California Consumer Privacy Act Countdown to Compliance Anthony M. - - PowerPoint PPT Presentation



SLIDE 1

fisherphillips.com

California Consumer Privacy Act Countdown to Compliance

www.fisherphillips.com

Anthony M. Isola

aisola@fisherphillips.com (415) 490-9018

SLIDE 2

Topics

  • How the Law Came Into Effect
  • Who Must Comply With the Law
  • How to Comply with Requirements for Employees and Job Applicant Data
  • What Are the New Rights Consumers Have to Their Data
  • How to Comply with Requirements for Consumer Data (of Non-Employees and Non-Job Applicants)
  • Anticipated Changes in the Law, Including AG’s Revised Proposed Regulations, Issued on Friday Feb. 7.

SLIDE 3

“Cyberweapons and sophisticated hacking pose a greater threat to the United States than the risk of physical attacks.”

Kirstjen Nielsen, Secretary of Homeland Security, in a speech at GW University, September 5, 2018

SLIDE 4

Consumer Privacy is a Hot Topic

  • The public is keenly aware of this issue and driving discussion:
      • Data breaches.
      • Data collection and sharing (Facebook, Google, etc.).
      • Targeted advertising.
  • Increasing protections for consumers polls well with the public.

SLIDE 5

This Is a Global Issue

General Data Protection Regulation (GDPR)

  • Effective May 2018.
  • Regulates data protection and privacy for all citizens of the EU and the European Economic Area (EEA).
  • Also addresses transfer of personal data outside of the EU and EEA areas.

SLIDE 6

California Consumer Privacy Act AB 375

Bill History

How did this Bill Come to be Law?

  • Alastair Mactaggart, a rich real estate developer, self-funded a ballot measure that would have implemented an even tougher law than the one that was passed.
  • Because the state legislature would have become irrelevant regarding privacy if the measure passed, the state lawmakers passed AB 375.

SLIDE 7

Whom Does the Law Protect?

Applies To

  • All California residents, including:
      • Customers
      • Employees
      • Visitors to a company internet site or building
      • Contractors and independent contractors
      • Vendors

It’s not just your “customer’s” data.

SLIDE 8

Whom Does the Law Apply To?

Applies To

All companies that collect California residents’ data and:

  • Have annual gross revenues in excess of $25,000,000.

-OR-

  • Annually buy, receive, sell or share for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households or devices.

-OR-

  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

SLIDE 9

Whom Does the Law Apply To?

Applies To

This includes:

  • Companies directing that others collect the information on their behalf
  • “Controlled” Affiliates
  • “Controlled” companies or non-profits that share common branding

SLIDE 10

What Types of Information Does the Law Apply To?

Protects

  • “Personal Information” of California Residents:
      • Online AND offline; paper AND electronic.
      • Much broader than typical “PII.”
      • Essentially, most information that could identify an individual OR be used in conjunction with other information to identify an individual.

SLIDE 11

What is Personal Information?

Personal Information

  • Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • Inferences drawn from any PI to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

SLIDE 12

Examples of Personal Information:

Personal Information

  • Identifiers such as a real name, alias, postal address, username, online identifier (IP address), email address, SSN, driver’s license number, passport number, etc.
  • Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.

SLIDE 13

Limited Exemptions from Personal Information:

Personal Information

  • Publicly available information
  • Certain types of “regulated” information
      • HIPAA-regulated info
      • FCRA-regulated consumer/credit reports
      • Info regulated under Gramm-Leach-Bliley Act
  • PI of employee/agent of business collected solely in context of a B-to-B transaction

SLIDE 14

What rights does this law confer to consumers?

Rights

  • Right to know
  • Purpose limitation
  • Right to deletion
  • Right to opt-out of sale
  • Right to be free of discrimination
  • Regulatory enforcement
  • Private right of action (limited)
SLIDE 15

A Temporary Break for Employers

  • CCPA Amended in October 2019 (AB 25)
  • Originally intended to exempt employee data collected by employers for employment purposes.
  • After it passed the Assembly, there was late opposition from labor groups.
  • Compromise: postpone by one year (until 1/1/2020) all requirements for employee data except 2.

