Beyond CCPA Melissa Maalouf ZwillGen Kandi Parsons ZwillGen Matt - PowerPoint PPT Presentation
  1. Beyond CCPA Melissa Maalouf ZwillGen Kandi Parsons ZwillGen Matt Scutari Optimizely Jim Trilling Federal Trade Commission (Disclaimer: The views expressed in this presentation are Jim’s as an FTC staff attorney and do not necessarily reflect the views of the Commission or any individual Commissioner.)

  2. Agenda • How did we get here? • Structuring and Defining Your Privacy Program • Embedding Core Privacy/Security Principles Into Your Program • Regulatory Predictions and Preparedness • Questions

  3. How Did We Get Here?

  4. Beyond CCPA Previous Privacy Regimes • Traditional view was that there was a class of data called personally identifiable information that identified users on its face, usually by name, contact information, or government identifiers • Laws governing the privacy of personal information were sector-specific • healthcare (HIPAA), finance (GLBA), credit information (FCRA), education (FERPA) and children’s information (COPPA) • State data breach and security laws • Some notice requirements (CALOPPA and Shine the Light) • Regulators used UDAP authority to develop privacy principles for companies outside these regulated spaces

  5. Beyond CCPA May 25, 2018: EU General Data Protection Regulation (GDPR), a comprehensive privacy law with broad territorial scope takes effect, after 8 years of drafts and negotiations • Privacy of personal information across sectors • Related to an identified or identifiable person • Vendor management • Comprehensive data subject rights (access, deletion, rectification) • Transparency • Legal bases for processing data • Rigorous consent • Required risk analysis (DPIA) • Controller/processor distinction

  6. Beyond CCPA Major privacy/security issues make headline news • High profile data breaches • Cambridge Analytica

  7. Beyond CCPA CCPA: the closest thing to a comprehensive law in the US is passed, but as opposed to GDPR, only 3 weeks in the making. Similar to GDPR (access, deletion, transparency), but some key differences: • Applies to data reasonably capable of being associated with a consumer or household • Contains different exceptions to data subject rights • Does not have the concept of a data controller v. data processor • Contains more rigid restrictions on sharing data with third parties for commercial purposes – called “sales” • Does not require “legal bases” for collecting and using data • Does not require the same types of comprehensive and robust documentation and recordkeeping

  8. Beyond CCPA What’s Coming Next? • Copycat state laws, or worse, laws with inconsistent requirements? • US federal privacy legislation? • What will it regulate? Collection, use, sharing, all? • How will it interact with/preempt existing laws? • Will there be a private right of action? How broad? • Who will enforce? How does a company future-proof its privacy program to comply with existing rules and also be ready for future rules? • Carefully structure and define your privacy program • Ensure core privacy/security principles are embedded in your program • Predict and prepare for future enforcement trends

  9. Defining Your Privacy Program

  10. What is(n’t) a Privacy Program? It’s not a legal function… It’s not a compliance function… It’s not a security function…

  11. What is a Privacy Program? A privacy program is your organization’s privacy and data protection quarterback • Privacy / Data Governance • Operations • Culture + Awareness

  12. Governance Governance: Driving cross-functional alignment on decisions with privacy impact • Develop strategy • Facilitate and guide product and business decision making • Document and enforce policies, standards, and procedures

  13. Operations Operations: Implementation and maintenance of processes that resolve issues or manage risk • Track and drive implementation of product and business decisions • Ensure policies don’t go stale and key processes remain efficient and effective

  14. Culture + Awareness Culture: Building a company-wide culture of privacy • Foster company-wide awareness of key privacy concepts • Educate key stakeholders on relevant policies and procedures • Enlist “privacy champions” to help scale your program’s efforts

  15. Organizational Structure No perfect option, but some to consider: • Legal • Security • Product Regardless of where the program sits, your goal should be to become embedded with key product/business partners!

  16. Hiring Privacy Program Managers Three key traits to look for (two out of three is great!): • Privacy subject-matter expertise • Industry/sector expertise • Project management skills Look internally!

  17. Embedding Core Privacy/Security Principles into Your Program

  18. Increase the Value of Privacy Internally • Avoiding risk (e.g., breach, regulatory scrutiny) is one consideration, but sound privacy decisions have real business value too! • Examples: • Data minimization can save resources on compliance and access/deletion • Stronger policies can facilitate deals • Transparency reduces upset consumers/customers • A privacy-protective approach can create market differentiation or a competitive advantage

  19. Speak the Same Language Get Your Organization on the Same Page, across all levels and roles • Do your engineers, sales reps, and recruiters all know what you mean when you talk about “personal data” or “sale”? (They probably don’t) • Focus culture and awareness efforts to ensure everyone understands one another • Work from the same language and playbook • Align on key definitions with legal and security, and then educate everyone else • Consider privacy by design training (along with some legal training) to help teams understand the basis for what you’re advising/asking • With privacy now a cross-functional task, important to train at all levels • CCPA requires employee training for those that will be receiving/handling access/deletion requests, and GDPR requires general training too

  20. Develop Global Solutions if Possible • While there are many different privacy laws across the globe, most have the same core tenets – transparency, consumer choice/rights, data minimization, sound security • Benefits of global solutions • Apply across jurisdictions, products, and time (hopefully) • Require refinement but not overhaul • Easier to operationalize compliance • Free up resources to address areas that are not global • Challenges • Different laws; different requirements • Need to leverage less rigorous elements where possible • Marketing, cookie consent

  21. Data Protection Impact Assessment What is it? • An internal document to help you assess the privacy risks of existing and future products/services, and develop strategies to address such risks How/Why to Make it Global? • DPIAs are only required by the GDPR for certain high-risk processing activities, but… • Even if not officially required under US law, the DPIA process serves as a key component of privacy and security by design • They don’t have to be lengthy – it is possible to create a lightweight, standardized documentation system for evaluating most privacy decisions where a specific type of DPIA is not required • Great for historical reference and to drive accountability • Drive internal alignment on privacy risks and allow for consistent application of internal privacy/security controls • Flexible if new requirements are adopted; teams will already be habituated to the practice

  22. Global Data Protection Addendum What is it? • A contractual addendum to an agreement that governs the privacy/security obligations of the parties with respect to the processing of personal information • Have one version that can be presented by a vendor to its customers, and one version that a company can present to its downward vendors How/Why to Make it Global? • Required by the GDPR, other global privacy laws (and CCPA requires a written contract with service providers) • Make it global to avoid more amendments! • Carefully tailor scope/definitions to be broad enough to work under various privacy regimes, while also making clear that the DPA only applies to data in scope for each law • Many provisions work across jurisdictions/laws • Use restrictions • Deletion rights • Breach notification and security

  23. Individual Rights What is it? • Many laws contain a variety of rights for individuals with respect to their data – e.g., access, deletion, rectification, objection, portability How/Why to Make it Global? • Consider working from one playbook with different templates/processes for different jurisdictions • OR, consider whether to apply rights globally so you do not have to pivot when the next law is adopted • Even if you don’t hold yourself to precise strictures globally (e.g., timelines) • Develop Consumer Dashboards • This can enable customization based on the law • You might offer marketing opt-outs in Iowa, access in California and objection to processing in the EU
