Beyond CCPA Melissa Maalouf ZwillGen Kandi Parsons ZwillGen Matt - - PowerPoint PPT Presentation


SLIDE 1

Beyond CCPA

Melissa Maalouf

ZwillGen

Kandi Parsons

ZwillGen

Matt Scutari

Optimizely

Jim Trilling

Federal Trade Commission

(Disclaimer: The views expressed in this presentation are Jim’s as an FTC staff attorney and do not necessarily reflect the views of the Commission or any individual Commissioner)

SLIDE 2

Agenda

  • How did we get here?
  • Structuring and Defining Your Privacy Program
  • Embedding Core Privacy/Security Principles Into Your Program

  • Regulatory Predictions and Preparedness
  • Questions
SLIDE 3

How Did We Get Here?

SLIDE 4

Beyond CCPA

Previous Privacy Regimes

  • Traditional view was that there was a class of data called personally identifiable information that identified users on its face, usually by name, contact information, or government identifiers
  • Laws governing the privacy of personal information were sector-specific
  • healthcare (HIPAA), finance (GLBA), credit information (FCRA), education (FERPA) and children’s information (COPPA)
  • State data breach and security laws
  • Some notice requirements (CALOPPA and Shine the Light)
  • Regulators used UDAP authority to develop privacy principles for companies outside these regulated spaces
SLIDE 5

Beyond CCPA

May 25, 2018: EU General Data Protection Regulation (GDPR), a comprehensive privacy law with broad territorial scope takes effect, after 8 years of drafts and negotiations

  • Privacy of personal information across sectors
  • Related to an identified or identifiable person
  • Vendor management
  • Comprehensive data subject rights (access, deletion, rectification)

  • Transparency
  • Legal bases for processing data
  • Rigorous consent
  • Required risk analysis (DPIA)
  • Controller/processor distinction
SLIDE 6

Beyond CCPA

Major privacy/security issues make headline news

  • High profile data breaches
  • Cambridge Analytica
SLIDE 7

Beyond CCPA

CCPA: the closest thing to a comprehensive privacy law in the US is passed, but, as opposed to GDPR, only 3 weeks in the making. Similar to GDPR (access, deletion, transparency), but with some key differences:

  • Applies to data reasonably capable of being associated with a consumer or household
  • Contains different exceptions to data subject rights
  • Does not have the concept of a data controller v. data processor
  • Contains more rigid restrictions on sharing data with third parties for commercial purposes – called “sales”
  • Does not require “legal bases” for collecting and using data
  • Does not require the same types of comprehensive and robust documentation and recordkeeping

SLIDE 8

Beyond CCPA

What’s Coming Next?

  • Copycat state laws, or worse, laws with inconsistent requirements?
  • US federal privacy legislation?
  • What will it regulate? Collection, use, sharing, all?
  • How will it interact with/preempt existing laws?
  • Will there be a private right of action? How broad?
  • Who will enforce?

How does a company future-proof its privacy program to comply with existing rules and also be ready for future rules?

  • Carefully structure and define your privacy program
  • Ensure core privacy/security principles are embedded in your program
  • Predict and prepare for future enforcement trends
SLIDE 9

Defining Your Privacy Program

SLIDE 10

What is(n’t) a Privacy Program?

It’s not a legal function… It’s not a compliance function… It’s not a security function…

SLIDE 11

What is a Privacy Program?

A privacy program is your organization’s privacy and data protection quarterback

  • Privacy / Data Governance
  • Operations
  • Culture + Awareness
SLIDE 12

Governance

Governance: Driving cross-functional alignment on decisions with privacy impact

  • Develop strategy
  • Facilitate and guide product and business decision making
  • Document and enforce policies, standards, and procedures
SLIDE 13

Operations

Operations: Implementation and maintenance of processes that resolve issues or manage risk

  • Track and drive implementation of product and business decisions
  • Ensure policies don’t go stale and key processes remain efficient and effective

SLIDE 14

Culture + Awareness

Culture: Building a company-wide culture of privacy

  • Foster company-wide awareness of key privacy concepts
  • Educate key stakeholders on relevant policies and procedures
  • Enlist “privacy champions” to help scale your program’s efforts
SLIDE 15

Organizational Structure

No perfect option, but some to consider:

  • Legal
  • Security
  • Product

Regardless of where the program sits, your goal should be to become embedded with key product/business partners!

SLIDE 16

Hiring Privacy Program Managers

Three key traits to look for (two out of three is great!):

  • Privacy subject-matter expertise
  • Industry/sector expertise
  • Project management skills

Look internally!