SLIDE 16

AB 25 – Amends the CCPA

  • 2 requirements still go into effect 1/1/2020 with respect to employee/job applicant data:
      • Reasonable security measures to protect employee data (both physical and electronic).
      • Disclosure of categories of PI collected and the business purposes for which it is collected.

SLIDE 17

How Do You Comply with Applicant and Employee Requirements of CCPA?

  • Data Mapping
      • Thorough inventory of data.
      • How is data collected?
      • Where is data stored (electronic and paper form)?
      • What is the business purpose?
      • Who are the third parties with whom the data is shared?

SLIDE 18

How Do You Comply with Applicant and Employee Requirements of CCPA?

  • Implement reasonable security measures.
      • Conduct an internal or external security assessment of your security measures and data retention practices with respect to employee and applicant data.
      • Draft and implement a data security policy.
SLIDE 19

How Do You Comply with Applicant and Employee Requirements of CCPA?

  • Implement reasonable security measures (continued)
      • Conduct due diligence on your service providers to whom you disclose any employee information.
      • For contracts with third parties with whom you share employee or applicant info, confirm the contracts have CCPA-required language.

SLIDE 20

How Do You Comply with Applicant and Employee Requirements of CCPA?

  • Distribute employee and job applicant disclosures.
      • The disclosure must be comprehensive.
      • The disclosure must specify the information that is collected and the business purpose for which the company uses the information.
      • You are prohibited from collecting and using any PI that you don’t list in the disclosure.

SLIDE 21

What about CCPA for Consumers?

  • Effective 1/1/2020, a covered business also has to comply with all the requirements of the CCPA pertaining to data collected about CA non-employee and non-applicant consumers.
  • This includes data collected about CA households or devices through the company website that any member of the public can visit.

SLIDE 22

What rights does this law confer to consumers?

Rights

  • Right to know
  • Purpose limitation
  • Right to deletion
  • Right to opt-out of sale
  • Right to be free of discrimination
  • Regulatory enforcement
  • Private right of action (limited)
SLIDE 23

Right to Know

Rights

  • Businesses will have to inform consumers, at or before the point of collection, what categories of PI they collect and the business’s purpose in collecting that information.
  • Businesses will have to provide information within 45 days of receiving a verifiable consumer request.

SLIDE 24

Right to Know

Rights

  • Consumers can request up to 2X per year
      • Categories of PI you collected or have
      • Purposes for which each category of PI is used
      • Categories of sources from which you got that PI
      • Whether the PI is being disclosed or sold
      • Categories of third parties to whom the PI is being disclosed or sold
  • Right to access, free of charge, the specific pieces of PI you collected
SLIDE 25

Purpose Limitation

  • Information must generally be used for company’s operational purposes or other notified purposes that are reasonably necessary and proportionate to the purpose for which the data was collected.
  • Businesses cannot use the data for a purpose not disclosed – additional disclosure will be needed.
  • Businesses cannot collect additional categories of personal information without providing notice.

SLIDE 26

Right to Deletion

Rights

  • The right to have their data deleted, upon request, unless it “is necessary for the business to maintain the consumer’s personal information.”

SLIDE 27

Reasons to Refuse Deletion Request

For example:

  • Comply with a legal obligation.
  • Find, prevent or prosecute security breaches.
  • “Enable solely internal uses that are reasonably aligned with the consumer’s expectations.”
  • “Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”

SLIDE 28

Right to be Free of Discrimination

Rights

  • Business must provide equal service and pricing to consumers regardless of whether they exercise their rights under the CCPA.
  • Some provision to allow business to “pay” consumers who allow greater use of PI.

