Webinar: The “Final” California Consumer Privacy Act

October 17, 2019

*The contents of this document are not intended to serve as legal advice related to individual situations or as legal opinions concerning such situations, nor should they be considered a substitute for taking legal advice.


Game Changer

It’s broad

o ALL PI

o ALL kinds of people

Creates new “rights”

New statutory damages

California often sets the floor high – and other states follow

Recent Surprises

Data broker registration with AG

Broad regulations

CCPA 2.0 might be coming

January 1, 2021

© 2019 Squire Patton Boggs


Recent Amendments and Regulations Changed Things

New data carve outs

Definition of “PI”

Notice requirements – online and offline collection

Mechanics for individual rights requests

Opt-out requirements

Record keeping requirements

Requirements around offering financial incentives


Scope of CCPA

Who and what is regulated by the law

FOCUS ON:

- notifying consumers
- handling consumer requests
- verifying consumers’ identities
- processing requests concerning information on behalf of children under the age of 16; and
- avoiding discrimination

Article by Ryan Johnston / Oct 10, 2019 | STATESCOOP

NOTE: All 2019 amendments to CCPA have now been signed into law (Oct 11)


Who is Regulated?

“Business”

For-profit + collects personal information (“PI”) + determines means and purpose + does business in CA + satisfies one of the following:

• Annual gross revenues exceeding $25 million;

• Annually sells/buys OR receives/shares for commercial purposes the PI of 50,000 or more consumers, households, or devices; or

• Derives 50% or more of its annual revenue from selling PI

Any entity that “controls or is controlled” + operates under common brand

“Service provider”

Process on behalf of business + compliant contract

Expands: Entities that provide services to a non-business/collect on behalf of a business but would otherwise not qualify

Limitation on data use: No use to provide services to another person or entity

• May “combine the information received” as necessary to detect security incidents, or protect against fraudulent or illegal activity

May deny right to know / deletion requests (but must explain why)

Third Party


What is Regulated?

Collecting, using, and sharing consumer PI

“Collection”

• “buying, renting, gathering, obtaining, receiving, or accessing any PI pertaining to a consumer by any means”

• Not limited to PI collected online

“Personal Information” (“PI”)

• “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”

• Excludes: public data & de-identified/aggregate data

“Consumer”:

• California resident (including employees, B2B contacts, website visitors, etc.)

CCPA does not restrict a business’s ability to:

Comply with law/inquiries, investigations, subpoenas and summons, cooperate with law enforcement, or exercise or defend legal claims

Collect, use, retain, sell, or disclose de-identified or aggregated PI

Collect or sell a consumer’s PI if every aspect of that commercial conduct takes place wholly outside of California


New Carve Outs

Warranty and recall information

Vehicle and ownership information shared between motor vehicle dealer & vehicle’s manufacturer not subject to opt-out

Added to exceptions to deletion

Worker data moratorium (sunsets in 1 year)

Limited to employer/employee context

Emergency contact information

Benefits administration data

B2B moratorium (sunsets in 1 year)

Communications and transactions occurring solely within the context of due diligence

Situations where a product or service is provided or received

Plus, CCPA does not apply to:

PI subject to HIPAA/CMIA, GLBA/CalFIPA, Driver’s Privacy Protection Act, FCRA, other


Complying with Consumer Rights under CCPA

“We want companies to understand that ignorance is not an excuse.” - AG Becerra, SF Chronicle article by Shwanika Narayan, October 10, 2019

Right to “Know”

Right to Delete

Right to Opt-out/Opt-in

Right Against Discrimination


Right to Know

Specific pieces of PI:

Don’t disclose if identity cannot be verified; instead, disclose categories of PI

Deny if disclosure would:

• Create a substantial, articulable, and unreasonable risk to the security

• Conflict with state or federal law

Never disclose:

• Social Security number, driver’s license number or other government-issued ID number, financial account number, any health insurance or medical ID number, an account password, or security questions and answers

Categories of PI:

May deny if identity cannot be verified (direct the consumer to the privacy policy)

For each category provide:

• the categories of sources;

• the business or commercial purpose for collection;

• the categories of third parties to whom the information is disclosed/sold; and

• the business or commercial purpose for which it was sold or disclosed


Right to Know (cont.)

