020

Some businesses assume that if they do not have a storefront or office in California, the California Consumer Privacy Act of 2018 (“CCPA”) does not apply to them. That assumption is not only wrong, it could result in regulatory inquiries and monetary penalties.

What’s New in the CPRA (CCPA 2.0)? More Than You Think.

by Sarah Edri October 5, 2020

The California Privacy Rights Act of 2020 (CPRA) is on the ballot this November, and California voters are widely expected to approve the initiative. With some exceptions, the CPRA expands privacy protections afforded under the current California Consumer Privacy Act of 2018 (CCPA), giving consumers more rights over their personal information and requiring greater transparency and obligations from businesses. Beyond new rights, the CPRA establishes a privacy enforcement agency - the California...

Under CCPA, You Might Be Selling Personal Information (Part 2)

by Nic Villasenor April 1, 2020

Part 1 of this blog post discussed CCPA obligations if you use ad networks like Google or Facebook for interest-based advertising. Part 2 of this post is a discussion of the specific language in the CCPA that led us to conclude that interest-based advertising is a “sale” of information under the CCPA.

Under CCPA, You Might Be Selling Personal Information (Part 1)

by Nic Villasenor March 24, 2020

The first step to CCPA compliance is creating an information map and carefully evaluating how each of your vendors uses personal information your business shares with it. When you start this exercise, you may be surprised to find that under CCPA, you could be "selling" information when you share it with ad networks, data analytics providers, and possibly others.

TrueVault Safe free for COVID-19 projects

by Jason Wang March 20, 2020

TrueVault is offering its HIPAA-compliant service free of charge to nonprofit COVID-19 projects.

Who has rights under the CCPA?

by Nic Villasenor February 2, 2020

The California Consumer Privacy Act (CCPA) grants rights to California residents. But many businesses have decided to honor CCPA rights for consumers outside of California.

CCPA: What is Personal Information?

by Nic Villasenor December 20, 2019

When it comes to privacy laws, definitions matter. As we’ve discussed, the California Consumer Privacy Act (CCPA) broadly defines personal information. In this post, we’ll look at where the definition has a wider application and where it’s a bit more narrow.

What is the CCPA?

by Nic Villasenor December 20, 2019

In 2018, the California legislature passed a sweeping privacy law to protect consumers. The California Consumer Privacy Act (CCPA) became the most comprehensive consumer privacy law in the country.

🎈🎉 Announcing: TrueVault Atlas Cloud 🎉🎈

by Justin Gold May 1, 2019

Two months after we launched TrueVault Atlas as a self-managed solution, we are thrilled to announce we are launching TrueVault Atlas Cloud today.

What are the penalties associated with GDPR?

by Justin Gold April 10, 2019

As previously explained, GDPR is a new law governing the collection and use of personal data. It will affect people or organizations which are established in the European Union or which offer goods or services to or monitor the behavior of people living in the EU. It came into force on 25 May 2018.

How does GDPR define Personal Data?

by Justin Gold March 21, 2019

GDPR is based around protecting personal information for individuals and as such, the term ‘personal data’ is a critical entryway into implementing GDPR. In the regulation, ‘personal data’ is specifically defined as: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an...

What is a data subject access request?

by Justin Gold March 7, 2019

A Data Subject Access Request (DSAR) refers to a petition by a data subject (an identifiable individual about whom personal data is held) to a data controller (e.g., an organization/institution which sets personal data processing standards) regarding their personal data. A data subject may request access to their personal data record, edits or corrections to their personal data record, or request that some or all of their personal data record with the company be deleted. The organization...

🎈🎉 Announcing: TrueVault Atlas 🎉🎈

by Justin Gold March 1, 2019

What happens after a data breach?

by Sara Kassabian January 17, 2019

If your company aligns its data processing activities with the principles of privacy by design, the likelihood of a data breach happening is less than if you don’t adhere to these principles. However, in the event a data breach does occur, the penalties under the General Data Protection Regulation (GDPR or “The Regulation”) are harsh. In this fourth blog, we unpack the consequences facing businesses that experience a data breach.

Privacy by design: Key philosophy of GDPR

by Sara Kassabian January 16, 2019

This is the third in a series of blog posts that summarize some of the key concepts of the European Union’s new General Data Protection Regulation (GDPR or “the Regulation”). Our previous posts answered two frequently asked questions: What is GDPR? and Does my business need to be GDPR compliant?. In this next blog post, we unpack one of the key principles of the Regulation — privacy by design.

Does GDPR apply to my company?

by Sara Kassabian January 15, 2019

The first blog post in our series introduced some of the fundamental concepts of GDPR. In this second blog post, we answer a question that many business owners are asking: how do I know if my business needs to be GDPR compliant?

Introduction to GDPR

by Sara Kassabian January 14, 2019

The scope of the European Union’s new General Data Protection Regulation (GDPR) is far-reaching, and has turned lives upside down for many businesses that are sustained by collecting personal data from consumers.

