CCPA - How To Do It Tanya Forsheit, Chair, Privacy & Data - - PowerPoint PPT Presentation



SLIDE 1

CCPA - How To Do It

Tanya Forsheit, Chair, Privacy & Data Security Group, Frankfurt Kurnit Klein & Selz Beth Hill, General Counsel & Chief Compliance Officer, FordDirect Maggie Mansourkia Mobley, Advisor, Privacy Matters Privacy & Security Forum 2019, Pre-Conference Day Workshop

SLIDE 2

Practical Checklist: CCPA (v. GDPR)

SLIDE 3

GDPR and CCPA Checklist

Task | GDPR | CCPA
Determine If You Are a Data Controller or Data Processor, or Both | X |
Appoint a Data Protection Officer (DPO) | X |
Prepare Personal Data Inventories for Consumer and HR Personal Data | X | X
Identify Legal Bases for Data Processing | X |
Conduct Data Protection Impact Assessments (DPIAs) | X |
Review and Revise Privacy Notices | X | X
Review and Update Your Agreements (Upstream and Downstream) | X | X
Establish Procedures for Handling Data Subject/Consumer Requests to Exercise Rights/Do Not Sell | X | X
Implement Appropriate Data Security Measures | X | X
Train Your Personnel | X | X
Maintain Appropriate Documentation | X | X

SLIDE 4

What To Do Today!

  • Update vendor contracts
  • Data mapping & inventory
  • Update privacy and information security policies
  • Do Not Sell implementation
  • Loyalty program opt-in
  • Train personnel

SLIDE 5

Data Mapping to Assist in Disclosures

SLIDE 6

How to do it?

1. What data do we collect, use, share and transfer?
2. Who collects, processes, stores, shares and deletes it?
3. Where did we get the data from and where is it stored?
4. How did we get it?
5. When did we collect the data?

SLIDE 7

Consumer Rights

SLIDE 8

Consumer Requests - CCPA

  • Right of Access
    – The right of access under the CCPA allows a consumer to request disclosure from a business of the consumer’s personal information, including:
      (1) the categories of personal information;
      (2) the categories of sources from which the personal information is collected;
      (3) the business or commercial purpose for collecting or selling personal information;
      (4) the categories of third parties with whom the business shares personal information;
      (5) the specific pieces of personal information it has collected about that consumer.

SLIDE 9

Consumer Requests - CCPA

  • A Verifiable Consumer Request
    – 45-day clock with one allowable 45-day extension when “reasonably necessary”, with notice to the consumer.
    – The disclosure shall cover the 12-month period prior to the request.
    – “ . . . shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business . . .”

SLIDE 10

How to Do It?

  • Email box?
  • Privacy tech platform?
  • What matters?
  • Cultural fit of solution
  • Operational practicality over academic substance
  • Anticipate the worst case scenario
SLIDE 11

Contracts – Service Provider v. Third Party

SLIDE 12

Contractual Requirements

  • Business vs. Service Provider vs. Third Party
  • Contractual requirements
    – Use for business purposes only
    – Certification
    – No sales

SLIDE 13

Compare - DPA Requirements under GDPR

  • Article 28
    – Subject matter
    – Duration
    – Nature/purpose of processing
    – Types of data/categories of data subjects
    – Rights and obligations of the controller
    – Other

SLIDE 14

Are You Going to Revisit All those GDPR DPAs?

SLIDE 15

Do Not Sell Requests; Specific Application to Ad Tech

SLIDE 16

Exceptions - What’s Not a Sale?

  • Intentional disclosure per consumer direction, or use to intentionally interact with a third party, provided the third party does not also sell the personal information.
  • Use or sharing of an identifier to alert a third party that a consumer has opted out of the sale of their personal information.
  • Use or sharing with a service provider (which requires a contract documenting these restrictions) necessary to perform a business purpose if (i) notice is provided; and (ii) the service provider does not further collect, sell, or use the personal information except as necessary to perform the business purpose.
  • Transfer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business.

SLIDE 17

What About Ad Tech?


Financial Incentives; Specific Concerns for Loyalty Programs

SLIDE 21

I Want My Rewards!

SLIDE 22

Discounts

  • Can a consumer opt in to personalized digital advertising in exchange for free or discounted news?
  • Doesn’t that mean another person is being denied the same benefit if they opt out?
  • How to reconcile?

SLIDE 23

“Reasonable Security” Defense to Class Actions

SLIDE 24

“Reasonable Security”

  • Floor, not a ceiling
  • State data security laws
  • Federal Trade Commission Section 5 authority and enforcement actions/consent decrees
  • California Attorney General 2016 Annual Data Security Breach Report
  • Dual-factor authentication
  • Center for Internet Security (CIS) 20 Controls

SLIDE 25

Q&A

SLIDE 26

CCPA - How To Do It

Tanya Forsheit, Chair, Privacy & Data Security Group, Frankfurt Kurnit Klein & Selz Beth Hill, General Counsel & Chief Compliance Officer, FordDirect Maggie Mansourkia Mobley, Advisor, Privacy Matters Privacy & Security Forum 2019, Pre-Conference Day Workshop