Crash Course: California Consumer Privacy Act Overview
David Zetoony, Partner & Co-Chair of Global Data Privacy and Security Team

Agenda
• The History of the CCPA
• Scope of the CCPA
• What it requires businesses to do:
  – Policy 1: Privacy Notices
  – Policy 2: Data Subject Request Protocols
  – Policy 3: Anti-Discrimination
  – Policy 4: Written Information Security Programs
  – Policy 5: Incident Response Policies
  – Policy 6: Vendor Management
  – Policy 7: Cookie Banner and Cookie Policy
History

CCPA amended Sept. 2019:
• AB 25 delays some rights as to employees
• AB 874 modifies definition of personal information
• AB 1146 exempts motor vehicle records
• AB 1202 requires registration of data brokers
• AB 1355 modifies financial incentive exception; delays some rights as to business contacts
• AB 1564 scales back methods of submitting data subject requests for eCommerce-only businesses

Attorney General Proposed Regulations (October 11, 2019):
• No exemptions for adTech
• No clarification concerning the extent to which cookies are / are not personal information
• No clarifications concerning the implications of the CCPA on behavioral advertising

What’s next??????
Scope of the CCPA
• Applies extraterritorially to all entities that do “business in the state.”
• Exempts some small businesses, such that it only applies if:

Scope of the CCPA – Effective Dates
• January 1, 2020: Date most provisions become law, and plaintiffs can seek money for data breaches
• July 1, 2020: Date the Attorney General can bring enforcement actions
Scope of CCPA – What is “Personal Information”?
“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following: (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers… (on and on)
CCPA 1798.140(o)(1)

What does the CCPA require businesses to do?
Policy 1: Information Notices
There were several laws in the United States that required companies to provide an information notice or a privacy policy:
• GLBA
• HIPAA
• FERPA
• COPPA
• State Laws Concerning Online Collection of Information
• State Laws Concerning Collection of SSN

Policy 1: Information Notices – How does the CCPA change existing law?
Comparison of US federal laws, most US state laws, GDPR and CCPA against the following business requirements:
• Applies to a broad range of companies and not limited to distinct industries, e.g. finance
• Applies to the collection of personal information online and offline
• Provide detailed information on how they use and process the personal information they collect
• Notify individuals about a right to access information they hold about them
• Notify individuals about a right to have their information deleted
• Include a ‘Do not sell my personal information’ link on websites and privacy notices
• Describe the information that they share with service providers
• Describe the types of entities to whom they sell information

Policy 1: Information Notices – What should companies do?
Policy 2: Data Subject Request Protocols – Comparison to current laws
• Access Personal Information: HIPAA, FERPA, GDPR
• Delete Personal Information: COPPA, Ca Eraser Button Law, GDPR
• Opt-Out of Sale of Personal Information: ~GLBA (sharing), ~Cal Financial Info Privacy Act (sharing)

Policy 2: Data Subject Request Protocols – What should companies do?
Policy 3: Marketing Practices
“(1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.”
CCPA 1798.125(a)

Policy 3: Marketing Practices
Practical areas where discrimination may be occurring for some businesses:
• Loyalty programs
• Exclusive deals in mailing lists

Policy 3: Marketing Practices – What should companies do?
Policy 4 & 5: WISP and IRP
• The CCPA does not require that an organization implement a written information security program or implement an incident response plan.
• The CCPA does create statutory damages if there is a data breach that is “a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

Policy 4 & 5: WISP and IRP
• How does this compare with existing European law?

Policy 4 & 5: WISP and IRP
• What should a company do?
Policy 6: Vendor Management
The CCPA defines a “service provider” as follows: “‘Service provider’ means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”
CCPA 1798.140(v)

Policy 6: Vendor Management – What should a company do?
Policy 7: Cookie Banner and Cookie Policy

Policy 7: Cookie Banner and Cookie Policy
Third-party advertising cookies, tags, and pixels form the core of modern online behavioral advertising and are deployed by media publishers and advertisers alike:
Biographies
David Zetoony
Partner; Chair, Data Privacy & Security Team
Bryan Cave Leighton Paisner LLP
Washington, D.C. / Boulder, Colorado
202 508 6030
David.Zetoony@bclplaw.com

David Zetoony is the leader of the firm's global data privacy and security practice. He has extensive experience advising clients on how to comply with state and federal privacy, security, and advertising laws, representing clients before the Federal Trade Commission, and defending national class actions. He has assisted hundreds of companies in responding to data security incidents and breaches, and has represented human resource management companies, financial institutions, facial recognition companies, and consumer tracking companies before the Federal Trade Commission on issues involving data security and data privacy.