Inside the Vault: Searching and Fetching Data

by Sara Kassabian December 4, 2018

Virtually any business that works in the healthcare space will be accessing and managing health information. If personally identifiable information (PII) is linked with medical information, that data is considered protected health information (PHI), a special class of data that must be secured according to HIPAA standards. But building a HIPAA-compliant application requires expert knowledge in engineering for security as well as the law itself. There are few small businesses that have the...

Inside the Vault: How data flows in TrueVault

by Sara Kassabian November 20, 2018

Virtually any business that works in the healthcare space will be accessing and managing health information. If personally identifiable information (PII) is linked with medical information, that data is considered protected health information (PHI), a special class of data that must be secured according to HIPAA standards. But building a HIPAA-compliant application requires expert knowledge in engineering for security as well as the law itself. There are few small businesses that have the...

Will the midterms impact tech?

by Sara Kassabian November 13, 2018

There are few issues that garner bipartisan consensus among United States lawmakers these days, but a desire to regulate Silicon Valley has proponents on both sides of the aisle. Naturally, the priorities and means for regulation differ largely according to a lawmaker’s constituents and region, political priorities and political party.

Is antivirus software good or bad?

by Sara Kassabian November 6, 2018

Everyone remembers working on the home desktop and seeing the alert pop-up in the right-hand corner of your screen: time to upgrade your (Name Brand) antivirus software. Clicking it takes you to a web page where the company tries to upsell you on the latest enhancements to their product. Today, antivirus software (AV) or more precisely, antimalware software, is more sophisticated, and some security experts will say, begrudgingly, that tools like Windows Defender are “mostly good enough” for...

What's the difference between PII and personal data?

by Sara Kassabian October 30, 2018

The two data protection regulations that TrueVault technology helps companies comply with are the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Both HIPAA and GDPR introduce distinct but related concepts surrounding what information constitutes “personal” information. In this blog, we clarify and untangle these definitions.

Explaining Business Associate Agreements

by Sara Kassabian October 23, 2018

If your business is exploring opportunities in the healthcare industry, chances are you will be working with health information that contains identifying details, also known as protected health information (PHI).

How does data de-identification work?

by Sara Kassabian October 16, 2018

Previously, we answered a commonly asked question: What constitutes protected health information (PHI)? This time, we take our series a step further and explain how de-identifying PHI will allow your business to work with health behavior data without liability.

What is PHI?

by Sara Kassabian October 9, 2018

Last week, we broke down the working definitions of personally identifiable information (PII) as it applies to laws like GDPR and CCPA. But there are laws that extend even further beyond regulating how businesses can collect and store personally identifiable information (PII) when health information is involved.

What is personally identifiable information (PII)?

by Sara Kassabian October 2, 2018

TrueVault is in the business of protecting personally identifiable information (PII) collected on behalf of your company. PII is different from other types of data, and by storing PII in our SecureVault, we limit the legal liability for businesses that interact with this sensitive data.

Comparing TrueVault and HIPAA Compliant Hosting Services

by Sara Kassabian September 25, 2018

Clients ask us a lot: What is the difference between TrueVault and HIPAA compliant hosts, such as Amazon Web Services (AWS)? The answer really comes down to risk. If you’re looking for a ready made solution to HIPAA compliance, use TrueVault. If you’re confident in your ability to build from scratch a secure and lawful platform that can store protected health information (PHI) — essentially, build your own version of TrueVault — then you’ll start with a HIPAA compliant host, such as AWS.

Announcing Tokenization Engine

by Justin Gold September 18, 2018

Today, TrueVault is launching Tokenization Engine, a new feature of SecureVault, to help companies import healthcare data without the legal burden of HIPAA compliance. The Problem There is clear business value to leveraging health behavior data, but working with healthcare data can be problematic. If a company wishes to work with healthcare data, chances are this data includes Protected Health Information (PHI), a special class of data that requires compliance with HIPAA regulations because it...

MFA Strategies: Not All are Created Equal

by Andrew Mitchell August 3, 2018

This week Reddit disclosed a data breach, the result of account-takeover attacks targeting Reddit employees with access to user data. The attack worked because these Reddit employees used SMS-based Multi-Factor Authentication (MFA). This exposed them to a popular social-engineering attack where the assailant is able to intercept text messages by fooling the target’s cell phone provider. In these types of attacks, the perpetrator does not need to be particularly sophisticated or even technical.

Do I Need to Be GDPR Compliant?

by Jason Wang March 15, 2018

As covered in the previous blog post, GDPR is a new law regulating the processing (collection and use) of individuals’ personal data, which comes into effect on May 25th, 2018. If you are covered by GDPR, then not only will your customers expect you to be compliant, but your business partners may require it as a condition of their contracts. Moreover, the fines for breaching the Regulation are harsh, going up to €20,000,000 or 4% of your global turnover (whichever is higher). With that in mind,...

What is GDPR?

by Jason Wang March 8, 2018

The General Data Protection Regulation (GDPR) is an extensive new law regulating the collection and use of personal data of individuals in the European Union, which comes into effect on May 25, 2018. GDPR replaces the Data Protection Directive of 1995, which was the EU’s first legal framework covering data security. In the 20 years since then, the explosion in the use of computers and the internet has contributed to a huge rise in the collection and processing of personal data. Unfortunately,...
