Crash Course: California Consumer Privacy Act
Overview
David Zetoony, Partner & Co-Chair of Global Data Privacy and Security Team
Agenda
• The History of the CCPA
• Scope of the CCPA
• What it requires businesses to do:
  – Policy 1: Privacy Notices
  – Policy 2: Data Subject Request Protocols
  – Policy 3: Anti-Discrimination
  – Policy 4: Written Information Security Programs
  – Policy 5: Incident Response Policies
  – Policy 6: Vendor Management
  – Policy 7: Cookie Banner and Cookie Policy
History
CCPA amended Sept. 2019:
• AB 25 delays some rights as to employees
• AB 874 modifies definition of personal information
• AB 1146 exempts motor vehicle records
• AB 1202 requires registration of data brokers
• AB 1355 modifies financial incentive exception; delays some rights as to business contacts
• AB 1564 scales back methods of submitting data subject requests for eCommerce-only businesses

Attorney General Proposed Regulations, October 11, 2019:
• No exemptions for adTech
• No clarification concerning the extent to which cookies are / are not personal information
• No clarifications concerning the implications of the CCPA on behavioral advertising

What’s next?
Scope of the CCPA
• Applies extraterritorially to all entities that do “business in the state.”
• Exempts some small businesses, such that it only applies if:
Scope of the CCPA – Effective Dates
January 1, 2020: Date most provisions become law, and plaintiffs can seek money for data breaches.
July 1, 2020: Date the Attorney General can bring enforcement actions.

Scope of CCPA – What is “Personal Information”?
“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers… (on and on)
CCPA 1798.140(o)(1)
What does the CCPA require businesses to do?
Policy 1: Information Notices
There were several laws in the United States that required companies to provide an information notice or a privacy policy:
• COPPA
• HIPAA
• GLBA
• FERPA
• State laws concerning online collection of information
• State laws concerning collection of SSN
How does the CCPA change existing law?
Policy 1: Information Notices
Business requirements, compared across US federal laws, most US state laws, GDPR, and CCPA:
• Applies to a broad range of companies and not limited to distinct industries, e.g. finance
• Applies to the collection of personal information online and offline ◊
• Provide detailed information on how they use and process the personal information they collect ◊
• Notify individuals about a right to access information they hold about them ◊
• Notify individuals about a right to have their information deleted ◊
• Include a ‘Do not sell my personal information’ link on websites and privacy notices
• Describe the information that they share with service providers
• Describe the types of entities to whom they sell information
Policy 1: Information Notices
What should companies do?
Policy 2: Data Subject Request Protocols – Comparison to current laws
Access Personal Information: HIPAA, FERPA, GDPR
Delete Personal Information: COPPA, Ca Eraser Button Law, GDPR
Opt-Out of Sale of Information: ~GLBA (sharing), ~Cal Financial Info Privacy Act (sharing)
Policy 2: Data Subject Request Protocols
What should companies do?
Policy 3: Marketing Practices
“(1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:
(A) Denying goods or services to the consumer.
(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(C) Providing a different level or quality of goods or services to the consumer.
(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.”
CCPA 1798.125(a)
Policy 3: Marketing Practices
Practical areas where discrimination may be occurring for some businesses:
• Loyalty programs
• Exclusive deals in mailing lists
Policy 3: Marketing Practices
What should companies do?
Policy 4 & 5: WISP and IRP
• The CCPA does not require that an organization implement a written information security program or implement an incident response plan.
• The CCPA does create statutory damages if there is a data breach that is “a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Policy 4 & 5: WISP and IRP
• How does this compare with existing European law?
Policy 4 & 5: WISP and IRP
• What should a company do?
Policy 6: Vendor Management
The CCPA defines a “service provider” as
“’Service provider’ means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.”
CCPA 1798.140(v)
Policy 6: Vendor Management
What should a company do?
Policy 7: Cookie Banner and Cookie Policy
Third-party advertising cookies, tags, and pixels form the core of modern online behavioral advertising and are deployed by media publishers and advertisers alike:
Biographies
David Zetoony, Partner
Chair, Data Privacy & Security Team
Bryan Cave Leighton Paisner LLP, Washington, D.C. / Boulder, Colorado
202 508 [email protected]
David Zetoony is the leader of the firm's global data privacy and security practice. He has extensive experience advising clients on how to comply with state and federal privacy, security, and advertising laws, representing clients before the Federal Trade Commission, and defending national class actions. He has assisted hundreds of companies in responding to data security incidents and breaches, and has represented human resource management companies, financial institutions, facial recognition companies, and consumer tracking companies before the Federal Trade Commission on issues involving data security and data privacy.