Two Methods: toll-free number at a minimum (unless the business interacts with consumers only in person)

12-month look-back period (from date of request)

Reasonable security measures when transmitting PI to the consumer

Password-protected account:

May use a secure self-service portal for consumers to access, view, and receive a portable copy of their PI

Individualized response

Portable and readily usable format

PI collected for a one-time transaction (if not sold) need not be retained

No need to re-identify or otherwise link any data that is not considered PI


Right to Delete

Two Methods (need not be a toll-free number)

2-step process for online requests:

Request submission and separate confirmation

Permanently and completely erase the PI:

May delay deletion of archived or back-up data until next accessed or used

De-identify or Aggregate the PI

Specify to the consumer in the response: the manner of deletion and, if not all data is deleted, the reason for retention and the record retention policy

May deny request if:

Exemption applies; or

Cannot verify identity, BUT must treat the request as a request to opt-out of sale

May offer to erase part BUT option to erase ALL must be available

Inform vendors


Right to Know and Right to Delete: Submission Methods and Responding

Methods:

At least one method shall reflect the manner in which the business primarily interacts with the consumer (even if it results in offering three methods)

If the business has no direct interaction with consumers, at least one method shall be online

If a consumer request is deficient or not submitted in a designated manner, either:

• Treat the request as validly submitted; or

• Provide directions on how to submit the request or remedy any deficiencies

Responding:

Confirm receipt within 10 days + inform about the process

Respond within 45 days (from date of receipt)

May take up to an additional 45 days (max. total of 90 days) but must provide notice and explanation of the reason for the extension


Right to Know and Right to Delete (cont.): Verification of Identity

In general, consider:

The type, sensitivity, and value of the PI

The risk of harm to the consumer posed by any unauthorized access or deletion

Likelihood that fraudulent or malicious actors would seek the information

Available technology

Avoid requesting additional information

Preference: use password protected accounts

Authorized agents:

Require verification of both the person acting as authorized agent and the consumer

May require written permission from consumer assigning authorized agent

“Household” data: individually verify all the members of the household subject to verification requirements

Verify parents for opt-in where appropriate (similar to COPPA)


Right to Opt-Out / Opt-In: What is a “Sale”?

Exemptions:

Consumer directs business to share with third party

Disclosures to service providers that comply with certain requirements

Corporate transactions (e.g., M&A deals) with exceptions

Sharing to operationalize opt-outs

Vehicle/ownership info shared between manufacturer and dealer

Sale = sharing with business or third party for “valuable consideration”

Notify consumers that PI may be sold and about their right to opt-out

Provide opt-out if 16 or older

Obtain opt-in if under 16 (<13: from parent; 13-15: from minor)

Third parties can’t sell unless notice provided


Right to Opt-Out / Opt-In (cont.): Mechanics

Two methods:

At a minimum, an interactive link “Do Not Sell My PI”

At least one method offered shall reflect the manner in which the business primarily interacts with the consumer

Two-step opt-in process:

If opting-in to sale after opting-out, or if opting-in to sale as a minor, request submission and separate confirmation

Comply within 15 days

May offer the option to opt-out of the sale of certain categories of information, but the option to opt-out of ALL must be available

Inform:

Notify all third parties to whom PI was sold in past 90 days and

Notify consumer when complete


Right to Opt-Out / Opt-In (cont.): Other Rules

Verification:

Consumer verification not required for opt-out

Minors (opt-in):

• Under 13: similar to COPPA

• 13-15: describe methods and opt-out in privacy policy

Browser plug-ins and privacy settings

If collecting PI from consumers online:

• Treat user-enabled privacy controls (e.g., browser plugin, privacy setting, or other mechanism) that communicate or signal the consumer’s choice to opt-out of the sale of their PI as a valid request to opt-out for that browser or device, or, if known, for the consumer

When a transaction requires a sale

May inform a consumer who has opted-out when a transaction requires the sale of their PI as a condition of completing the transaction, along with instructions on how the consumer can opt-in


Right Against Discrimination

Shall not discriminate against a consumer for exercising their rights under CCPA

Loyalty cards clarification FAILED

Calculate the value of the data:

Marginal or average value of the sale, collection, or deletion

Revenue or profit generated from separate tiers/categories/classes of consumers

Expenses related to the sale, collection, or retention, offer, provision of financial incentive, or price/service difference

Profit generated from sale, collection, or retention

Other “practical or reliable” method


Business Obligations

Obligation to Inform

Vendor Management

Training

Record Keeping

Reasonable Security


Obligation to Inform: Privacy Policy

All notices must be:

Conspicuous, easy to read, understandable (including on smaller screens), and accessible (language, offline collection)

Required Contents:

