TRANSCRIPT
Webinar: The “Final” California Consumer Privacy Act
October 17, 2019
*The contents of this document are not intended to serve as legal advice related to individual situations or as legal opinions
concerning such situations, nor should they be considered a substitute for taking legal advice.
squirepattonboggs.com
Game Changer
It’s broad
• ALL PI
• ALL kinds of people
Creates new “rights”
New statutory damages
California often sets the floor high – and other states follow
Recent Surprises
Data broker registration with AG
Broad regulations
CCPA 2.0 might be coming
January 1, 2021
© 2019 Squire Patton Boggs
Recent Amendments and Regulations Changed Things
New data carve outs
Definition of “PI”
Notice requirements – online and offline collection
Mechanics for individual rights requests
Opt-out requirements
Record keeping requirements
Requirements around offering financial incentives
Scope of CCPA
Who and what is regulated by the law
FOCUS ON:
- notifying consumers
- handling consumer requests
- verifying consumers’ identities
- processing requests concerning information on behalf of children under the age of 16; and
- avoiding discrimination
Article by Ryan Johnston / Oct 10, 2019 | STATESCOOP
NOTE: All 2019 amendments to CCPA have now been signed into law (Oct 11)
Who is Regulated?
“Business”
For-profit + collects personal information (“PI”) + determines the means and purpose of processing + does business in CA + satisfies one of the following:
• Annual gross revenues exceeding $25 million;
• Annually sells/buys OR receives/shares for commercial purposes the PI of 50,000 or more consumers, households, or devices; or
• Derives 50% or more of its annual revenue from selling PI
Also any entity that “controls or is controlled” by such a business + operates under a common brand
“Service provider”
Processes PI on behalf of a business + compliant contract
Expanded definition: entities that provide services to a non-business or collect PI on behalf of a business, but would otherwise not qualify
Limitation on data use: No use to provide services to another person or entity
• May “combine the information received” as necessary to detect security incidents, or protect against fraudulent or illegal activity
May deny right to know / deletion requests (but must explain why)
Third Party
What is Regulated?
Collecting, using, and sharing consumer PI
“Collection”
• “buying, renting, gathering, obtaining, receiving, or accessing any PI pertaining to a consumer by any means”
• Not limited to PI collected online
“Personal Information” (“PI”)
• “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”
• Excludes: public data & de-identified/aggregate data
“Consumer”:
• California resident (including employees, B2B contacts, website visitors, etc.)
CCPA does not restrict a business’s ability to:
Comply with law/inquiries, investigations, subpoenas and summons, cooperate with law enforcement, or exercise or defend legal claims
Collect, use, retain, sell, or disclose de-identified or aggregated PI
Collect or sell a consumer’s PI if every aspect of that commercial conduct takes place wholly outside of California
New Carve Outs
Warranty and recall information
Vehicle and ownership information shared between motor vehicle dealer & vehicle’s manufacturer not subject to opt-out
Added to exceptions to deletion
Worker data moratorium (sunsets in 1 year)
Limited to employer/employee context
Emergency contact information
Benefits administration data
B2B moratorium (sunsets in 1 year)
Communications and transactions occurring solely within the context of due diligence
Situations where a product or service is provided or received
Plus, CCPA does not apply to:
PI subject to HIPAA/CMIA, GLBA/CalFIPA, Driver’s Privacy Protection Act, FCRA, and other sector-specific laws
Complying with Consumer Rights under CCPA
“We want companies to understand that ignorance is not an excuse.” - AG Becerra
SF Chronicle article by Shwanika Narayan | October 10, 2019
Right to “Know”
Right to Delete
Right to Opt-out/Opt-in
Right Against Discrimination
Right to Know
Specific pieces of PI:
Don’t disclose if the consumer’s identity cannot be verified; instead, disclose categories of PI
Deny if disclosure would:
• Create a substantial, articulable, and unreasonable risk to the security of the PI, the consumer’s account, or the business’s systems
• Conflict with state or federal law
Never disclose:
• Social Security number, driver’s license number or other government-issued ID number, financial account number, any health insurance or medical ID number, an account password, or security questions and answers
Categories of PI:
May deny if the consumer’s identity cannot be verified (direct the consumer to the privacy policy)
For each category provide:
• the categories of sources;
• the business or commercial purpose for collection;
• the categories of third parties to whom the information is disclosed/sold; and
• the business or commercial purpose for which it was sold or disclosed
Right to Know (cont.)
