Ha Hardes est T t Things A s Abou out C t CCPA Pr Privacy & Security Academy Oc October 15, 2019
Introduction
Part rtici cipa pants Industry Professionals Fenwick Aaron Ting Lael Bellamy Lead Counsel, Product & Privacy Director, Privacy and Facebook Cybersecurity Practice Fenwick & West Tiffany Morris General Counsel & Vice President of Global Privacy Lotame Michael McCullough Chief Privacy Officer & Data Risk Macy’s FENWICK & WEST | Privacy & Security Academy October 15, 2019 4
Legislative History of the California Consumer Privacy Act June 28, 2018 • Governor signed the California Consumer Privacy Act (“CCPA”) into law August 31, 2018 • CCPA is effective Jan. 1, 2020 , but CA legislature passed “technical corrections” to clarify CCPA and extend the enforcement date to as late as July 1,2020. • Note: Jan. 1, 2020, DSARs and private rights of action for breaches September 25, 2019 • Californians for Consumer Privacy file a new ballot measure called the California Privacy Rights and Enforcement Act October 10, 2019 • AG releases proposed CCPA regs; comment period ends Dec. 9, 2019 October 13, 2019 • Gov. Newsome signs seven CCPA related amendments While CCPA Effectiveness Is Less than Three Months Away, There Are Steps You Can Take Now. 4 5 FENWICK & WEST | Privacy & Security Academy October 15, 2019
CCP CCPA Highl hlight Reel Comprehensive • The California Consumer Privacy Act (AB 375 or CCPA) is the most comprehensive data privacy regulation to date in the United States. New Consumer Rights • Affords a consumer (i.e., a natural person who is a California resident) the right to: - know how and what personal data companies collect and how it is used - access and/or delete it - opt out of the “sale” of personal information to third parties - not be subject to discriminatory pricing if they exercise their rights • Prohibits knowingly selling personal data of children under 16 (exceptions – consent and parental consent) Personal Information Broadly Defined • Substantially broadens the definition of “personal information” Fines and Private Right of Action • $7,500 fine per violation, which could be per record or customer file – no cap! • Includes a private right of action for data breaches if a company fails to maintain reasonable security FENWICK & WEST | Privacy & Security Academy October 15, 2019 5
Expert Roundtable
Tip p #1 – Start rt Pri rivacy cy Policy cy Discl closur ures & & Othe her r Form rms of Notice ce Discussion Leader: Aaron Ting CCPA Requirement: Notice Requirements - 1798.100(b) and 1798.110(c) A business must disclose the categories, sources, purposes and categories of third parties with whom • information is shared and the specific pieces of personal information the business has collected. What Makes it Difficult. • Policy Governance and Proliferation – One or Multiple Policies: CA specific flyout, state-by-state, CA plus EU (and Brazil) or global (translations) • Scope of Laws: CCPA covers Consumer (CA resident) and households • Operationalizing requirements: Annual review of policy Approaches Taken by Others. • Risk-Based Approach: Focus on high risk activities, locations with most users, sensitive data elements • Integrated Approach: One global policy with supplemental or just-in-time notices • Household Level: Identify information collected at household level previously not considered personal Takeaway Tips – Update Your Policies and Just in Time Notices - Put yourself in the consumer’s shoes—try to take an integrated approach depending on your business needs. FENWICK & WEST | Privacy & Security Academy October 15, 2019 7
Tip p #2 – Playing ng a High-St Stakes Game - Don’t n’t Wait & & See (Mo Mostly) Discussion Leader: Michael McCullough CCPA Requirement: Effective Date - 1798.198(a) and 1798.185(a) • 1/1/20 - Businesses must comply • 7/1/20 or Earlier - AG enforcement actions barred until six months after the earlier of final regulations or 7/1/20 What Makes it Difficult. • On one hand (reasons to wait) . . . • Not Final (Final regulations not available) • Uncertainly of New Regs, Button and New Ballot Initiative Even Though Amendments Are Done • On the other hand (reasons to act) . . . • Risk of Class Actions (breach private right of actions start 1/1/20) • A One-Year Look Back (to 1/1/19 if someone asks for categories of 3 rd parties with whom data shared) Approaches Taken by Others. • Start with commercial (include data mapping and third party inventory) • Taking a wait and see approach Key Takeaway Tip – Begin discussions with IT, product and marketing teams now. • Explore third party solutions for Ad Tech FENWICK & WEST | Privacy & Security Academy October 15, 2019 8
