IAPP California Consumer Privacy Act (CCPA) Workshop

Post on 25-Aug-2020


Page 1

IAPP California Consumer Privacy Act (CCPA) Workshop

Page 2

Presenters

Lothar Determann, Partner, Baker McKenzie, [email protected]

Ian Ballon, Shareholder, Greenberg Traurig, [email protected]

Rachel Lovejoy, Senior Counsel, Space Exploration Technologies

Page 3

Page 4

1 - California Privacy Law Overview

2 - California Privacy Laws from A to Z

3 - Compliance Guide

4 - Drafting a Privacy Policy

5 - Drafting Other Documentation

6 - Enforcement

7 - Action Items, Risk Mitigation

Page 5

California Privacy Law A - Z

Page 6

Your Privacy Rights - Shine the Light

Page 7

Your Privacy Rights - Shine the Light

Businesses must add language to their websites covering “Your Privacy Rights” or “Your California Privacy Rights,” and provide certain notices and information to consumers in California if the businesses disclose the consumers’ personal information to third parties for direct marketing purposes.

Waivers of the Shine the Light law are unenforceable as against public policy.

Page 8

California Consumer Privacy Act of 2018

• Effective – January 1, 2020

• Enforcement – July 1, 2020

• Look-back to January 1, 2019

• Substantive amendments in Sept. 2018 and Oct. 2019

• Draft AG Regulations published Oct. 10, 2019, revised February 10, 2020 and March 11, 2020

• Data broker registration requirements January 31, 2020 (and following years)

• Delays for certain requirements re. B2B and employee information

• Applies to companies worldwide, B2C and B2B

• Disclosure requirements, opt-in, opt-out re. “selling of personal information”

• New consumer rights to access, deletion, and porting of personal data

• New penalties

• New statutory damages in case of data security breaches

Page 9

California Consumer Privacy Act of 2018

What it is - key features

• wordy and complex: 10,000 words and dozens of definitions added to the Civil Code

• extremely broad scope

• requires notice and choice

• gives Californians the right to prohibit data sharing and to request access, deletion, and portability

• gives plaintiffs the right to statutory damages in case of data security breaches, even where no harm is shown

Page 10

California Consumer Privacy Act of 2018

What it is not

• No one omnibus statute

• No default prohibition of data processing

• No data minimization requirements

• No data protection authorities

• No data protection registries or filings

• No data protection officers

• No specific restrictions on international data transfers

• No comprehensive, detailed prescription of data security measures

• No translation requirements

Page 11

CCPA v. GDPR Highlights

Covered Information
  CCPA: Relates to a CA consumer or household
  GDPR: Relates to an EEA person

Additional Restrictions on Sensitive Data
  CCPA: No
  GDPR: Yes

Rights
  CCPA: Access, deletion, portability
  GDPR: Access, deletion, rectification, portability

Consent
  CCPA: Opt-out generally, opt-in for children’s data
  GDPR: Opt-in generally

Enforcement
  CCPA: California Attorney General
  GDPR: Data Protection Authorities

Contracts with Service Providers
  CCPA: Not required
  GDPR: Required

Privacy Disclosures
  CCPA: Yes, including new homepage link
  GDPR: Yes

Penalties
  CCPA: Up to $2500 per unintentional violation and $7500 per intentional violation
  GDPR: Ceiling of 4% global annual revenue

Page 12

Existing Privacy Law in California

CA Anti-Spam Law, CalOPPA, CCCDFA, Shine the Light, CMIA, Drones, Paparazzi, CIPA, Song-Beverly, Supermarket Club Card Disclosure Act

Page 13

Conflicts, duplicative clauses

Cal. Civ. Code Section 1798.175. (…) in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

Cal. Civ. Code Section 1798.194. This title shall be liberally construed to effectuate its purposes.

Page 14

CCPA – a Moving Target

Cal. Civ. Code §1798.130 – disclosure obligations for “preceding 12 months” look back to January 1, 2019

Draft AG regulations October 10, 2020 (comment period until Dec 2019)

Statutory amendments enacted October 11, 2019

Effective date January 2020

Delayed effective date for some B2B, HR information Jan 2021

Federal law? Other States’ laws?