Two methods: toll-free number at a minimum (unless the business only interacts with consumers in person)
12-month look-back period (from date of request)
Reasonable security measures when transmitting PI to the consumer
Password-protected account:
May use a secure self-service portal for consumers to access, view, and receive a portable copy of their PI
Individualized response
Portable and readily usable format
PI collected for a one-time transaction (if not sold) need not be retained
No need to re-identify or otherwise link any data that is not considered PI
Right to Delete
Two methods (need not be a toll-free number)
2-step process for online requests:
Request submission and separate confirmation
Permanently and completely erase the PI:
May delay deletion of archived or back-up data until next accessed or used
De-identify or Aggregate the PI
Specify to the consumer in the response: the manner of deletion, and, if not all data was deleted, the reason for retention and the record retention policy
May deny request if:
Exemption applies; or
Cannot verify the consumer’s identity, BUT must then treat the request as a request to opt-out of sale
May offer to erase part BUT option to erase ALL must be available
Inform vendors
Right to Know and Right to Delete: Submission Methods and Responding
Methods:
At least one method shall reflect the manner in which the business primarily interacts with the consumer (even if it results in offering three methods)
If the business does not interact directly with consumers, at least one method shall be online
If a consumer request is deficient or not submitted in a designated manner, either:
• Treat the request as validly submitted; or
• Provide directions on how to submit the request or remedy any deficiencies
Responding:
Confirm receipt within 10 days + inform about the process
Respond within 45 days (from date of receipt)
May take up to an additional 45 days (max. total of 90 days) but must provide notice and an explanation of the reason for the extension
Right to Know and Right to Delete (cont.): Verification of Identity
In general, consider:
The type, sensitivity, and value of the PI
The risk of harm to the consumer posed by any unauthorized access or deletion
Likelihood that fraudulent or malicious actors would seek the information
Available technology
Avoid requesting additional information beyond what is needed to verify
Preference: use existing password-protected accounts
Authorized agents:
Require verification of both person acting as authorized agent and consumer
May require written permission from consumer assigning authorized agent
“Household” data: individually verify all the members of the household subject to verification requirements
Verify parents for opt-in where appropriate (similar to COPPA)
Right to Opt-Out / Opt-In: What is a “Sale”?
Exemptions:
Consumer directs business to share with a third party
Disclosures to service providers that comply with certain requirements
Corporate transactions (e.g., M&A deals) with exceptions
Sharing to operationalize opt-outs
Vehicle/ownership info shared between manufacturer and dealer
Sale = sharing with business or third party for “valuable consideration”
Notify consumers that PI may be sold and about their right to opt-out
Provide opt-out if 16 or older
Obtain opt-in if under 16 (<13: from parent; 13-15: from minor)
Third parties can’t sell unless notice provided
Right to Opt-Out / Opt-In (cont.): Mechanics
Two methods:
At a minimum, an interactive link “Do Not Sell My PI”
At least one method offered shall reflect the manner in which the business primarily interacts with the consumer
Two-step opt-in process:
If opting-in to sale after opting-out, or if opting-in to sale as a minor: request submission and separate confirmation
Comply within 15 days
May offer the option to opt-out of the sale of certain categories of information, but the option to opt-out of ALL must be available
Inform:
Notify all third parties to whom the PI was sold in the past 90 days; and
Notify the consumer when complete
Right to Opt-Out / Opt-In (cont.): Other Rules
Verification:
Consumer verification not required for opt-out
Minors (opt-in):
• Under 13: similar to COPPA
• 13-15: describe methods and opt-out in privacy policy
Browser plug-ins and privacy settings
If collecting PI from consumers online:
• Treat user-enabled privacy controls (e.g., browser plugin, privacy setting, or other mechanism) that communicate or signal the consumer’s choice to opt-out of the sale of their PI as a valid request to opt-out for that browser or device, or, if known, for the consumer
When a transaction requires a sale
May inform a consumer who has opted-out when a transaction requires the sale of their PI as a condition of completing the transaction, along with instructions on how the consumer can opt-in
Right Against Discrimination
Shall not discriminate against a consumer for exercising their rights under CCPA
Proposed loyalty-card clarification FAILED to pass
Calculate the value of the data:
Marginal or average value of the sale, collection, or deletion
Revenue or profit generated from separate tiers/categories/classes of consumers
Expenses related to the sale, collection, or retention, or to the offer or provision of a financial incentive or price/service difference
Profit generated from sale, collection, or retention
Other “practical or reliable” method
Business Obligations
Obligation to Inform