Tip p #3 – Leverage GDPR & & Pri rior r Investments Discussion Leader: Tiffany Morris Leverage GDPR & Prior Investments. • How to Simultaneously Prepare for CCPA, LGPD (Brazil), Nevada, and Maine What Makes it Difficult. • No Energy/Money. People/management fatigued by (and budget spent on) GDPR implementation • Operational Challenges. Operationally difficult to address differences and exceptions • Risk Varies by Industry. Certain industries are in the cross-hairs • No Comprehensive Technological Tools or Solutions for New Requirements (while many are emerging) Approaches Taken by Others. • Assess current programs, processes and procedures • Perform gap analysis and triage results • Prepare near and long term roadmaps Key Takeaway Tip – Map differences between requirements, GDPR compliance controls and leverage similarities. Overlap Areas: enhanced privacy policy, breach notification, data subject rights, contracts/DPAs, training • Key Difference: scope/definitions, exceptions, impact assessments (GDPR), Data Protection Officer • (GDPR), don’t sell my information button (CCPA) and non-discrimination (CCPA) FENWICK & WEST | Privacy & Security Academy October 15, 2019 9
Tip p #4 – Sale & & Do Not Sell But Button n Archi chitect ctur ure: Wha hat Happe ppens ns? Discussion Leader: Aaron Ting CCPA Requirement: Sell - 1798.140(g); Do Not Sell - 1798.120(a) • Individuals are able to opt-out of the sale or sharing of their personal information. • If you sell (or disclose) personal information “for monetary or other valuable consideration,” you will need to update your website to include a clear and conspicuous link that says: “Do Not Sell My Personal Information.” What Makes it Difficult. • Uncertainty around What Is “Other Valuable Consideration” (and impact on AdTech, analytics, health information exchanges/clinical trials, loyalty programs, other). • Technology of What Happens when the Button Is Pushed (downstream and upstream communications). • Brand Risk of Button (just because you retarget or share information does not mean you have a problem) Approaches Taken by Others. • Manual Approach. Update processes, but take a manual approach until final regulations or enforcements. • Integration. Link “Do Not Sell” button to customer and marketing databases (adding 12 month no-contact). • Tools and Industry Efforts. Consider Tools and Industry Initiatives to Help. Key Takeaway Tip – Do not underestimate the complexity. One size does not fit all. CA Only Rights and Geofencing (Difficult decision to consider offering different opt-in/opt-out • rights/buttons to CA residents as compared to residents from other states or countries) FENWICK & WEST | Privacy & Security Academy October 15, 2019 10
Tip p #5 – Pri rivate Right of Act ction n Strategy Discussion Leader: Lael Bellamy CCPA Requirement: Unauthorized Access - 1798.150(a)(1) • “Any consumer whose nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following” What Makes it Difficult. • Defining and Maintaining Reasonable Security at an Enterprise Level – Center for Internet Security 20 Controls (e.g., Basic, Foundational and Organizational ) not consistent with FTC, SOC2, ISO, or GAPP. • A Breach Is Breach Is a Breach (Maybe) - Is AdTech sharing a data breach? Approaches Taken by Others. Update incident response plan, and meet with CISO to review security program framework and certifications • War games to test entry points • Key Takeaway Tip – Document security measures. • Map security framework to CIS 20 Controls. Most security programs do not operate against the CIS 20. FENWICK & WEST | Privacy & Security Academy October 15, 2019 11
Recommend
More recommend
