The California Consumer Privacy Act: Your Questions, Answered
Scott M. Giordano, Esq., FIP, CISSP
V.P. and Sr. Counsel, Privacy and Compliance
January 28, 2020
Page 1: The California Consumer Privacy Act: Your Questions, Answered · 1/28/2020  · a/k/a CCPA 2.0, if passed, will replace it as that standard • Other states have passed their own


If you leave with nothing else…

• The California Consumer Privacy Act of 2018 (CCPA) has effectively become our default national standard for data protection
• The CCPA Regulations added to the compliance burden without providing clarity in several areas
• The California Privacy Rights and Enforcement Act of 2020 (CPREA), a/k/a CCPA 2.0, if passed, will replace it as that standard
• Other states have passed their own data protection statutes and more are on the way
• Understanding where personal information is located within your organization and who has access to it will be key to advancing your compliance

The California Consumer Privacy Act of 2018 (CCPA)

What You Need to Know About the CCPA

• California AG Xavier Becerra said he considers the law in effect as of Jan. 1, 2020, even though formal enforcement won’t start until July 1.
• CCPA §150 (data security) is enforceable on January 1st by private parties, which means class action lawsuits

What You Need to Know About the CCPA

• The CCPA is not, per se, a data breach statute, but a data protection statute, meaning it combines elements of privacy and security
• Designed to offer certain rights to consumers, such as the right to access and deletion of personal information
• Works side-by-side with the existing data security and data breach statutes, Civ. Code §§1798.81.5 and 1798.82, respectively

What You Need to Know About the CCPA

• “InfoSec” §1798.150(a)(1): “Any consumer whose nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
  • (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
• If the plaintiff wishes to pursue statutory damages, they must give 30 days’ notice so the defendant can “cure” the breach; otherwise, they can go directly to court
• How do you “cure” a breach?

What You Need to Know About the CCPA

The Big 5 areas of responsibility:
1. [what] the categories of personal information it has collected about that consumer;
2. [where] the categories of sources from which the personal information is collected;
3. [why] the business or commercial purpose for collecting or selling personal information;
4. [who] the categories of third parties with whom the business shares personal information; and
5. [what] the specific pieces of personal information it has collected about that consumer.

They show up throughout the CCPA, directly and indirectly: §§ 100, 110, 115

What You Need to Know About the CCPA

The Act grants the following rights to consumers with respect to sales of personal information to third parties:
• A consumer shall have the right at any time to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. §1798.120(a).
• A business that sells consumers’ personal information to third parties shall provide notice to consumers…that this information may be sold and that consumers have the right to opt out of the sale of their personal information. §1798.120(b).
• A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out. §1798.115(d). (Note that the business may request opt-in after 12 months.)

What You Need to Know About the CCPA

• The “draft” CCPA Regulations were published on October 10, 2019 by AG Becerra
• However, these seem to be final – for now
• What’s not in them?
  • Information on jurisdictional thresholds
  • Information on de-identifying or aggregating personal information
  • How to “cure” a breach
  • Citation to CIS CSC Top 20 (or other data protection frameworks), even though there are numerous references to information security (which I’ve highlighted in red)
  • Details on “third-party identity verification services” or “authorized agents”

What You Need to Know About the CCPA

Some significant aspects of the Regulations:
• A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection.
• If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.

What You Need to Know About the CCPA

With respect to the business’s privacy policy (privacy notice):

§ 999.308. Privacy Policy
The purpose of the privacy policy [i.e., the privacy notice] is to provide the consumer with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.

What You Need to Know About the CCPA

With respect to the business’s privacy policy (privacy notice):
• For each category of personal information collected, provide
  • the categories of sources from which that information was collected,
  • the business or commercial purpose(s) for which the information was collected, and
  • the categories of third parties with whom the business shares personal information.
• The notice shall be written in a manner that provides consumers a meaningful understanding of the categories listed.

What You Need to Know About the CCPA

With respect to the business’s information security practices:
• A business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.
• A business shall not at any time disclose a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, or security questions and answers.
• A business shall use reasonable security measures when transmitting personal information to the consumer.
• A business shall implement reasonable security measures to detect fraudulent identity-verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.

CCPA 2.0

• Official title: California Privacy Rights and Enforcement Act (CPREA).
• Ballot initiative can be found here: https://uploads-ssl.webflow.com/5aa18a452485b60001c301de/5d8bc3342a72fc8145920a32_CPREA_2020_092519_Annotated_.pdf
• Includes notes for much of the text
• If passed by the voters, will go into effect January 1, 2021

CCPA 2.0 Principal Changes

• Creation of the California Privacy Protection Agency (CPPA), tasked with enforcement of the CPREA and other state privacy regulations. In GDPR terms, a Supervisory Authority.
  • Performs “administrative” enforcement
  • Has subpoena power
• A “Chief Privacy Auditor” will be appointed to conduct audits of businesses.
• Annual disclosure for political use of personal information.
• Grants a statute of limitations for the Agency to enforce the CCPA for five years.
• Civil enforcement still performed by the A.G.

