
Beyond CCPA Melissa Maalouf ZwillGen Kandi Parsons ZwillGen Matt - PowerPoint PPT Presentation



  1. Beyond CCPA
     Melissa Maalouf, ZwillGen; Kandi Parsons, ZwillGen; Matt Scutari, Optimizely; Jim Trilling, Federal Trade Commission
     (Disclaimer: The views expressed in this presentation are Jim’s as an FTC staff attorney and do not necessarily reflect the views of the Commission or any individual Commissioner.)

  2. Agenda
     • How did we get here?
     • Structuring and Defining Your Privacy Program
     • Embedding Core Privacy/Security Principles Into Your Program
     • Regulatory Predictions and Preparedness
     • Questions

  3. How Did We Get Here?

  4. Previous Privacy Regimes
     • Traditional view was that there was a class of data called personally identifiable information that identified users on its face, usually by name, contact information, or government identifiers
     • Laws governing the privacy of personal information were sector-specific:
       • healthcare (HIPAA), finance (GLBA), credit information (FCRA), education (FERPA) and children’s information (COPPA)
       • State data breach and security laws
       • Some notice requirements (CalOPPA and Shine the Light)
     • Regulators used UDAP (unfair or deceptive acts or practices) authority to develop privacy principles for companies outside these regulated spaces

  5. May 25, 2018: the EU General Data Protection Regulation (GDPR), a comprehensive privacy law with broad territorial scope, takes effect after 8 years of drafts and negotiations
     • Privacy of personal information across sectors
     • Related to an identified or identifiable person
     • Vendor management
     • Comprehensive data subject rights (access, deletion, rectification)
     • Transparency
     • Legal bases for processing data
     • Rigorous consent
     • Required risk analysis (DPIA)
     • Controller/processor distinction

  6. Major privacy/security issues make headline news
     • High profile data breaches
     • Cambridge Analytica

  7. CCPA: the closest thing to a comprehensive law in the US is passed, but, as opposed to GDPR, only 3 weeks in the making
     Similar to GDPR (access, deletion, transparency), but with some key differences:
     • Applies to data reasonably capable of being associated with a consumer or household
     • Contains different exceptions to data subject rights
     • Does not have the concept of a data controller vs. a data processor
     • Contains more rigid restrictions on sharing data with third parties for commercial purposes, called “sales”
     • Does not require “legal bases” for collecting and using data
     • Does not require the same types of comprehensive and robust documentation and recordkeeping

  8. What’s Coming Next?
     • Copycat state laws, or worse, laws with inconsistent requirements?
     • US federal privacy legislation?
       • What will it regulate? Collection, use, sharing, all?
       • How will it interact with/preempt existing laws?
       • Will there be a private right of action? How broad?
       • Who will enforce?
     How does a company future-proof its privacy program to comply with existing rules and also be ready for future rules?
     • Carefully structure and define your privacy program
     • Ensure core privacy/security principles are embedded in your program
     • Predict and prepare for future enforcement trends

  9. Defining Your Privacy Program

  10. What is(n’t) a Privacy Program?
     It’s not a legal function… It’s not a compliance function… It’s not a security function…

  11. What is a Privacy Program?
     A privacy program is your organization’s privacy and data protection quarterback
     • Privacy / Data Governance
     • Operations
     • Culture + Awareness

  12. Governance
     Governance: driving cross-functional alignment on decisions with privacy impact
     • Develop strategy
     • Facilitate and guide product and business decision making
     • Document and enforce policies, standards, and procedures

  13. Operations
     Operations: implementation and maintenance of processes that resolve issues or manage risk
     • Track and drive implementation of product and business decisions
     • Ensure policies don’t go stale and key processes remain efficient and effective

  14. Culture + Awareness
     Culture: building a company-wide culture of privacy
     • Foster company-wide awareness of key privacy concepts
     • Educate key stakeholders on relevant policies and procedures
     • Enlist “privacy champions” to help scale your program’s efforts

  15. Organizational Structure
     No perfect option, but some to consider:
     • Legal
     • Security
     • Product
     Regardless of where the program sits, your goal should be to become embedded with key product/business partners!