Page 15

Who and what data is protected?

Page 16

Who is protected?

Consumer = any California resident

- natural persons

- residency as defined in tax regulations

- includes patients, tenants, students, parents, children, employees, candidates, contractors, owner, director, medical staff member of business

- until 2021: less protections for business representatives, employees, candidates, contractors, owner, director, medical staff member of business

Page 17

What data is protected?

"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal information includes, but is not limited to, the following:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Page 18

What data is protected?

"Personal information" means information that relates to a particular consumer or household.

Page 19

What data is protected?

Page 20

What data is protected?

‒ "Personal information" does not include publicly available information. For these purposes, "publicly available" means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.

‒ Information is not "publicly available" if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.

‒ "Personal information" does not include consumer information that is deidentified or aggregate consumer information.

Page 21

Who must comply?

Page 22

Who must comply?

Any business worldwide doing business in California and exceeding thresholds of:

A. annual gross revenues of $25 million;

B. personal information of 50,000 or more California residents, households, or devices annually; or

C. 50% or more annual revenue from selling California residents' personal information.

Parent companies and subsidiaries sharing the same branding, even if they themselves do not exceed the applicable thresholds

Page 23

How to comply?

Page 24

How to comply? If you don’t sell…

1. Confirm that the company wants to – and can – eliminate all instances of ‘personal information selling’

2. Widely send unilateral communication and/or request to confirm data protection terms or standards to all of Business’s vendors and business partners (we provided a draft separately earlier this month).

3. Add data protection terms or standards to any contracts under negotiation.

4. Review existing contracts with business partners to determine whether Business can get comfortable that it is not involved in and does not allow “selling personal information,” or, where this is not sufficiently clear, earmark the contract for renegotiation

5. Finalize draft data mapping questionnaire and deploy it to understand the details of how each entity collects, uses and discloses personal information as a basis for preparing privacy notices and responses to requests from California residents to exercise their CCPA rights.

6. Prepare privacy notices for all situations where the business collects the personal information of California residents (e.g., from website visitors, employees, job candidates, contractors, and vendors) and ensure that such notices are issued to California residents at or before the point that Business collects their personal information.

7. Publish an online privacy policy that meets all of the disclosure requirements of the CCPA.

8. Conduct CCPA training sessions for Business employees to ensure that they protect personal information from unauthorized access and disclosure, know how to respond to requests from individuals seeking to exercise their CCPA obligations, and adhere to Business’s positions with respect to the “selling” of personal information.

9. Put in place protocols and channels for individuals to exercise their CCPA rights (i.e., access and deletion), including a toll-free number.

Page 25

How to comply? If you sell…

1. Special link on every web page: Provide a clear and conspicuous link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” on every web page (except pages where the business does not collect any personal information from California residents);

2. Special opt-out page: Create a page that enables California residents (and/or their authorized representatives) to globally opt out of all “personal information selling,” act upon any opt-out request no later than 15 business days from receiving the request, and if the business sells a consumer’s personal information to any third parties after the consumer submits their request but before the business complies with the request, the business shall notify those third parties not to sell that consumer’s information;

3. Special disclosures in privacy policies: Include a description of California residents’ rights under the CCPA along with a separate link to the “Do Not Sell My Personal Information”/“Do Not Sell My Info” page in: (a) the business’s online privacy policies; and (b) any California-specific description of individuals’ privacy rights;

4. Honor opt-outs without discrimination: Refrain from sharing personal information of any California residents who opt out of “selling,” except under information sharing arrangements that do not involve “selling;” note that a business must not deny goods or services to California residents who opt out of “selling,” so a business must organize its offerings in a way that enables it to continue providing services to California residents even if they opt out of information sharing;

5. Avoid requesting opt-in 12 months after opt-out: If a California resident opts out of a business’s “selling” of his or her personal information, the business must refrain from requesting an authorization to sell his or her personal information for at least 12 months after the California resident opted out of the selling of personal information; note, this would require that a business log opt-out requests across the business;

6. Obtain opt-ins from minors or parents/guardians: Obtain double opt-in consent to “selling” of “personal information” from minors under the age of 16 and consent from parents/guardians for children under the age of 13 as prescribed by the regulations and in addition to any consent required under the Children’s Online Privacy Protection Act;