Vendor Management
Training
Record Keeping
Reasonable Security
Obligation to Inform: Privacy Policy
All notices must be:
Conspicuous, easy to read, understandable (including on smaller screens), and accessible (language, offline collection)
Required Contents:
Individual rights: explanation + instructions on submission + verification process
For each category of PI collected in the preceding 12 months:
• Categories of sources;
• Business or commercial purpose(s); and
• Categories of third parties with whom the business shares PI
Whether or not the business has disclosed/sold PI to third parties (in the prior 12 months)
• List the categories of PI disclosed/sold
• Whether minors’ data was sold without opt-in authorization
Metrics (if required)
Obligation to Inform: Additional Notices
Cannot collect PI without notice, and cannot use PI for a purpose not disclosed in that notice
At OR before collection (if collecting directly):
Categories of PI
For each category, the business or commercial purpose(s) for use
Link/URL to “Do Not Sell” information and full privacy policy
Accessible
Right to opt-out (if selling):
Describe right + method/instructions to submit
May require proof of authorization (only when using an authorized agent)
Link/URL to privacy policy
Opt-out Logo: TBD
Financial Incentives (if offering):
Summary of incentive + categories of PI affected + right to withdraw and process
Explain basis under CCPA:
• A good-faith estimate of the value of the data; and
• Method used to calculate the value
Obligation to Inform: If Not Collecting Directly From Consumer
Need not provide notice at or before collection, BUT before selling any of the information shall do either of the following:
Contact the consumer directly:
• Provide notice that the business sells PI; and
• Provide a notice of right to opt-out in accordance with CCPA
Contact the source of the PI to:
• Confirm that the source provided compliant notice at collection
• Obtain a signed attestation describing how notice was given and an example of the notice
• Retain attestations for at least 2 years
• Make attestations available to the consumer upon request
Vendor Management
Contract with “service providers”:
Limit unauthorized use of PI;
Prohibit the sale of PI;
Prohibit use of PI for a commercial purpose; and
Assist with deletion requests (arguably)
Contract with “non-third parties”:
Prohibit disclosure “outside of the direct business relationship between the person and the business”; and
Certification
Other contracts:
Business partners
Vendors that prefer not to act as “service providers”
Training
Train employees responsible for handling CCPA compliance and consumer requests
Establish, document, and comply with a training policy (if over 4M records are sold/disclosed for commercial purposes)
Ensure that all individuals responsible are informed
Even when you are not required to provide training (e.g., worker data moratorium, data subject to GLBA, etc.), you should ensure your personnel are sufficiently informed to respond to requests
Record Keeping
Keep records on requests and responses for at least 24 months
Ticket or log format ok
Can’t use record-keeping information for any other purpose
If, annually, a business buys, receives for a business purpose, sells, or shares for a commercial purpose the PI of at least 4 million consumers, it must keep a record of the following for the previous year (and share it in the privacy policy):
Number of requests for access, deletion, and opt-out received
Number of requests complied with (in whole or in part) and denied
Median number of days taken to substantively respond
Additional recommended record keeping:
Record of notice at collection
Records of opt-in consent
If PI not collected directly by the business is sold, record:
• Notification and consent from consumer; or
• Certification by source
Data Breach and Statutory Damages
CCPA creates a private right of action for breaches of non-encrypted PI resulting from a failure to implement and maintain “reasonable security”
CCPA allows for statutory damages up to $750/person or actual damages, whichever is greater
CHANGE: “…any consumer whose nonencrypted and nonredacted PI…”
How We Can Help
Applicability
Gap Assessment
Data Mapping
Work Plans
Training
…and more
What We Do to Help
Determine applicability of the CCPA to a company
Conduct a gap assessment
Prepare and execute work plans to achieve compliance in a cost-effective, efficient manner, leveraging existing GDPR compliance efforts where applicable
Interpret nuances in the CCPA provisions, such as identifying business partners as service providers, third parties, or something else under the law
Assist with individual compliance tasks, such as:
Conducting data inventories;
Designing processes to respond to individual rights requests;
Drafting privacy notices; and
Preparing contracts, including updating GDPR DPAs to cover CCPA
Ensure your voice is heard by regulators/lawmakers
Train employees regarding CCPA requirements / Educate C-Suite/Board regarding compliance obligations
Proposed Rules: Next Steps
Proposed rules published
Written comment period closes December 6
Public hearings Dec 2nd to Dec. 5th, 2019
No changes: rules will be final
Minor, sufficiently related changes: 15-day comment period
Major changes: new 45-day comment period required
Contact
Elliot Golding
Partner, Washington
T +1 202 457 6407
Lydia F de la Torre
Of Counsel, Palo Alto
T +1 650 843 3227