Hardest Things About CCPA - PowerPoint PPT Presentation


SLIDE 1

Privacy & Security Academy

October 15, 2019

Hardest Things About CCPA

SLIDE 2

Introduction

SLIDE 3

FENWICK & WEST | Privacy & Security Academy

Participants

Industry Professionals

  • Aaron Ting, Lead Counsel, Product & Privacy, Facebook
  • Tiffany Morris, General Counsel & Vice President of Global Privacy, Lotame
  • Michael McCullough, Chief Privacy Officer & Data Risk, Macy’s

Fenwick

  • Lael Bellamy, Director, Privacy and Cybersecurity Practice, Fenwick & West

SLIDE 4

Legislative History of the California Consumer Privacy Act


June 28, 2018

  • Governor signed the California Consumer Privacy Act (“CCPA”) into law

August 31, 2018

  • CCPA is effective Jan. 1, 2020, but the CA legislature passed “technical corrections” to clarify the CCPA and extend the enforcement date to as late as July 1, 2020.
  • Note: the Jan. 1, 2020 date still governs DSARs and the private right of action for breaches.

September 25, 2019

  • Californians for Consumer Privacy file a new ballot measure called the California Privacy Rights and Enforcement Act

October 10, 2019

  • AG releases proposed CCPA regs; comment period ends Dec. 9, 2019

October 13, 2019

  • Gov. Newsom signs seven CCPA-related amendments

While the CCPA effective date is less than three months away, there are steps you can take now.


SLIDE 5

CCPA Highlight Reel

Comprehensive

  • The California Consumer Privacy Act (AB 375 or CCPA) is the most comprehensive data privacy regulation to date in the United States.

New Consumer Rights

  • Affords a consumer (i.e., a natural person who is a California resident) the right to:
  • know how and what personal data companies collect and how it is used
  • access and/or delete it
  • opt out of the “sale” of personal information to third parties
  • not be subject to discriminatory pricing if they exercise their rights
  • Prohibits knowingly selling personal data of children under 16 (exceptions – consent and parental consent)

Personal Information Broadly Defined

  • Substantially broadens the definition of “personal information”

Fines and Private Right of Action

  • Fines of up to $7,500 per intentional violation, which could be assessed per record or customer file – no cap!
  • Includes a private right of action for data breaches if a company fails to maintain reasonable security

SLIDE 6

Expert Roundtable

SLIDE 7

Tip #1 – Start Privacy Policy Disclosures & Other Forms of Notice

CCPA Requirement: Notice Requirements - 1798.100(b) and 1798.110(c)

  • A business must disclose the categories, sources and purposes of collection, the categories of third parties with whom information is shared, and the specific pieces of personal information the business has collected.

What Makes it Difficult.

  • Policy Governance and Proliferation – One or Multiple Policies: CA-specific flyout, state-by-state, CA plus EU (and Brazil) or global (translations)
  • Scope of Laws: CCPA covers consumers (CA residents) and households
  • Operationalizing requirements: Annual review of policy

Approaches Taken by Others.

  • Risk-Based Approach: Focus on high-risk activities, locations with the most users, sensitive data elements
  • Integrated Approach: One global policy with supplemental or just-in-time notices
  • Household Level: Identify information collected at household level previously not considered personal

Discussion Leader: Aaron Ting

Key Takeaway Tip – Update your policies and just-in-time notices. Put yourself in the consumer’s shoes; take an integrated approach depending on your business needs.

SLIDE 8

Tip #2 – Playing a High-Stakes Game - Don’t Wait & See (Mostly)

CCPA Requirement: Effective Date - 1798.198(a) and 1798.185(a)

  • 1/1/20 - Businesses must comply
  • 7/1/20 or Earlier - AG enforcement actions barred until the earlier of six months after publication of the final regulations or 7/1/20

What Makes it Difficult.

  • On one hand (reasons to wait) . . .
    • Not final (final regulations not available)
    • Uncertainty of new regs, the button and the new ballot initiative, even though the amendments are done
  • On the other hand (reasons to act) . . .
    • Risk of class actions (breach private right of action starts 1/1/20)
    • A one-year look-back (to 1/1/19 if someone asks for the categories of third parties with whom data was shared)

Approaches Taken by Others.

