© 2019 Kilpatrick Townsend
October 15, 2019
Harmonizing Your Access Requests: Localizing Your GDPR Processes for CCPA
Presentation by:
Ami Rodrigues, Privacy Counsel, The Coca-Cola Company
Aruna Sharma, AVP – Senior Legal Counsel, Xandr
Amanda Witt, Partner, Kilpatrick Townsend & Stockton LLP
Agenda
• Setting up Your DSAR Process(es)
• Verification Headaches
• GDPR v CCPA
• GDPR Lessons Learned
• Localizing GDPR Processes for CCPA
• Technical Challenges
• DSAR Alternatives
Verification Headaches
How do you verify the requester’s identity?
Challenge in verifying shared device data
How do you verify the identities of website visitors?
Do you need to collect more information to fulfill the request?
AG Regulations: §999.313(c) (Responding to Requests to Know)
• If the business cannot verify the ID of the person making the request, the business shall not disclose any personal information to the requestor and shall inform the consumer it cannot verify their identity.
• Business shall not provide consumer with specific pieces of PI if “disclosure creates a substantial, articulable, and reasonable risk to the security of the PI, the consumer’s account with the business, or the security of the business’s systems or networks.”
• Business shall not at any time disclose a consumer’s SSN, driver’s license number or any other government-issued identification number, financial account number, any health insurance or medical ID number, an account password, or security questions and answers.
AG Regulations: §999.313(c) (Responding to Requests to Know); Cont'd.
• Business shall use reasonable security measures when transmitting PI to the consumer.
• If business must deny consumer’s verified request because of a conflict with state/federal law or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial. If the request is denied only in part, the business shall disclose the other PI sought by the consumer.
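The §999.313(c) rules above translate directly into a filter on the response a DSAR tool assembles. The following is an added illustration for this deck, not code from the presenters or from any product they mention; the internal field names, the sample record and the SSN pattern are constructed assumptions. It refuses to disclose anything for an unverified requester, withholds the fields that hold the categories the regulation says must never be returned (reporting only that the category is held), and, because a field-name denylist misses a prohibited value typed into a notes field, also scrubs SSN-shaped strings from free text.

```python
"""Assemble a CCPA 'request to know' response while withholding the data
categories that §999.313(c) of the draft AG regulations says must never be
disclosed. Added illustration for this deck, not code from the presenters;
the field names, the sample record and the SSN pattern are assumptions."""

import re
from dataclasses import dataclass, field

# Internal field names (assumed) mapped to the §999.313(c) category they hold.
NEVER_DISCLOSE = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license number",
    "passport_number": "government-issued identification number",
    "bank_account": "financial account number",
    "health_plan_id": "health insurance or medical identification number",
    "password_hash": "account password",
    "security_answers": "security questions and answers",
}

# A field-name denylist misses prohibited values typed into free text, so
# string values are also scanned. Only the US SSN shape is covered here.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record for one consumer.
SAMPLE_RECORD = {
    "name": "Ana Lopez",
    "email": "ana.lopez@example.com",
    "purchase_history": ["order-1187", "order-2209"],
    "ssn": "123-45-6789",
    "password_hash": "$2b$12$c0nstructedHashValue",
    "security_answers": {"first pet": "Rex"},
    "agent_notes": "Caller read out SSN 123-45-6789 to confirm identity",
}


@dataclass
class KnowResponse:
    disclosed: dict = field(default_factory=dict)            # what may be sent
    withheld_categories: list = field(default_factory=list)  # held, never sent
    redacted_fields: list = field(default_factory=list)      # free text scrubbed
    denied: bool = False
    reason: str = ""


def build_know_response(record: dict, identity_verified: bool) -> KnowResponse:
    """Return the disclosable part of one consumer's record."""
    resp = KnowResponse()
    # §999.313(c): an unverified requester receives no personal information,
    # only notice that identity could not be verified.
    if not identity_verified:
        resp.denied = True
        resp.reason = "identity could not be verified"
        return resp

    for key, value in record.items():
        if key in NEVER_DISCLOSE:
            # Acknowledge that the category is held; never return the value.
            resp.withheld_categories.append(NEVER_DISCLOSE[key])
            continue
        if isinstance(value, str) and SSN_RE.search(value):
            value = SSN_RE.sub("[redacted]", value)
            resp.redacted_fields.append(key)
        resp.disclosed[key] = value
    return resp


if __name__ == "__main__":
    r = build_know_response(SAMPLE_RECORD, identity_verified=True)
    print("disclosed:", r.disclosed)
    print("withheld categories:", r.withheld_categories)
    print("redacted free-text fields:", r.redacted_fields)
```

The free-text scan is deliberately narrow; a production filter would cover the other prohibited categories (account numbers, licence numbers) and the "substantial, articulable, and reasonable risk" exception is still a human decision, not a regex.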
DSAR Hypo
• Your company receives a data subject access request (DSAR) from an email address that does not correspond to any of your customers, but the requester has the individual's first and last name, professional email address, telephone number and mailing address.
• The request is for "any PII that your organization (or a third party organization on your behalf) stores about me. Please include data that your organization holds about me in your digital or physical files, backups, emails, voice recordings or other media you may store."
• How do you respond to such a request?
• Do you provide the data?
• How do you verify the requester's identity?
• Do you request additional documentation?
GDPR DSAR Lessons Learned
• A researcher using his girlfriend's personal data sent numerous DSARs modelled on the previous hypothetical. His findings:
• 56% of companies (in the UK and US) confirmed they were storing information about his girlfriend.
• 39% insisted on a strong form of identification.
• 24% responded without further inquiry.
• 16% accepted a weak form of identification.
• 5% of companies said they did not fall under the requirements as they were based in America.
• 3% immediately deleted the personal data they held, rather than disclosing it.
Remember ChoicePoint?
Records of 163,000 consumers compromised.
ChoicePoint agreed to pay $10M in civil penalties and $5M for consumer redress.
Side note: This breach is why we have security breach laws in all 50 states & DC.
California Consumer Privacy Act
Signed into law 6.28.18
Regulates an organization's uses of a CA resident's personal information
Effective January 1, 2020
Initial amendments in Sept 2018
Oct. 2019 - Additional amendments signed by the Governor
Draft AG regulations issued on 10.10.19
CCPA Applicability
• Companies "doing business" in CA must comply with CCPA if they meet or exceed one of these three thresholds:
• Annual gross revenue in excess of $25 million
• Alone or in combination, annually buys, receives for the entity's commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
• 50% or more of annual revenue is derived from selling consumers' personal information
Comparison GDPR & CCPA (CAL Consumer Privacy Act (CCPA) vs. EU General Data Protection Regulation (GDPR))

What data is affected?
CCPA: "personal information" covers almost any consumer or household related data that a company collects or maintains, including online IDs, profiling data, sensory data, etc.
GDPR: "personal data" is any data relating to an identified or identifiable natural person, including online IDs, profiling data, etc.

Who must comply?
CCPA: Businesses that collect CAL consumer information and (a) have annual gross revenue in excess of $25M USD, (b) annually buy, receive, sell or share for commercial purposes the information of at least 50,000 consumers, households or devices, or (c) derive at least 50% of their annual revenue from selling consumers' personal information.
GDPR: Organizations established in the EU, offering goods and services to EU residents, or profiling or targeting EU residents.

Whose information is protected?
CCPA: Consumers that are California residents, including employees.
GDPR: European residents (EU/EEA residents).

Requirement for processing
CCPA: "Robust Notice & Choice" = requirement to present a new "do not sell my personal information" link. A website and toll-free phone number for consumer inquiries has to be provided.
GDPR: Legal basis for processing, such as consent.

What rights do individuals have?
CCPA: Right to disclosure; right to access; right to delete; right to opt out from sale of personal information.
GDPR: Right to access; right to delete; right to rectification; right to data portability; right to object.

Private right of action
CCPA: Yes, if a data breach results from failure to maintain reasonable security. Statutory damages up to $750 per consumer per incident.
GDPR: Yes.

Fines
CCPA: California AG can impose civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation.
GDPR: Administrative fines of up to EUR 20M or 4% of total worldwide annual turnover, whichever is higher.
Key Definitions

CCPA: Personal information
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Includes a list of specific examples, including identifiers, biometric data, IP addresses and… olfactory information.

GDPR: Personal data
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
CCPA vs. GDPR: right of access
CCPA: Applies to PI that has been 'collected' or 'sold'
GDPR: Applies to PD that is being 'processed'

CCPA: the business must disclose
• Categories of PI it has collected/sold about that consumer
• The categories of sources from which the PI is collected
• The business or commercial purpose for collecting/selling PI
• The categories of third parties with whom the business shares PI
• Existence of deletion right
• The specific pieces of PI it has collected about that consumer
• Reply in 45 days, which can be extended once (justified)
• Free of charge

GDPR: the controller must disclose
• Purposes of processing
• Categories of PD processed
• Retention periods
• Sources of PD
• Existence of other rights, including the right to complain
• Existence of profiling and automated decision-making (ADM)
• Logic involved in profiling, ADM
• A copy of the PD that are processed
• Reply within one month, which can be extended by up to two further months (justified)
• Free of charge, unless the request is manifestly unfounded or excessive
CCPA vs. GDPR: right of deletion/erasure
CCPA: Applies to PI that has been 'collected'
GDPR: Applies to PD that is being 'processed'

CCPA: A consumer can request deletion in all circumstances, unless exceptions apply.
Exceptions, where PI is needed to/for:
• Complete a contract or provide a service/good requested by the consumer
• Detect security incidents
• Free speech
• Comply with other California laws
• Scientific, historical, statistical research
(et al., 9 in total)

GDPR: A data subject can request erasure in certain circumstances only – PD are no longer necessary, unlawful processing, withdrawal of consent, successful objection.
Exceptions:
• Freedom of expression
• Legal obligation
• Public health
• Archiving or scientific, historical, statistical research
• Establishment, exercise or defense of legal claims
CCPA vs. GDPR: Right to opt-out
CCPA: Selling of PI
GDPR: Processing of PD

CCPA:
• Right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's PI
• Provide a clear and conspicuous link on the business's homepage, titled 'Do Not Sell My Personal Information'

GDPR:
• Withdrawal of consent
• Right to object to direct marketing
• Right to object (when processing is based on legitimate interest or public interest)
• Right not to be subject to solely automated decision-making (ADM)
• No specific formatting requirements
• Consent must be as easy to withdraw as it is to give
GDPR Lessons Learned
Be responsive! Many poorly answered / ignored access requests have turned into DPA complaints.
The importance of a good data retention policy
When to push back / how to narrow the request
De-identification Challenges
Importance of vendor cooperation –both access and format
Using GDPR Processes for CCPA
What GDPR policies / processes can be repurposed for CCPA?
Did your GDPR data mapping include all customers / employees or just EU-based data subjects?
Will the same individuals who handle GDPR DSARs handle CCPA requests?
How will your privacy policy change for CCPA?
DSAR Alternatives
Self-service offerings bypass the DSAR process
These processes do not talk about complying with a specific right, but have the effect of promoting transparency to users.
Technical Challenges
Search starts off automated, but ends up being manual in order to make it consumable to the individual
Organizations are resource and time-limited; defensibility is based on potential risks and benefits
Multiple foreign keys for matching an identity
Matching an identity with no ID
API illusion
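The "multiple foreign keys" and "no ID" problems above come down to identity resolution across systems that never agreed on a key. The block below is an added example for this deck, not code from the presenters; the three "systems" (CRM, support, marketing), their records and the email/phone normalisation rules are constructed assumptions. It normalises each identifier, unions records that share one, and returns everything transitively linked to the identifiers the requester has verified. The sample data deliberately includes a shared household landline, so the same query with phone as a link key pulls in another person's records, which is the over-disclosure risk behind the "shared device data" headache earlier in the deck.

```python
"""Find every record that belongs to one requester when the company's systems
key on different identifiers and there is no single consumer ID. Added
example for this deck, not code from the presenters; the three 'systems',
their records and the normalisation rules are constructed assumptions."""

import re

# Constructed sample data. Each system keys on a different field, and two
# people (Ana and J. Lopez) share a household landline.
CRM = [
    {"id": "C-1", "customer_id": "10042", "email": "Ana.Lopez@Example.com", "phone": "(415) 555-0101"},
    {"id": "C-2", "customer_id": "10077", "email": "j.lopez@example.com", "phone": "415-555-0101"},
]
SUPPORT = [
    {"id": "T-9", "email": " ana.lopez@example.com ", "subject": "refund request"},
]
MARKETING = [
    {"id": "M-3", "customer_id": "10042", "segment": "frequent-buyer"},
    {"id": "M-4", "phone": "+1 415 555 0101", "segment": "household mailer"},
]
ALL_RECORDS = CRM + SUPPORT + MARKETING


def normalize(kind: str, value: str) -> tuple:
    """Canonical (kind, value) token so one identifier matches across systems."""
    if kind == "email":
        return ("email", value.strip().lower())
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        if len(digits) == 11 and digits.startswith("1"):  # drop US country code
            digits = digits[1:]
        return ("phone", digits)
    return (kind, value.strip())


class UnionFind:
    """Disjoint sets over identifier tokens and record nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def records_for(claimed: dict, link_keys=("customer_id", "email")) -> list:
    """IDs of all records linked, transitively, to the requester's verified
    identifiers through the fields named in link_keys."""
    uf = UnionFind()
    for rec in ALL_RECORDS:
        node = ("rec", rec["id"])
        uf.find(node)  # register the record even if it links to nothing
        for key in link_keys:
            if rec.get(key):
                uf.union(node, normalize(key, rec[key]))
    requester = ("rec", "requester")
    for key, value in claimed.items():
        if key in link_keys:  # identifiers outside link_keys are ignored
            uf.union(requester, normalize(key, value))
    root = uf.find(requester)
    return sorted(r["id"] for r in ALL_RECORDS if uf.find(("rec", r["id"])) == root)


if __name__ == "__main__":
    print("email only:", records_for({"email": "ana.lopez@example.com"}))
    print("with phone:", records_for({"email": "ana.lopez@example.com"},
                                     ("customer_id", "email", "phone")))
```

With the default link keys the requester gets C-1, T-9 and M-3; adding phone also returns C-2 and M-4, which belong to J. Lopez. The practical rule this illustrates: only identifiers that are both verified and individual (not a household phone or a shared device) should link records automatically, and a match made through a shared key should route to manual review rather than into the response.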
Recommendations
Define a reasonable scope
Consider limits to unstructured data and backups
Test the processes regularly, even after effective dates of a privacy law have passed.
Other considerations?
Automate It?
Average DSAR costs $1,400 / request (employee requests can be even more challenging)
By 2021, 80% of negative financial impact of the CCPA will arise from a company’s failure to implement scalable DSAR workflow.
Likely spike in DSARs after CCPA is effective on Jan. 1, 2020
Pros & Cons to having an automated process?
Risk of keeping a “data lake” to make data more easily accessible vs. honeypot for attackers
Examine what motivates DSARs
California AG Draft Regulations
• Recommended best practices for verification
• Recordkeeping requirements
• Reporting DSAR metrics
• Accessible to consumers with disabilities