SLIDE 17

Embedding Core Privacy/Security Principles into Your Program

SLIDE 18

Increase the Value of Privacy Internally

  • Avoiding risk (e.g., breach, regulatory scrutiny) is one consideration, but sound privacy decisions have real business value too!
  • Examples:
  • Data minimization can save resources on compliance and access/deletion
  • Stronger policies can facilitate deals
  • Transparency reduces upset consumers/customers
  • A privacy protective approach can create market differentiation or a competitive advantage
SLIDE 19

Speak the Same Language

Get Your Organization on the Same Page, across all levels and roles

  • Do your engineers, sales reps, and recruiters all know what you mean when you talk about “personal data” or “sale”? (They probably don’t)
  • Focus culture and awareness efforts to ensure everyone understands one another
  • Work from the same language and playbook
  • Align on key definitions with legal and security, and then educate everyone else
  • Consider privacy by design training (along with some legal training) to help teams understand the basis for what you’re advising/asking
  • With privacy now a cross-functional task, it is important to train at all levels
  • CCPA requires employee training for those that will be receiving/handling access/deletion requests, and GDPR requires general training too

SLIDE 20

Develop Global Solutions if Possible

  • While there are many different privacy laws across the globe, most have the same core tenets – transparency, consumer choice/rights, data minimization, sound security

  • Benefit of global solutions
  • Apply across jurisdictions, products, and time (hopefully)
  • Require refinement but not overhaul
  • Easier to operationalize compliance
  • Free up resources to address areas that are not global
  • Challenges
  • Different laws; different requirements
  • Need to leverage less rigorous elements where possible
  • Marketing, cookie consent
SLIDE 21

Data Protection Impact Assessment

What is it?

  • An internal document to help you assess the privacy risks of existing and future products/services, and develop strategies to address such risks

How/Why to Make it Global?

  • DPIAs are only required by the GDPR for certain high-risk processing activities, but….
  • Even if not officially required under US law, the DPIA process serves as a key component of privacy and security by design
  • They don’t have to be lengthy – it is possible to create a lightweight, standardized documentation system for evaluating most privacy decisions where a specific type of DPIA is not required
  • Great for historical reference and to drive accountability
  • Drive internal alignment on privacy risks and allow for consistent application of internal privacy/security controls
  • Flexible if new requirements are adopted; teams will already be habituated to the practice

SLIDE 22

Global Data Protection Addendum

What is it?

  • A contractual addendum to an agreement that governs the privacy/security obligations of the parties with respect to the processing of personal information
  • Have one version that can be presented by a vendor to its customers, and one version that a company can present to its downward vendors

How/Why to Make it Global?

  • Required by the GDPR and other global privacy laws (and CCPA requires a written contract with service providers)
  • Make it global to avoid more amendments!
  • Carefully tailor scope/definitions to be broad enough to work under various privacy regimes, while also making clear that the DPA only applies to data in scope for each law

  • Many provisions work across jurisdictions/laws
  • Use restrictions
  • Deletion rights
  • Breach notification and security
SLIDE 23

Individual Rights

What is it?

  • Many laws contain a variety of rights for individuals with respect to their data – e.g., access, deletion, rectification, objection, portability

How/Why to make it global?

  • Consider working from one playbook with different templates/processes for different jurisdictions
  • OR, consider whether to apply rights globally so you do not have to pivot when the next law is adopted
  • Even if you don’t hold yourself to precise strictures globally (e.g., timelines)
  • Develop Consumer Dashboards
  • This can enable customization based on the law
  • You might offer marketing opt outs in Iowa, access in California and objection to processing in the EU
SLIDE 24

Transparency

What is it?

  • The core component of transparency is a company’s consumer-facing privacy policy

How/Why to Make it Global?

  • Core privacy concepts apply globally—what you collect, how you use it, with whom you share it, and how you protect it
  • Maintaining one, comprehensive global company privacy policy:
  • Is easier to update
  • Can drive consistency across all business units and global offices
  • Is easier for consumers to understand (avoids questions like “why are they treating EU users differently?”)
  • Alternative -- can consider layered policies for different jurisdictions or different components, while still maintaining a single core document

SLIDE 25

Don’t Forget Security!

What is it?

  • The standard—everywhere—continues to be reasonableness
  • GDPR increased notification pressure
  • 72 hour requirement
  • CCPA added a data breach PRA for breach of certain personal information
  • Privacy and security go hand in hand!!

How/Why to Make it Global?

  • Having a global security posture makes sense
  • High-level, risk-based security requirements and principles
  • Technical and organizational measures to ensure a level of security commensurate with the risk, combined with frequent testing

  • Assess and update ISPs and IRPs
  • Security training and tabletop exercises
SLIDE 26

Regulatory Predictions and Preparedness

SLIDE 27

FTC Background

  • Independent law enforcement agency
  • Consumer protection and competition mandate

  • New roster of Commissioners in 2018
  • Enforcement, Education and Outreach, Policy Initiatives

SLIDE 28

FTC Privacy Enforcement

  • Federal Trade Commission Act Section 5
  • Children’s Online Privacy Protection Act
  • Fair Credit Reporting Act
  • Gramm-Leach-Bliley Act Privacy and Safeguards Rules
SLIDE 29

FTC Education and Outreach

  • Annual Privacy & Data Security Update
  • FTC Business Blog: ftc.gov/subscribe
  • FTC Business Center: business.ftc.gov
SLIDE 30

FTC Policy Initiatives

  • 2018-19 Series of Public Hearings on Competition and Consumer Protection in the 21st Century
  • COPPA Rule Review and October 2019 COPPA Workshop

  • FTC Congressional Testimony
SLIDE 31

Questions + Contact

Melissa Maalouf

Shareholder ZwillGen 202 706 5212 melissa@zwillgen.com

Kandi Parsons

Shareholder ZwillGen 202 706 5213 kandi@zwillgen.com

Matt Scutari

Privacy Director Optimizely

Jim Trilling

Attorney, Division of Privacy and Identity Protection Federal Trade Commission

jtrilling@ftc.gov