  • Start with commercial data (include data mapping and a third-party inventory)
  • Taking a wait-and-see approach

Discussion Leader: Michael McCullough

Key Takeaway Tip – Begin discussions with IT, product and marketing teams now.

  • Explore third-party solutions for AdTech

SLIDE 9

Tip #3 – Leverage GDPR & Prior Investments

Leverage GDPR & Prior Investments.

  • How to simultaneously prepare for CCPA, LGPD (Brazil), Nevada, and Maine

What Makes it Difficult.

  • No Energy/Money. People/management fatigued by (and budget spent on) GDPR implementation
  • Operational Challenges. Operationally difficult to address differences and exceptions
  • Risk Varies by Industry. Certain industries are in the cross-hairs
  • No Comprehensive Technological Tools or Solutions for the new requirements (though many are emerging)

Approaches Taken by Others.

  • Assess current programs, processes and procedures
  • Perform gap analysis and triage results
  • Prepare near- and long-term roadmaps

Discussion Leader: Tiffany Morris

Key Takeaway Tip – Map the differences between the requirements and your GDPR compliance controls, and leverage the similarities.

  • Overlap Areas: enhanced privacy policy, breach notification, data subject rights, contracts/DPAs, training
  • Key Differences: scope/definitions, exceptions, impact assessments (GDPR), Data Protection Officer (GDPR), “Do Not Sell My Information” button (CCPA) and non-discrimination (CCPA)

SLIDE 10

Tip #4 – Sale & Do Not Sell Button Architecture: What Happens?

CCPA Requirement: Sell - 1798.140(t); Do Not Sell - 1798.120(a)

  • Individuals are able to opt out of the sale or sharing of their personal information.
  • If you sell (or disclose) personal information “for monetary or other valuable consideration,” you will need to update your website to include a clear and conspicuous link that says: “Do Not Sell My Personal Information.”

What Makes it Difficult.

  • Uncertainty around what is “other valuable consideration” (and the impact on AdTech, analytics, health information exchanges/clinical trials, loyalty programs, and others).
  • Technology of what happens when the button is pushed (downstream and upstream communications).
  • Brand risk of the button (just because you retarget or share information does not mean you have a problem)

Approaches Taken by Others.

  • Manual Approach. Update processes, but take a manual approach until final regulations or enforcement.
  • Integration. Link the “Do Not Sell” button to customer and marketing databases (adding a 12-month no-contact period).
  • Tools and Industry Efforts. Consider tools and industry initiatives to help.

Discussion Leader: Aaron Ting

Key Takeaway Tip – Do not underestimate the complexity. One size does not fit all.

  • CA-Only Rights and Geofencing (difficult decision whether to offer different opt-in/opt-out rights/buttons to CA residents as compared to residents of other states or countries)

SLIDE 11

Tip #5 – Private Right of Action Strategy

CCPA Requirement: Unauthorized Access - 1798.150(a)(1)

  • “Any consumer whose nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following”

What Makes it Difficult.

  • Defining and Maintaining Reasonable Security at an Enterprise Level – the Center for Internet Security 20 Controls (Basic, Foundational and Organizational) are not consistent with FTC, SOC 2, ISO, or GAPP.
  • A Breach Is a Breach Is a Breach (Maybe) - Is AdTech sharing a data breach?

Approaches Taken by Others.

  • Update the incident response plan, and meet with the CISO to review the security program framework and certifications
  • War games to test entry points

Discussion Leader: Lael Bellamy

Key Takeaway Tip – Document security measures.

  • Map your security framework to the CIS 20 Controls. Most security programs do not operate against the CIS 20.

SLIDE 12

Tip #6 – The Definition of Personal Information and Data Mapping

CCPA Requirement: Definition of Personal Information - 1798.140(o). “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. CCPA expands the definition to encompass:

  • Geolocation
  • Unique identifiers (e.g., online identifiers and IP addresses, SSN, driver’s license or passport number, other)
  • Commercial information
  • Biometric information (e.g., DNA, face/voice prints, keystroke or gait patterns, sleep, health, exercise data)
  • Internet activity (e.g., browsing and search history and “information regarding a consumer’s interaction with an internet website, application or advertisement”)
  • Professional and educational information
  • Inferences (drawn from personal information to create a profile about a consumer’s “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes”)

What Makes it Difficult.

