Post on 10-Jul-2020
www.dlapiper.com
November 14, 2018
CALIFORNIA CONSUMER PRIVACY ACT AND GDPR – HOW DO THEY DIFFER?
KEY COMPLIANCE POINTS FOR BUSINESSES
Jennifer M. Kashatus, Kate Lucente, Rena Mears, Carol A.F. Umhoefer
*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Agenda
1 Scope/Key Definitions
2 Key Components
– Consumer Rights
– Operational Requirements
– Service Providers and Third Parties
– M&A
3 Comparison with GDPR
1 Scope/Key Definitions
What is the CCPA and why is it a big deal?
California Consumer Privacy Act: game-changing new privacy law broadly applicable to businesses (regardless of location) that collect personal information about California residents
Effective January 1, 2020 (though ahead of this date further amendments are expected and the CA Attorney General is to issue implementing regulations)
– Data breach private right of action available from January 1, 2020
– Privacy provisions enforceable by the CA AG sometime between January 1, 2020 and July 1, 2020
Substantial new rights for CA residents
Significant operational impacts for covered businesses; likely to require significant time and effort to prepare
Broad definitions and scope
CCPA Scope – covered businesses
“Business” is any for-profit entity that collects personal information about California residents and makes decisions (alone or jointly with others) about how and why the personal information is processed, if the business either:
(a) has annual gross revenues over $25 million, OR
(b) annually buys, sells, shares, or receives personal information of 50,000+ California residents (or households or devices), OR
(c) derives 50% or more of its annual revenue from selling personal information
Also includes parents or subsidiaries (with common branding) of businesses that meet the above
CCPA Scope – covered businesses and exemptions
Non-profit entities are not covered
Limited exemptions for certain regulated entities
– Partial exemption for entities and information covered by certain federal and California health information and financial privacy laws
– Not exempt from the data breach private right of action
Common misconceptions: “The law does not apply to me because:”
– “I do not sell data”
– “I am a financial services company”
– “I already comply with GDPR”
– “I am B2B”
– “I do not have any customers in California. I only have employees.”
CCPA Scope – Financial Services
Financial services exception is not absolute
Only applies to data already covered by GLBA or the California Financial Information Privacy Act
– Evaluate data collection points/product lines/services
– Which data is outside the scope of the financial privacy laws?
– Consider data used for advertising, data collected online, and data collected before there is a consumer relationship
Still subject to the private right of action for data breaches
Sweeping Definitions – Companies need to reassess how they think about data
Personal information: “Any information that directly or indirectly identifies, relates to, describes or can be associated with or reasonably linked to a California resident or household” — explicitly includes:
– Name, contact info, government IDs, biometrics, location data, account numbers
– Employment and education history
– Purchase history, behavior, and tendencies
– Online and device IDs
– Search and browsing history and other online activities
– Activities from connected devices
Currently applies to consumer, employee, and B2B data
Includes household-level data and device data
Narrow exclusion for publicly available data from government records
Sweeping Definitions – Companies need to reassess how they think about data (cont.)
Collection: includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including active and passive collection and observing individual behavior
Sale: broadly includes selling, providing, or disclosing personal information in exchange for any consideration or thing of value
Operational Impacts and Considerations
Know your data: identify, inventory, and map data flows at a level sufficient to meet CCPA requirements
Key considerations and challenges
– Expanded personal info definition (linkable to an individual or household)
– Data quality – establishing identity and resolving ambiguities
– Establishing “household” relationships
– Data sources and original acquisition channel
– Third party sharing
– California residency determination
2 Key Components of CCPA
Key Components
New consumer rights (access, deletion, opt-out, information)
Prior notice of collection and use
Privacy policy requirements
Website updates and consumer rights mechanisms
Vendor and third party management
– “Service providers”
– Third party disclosures
– Resale of data
Data mapping and impact of sweeping definitions and broad scope
Private right of action for data breaches
Key Components – New Consumer Rights
Individuals have the right to:
Access and obtain a copy of personal info collected in the past 12 months
Require the business to disclose how it has handled the individual’s personal information in the preceding 12 months:
– Categories of personal info collected
– Sources of personal information
– Purposes of use, disclosure and sale
– Categories of third party recipients
– Categories of third parties to whom personal information has been sold
Requests may be made up to twice per year, free of charge
Key Components – New Consumer Rights (cont.)
Individuals have the right to request deletion of all their personal information
The business must direct its service providers to delete
Numerous exceptions:
– Certain internal uses, e.g., detecting security incidents, completing a transaction requested by the consumer, performing a contract with the consumer
– Newspapers
– Rights of other consumers
– Compliance with law
– Using the consumer’s information internally, in a lawful manner that is compatible with the context in which the consumer provided the information
Key Components – New Consumer Rights (cont.)
Individuals have the right to opt out of the sale of their personal info
– Businesses that resell data are obligated to confirm that individuals were given compliant notice and an opt-out
– Home page link to a “Do Not Sell My Personal Information” page
Opt-in consent required to sell the personal info of minors under 16 (from the minor if aged 13 to 16, from a parent or guardian if under 13)
Complying with requests
– May not charge for exercising rights
– Must provide, at a minimum, a toll-free number and a website address (if the business maintains a website) so individuals can exercise their rights
– Data mapping, processes, and channels for individual requests
Key Components – Enhanced Disclosures
Disclosure at or before collection: must disclose the personal info collected and its use
New privacy policy requirements:
– Describe the rights and how to exercise them
– List the categories of personal info collected, sold, and disclosed in the prior 12 months, and update every 12 months
– Link to the “Do Not Sell” page (on the home page and on any data collection page) that allows the consumer to submit a request not to sell his or her data (or household or device data)
Update the website and privacy policy; update or introduce new notices “at or before collection”
Key Components – Service Providers
Mandatory contract terms for service providers:
– Prohibit the recipient from selling the personal information
– Restrict use of the personal information to performing the services under the contract
– Restrict use of the personal information outside the direct relationship between the person and the (disclosing) business
– Include a certification regarding the above
Absent these terms, the vendor will be treated as a “third party” for purposes of disclosures and other obligations
Notify service providers of deletion requests
Review and update service provider agreements
Key Components – Third Party Management
Assess sources of third party data
No sale of the personal info of California residents who did not receive proper notice and opt-out choices, or who opted out
Resellers of personal information are obligated to confirm proper notice and opt-out
Need to identify sources of personal information
Need to identify categories of personal information, recipients, and purposes for both third party disclosures and (separately) third party sales
Implications for M&A
Provisions specifically targeted at corporate transactions
Limitations on use of personal information acquired through the acquisition of a business, if the use is materially inconsistent with the notice given to the consumer
If personal information (e.g., a customer list) is sold in an asset deal, potential valuation issue since a new notice and opt-out choice are required
Careful attention to diligence for analytics companies: the broad definition of “personal information” brings companies under the CCPA whose collected data previously was not treated as PII, so they may not have had protections in place for that data
Heightened Enforcement Risks
Private right of action with statutory damages of USD 100–750 per consumer per incident (or actual damages, if greater) in the event of a data breach of unencrypted or unredacted personal information, if the company did not have “reasonable” security; significant class action risk!
Enforcement of the privacy provisions by the California Attorney General, with civil penalties of up to $2,500 ($7,500 if intentional) per violation
Operational Impacts and Considerations
Key considerations and challenges
Original acquisition channel
– Compliance with notice and choice/consent
– Impact on historical/legacy data
– Data sources and third party sharing
12-month look-back
Deletion rights
Resolving potential conflicts and discrepancies
– “Opt-out” discrepancies across data acquisition channels
– Resolving conflicting “do not sell” requests for household or device data
Determining the validity of a consumer request
“California data segregation” strategy challenges
Third party management
Key Components – Compliance Management
Data mapping and impact of sweeping definitions and broad scope
Process and mechanisms for individual rights requests
Notice and privacy policy requirements:
– Review collection practices
– New notices at or before collection
– Changes to website and website policies
– Update privacy policy every 12 months
Vendor and third party management:
– Mandatory contract terms for “service providers”
– Deletion requests
– Third party data flows
– Resale of data
3 Comparison with GDPR
High-level comparison – GDPR and CCPA

