Crash Course: California Consumer Privacy Act Overview David - - PowerPoint PPT Presentation


Crash Course: California Consumer Privacy Act Overview David Zetoony Partner & Co-Chair of Global Data Privacy and Security Team 1 Agenda The History of the CCPA Scope of the CCPA What it requires businesses to do.


SLIDE 1

Crash Course: California Consumer Privacy Act Overview

David Zetoony Partner & Co-Chair of Global Data Privacy and Security Team

SLIDE 2

Agenda

  • The History of the CCPA
  • Scope of the CCPA
  • What it requires businesses to do.
    – Policy 1: Privacy Notices
    – Policy 2: Data Subject Request Protocols
    – Policy 3: Anti-Discrimination
    – Policy 4: Written Information Security Programs
    – Policy 5: Incident Response Policies
    – Policy 6: Vendor Management
    – Policy 7: Cookie Banner and Cookie Policy

SLIDE 3

History

SLIDE 4

CCPA amended

  • Sept. 2019:
    – AB 25 delays some rights as to employees
    – AB 874 modifies definition of personal information
    – AB 1146 exempts motor vehicle records
    – AB 1202 requires registration of data brokers
    – AB 1355 modifies financial incentive exception; delays some rights as to business contacts
    – AB 1564 scales back methods of submitting data subject requests for eCommerce only businesses

Attorney General Proposed Regulations October 11, 2019

  • No exemptions for adTech
  • No clarification concerning the extent to which cookies are / are not personal information
  • No clarifications concerning the implications of the CCPA on behavioral advertising

What’s next??????

SLIDE 5

Scope of the CCPA

  • Applies extraterritorially to all entities that do “business in the state.”
  • Exempts some small businesses, such that it only applies if:

SLIDE 6

Scope of the CCPA – Effective Dates

  • January 1, 2020: Date most provisions become law, and plaintiffs can seek money for data breaches
  • July 1, 2020: Date the Attorney General can bring enforcement actions.

SLIDE 7

Scope of CCPA – What is “Personal Information”?

“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following: (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers… (on and on)

CCPA 1798.140(o)(1)

SLIDE 8

What does the CCPA require businesses to do?

SLIDE 9

Policy 1: Information Notices

There were several laws in the United States that required companies to provide an information notice or a privacy policy:

  • COPPA
  • HIPAA
  • GLBA
  • FERPA
  • State Laws Concerning Online Collection of Information
  • State Laws Concerning Collection of SSN

SLIDE 10

Policy 1: Information Notices

How does the CCPA change existing law?

Business requirements (columns compared: US federal laws, Most US state laws, GDPR, CCPA):

  • Applies to a broad range of companies and not limited to distinct industries e.g. finance
  • Applies to the collection of personal information online and offline
  • Provide detailed information on how they use and process the personal information they collect
  • Notify individuals about a right to access information they hold about them
  • Notify individuals about a right to have their information deleted
  • Include a ‘Do not sell my personal information’ link on websites and privacy notices
  • Describe the information that they share with service providers
  • Describe the types of entities to whom they sell information

SLIDE 11

What should companies do?

Policy 1: Information Notices

SLIDE 12

Policy 2: Data Subject Request Protocols – Comparison to current laws

Access Personal Information Delete Personal Information Opt-Out of Sale of Information

HIPAA FERPA GDPR COPPA Ca Eraser Button Law GDPR ~GLBA (sharing) ~Cal Financial Info Privacy Act (Sharing)

SLIDE 13

Policy 2: Data Subject Request Protocols

What should companies do?

SLIDE 14

Policy 3: Marketing Practices

“(1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.”

CCPA 1798.125(a)

SLIDE 15

Policy 3: Marketing Practices

Practical areas where discrimination may be occurring for some businesses:

  • Loyalty programs
  • Exclusive deals in mailing lists

SLIDE 16

Policy 3: Marketing Practices

What should companies do?

SLIDE 17

Policy 4 & 5: WISP and IRP

  • The CCPA does not require that an organization implement a written information security program or implement an incident response plan.
  • The CCPA does create statutory damages if there is a data breach that is “a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

SLIDE 18

Policy 4 & 5: WISP and IRP

  • How does this compare with existing European law?

SLIDE 19

Policy 4 & 5: WISP and IRP

  • What should a company do?

SLIDE 20

Policy 6: Vendor Management

The CCPA defines a “service provider” as “’Service provider’ means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”

CCPA 1798.140(v)

SLIDE 21

Policy 6: Vendor Management

What should a company do?

SLIDE 22

Policy 7: Cookie Banner and Cookie Policy

SLIDE 23

Policy 7: Cookie Banner and Cookie Policy

Third-party advertising cookies, tags, and pixels form the core of modern online behavioral advertising and are deployed by media publishers and advertisers alike:

SLIDE 24

Biographies

David Zetoony
Partner
Chair, Data Privacy & Security Team
Bryan Cave Leighton Paisner LLP
Washington, D.C. / Boulder, Colorado
202 508 6030
David.Zetoony@bclplaw.com

David Zetoony is the leader of the firm's global data privacy and security practice. He has extensive experience advising clients on how to comply with state and federal privacy, security, and advertising laws, representing clients before the Federal Trade Commission, and defending national class actions. He has assisted hundreds of companies in responding to data security incidents and breaches, and has represented human resource management companies, financial institutions, facial recognition companies, and consumer tracking companies before the Federal Trade Commission on issues involving data security and data privacy.