  • New/derived elements (often not identifying on their own) and derived data
  • Expansive and no longer a precise list of elements (as U.S. state breach laws and HIPAA are)

Discussion Leader: Tiffany Morris

SLIDE 13

Tip #6 (continued) – The Definition of Personal Information and Data Mapping

Approaches Taken by Others.

  • Borrowing from GDPR: data mapping, PIAs and vendor inventories
  • Manual approach and process initially; war gaming

Discussion Leader: Tiffany Morris

Key Takeaway Tip – Create and document manual processes and escalate privacy rights requests.

  • Mapping for the Expanded Definition of Personal Information. Update data classification, system surveys and privacy compliance processes (e.g., Privacy by Design, DPIA, recordkeeping) for California residents and households. Make sure to include the specific data elements explicitly listed under the CCPA as personal information, including geolocation, IP address, biometric information, professional or employment-related information, education information, browsing and search history, and other noted types of data.

SLIDE 14

Tip #7 – Vendor Contracts and New AdTech Arrangements

CCPA Requirement: Service Provider Liability - 1798.140(v)-(w)

  • The contract between a company and its service provider must explicitly prohibit the service provider from selling personal information or using it for secondary or its own purposes (with a certification by the recipient).
  • A service provider that violates these restrictions is itself liable; the company is not liable unless it had actual knowledge, or reason to believe, that the service provider intended to commit such a violation.

What Makes it Difficult.

  • Loss of Information Rights. A service provider under CCPA has limited use rights, which differs from a GDPR co-controller.
  • AdTech Paradigm/Compliance. Downstream consent is hard to obtain. No technical solution.

Approaches Taken by Others.

  • AdTech. More robust consent notices and industry solutions
  • Expand contract uses to include secondary and aggregated, de-identified uses (often reserved under GDPR)

Discussion Leaders: Michael McCullough / Tiffany Morris

Key Takeaway Tip – Companies and service providers need to update contracts to mutually define data uses.

  • Identify third parties receiving California data and supplement and update contracts (as needed). Begin tracking external data flows to understand the categories of personal data provided to third parties and whether those third parties make commercial use of the information (ask for more details if your vendor uses consumer data to “improve their product,” and update your contract terms). Many companies are leveraging the GDPR impact assessment process.

SLIDE 15

Tip #8 – Consumer Privacy Rights & Verification Requirements

CCPA Requirement: Consumer Privacy Rights - 1798.100(a) and 1798.105(c)

  • Under the CCPA, individuals may make access, portability and/or deletion requests.

What Makes it Difficult.

  • “Verifiable Consumer Request.” Verifying identity when only an email address is available, or handling household requests
  • Communicating Downstream Opt-Out Requests. Technology to support this communication is improving, but 90 days is hard.
  • Exceptions Vary. Differences under CCPA and GDPR; some GDPR exceptions are not available (e.g., fraud prevention).
  • Global Procedure Difficult. Different requirements, timing and exceptions globally, by sector and by state

Approaches Taken by Others.

  • Borrowing from GDPR: data mapping, PIAs and vendor inventories, leveraging or acquiring technology
  • Training. War gaming data subject requests (often combined with cyber simulations).
  • Automated Approaches. The recent regs require a “self-service” tool on websites or apps to enable Californians to access, download and request access to and/or deletion of their personal information.

Discussion Leader: Lael Bellamy

Key Takeaway Tip – Create and document manual processes, automate, and/or escalate rights requests to Legal.

  • Inventory PI and begin tracking data flows to be able to respond to requests from Californians (e.g., check your CRM, email management, sales leads, and data agreements). Once collected, migration to a tool is easier.

SLIDE 16

Tip #9 – How to Engage Children?

CCPA Requirement: Consumer - 1798.120(c)

  • The Right to Opt-In. The sale or sharing of personal information of children is restricted without an opt-in (ages 13-15) or parental consent (under 13).
  • Deemed Knowledge. “A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”

What Makes it Difficult.

  • Harder to Identify Children. Ages 13-15 overlap with adult content and activity.
  • General Audience Sites Harder to Claim. Age gating and targeting children under FTC and CCPA

Approaches Taken by Others.

  • Adding age gates, reviewing complaints and accounts, and/or making sites less child-oriented

Discussion Leader: Lael Bellamy

Key Takeaway Tip – Conduct a review with fresh eyes.

