CCPA - How To Do It Tanya Forsheit, Chair, Privacy & Data - PowerPoint PPT Presentation


  1. CCPA - How To Do It Tanya Forsheit, Chair, Privacy & Data Security Group, Frankfurt Kurnit Klein & Selz Beth Hill, General Counsel & Chief Compliance Officer, FordDirect Maggie Mansourkia Mobley, Advisor, Privacy Matters Privacy & Security Forum 2019, Pre-Conference Day Workshop

  2. Practical Checklist: CCPA (v. GDPR)

  3. GDPR and CCPA Checklist

     Task                                                                        | GDPR | CCPA
     ----------------------------------------------------------------------------|------|-----
     Determine If You Are a Data Controller or Data Processor, or Both           |  X   |
     Appoint a Data Protection Officer (DPO)                                     |  X   |
     Prepare Personal Data Inventories for Consumer and HR Personal Data         |  X   |  X
     Identify Legal Bases for Data Processing                                    |  X   |
     Conduct Data Protection Impact Assessments (DPIAs)                          |  X   |
     Review and Revise Privacy Notices                                           |  X   |  X
     Review and Update Your Agreements (Upstream and Downstream)                 |  X   |  X
     Establish Procedures for Handling Data Subject/Consumer Requests to         |  X   |  X
       Exercise Rights/Do Not Sell                                               |      |
     Implement Appropriate Data Security Measures                                |  X   |  X
     Train Your Personnel                                                        |  X   |  X
     Maintain Appropriate Documentation                                          |  X   |  X

  4. What To Do Today!
     • Update vendor contracts
     • Data mapping & inventory
     • Update privacy and information security policies
     • Do Not Sell implementation
     • Loyalty program opt-in
     • Train personnel

  5. Data Mapping to Assist in Disclosures

  6. How to do it?
     1. What data do we collect, use, share and transfer?
     2. Who collects, processes, stores, shares and deletes it?
     3. Where did we get the data from and where is it stored?
     4. How did we get it?
     5. When did we collect the data?

  7. Consumer Rights

  8. Consumer Requests - CCPA Right of Access
     • The right of access under the CCPA allows a consumer to request disclosure from a business of the consumer’s personal information, including:
       (1) the categories of personal information;
       (2) the categories of sources from which the personal information is collected;
       (3) the business or commercial purpose for collecting or selling personal information;
       (4) the categories of third parties with whom the business shares personal information;
       (5) the specific pieces of personal information it has collected about that consumer.

  9. Consumer Requests - CCPA: A Verifiable Consumer Request
     • 45-day clock, with one allowable 45-day extension when “reasonably necessary”, with notice to the consumer.
     • The disclosure shall cover the 12-month period prior to the request.
     • “ . . . shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business . . .”

  10. How to Do It?
     • Email box?
     • Privacy tech platform?
     • What matters?
     • Cultural fit of solution
     • Operational practicality over academic substance
     • Anticipate the worst case scenario

  11. Contracts – Service Provider v. Third Party

  12. Contractual Requirements
     • Business vs. Service Provider vs. Third Party
     • Contractual requirements:
       – Use for business purposes only
       – Certification
       – No sales

  13. Compare - DPA Requirements under GDPR Article 28
     • Subject Matter
     • Duration
     • Nature/Purpose of Processing
     • Types of data/categories of data subjects
     • Rights and obligations of the controller
     • Other

  14. Are You Going to Revisit All those GDPR DPAs?

  15. Do Not Sell Requests; Specific Application to Ad Tech

  16. Exceptions - What’s Not a Sale?
     • Intentional disclosure per consumer direction, or use to intentionally interact with a third party, provided the third party does not also sell the personal information.
     • Use or sharing of an identifier to alert a third party that a consumer has opted out of the sale of their personal information.
     • Use or sharing with a service provider (which requires a contract documenting these restrictions) necessary to perform a business purpose if (i) notice is provided; and (ii) the service provider does not further collect, sell, or use the personal information except as necessary to perform the business purpose.
     • Transfer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.

  17. What About Ad Tech?

  18. Financial Incentives; Specific Concerns for Loyalty Programs

  19. I Want My Rewards!

  20. Discounts
     • Can a consumer opt in to personalized digital advertising in exchange for free or discounted news?
     • Doesn’t that mean another person is being denied the same benefit if they opt out?
     • How to reconcile?

  21. “Reasonable Security” Defense to Class Actions

  22. “Reasonable Security”
     • Floor, not a ceiling
     • State Data Security Laws
     • Federal Trade Commission Section 5 authority and enforcement actions/consent decrees
     • California Attorney General 2016 Annual Data Security Breach Report
     • Dual Factor Authentication
     • 20 Center for Internet Security Controls

  23. Q&A