Data definition
– CCPA: Broader definition; includes information that relates to, or is capable of being associated with, an individual, device, or household
– GDPR: Any information relating to an identified or identifiable living natural person

Privacy policy/notices
– CCPA: Less detailed notices, but prescriptive as to the placement of notices and the manner in which they must be received
– GDPR: More detailed notices; layered approach acceptable; distinction between data collected from the individual vs. collected from other sources

Sale of data
– CCPA: Right to opt out of disclosure (sale), subject to limited exceptions; the entity must display an opt-out link on its website
– GDPR: No absolute right to opt out of sale, but conditional rights to object to processing

Individual rights
– CCPA: Right of access limited to data collected in the past 12 months, with fewer explicit exemptions; conditional right to erasure; no right to object to processing and no right of restriction or rectification; right of portability with fewer exceptions and a broader range of in-scope data; right against discrimination for exercising rights
– GDPR: Right of access with narrow exceptions; conditional rights to erasure, to object to processing and to restrict processing; right to portability with broader exceptions and a narrower range of in-scope data; no explicit right against discrimination, but discrimination may render processing unlawful

Class actions
– CCPA: Data breach class action for statutory damages
– GDPR: No class actions for statutory damages

Enforcement
– CCPA: Potentially high California AG enforcement ($7,500 per violation if intentional)
– GDPR: Antitrust-sized administrative fines (up to 4% of global group revenue for serious violations)
CCPA’s Challenges for your GDPR program
Control processes designed for GDPR are unlikely to be fit for CCPA without amendment
– Different scope and definitions (devices, household information, publicly available information, health and financial data)
– Different data subject rights
– Different privacy notices
– GDPR data mapping will not be sufficient
Commercial agreements amended for GDPR will need to be further amended (specific terms to avoid qualification as a “third party”; cooperation in responding to deletion requests)
QUESTIONS?
Presenters
Jennifer M. Kashatus, Partner – T: +1 202 799 4448, F: +1 202 799 5448, jennifer.kashatus@dlapiper.com
Kate Lucente, Partner – T: +1 206 839 4854, F: +1 206 494 1809, kate.lucente@dlapiper.com
Rena Mears, Principal – T: +1 415 836 2555, F: +1 415 659 7366, rena.mears@dlapiper.com
Carol A. F. Umhoefer, Partner – T: +1 305 423 8528, F: +1 305 675 8420, carol.umhoefer@dlapiper.com