WHAT YOU NEED TO KNOW TO COMPLY WITH CALIFORNIA’S NEW PRIVACY LAW (CCPA) Presented By: Jim Brophy and Brett Smoot, Northwoods Sarah Sargent and Andy Schlidt, Godfrey & Kahn, S.C.
WELCOME TO NORTHWOODS! • 45 digital strategists, marketers, UX experts, developers & account directors • Comprehensive digital strategy, website design, software development & digital marketing services #LearnAtNorthwoods www.northwoodsoft.com
NORTHWOODS’ CLIENTS Trusted by over 750 clients including:
YOUR PRESENTERS Jim Brophy Group Director – Digital
YOUR PRESENTERS Brett Smoot Digital Marketing Coordinator
YOUR PRESENTERS Sarah Sargent Attorney Data Privacy & Cybersecurity gklaw.com
YOUR PRESENTERS Andy Schlidt Attorney Chair - Technology & Digital Business Practice Shareholder - Data Privacy & Cybersecurity and Corporate Legal Practices gklaw.com
SERVICES WE PROVIDE
DATA PRIVACY & CYBERSECURITY We counsel clients on information security and privacy best practices, including the implementation of global privacy programs, drafting internal and external privacy policies and notices, implementing written information security programs and incident response plans, and conducting M&A due diligence. Our team includes individuals with real-world experience in: • Software Development • Incident Response; and • Ethical Hacking We advise clients with a full spectrum of legal support. • Privacy & Cybersecurity Compliance • Data Breach Response • Technology Transactions • WISPs, Table-Tops, and Incident Response Planning
LEGAL DISCLAIMER The information contained within this presentation in no way constitutes legal advice. This presentation and the information contained therein does not create an attorney-client relationship. Any person who intends to rely upon or use the information provided in any way is solely responsible for independently verifying the information and obtaining independent expert advice.
WHAT IS THE CALIFORNIA CONSUMER PRIVACY ACT? (CCPA)
FREQUENTLY ASKED QUESTIONS We hope to answer the following questions during our presentation: • I am not located in California. Does CCPA apply to me? • I don’t have a physical location in California, so I’m not “doing business” there, right? • I don’t “sell” personal information about people, so I don’t have to worry about CCPA, right? • My company is B2B, so I don’t have to worry about CCPA, right? • Do we need to offer these data subject rights to everyone? Please let us know if we have not fully addressed these questions for you.
FREQUENTLY ASKED QUESTIONS We hope to answer the following questions during our presentation: • How do I determine the identity of a data subject if I only have an IP address? How do I verify an identity? • Do we really need to delete ALL information about a person if they request it? What if we have a need to retain it? • Do I need to obtain opt-in consent to send marketing emails under CCPA? • Do I have to have a cookie banner for CCPA compliance? • What does my new privacy policy for CCPA have to say? Please let us know if we have not fully addressed these questions for you.
WHAT IS THE CCPA? • California Consumer Privacy Act (CCPA) • AB-375 - The California Consumer Privacy Act of 2018 • Passed - June 28, 2018 • Amended - Sept 23, 2018 • Effective - Jan 1, 2020 Cal. Civ. Code Section 1798 Sec 2(a)
THINGS TO KEEP IN MIND • The law has a number of pending amendments • 9 amendments or pieces of related legislation being considered • For example, AB-25 excludes employment information from the definition of personal information for one year • Just because your business is not located in CA does not mean you are off the hook
THINGS TO KEEP IN MIND • There are trends toward: • Obtaining opt-in consent for data processing • Consider whether this is possible in your business • Using more specific and informative privacy policies, written in understandable language • Obtaining opt-in consent before dropping cookies • Required by GDPR & E-Privacy Directive • Allowing individuals to exercise rights over their data • It’s no longer “your data,” if it is about a person. They have rights over it.
WHY SHOULD I CARE? • “As California goes, so goes the nation.” • States That Have Introduced Bills Mirroring CCPA • Hawaii • Maryland • Massachusetts • Mississippi • Maine • Nevada (Passed with an effective date of October 2019) • Other States Developing Different Privacy Laws • New York • North Dakota • Washington • Texas Source: The National Law Review
KEY TERMS AND DEFINITIONS
WHAT TYPES OF DATA FALL WITHIN THE CCPA? • The broad definition of personal information is: • Essentially any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. • CCPA focuses not just on individuals, but households and devices
WHAT IS A SALE OF PERSONAL INFORMATION? • “Sell” means not just sales of personal information for $$ • Also means: • Renting, releasing, disclosing, making available, transferring, or otherwise communicating [personal information] in any medium • Sell is “by the business to another business or a third party” • For monetary or other valuable consideration
IS MY BUSINESS IMPACTED BY THE CCPA?
WHO DOES THE CCPA APPLY TO? Three-Part Equation 1) A “business” 2) Those “doing business in California” 3) Meets one or more of the three numerical thresholds
DOING BUSINESS + THRESHOLDS • Annual gross revenues in excess of $25 million; • Personal information of 50,000 or more consumers, households, or devices; and/or • Sale of personal information accounts for 50% or more of annual revenues
REQUIREMENTS
CONSENT & SALE OF INFORMATION • CCPA states that if a business “sells personal information” to THIRD PARTIES it must provide notice to consumers of potential sale • Must also provide a right to opt out of the sale • Must have a “Do Not Sell” link on website, either on homepage, or California-specific homepage that is “clear and conspicuous” • Can’t require consumer to create an account to opt out • Must allow other persons to opt out on a consumer’s behalf
NOTICES • CCPA is like GDPR in that you need to update your privacy policy to more particularly describe your privacy practices • CCPA requires disclosure of categories of personal information collected, used, disclosed, or sold • CCPA also requires that you update your privacy policy at least once every twelve months • A business cannot collect any personal information that is not disclosed to the consumer in a notice • A business cannot use any personal information collected for additional, non-disclosed purposes without providing notice
DATA SUBJECT REQUEST RIGHTS • Rights Provided to CA Residents under CCPA • Right to Deletion (companies must also require service providers to delete personal information) • Right of Access & Data Portability • Right to Know Certain Information Upon Request
LIMITATIONS TO DATA SUBJECT REQUESTS • Companies must take reasonable steps to verify the identity of the individual • Companies are not required to provide personal information to a consumer more than twice a year • There are exceptions to Right to Deletion
VENDOR MANAGEMENT Vendors that have access to personal information should have the following contractual obligations: • Protect personal information • Assist in compliance efforts • Use personal information solely for the purposes of complying with obligations under agreement, and agreement will not constitute “sale”
TRAINING • Must “inform” all individuals responsible for handling consumer inquiries about the business’ privacy practices or CCPA about “Do Not Sell” requirements under law • You should conduct initial CCPA training before January 1, 2020, for all employees dealing with data subject requests • Adding privacy session or content to on-boarding and annual trainings
PENALTIES
ENFORCEMENT Private Action: • If a business fails to have reasonable data security practices and a data breach occurs • Damages between $100 to $750 per consumer per incident or actual damages, whichever is greater • Injunctive or declaratory relief • Any other relief the court deems proper Attorney General: • If a business fails to cure an alleged violation within 30 days of noncompliance notification • Maximum civil penalty of $2,500 for each violation • Maximum civil penalty of $7,000 for each intentional violation
DATES TO REMEMBER • Effective Date: January 1, 2020 • AG Enforcement Date: July 1, 2020 or six months after the publication of final AG regulations (whichever is sooner) • One-year look back date: January 1, 2019
I AM GDPR READY! AM I CCPA READY? KINDA …