Individual rights: explanation + instructions on submission + verification process

For each category of PI collected in the preceding 12 months:

• Categories of sources;

• Business or commercial purpose(s); and

• Categories of third parties with whom the business shares PI

Whether or not the business has disclosed/sold PI to third parties (in the prior 12 months)

• List the categories of PI disclosed/sold

• Whether minors’ data was sold without opt-in authorization

Metrics (if required)


Obligation to Inform: Additional Notices

Cannot collect PI without notice and cannot use PI for a purpose not included in the notice

At OR before collection (if collecting directly):

Categories of PI

For each category, the business or commercial purpose(s) for use

Link/URL to “Do Not Sell” information and full privacy policy

Accessible

Right to opt-out (if selling):

Describe right + method/instructions to submit

May require proof of authorization (only when using an authorized agent)

Link/URL to privacy policy

Opt-out Logo: TBD

Financial Incentives (if offering):

Summary of incentive + categories of PI affected + right to withdraw and process

Explain basis under CCPA:

• A good-faith estimate of the value of the data; and

• Method used to calculate the value


Obligation to Inform: If Not Collecting Directly From Consumer

Need not provide notice at or before collection, BUT before selling any information shall do either of the following:

Contact the consumer directly:

• Provide notice that the business sells PI; and

• Provide a notice of right to opt-out in accordance with CCPA

Contact the source of the PI to:

• Confirm that the source provided compliant notice at collection

• Obtain a signed attestation describing how notice was given and an example of the notice

• Retain attestations for at least 2 years

• Make attestations available to the consumer upon request


Vendor Management

Contract with “service providers”:

Limit unauthorized use of PI;

Prohibit the sale of PI;

Prohibit use of PI for a commercial purpose; and

Assist with deletion requests (arguably)

Contract with “non-third parties”:

Prohibit disclosure “outside of the direct business relationship between the person and the business”; and

Certification

Other contracts:

Business partners

Vendors that prefer not to act as “service providers”


Training

Train employees responsible for handling CCPA compliance and consumer requests

Establish, document, and comply with a training policy (if over 4M records sold/disclosed for commercial purposes)

Ensure that all individuals responsible are informed

Even when you are not required to provide training (e.g., worker data moratorium, data subject to GLBA, etc.), ensure your personnel are sufficiently informed to respond to requests


Record Keeping

Keep records on requests and responses for at least 24 months

Ticket or log format ok

Can’t use record-keeping information for any other purpose

If, annually, a business buys, receives for a business purpose, sells, or shares for a commercial purpose the PI of at least 4 million consumers, it must keep a record of the following for the previous year (and share it in its privacy policy):

Number of requests for access, deletion, and opt-out received

Number of requests complied with (in whole or in part) and denied

Median # of days taken to substantively respond

Additional recommended record keeping:

Record of notice at collection

Records of opt-in consent

If PI not collected directly by the business is sold, record:

• Notification and consent from consumer; or

• Certification by source


Data Breach and Statutory Damages

CCPA creates a private right of action for breaches of non-encrypted PI resulting from a failure to implement and maintain “reasonable security”

CCPA allows for statutory damages up to $750/person or actual damages, whichever is greater

CHANGE: “…any consumer whose nonencrypted and nonredacted PI…”


How We Can Help

Applicability

Gap Assessment

Data Mapping

Work Plans

Training

…and more


What We Do to Help

Determine applicability of the CCPA to a company

Conduct a gap assessment

Prepare and execute work plans to achieve compliance in a cost-effective, efficient manner, leveraging existing GDPR compliance efforts where applicable

Interpret nuances in the CCPA provisions, such as identifying business partners as service providers, third parties, or something else under the law

Assist with individual compliance tasks, such as:

Conducting data inventories;

Designing processes to respond to individual rights requests;

Drafting privacy notices; and

Preparing contracts, including updating GDPR DPAs to cover CCPA

Ensure your voice is heard by regulators/lawmakers

Train employees regarding CCPA requirements / Educate C-Suite/Board regarding compliance obligations


Proposed Rules: Next steps

Proposed rules published

Written comment period closes December 6

Public hearings Dec 2nd to Dec. 5th, 2019

No changes: rules will be final

Minor changes sufficiently related: 15-day comment period

Major changes: new 45-day comment period required


Contact

Elliot Golding

Partner, Washington

T +1 202 457 6407

[email protected]

Lydia F de la Torre

Of Counsel, Palo Alto

T +1 650 843 3227

[email protected]