CCPA 2.0 Principal Changes

Introduces the concept of “sensitive personal information,” defined as:
• Social Security number
• Driver’s license number
• State identification card number
• Passport number
• A consumer’s account log-in, financial account, or debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account;
• A consumer’s precise geolocation;
• Personal information revealing a consumer’s racial or ethnic origin, religion, or union membership;
• The contents of a consumer’s private communications, unless the business is the intended recipient of the communication;
• A consumer’s biometric information;
• Data concerning a consumer’s health;
• Data concerning a consumer’s sexual orientation;
• or other data collected and analyzed for the purpose of identifying such information

CCPA 2.0 Principal Changes

• Enables consumers to direct businesses not to use or disclose their SPI (i.e., opt out; presumably, another opt-out button would be needed on a website).
• Consumers must opt in for sale of their SPI.
• SPI cannot be used for cross-context behavioral advertising.


Other States Have Not Been Idle

Selected Bills Pending in State Legislatures

• Washington Privacy Act, S.B. 6281
• Virginia Privacy Act, H.B. 473
• New Hampshire, H.B. 1680-FN
• Illinois, S.B. 2330, the Data Transparency and Privacy Act (DTPA)
• Florida, S.B. 1620/H.B. 963

Your Questions, Answered

Your Questions, Answered

• Can you compare and contrast CCPA to GDPR during the webinar?
• Does your firm have an updated data sheet for privacy regulations, like the one from early 2019?
• How do you see this new law applying to mortgage lenders, which must collect personal information in order to make credit decisions on loan applications submitted?
• How does CCPA affect employees of subcontractors? If my company contracts out work and we have an agreement in place with that company, can their employees come and request data removal from us, or does the contract protect us well enough if it details what data we collect?

Your Questions, Answered

• I'd like to know what other privacy laws are expected to pass in other states similar to the CCPA
• Most consider CCPA more stringent than GDPR. Would you agree and if so why?
• What impact will the California “Shine the Light” have with CCPA? Will we be required to “name or itemize” third-party providers at the request of a Californian?

Summary of GDPR vs. CCPA: 3 Primary Differences

Threshold for Becoming Subject / Territorial Scope
  GDPR:
  • Applies to business, government bodies, and non-profits operating within the “four walls” of the EU
  • Also applies to those entities outside the EU that offer goods or services into the EU or study the behavior of EU data subjects. Art. 3(2).
  CCPA: Satisfies one or more of the following thresholds:
  (A) Has annual gross revenues in excess of $25M.
  (B) Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
  (C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information. §1798.140(c)(1).
  Comments (CCPA):
  • For-profit entities only
  • Unclear whether the $25M threshold is limited to business in California or applies to overall revenues. The California AG will decide.

Sale/Transfer of Personal Information – Right to Opt-Out
  GDPR:
  • Sale/transfer must have a “legal basis” such as consent of the data subject, contract, “legitimate interest” of the business, etc. If basis is consent, data subject could revoke it. Art. 6.
  • Right to opt out of marketing. Art. 21(2).
  CCPA: “A business that sells consumers’ personal information to third parties shall provide notice to consumers…that this information may be sold and that consumers have the right to opt out of the sale of their personal information.” §1798.120(b).
  Comments: Under GDPR, there must be a legal basis for processing. In principle, if a data controller subject to GDPR uses a basis other than consent, it could sell/transfer the data to another party and the data subject could not stop it.

Right to Erasure / Deletion
  GDPR: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay[.]” Art. 17.
  CCPA: A consumer may request that personal information that “the business has collected from the consumer” be deleted. §1798.105
  Comments: The CCPA has a long list of exceptions, some of which are very wide-ranging (e.g., “compatible with the context in which the consumer provided the information.”)

GDPR vs. CCPA: InfoSec, IR, and BN

Information Security
  GDPR: “[T]he controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[.]” Art. 32(1).
  CCPA: Businesses have a “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” §1798.150(a).
  Comments: CCPA’s §150 is almost identical to Civ. Code §1798.81.5(b), “shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Incident Response
  GDPR: GDPR does not use the phrase “incident response,” but cites the necessity to have “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident[.]” Art. 32(1)(c).
  CCPA: CCPA does not use the phrase “incident response,” but cites the option to “cure” a breach if a victim of the breach pursues statutory damages. §1798.150(b). However, what qualifies as a “cure” is not defined.
  Comments: The proposed “CCPA 2.0” adds this to §150 of the CCPA: “The implementation and maintenance of reasonable security procedures and practices following a breach does not constitute a cure.”