7. Disclose sales of personal information in preceding 12 months: Disclose in a public website privacy policy the categories of companies to whom a business has sold personal information in the preceding 12 months, and what categories of personal information a business has sold;

8. Respond to individual requests for information on sales of personal information: Upon receipt of a verifiable request from a California resident, disclose to the individual the categories of personal information that the business has sold about the consumer;

9. Limit information use: Use any personal information collected from a California resident in connection with an opt-out request solely for the purposes of complying with the opt-out request; and

10. Training and instruction: Ensure that all individuals responsible for handling California residents’ inquiries about the business’s privacy practices or the business’s compliance with the CCPA are informed of all requirements and how to direct individuals to exercise their rights with respect to selling.

Page 26

How to comply?

"Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

Page 27

How to comply? Action items

Decide: To Sell or Not to Sell Personal Information

"Selling" means any sharing of Personal Information for valuable consideration

Businesses that sell personal information must

- post a "Do Not Sell My Personal Information" link [or “do not sell my info” or button per regulations]

- provide an opt-out page

- seek opt-in from 13-16 year old Californians, parental consent for children under 13 [double opt-in according to draft regulations]

- refrain from seeking opt-in for 12 months from Californians who opt out

- not discriminate - free services, freemium, trials?

- disclose sales in the preceding 12 months

Page 28

How to comply? Action items

A business that posts a conspicuous link "Do Not Sell My Personal Information" on every home page and mobile site on January 1, 2020 can expect

- opt-out requests from consumers (acting individually, with apps or represented by associations)

- concerns and information requests from consumers in California and elsewhere

- concerns and information requests from business partners

- scrutiny from data protection authorities in Europe

- media attention

- attention from privacy advocates

Page 29

How to comply? Action items

Avoiding Sales of Personal Information by

‒ avoiding information sharing

‒ clarifying in written contracts with business partners that Personal Information is not communicated for consideration

‒ invoking statutory exceptions for

  - user-directed sharing

  - service providers

  - third parties

  - opt-out compliance

  - M&A transactions

Page 30

How to comply? Action items

Update or Supplement Privacy Policies:

- Provide at or before collection: categories of personal information (PI) to be collected and underlying purposes (information may be provided elsewhere)

- Separate lists of categories of PI collected, sold or disclosed for a business purpose in the preceding 12 months (explicitly state if not sold or disclosed)

- Categories of sources of PI collected

- Business/commercial purposes for collecting or selling PI

Page 31

How to comply? Action items

Disclose:

- Categories of third parties receiving PI

- Description of the rights to access, deletion, to obtain information about disclosures, to opt out of sales, and not to be discriminated against

- If PI is sold: Fact that PI collected may be sold and clear and conspicuous link, titled "Do Not Sell My Personal Information", to webpage that enables opt-out

- Method(s) for submitting requests including, at a minimum, toll-free telephone number and, where maintained by the business, website address

Page 32

How to comply? Action items

A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:

a) Denying goods or services to the consumer.

b) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

c) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under this title.

d) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

Page 33

How to comply? Action items

Access, deletion rights: Implement processes and policies to

- verify the identity of individuals making requests

- timely provide portable copies via “account” (can include multiple communication lines)

- delete personal information or claim a statutory exception:

  (1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

  (2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

  (3) Debug to identify and repair errors that impair existing intended functionality.

  (4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

  (5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

  (6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

  (7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

  (8) Comply with a legal obligation.

  (9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

- obtain assistance of service providers

Page 34

How to comply? Action items

Training

Create channels and response processes for data subject requests

Page 35

Sanctions and remedies

Page 36

Sanctions and remedies

$7,500 per intentional violation

$2,500 for unintentional violations, if the company fails to cure the unintentional violation within 30 days of notice

Cal State AG, Consumer Privacy Fund

Page 37

Sanctions and remedies

New cause of action: statutory damages for data security breaches

New definition of data security breach: "unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices"

Narrower definition of "personal information" in this context: SSNs, credit card/account numbers, medical information

Statutory damages $100-$750 per incident, per consumer