  • Reconsider in light of Musical.ly’s $5.7 million fine – broader interpretation of “directed at children,” which looks to site subject matter, visual content, animated characters, child-based activities/incentives, music/audio content, age of models, child celebrities, language, ad content and empirical evidence.

SLIDE 17

Tip #10 – No Discrimination & Disclosures

CCPA Requirement: Discrimination - 1798.125(a)(1)

  • “A business shall not discriminate against a consumer...by: (A) Denying goods or services to the consumer. (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. (C) Providing a different level or quality of goods or services to the consumer. (D) Suggesting that the consumer will receive a different price, rate, level or quality of goods or services.”

What Makes it Difficult.

  • Proposed regs require detailed calculations and disclosures
  • Releasing product demos in compliance with the anti-discriminatory differential pricing requirements
  • A new form of regulation based on the value of data, which is nearly impossible to calculate
  • The cost of collecting any one data element is negligible, while the value of the resulting data lake grows exponentially

Approaches Taken by Others.

  • Building multiple versions of the demo or searching for additional data sources
  • Obtaining consent, offering equivalent goods or services, and/or determining the value of personal data
  • Doing different things with the data based on people’s opt-outs (could open the company to scrutiny)

Key Takeaway Tip – Be careful about denying features not tied to the personal information.

SLIDE 18

QUESTIONS?

SLIDE 19

Appendix

SLIDE 20

Scope for the CCPA

The CCPA applies to corporate entities that do business in California and meet one or more of the following triggering thresholds:

(1) gross revenue over $25 million annually (collectively, in and out of California)
(2) buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers, households or devices
(3) derive 50% or more of annual revenues from selling consumers’ personal information

CCPA Applies

Protections afforded by the law apply only to California residents, regardless of whether the entity is headquartered inside or outside of California. Note: CCPA exempts data already regulated under HIPAA, GLBA, the clinical trials Common Rule (45 C.F.R. Part 46), and the Driver’s Privacy Protection Act.

SLIDE 21

PRIVILEGED & CONFIDENTIAL DRAFT – FOR DISCUSSION

CCPA Framework - 4 Core Areas for Enhancement & Implementation

To focus compliance efforts and support tiered reporting and structured resource allocation, we developed the following CCPA framework.

Core Areas & Categories (* indicates a GDPR potential point of leverage)

  • 4 Core Areas. We have organized CCPA requirements into 4 Areas, shown in the four colored boxes to the right, to facilitate comparison to GDPR requirements (and identify points of potential leverage).
  • 10 Categories. Within the Areas, we have identified 10 categories for which actions are needed to meet CCPA compliance by 1/1/20 (on this slide).
  • 19 Activities. We have subdivided the Categories into 19 remediation activities that can be prioritized, resourced, and reported on (see next slide).

  • 1. Notice & Choice: 1.1 Policies & Notices*; 1.2 Do-Not-Sell Button/Opt-Out
  • 2. Individual Rights: 2.1 Individual Rights Requests*; 2.2 Incentive Programs / Non-Discriminatory Pricing; 2.3 Incident Response*
  • 3. Processes: 3.1 Data Inventories; 3.2 Third-Party Data Flows & Contracts*; 3.3 Update Recordkeeping*
  • 4. Other Considerations: 4.1 Training; 4.2 Governance*

SLIDE 22

Implementation Approach – Overview of 19 Activities

Below, we have listed 19 common implementation activities for CCPA.

Area / Category / Activity

1. Notice & Choice
  1.1 Policies & Notices
    • 1. External Policies
    • 2. Just-in-Time Notices
    • 3. Employee Notices
  1.2 Do-Not-Sell Button/Opt-in/out
    • 4. Do-Not-Sell/Opt-in/out

2. Individual Rights
  2.1 Individual Rights Requests
    • 5. Request Processes
    • 6. Customer Service
  2.2 Incentive Programs and Pricing
    • 7. Incentive Programs / Non-Discriminatory Pricing
  2.3 Incident Response
    • 8. Incident Response

3. Processes
  3.1 Data Inventories
    • 9. Data Mapping
    • 10. Inventory
  3.2 Third-Party Data Flows & Contracts
    • 11. Partners
    • 12. Contracting
    • 13. Procurement Process
    • 14. Third-Party Review
  3.3 Recordkeeping
    • 15. Age-Gating
    • 16. Privacy Review

4. Other Considerations
  4.1 Training
    • 17. CCPA Training
    • 18. Supplementary Training
  4.2 Governance
    • 19. Governance

SLIDE 23

Example CCPA Implementation Project Plan

Below is an example of a CCPA implementation project plan. Activities are scheduled across four timeline columns: months 1-2, 3-4, 5-6 and 7-8.