Breach Notification
  GDPR:
  • To Supervisory Authorities. “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it[.]”
  • To Data Subjects. “[T]he controller shall communicate the personal data breach to the data subject without undue delay.”
  CCPA: CCPA is not, per se, a breach notification statute. Under §1798.82(a), businesses “shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California[.]…The disclosure shall be made in the most expedient time possible and without unreasonable delay[.]”
  Comments: The CCPA works side-by-side with the existing data security and data breach statutes, Civ. Code §§1798.81.5 and 1798.82, respectively.

Data Inventories

Sample Data Inventory

Process Descriptions (what each column holds):
• Country: ‘Nerve Center’ country (dropdown)
• Business Unit: Business teams (dropdown)
• Process flow name: Business process activity (e.g. recruiting, payroll calculations, payment processing, etc.)
• Purpose of the processing: Description, why activity is done (possible highlight if privacy notice or consent required)
• Category of Personal Data: Employees, Customers, Candidates, Suppliers (dropdown)
• List of data items: Types of Personal Data include name, address, date of birth, marital status
• Data Type: personal data type (Standard or Sensitive); sensitive data types include standard personal data fields
• Legal Basis: Legal basis for processing

Entry 1
• Country: United States
• Business Unit: IT
• Process flow name: MDM Expert
• Purpose of the processing: Mobile Device Management (MDM). Mobile device management (MDM) is software that allows IT administrators to control, secure and enforce policies on smartphones, tablets and other endpoints. MDM is a core component of enterprise mobility management (EMM) which also includes mobile application management, identity and access management and enterprise file sync and share. The intent of MDM is to optimize the functionality and security of mobile devices within the enterprise while simultaneously protecting the corporate network.
• Category of Personal Data: Employee
• List of data items: IMSI, IMEI, Device ID, ESN
• Data Type: Standard
• Legal Basis: Legitimate Interest

Entry 2
• Country: United States
• Business Unit: IT
• Process flow name: DLP Master
• Purpose of the processing: Data loss prevention; specifically, file centric actions, e.g., copying from a Word document to Yahoo mail or a USB drive. Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
• Category of Personal Data: Employee
• List of data items: Equipment identifier (laptop, desktop ID or processor serial number), UserID, AD credentials
• Data Type: Standard
• Legal Basis: Legitimate Interest

A section of a sample data inventory, with personal data categories highlighted. Reproduced with permission from Robert Half Legal Consulting

Upcoming Data Protection Presentations

• Feb. 5th: Fifth Annual Atlanta Cyber Security Summit, The New CCPA Regulations and What They Mean for Your Information Security Program
• Feb. 11th: (webinar) The U.K., Post-Brexit: Data Protection, E-Privacy & Cybersecurity Challenges Ahead
• Feb. 26th: RSA Conference, The New CCPA Regulations and What They Mean for Your Information Security Program

Summary and Conclusions

• We’re already seeing massive change in approaches to data protection operations based on the CCPA
• CCPA 2.0 will create another wave of such change
• Other states are advancing their version of CCPA or promoting their “favorite” data protection causes, e.g., data brokers, IoT, biometrics, etc.
• It is highly unlikely that we’ll see federal privacy legislation
• Understanding where personal information is located within your organization and who has access to it will be key to advancing compliance


Thank you!

All trademarks are the property of their rightful owners.

Scott M. Giordano, [email protected]

Learn more about how Spirion can help accelerate CCPA compliance through automated accurate data discovery, classification and monitoring.

Visit www.spirion.com


Appendix A: State Data Protection Laws Enforceable in 2020

Compliance Deadlines

State | Bill Number and/or Name | Compliance Mandate Area(s) | Enforcement Begins
California | S.B. 327, A.B. 1906 | Internet of Things (IoT) security | January 1, 2020
California | A.B. 375, S.B. 1125 | Comprehensive personal data privacy; security | January 1, 2020
Oregon | H.B. 2395 | Internet of Things (IoT) security | January 1, 2020
Illinois | S.B. 1624 | Breach notification | January 1, 2020
Oregon | S.B. 684 | Personal information; breach notification for vendors | January 1, 2020
Texas | H.B. 4390 | Breach notification | January 1, 2020
Washington state | H.B. 1071 | Breach notification | March 1, 2020
New York | S. 5575-B, the SHIELD Act | Identify and protect “private information”; breach notification; secure disposal | March 21, 2020
Alabama | S.B. 54, the Insurance Data Security Law | Comprehensive written information security program | May 1, 2020
Maine | L.D. 946 | Sales of personal information | July 1, 2020
Delaware | H.B. 174, Insurance Data Security Act | Comprehensive written information security program | July 31, 2020
Connecticut | the Insurance Data Security Law | Comprehensive written information security program | October 1, 2020
Michigan | H.B. 6491, the Insurance Data Security Law | Comprehensive written information security program | January 1, 2021
New Hampshire | S.B. 194, Insurance Data Security Law | Comprehensive written information security program | January 1, 2021