  16. Hiring Privacy Program Managers
     Three key traits to look for (two out of three is great!):
     • Privacy subject-matter expertise
     • Industry/sector expertise
     • Project management skills
     Look internally!

  17. Embedding Core Privacy/Security Principles into Your Program

  18. Increase the Value of Privacy Internally
     • Avoiding risk (e.g., breach, regulatory scrutiny) is one consideration, but sound privacy decisions have real business value too!
     • Examples:
       • Data minimization can save resources on compliance and on handling access/deletion requests
       • Stronger policies can facilitate deals
       • Transparency reduces upset consumers/customers
       • A privacy-protective approach can create market differentiation or a competitive advantage

  19. Speak the Same Language
     Get your organization on the same page, across all levels and roles
     • Do your engineers, sales reps, and recruiters all know what you mean when you talk about “personal data” or “sale”? (They probably don’t)
     • Focus culture and awareness efforts to ensure everyone understands one another
       • Work from the same language and playbook
       • Align on key definitions with legal and security, and then educate everyone else
     • Consider privacy-by-design training (along with some legal training) to help teams understand the basis for what you’re advising/asking
       • With privacy now a cross-functional task, it is important to train at all levels
       • CCPA requires employee training for those who will be receiving/handling access/deletion requests, and GDPR requires general training too

  20. Develop Global Solutions if Possible
     • While there are many different privacy laws across the globe, most share the same core tenets: transparency, consumer choice/rights, data minimization, sound security
     • Benefits of global solutions
       • Apply across jurisdictions, products, and time (hopefully)
       • Require refinement but not overhaul
       • Easier to operationalize compliance
       • Free up resources to address areas that are not global
     • Challenges
       • Different laws; different requirements
       • Need to leverage less rigorous elements where possible
       • Marketing, cookie consent

  21. Data Protection Impact Assessment
     What is it?
     • An internal document to help you assess the privacy risks of existing and future products/services, and develop strategies to address such risks
     How/Why to Make it Global?
     • DPIAs are only required by the GDPR for certain high-risk processing activities, but…
     • Even if not officially required under US law, the DPIA process serves as a key component of privacy and security by design
     • They don’t have to be lengthy: it is possible to create a lightweight, standardized documentation system for evaluating most privacy decisions where a specific type of DPIA is not required
     • Great for historical reference and to drive accountability
     • Drive internal alignment on privacy risks and allow for consistent application of internal privacy/security controls
     • Flexible if new requirements are adopted; teams will already be habituated to the practice

  22. Global Data Protection Addendum
     What is it?
     • A contractual addendum to an agreement that governs the privacy/security obligations of the parties with respect to the processing of personal information
     • Have one version that can be presented by a vendor to its customers, and one version that a company can present to its downstream vendors
     How/Why to Make it Global?
     • Required by the GDPR and other global privacy laws (and CCPA requires a written contract with service providers)
     • Make it global to avoid more amendments!
     • Carefully tailor scope/definitions to be broad enough to work under various privacy regimes, while also making clear that the DPA only applies to data in scope for each law
     • Many provisions work across jurisdictions/laws:
       • Use restrictions
       • Deletion rights
       • Breach notification and security

  23. Individual Rights
     What is it?
     • Many laws contain a variety of rights for individuals with respect to their data, e.g., access, deletion, rectification, objection, portability
     How/Why to Make it Global?
     • Consider working from one playbook with different templates/processes for different jurisdictions
     • OR, consider whether to apply rights globally so you do not have to pivot when the next law is adopted
       • Even if you don’t hold yourself to precise strictures globally (e.g., timelines)
     • Develop consumer dashboards
       • This can enable customization based on the law
       • You might offer marketing opt-outs in Iowa, access in California and objection to processing in the EU
