California Consumer Privacy Act, TCPA and GDPR: Complying...
California Consumer Privacy Act, TCPA and GDPR: Complying With Mobile Communications Marketing Rules
Trends in Enforcement Actions, Building and Maintaining Compliant Marketing Programs
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
TUESDAY, MARCH 10, 2020
Presenting a live 90-minute webinar with interactive Q&A
Paul Bond, Partner, Holland & Knight, Philadelphia
William Long, Partner, Sidley Austin, London, England
Edward R. McNicholas, Partner, Ropes & Gray, Washington, D.C.
GDPR/e-Privacy: Compliance with Mobile Communications Rules
William Long, Partner, Sidley Austin LLP
Recent Statistics 2019
• $622K: the average privacy budget for 2019 – a drop from $1 million in 2018 and $2.1 million in 2017
• 41% of respondents named compliance with privacy laws and regulations as their highest priority
• 56% of respondents named “locating unstructured personal data” as the biggest challenge in responding to data subject requests
• 91% of respondents will use SCCs to transfer data to the UK after Brexit
• 43% of EU respondents are only “moderately compliant” with the GDPR
• 38% of respondents have reported a breach in 2019 (compared to 16% in 2018)
• 19% of respondents feel full GDPR compliance is impossible (nearly 1 in 5)
• 500,000+ organisations estimated to have registered DPOs
• 10% of respondents feel they are “somewhat” compliant with the GDPR (1 in 10)
Source: IAPP-EY Annual Privacy Governance Report 2019
DPA Enforcement Actions
SIDLEY AUSTIN LLP
SINCE 25 MAY 2018 (AS AT MAY 2019):
o More than 280,000 cases requiring investigation across Europe
o More than 89,000 data breach notifications reported to DPAs across Europe
o More than 144,000 individual complaints
GDPR Enforcement Actions (as of October 2019)
[Chart: breakdown of enforcement actions by GDPR provision – General Principles (Art. 5), Lawfulness of processing (Art. 6), Information to be provided to the data subject (Art. 13), Right of access by the data subject (Art. 15), Information security (Art. 32), Others; percentage labels shown on the chart: 29%, 19%, 6%, 6%, 16%, 24%]
Key GDPR Enforcement Actions: General Principles and Lawfulness of Processing
• Spain: Telecoms company fined €60,000 after a bill was sent to an individual for unsolicited services and a failure to demonstrate that the individual had consented to the collection of their personal data (February 2020)
• Italy: University fined €30,000 after making the identification data of individuals who had reported misconduct via a whistleblowing hotline available online (February 2020)
• Greece: Marine bunker provider fined €150,000 for inadequate security after third party access to company servers and retrieval of personal data (January 2020)
• Italy: Gas company fined €11.5 million over unsolicited telemarketing and execution of unrequested contracts (January 2020)
• Austria: Austrian medical company fined €50,000 for non-compliance with information obligations and for not appointing a DPO (August 2019) – NB: Austria DPA only issues fines from second breach onwards
• Spain: La Liga fined €250,000 for alleged violations of the GDPR transparency principle and for not allowing users to withdraw their consent (June 2019)
• Denmark: Furniture company fined €200,850 for breaching the storage limitation principle under the GDPR (June 2019) – NB: Danish constitutional law means the DPA cannot issue penalties under the GDPR until the courts have established an adequate level for fines for the various types of breach
• France: Google Inc. fined €50 million for a lack of valid consent regarding the personalisation of ads and for breaching the transparency principle (January 2019) – NB: Complaints to the CNIL have increased by 32.5% compared with 2017
• Portugal: Hospital fined €400,000 for allegedly breaching the integrity and confidentiality principle under the GDPR – unrestricted access to patient records (July 2018)
Key GDPR Enforcement Actions: General Principles and Lawfulness of Processing (continued)
• Germany: Property company fined €14.5 million for using an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required (November 2019)
• Austria: Austrian Post fined €18 million for creating profiles of more than three million Austrians, which included personal data, without sufficient legal basis for data processing (October 2019)
Data Subject Rights (Art. 12–21, GDPR)
• Germany: Delivery company fined €195,400 for failing to comply with various data subject requests (September 2019) – NB: in July, 75 fines had been issued in Germany, including one to an HCO that exposed SPD = €80,000
• Greece: A telecommunications service provider fined €200,000 for failing to comply with requests for erasure (October 2019)
• Poland: A data controller fined €219,538 for failing to inform over six million data subjects that their personal data were being processed, preventing them from exercising their rights under the GDPR (March 2019)
