Enable Proactive Engagement

The number one GDPR & CCPA mistake some immigration practitioners are making.

Posted by: Umesh Vaidyamath | Date: April 24, 2020

The past two years have seen a massive shift in international privacy laws. The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, as well as the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, have changed the way organizations around the world collect and use personal data.

We’ll dive into each of these laws just below, but first thing’s first – immigration law deals with voluminous sensitive, personal data, so this article is about how these two acts affect the practice of immigratin law, specifically around data collection and storage. So the purpose of this article isn’t to explain every detail of GDPR and CCPA but rather to give a high-level overview of what they mean and connect it to immigration practice.

Ok, so what’s GDPR and CCPA?

At a high level, per Forbes, GDPR is “a legal framework that requires businesses to protect the personal data and privacy of European Union (EU) citizens for transactions that occur within EU member states. It covers all companies that deal with the data of EU citizens, specifically banks, insurance companies, and other financial companies.” In other words, it’s a set of rules and regulations restricting the use of personal user information that many of today’s largest companies collect, store and sometimes sell as part of their business.

One of the key things to take note of here is that it also applies to companies outside the EU. As the EU’s own site,, emphasizes, “if you process the personal data of EU citizens or residents, or you offer goods or services to such people, then the GDPR applies to you even if you’re not in the EU.”

Without getting into the “how,” it’s important to note what type of data GDPR protects: “personal data” and “sensitive personal data.” Per Wired, here’s the distinction:

  • Personal data. Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymized data if a person can be identified from it.
  • Sensitive personal data. GDPR calls sensitive personal data as being in ‘special categories’ of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.
How about the CCPA?

Well according to TechCrunch, “CCPA, is a state-level law that requires, among other things, that companies notify users of the intent to monetize their data, and give them a straightforward means of opting out of said monetization.” CCPA became California law on January 1, 2020, but the state is giving businesses a six month grace period to amend their practices, policies, and procedures to become compliant.

Ok so now we have a very broad overview of CCPA and GDPR. They’re regulatory requirements of companies that collect personal and private user data to safeguard that data, refrain from selling, sharing, or otherwise monetizing it, and when possible avoid collecting it or enable users to opt-out of sharing it.

This is a great step forward, especially after the recent Equifax and Facebook (and other) data breaches.

But how do these rules affect the immigration practice, and what steps can immigration practitioners take to enhance data security?

The number one privacy mistake immigration practitioners are making

The immigration process inherently requires collecting personal information. Let’s say a company is looking to bring in a foreign worker on an H-1B visa – in order to file an H-1B petition, the company needs the candidate’s name, date of birth, home address, family member information and much more. There are also instances where financial data and health data need to be disclosed too.

Against the backdrop of GDPR and CCPA, you would expect that most immigration practitioners collect this and other personal information in a safe and secure manner, right?

Well, the reality is, not always. And the number one mistake many are making is based on something we all use every single day: email. That’s right, one of the most common forms of digital communication actually exposes immigration professionals, and the companies and beneficiaries they service, to potential data security breaches.

Here’s a not uncommon scenario: a law firm staff member has to send a beneficiary a copy of some of their personal documentation. The staff member accidentally sends the email to the wrong foreign national (FN) in an instance where two people in the company have the same name.

Not only did this cause confusion when the wrong person received an email about a visa process that wasn’t related to them, but the employer of the individual whose data was compromised also had to involve their privacy attorney, and was otherwise very much upset about the whole situation. This simple mistake ended up costing the employer money by way of attorney fees and caused unnecessary stress.

This was a real scenario, and there are many more instances of sensitive beneficiary information sent around in not-so-secure ways that end up costing time, money, and trust.

INSZoom’s foreign national portal is the answer.

INSZoom takes GDPR and CCPA very seriously, and one of the ways we do that is through our robust FN portal. Here are just a few of the security features built into the INSZoom FN portal:

  • Portal Setup. An immigration law firm using INSZoom controls the foreign national portal setup and can choose what information each user can see or access. That means no one can see or access more than they’re supposed to.
  • Single Sign-On (SSO). INSZoom access can be tied to an FN’s corporate network, which means they can leverage the same secure authentication they use for work.
  • Multi-factor authentication. Still, INSZoom may require the user to authenticate with an additional ID or password such as code generated from a mobile app, sent via SMS, generated via a hard token (a little hand-held device that generates unique codes and changes continuously), etc.
  • One-Time-Password (OTP). FNs, corporate users, and others get a one-time password to access their INSZoom account for the first time. They are then prompted to change their password to something new that no one else knows.

Let’s think about a service we all know well – online banking. Does your bank send you your bank statement via email as a PDF attachment anymore? Are you able to see sensitive account information in the body of an email? Absolutely not. Email prompts from your bank always send you to your bank’s secure website where you have to log in, often using multi-factor authentication, and only then can they get access to your sensitive financial data.

Immigration should be the same.

We’re seeing more and more INSZoom users adopt the FN portal, and the industry, in general, is moving in this direction across the board. But we’re not fully there yet. Small firms, particularly those that deal with small corporate clients or individual clients who may not come with stringent security requirements, should take it upon themselves to be proactive with their data safety and security.

Just the other day we spoke with an INSZoom user that absolutely requires all their clients to use INSZoom’s FN portal for correspondence, and has a no-email policy for documentation and sensitive information. A great example of how immigration law firms can lead the way. Not only does that promote compliance with frameworks like GDPR and CCPA, it also protects user data and, in the end, the safety and identity of the individuals the industry is meant to help – immigrants moving across the world for new opportunities and a better life.

Want to learn more about how INSZoom supports data privacy and security? Reach out to your INSZoom rep or visit our site and read about how we’re addressing it head-on!

Inszoom Academy