SLIDE 29

Right to Opt Out of Sale

Rights

  • The right to say no to the sale of PI.
  • “Do Not Sell My Personal Information.”
  • Definition of “selling” is broad – disclosing PI to a third party in exchange for any valuable consideration, not just money.

SLIDE 30

Targeted Online Advertisements

  • CCPA defines “sale” broadly to include any sharing of data for some form of value.
  • Online advertising often involves data sharing for commercial purposes.
  • Creates challenges for deletion of data identified only by “cookies.”

SLIDE 31

How Do You Comply with CCPA for Consumers?

How To Comply

  • Data Mapping.
      • Thorough inventory of data, including collection, storage and uses.
  • Implement Reasonable Security Measures.
SLIDE 32

How Do You Comply with CCPA for Consumers?

How To Comply

  • Privacy Policy
      • Including conspicuous link to privacy policy on company’s website
  • Implement Methods to Receive, Track and Respond to Consumer Requests:
      • Requests to Know
      • Requests to Delete
      • Requests to Opt Out of Sale
SLIDE 33

You need to be able to track

Tracking Requests

  • Do not sell requests
  • Opt-in authorizations (for under 16s)
  • Deletion requests
  • Access (copies) requests
  • Along with your response
SLIDE 34

Non-compliance – Consequences

Liability

  • Civil penalties from an AG action up to $7,500 per violation.
  • Private right of action in case of a breach up to $750 per consumer per incident, or actual damages.
  • 30-day right to cure, but how do you cure a breach?

SLIDE 35

Proposed AG Regulations

  • Issued on October 10, 2019.
  • Issued revisions on February 7, 2020.
  • AG stated plans to finalize regulations in the spring.
  • AG does not enforce until July 2020, but hinted he may take enforcement actions for conduct between January 2020 and July 2020.

SLIDE 36

Proposed AG Regulations

Some Good Clarifications:

  • Provides clear instructions on what has to be provided in privacy policies and initial notices.
  • Says the initial notice may be provided via a link to a privacy policy posted on a website.
  • Clear deadlines for businesses to comply with consumer requests.

SLIDE 37

Proposed AG Regulations

But Also Some NEW Requirements:

  • Disclosure must link categories of personal information to the purposes for which they will be used.
  • Other detailed content to include in privacy policies and initial disclosures.
  • Cannot use collected information for a purpose not noticed without new notice and opt-in.
  • Businesses that collect data from over 4 million consumers have new reporting requirements.

SLIDE 38

We’re Not Done Yet!

New CCPA Ballot Measure Filed for 2020

  • California Privacy Rights and Enforcement Act of 2020 (CPREA).
  • Same proponent as the initial ballot measure that led to CCPA.
  • Business community currently seeking to negotiate changes to ballot measure.

SLIDE 39

[Proposed] California Privacy Rights and Enforcement Act of 2020 (CPREA)

  • Expanded disclosures and notices
  • Expanded obligations for “sensitive” information and minors’ PI
  • New right to “correction”
  • New privacy duties for businesses – “data minimization” and “data accuracy”
  • Security assessment and privacy audits for “large data processors” (PI of more than 5 million CA residents)
  • New enforcement agency – California Privacy Protection Agency
SLIDE 40

SLIDE 41

California Consumer Privacy Act

  • Enacted in June 2018
  • Effective 1/1/2020; enforcement starts 7/1/2020
  • Applies to businesses based on certain factors
  • Disclosure requirement at or before collecting information from consumers
  • Gives a number of rights to consumers
SLIDE 42

California Consumer Privacy Act

  • Expanded definition of “Personal Information” – applies to all paper and electronic info.
  • Requires adopting policies, procedures and tools to track what info is collected, deleted, and requested.

SLIDE 43

fisherphillips.com ON THE FRONT LINES OF WORKPLACE LAW TM

Final Questions?

Presented by:

Anthony M. Isola

aisola@fisherphillips.com (415) 490-9018