Area / Category / Activity

1. Notice & Choice
  1.1 Policies & Notices: External Policies; Just-in-time Notices; Employee Notices
  1.2 Do-Not-Sell Button/Opt-Out: Do Not Sell/Opt-in/out

2. Individual Rights
  2.1 Individual Rights Requests: Request Processes; Customer Service
  2.2 Incentive Programs/Pricing: Incentives/Pricing
  2.3 Incident Response: Incident Response

3. Processes
  3.1 Data Inventories: Mapping; Inventory
  3.2 Third-Party Data Flows & Contracts: Partners; Contracting; Procurement Process; Third-Party Review
  3.3 Recordkeeping: Age-Gating; Privacy Review

4. Other Considerations
  4.1 Training: CCPA Training; Supplementary Training
  4.2 Governance: Governance

SLIDE 24

Fenwick’s Privacy & Cybersecurity Practice

  • Leading provider of assistance with global compliance, regulatory investigations and enforcements (e.g., assisting companies with the FTC, OCR, CFPB, SEC, Attorneys General, and others), with class action experience.
  • “One of the leading privacy & cybersecurity groups in the United States” – The Legal 500 (2018, 2019)
  • James Koenig “is exceedingly pragmatic and has a time-tested methodology to scope a project, evaluate risk and resolve issues.” – Chambers & Partners (2019)
  • Leader in developing innovative privacy and cybersecurity solutions for technology, biotech and many of the Fortune 500 companies.
  • Fenwick & West’s Privacy & Cybersecurity Practice uniquely brings together industry CPOs/CISOs, regulatory and consulting experts and data scientists to solve and implement today’s emerging privacy and security challenges.

SLIDE 25

Fenwick’s Privacy & Cybersecurity Practice

  • Regulatory & Compliance Expertise from Both Sides of the Table. Fenwick is a leading advisor for global compliance, regulatory investigations and enforcements. The firm regularly assists companies with regulatory matters involving the FTC, SEC, CFPB, Attorneys General, OCR, FCC, and others. Our team members draw on their experience working for, or serving as experts to, many of these agencies.
  • Top in Technology. Fenwick was recently named Technology Group of the Year by Law360 for the fifth consecutive year, which stated “Fenwick continues to be at the forefront of emerging technology.”
  • “Unicorns.” Fenwick is providing consulting and/or legal advisory services to more than 80% of unicorns (non-public technology companies with more than a billion-dollar valuation), in addition to dozens of leading public companies.
  • Customized Solutions. Fenwick’s extensive involvement with leaders across technology and other industries allows us to develop solutions that reflect best practices for common compliance challenges (e.g., CCPA, GDPR, Privacy Shield, privacy program development, third-party privacy risk management) and that are also tailored to each client.

Fenwick’s Privacy & Cybersecurity practice uniquely combines consultants, lawyers, and former privacy and cybersecurity executives to provide a one-stop shop for operational, risk, compliance, and regulatory support.

Key Advantages

  • California-Based. Fenwick’s strong presence in CA and extensive CA client base keep us at the forefront of the state’s legal and regulatory developments.
  • GDPR. Our team has conducted over 150 GDPR-related engagements for companies of all sizes over the past 15 months.
  • Program Management. We have significant experience providing program management services for global organizations.
  • Training. We have practical experience researching, developing, and deploying innovative compliance training to implement or reinforce privacy controls.

Practice Team Member Differentiators

  • Consulting Leaders. Our team includes key leaders from global consulting firms, including PwC, Booz Allen, and Promontory.
  • CPO Experience. We have former CPOs who leverage perspective and best practices from front-line experience at JPMC, The Home Depot, ING, IBM, Merck, AstraZeneca, EA Games, Westfield & eBay.
  • Data Scientists. Our firm also has PhDs from academia to help clients address complex issues such as big data and de-identification solutions.