• Portugal: [Confidential] fined €20,000 for insufficient fulfilment of data subject rights (February 2019)
Key GDPR Enforcement Actions: Information Security & Data Retention
• UK: Retailer fined €586,000 for “inadequacies related to basic, commonplace [security] measures” following a cyber-attack (January 2020)
• Germany: Telecommunications Company fined €9.5 million for failing to implement sufficient technical and organisational measures to prevent unauthorised staff from accessing customer data via the customer hotline service (December 2019)
• Germany: Real Estate Company fined €14.5 million for breaching the GDPR storage limitation principle (November 2019)
• Romania: Bank fined €150,000 for having insufficient technical and organisational measures to ensure information security (October 2019)
• Bulgaria: National Revenue Agency fined €2,600,000 for a personal data breach leading to the unauthorised access of over 5 million Bulgarian citizens’ personal data (August 2019)
• Poland: Retailer fined €644,780 for insufficient organisational and technical measures which led to unauthorised access to the personal data of 2.2 million people (August 2019)
• UK: British Airways issued notice of intention to fine of €204.6 million following investigation into data breach (July 2019)
• UK: Marriott issued notice of intention to fine of €110.4 million following investigation into data breach (July 2019)
• Netherlands: Hospital fined €460,000 for security violations, pursuant to Article 32 of the GDPR (June 2019)
Cookies and Similar Technologies Update
Cookies and Similar Technologies: Updated Regulatory Guidance
• UK (July 2019):
– Move away from implied consent (which many had relied upon from the ICO’s 2012 guidance)
– The need for granularity, no sliders set to “on” and limited guidance on what constitutes “strictly necessary”
– Significant implications for ICO’s own use of non-essential cookies following implementation of its new cookie banner
• France (July 2019):
– Aligning standards with GDPR-consent
– 12 month “grace period”
– CNIL has also published a consultation on practical guidance in January 2020 to assist organisations with implementing the “first round” guidance
• Netherlands (March 2019): largely in line with the position taken by the CNIL and the ICO
– Pre-ticked boxes are no longer valid
– Silence, inactivity and/or scrolling do not constitute valid consent
– Cookie walls which prevent users who do not consent from accessing the website or app are unlawful
• Spain (November 2019): guidance released in conjunction with the IAB Spain.
– Divergence from the position taken from the other guidance released to date
– Actions such as: (i) browsing another webpage; (ii) scrolling on the website; (iii) closing a cookie banner; or (iv) clicking on content could constitute affirmative consent?
Cookies and Similar Technologies: Enforcement Action?
The UK ICO has provided the ability on its website to report cookie concerns:
[Screenshot – Source: UK ICO Website, “Cookies: Action We’ve Taken” (with Sidley emphasis in red)]
Cookies and Similar Technologies: Enforcement Action?
• ICO Cookies Guidance (July 2019)
– The enforcement regime for PECR remains the same as it did under the Data Protection Act 1998
– However, guidance suggests that where personal data is involved, there is scope to enforce under GDPR (and the corresponding penalties)
– ICO’s Regulatory Action Policy – formal action must be proportionate and monetary penalties for the most serious infringements
– Guidance says they are unlikely to prioritise first party cookies for analytics purposes or those which merely support the accessibility of the website. Higher risk areas include user tracking, advertising or behavioural profiling.
• CJEU – Planet 49 (October 2019)
– Pre-ticked check boxes for cookies and similar technologies do not constitute valid consent for e-Privacy Directive purposes
– GDPR standard of consent applies
– Users must be provided with information about cookie duration and which third parties will be setting cookies
• Dutch DPA (December 2019): carried out a check of 175 websites and e-commerce platforms to determine compliance with cookies requirements. Websites deemed “non-compliant” received a letter from the Dutch DPA which stated that an investigation would follow to determine whether cookie practices had been brought back into compliance.
• Businesses are struggling with compliance
• It remains to be seen whether significant enforcement action is on the horizon….
The e-Privacy Directive, PECR and the e-Privacy Regulation
e-Privacy Regulation Update: Where are we now?
• The e-Privacy Regulation was originally intended to replace the e-Privacy Directive at the same time as the GDPR came into force (25 May 2018)
• No agreement thus far. Draft proposed by the Finnish presidency at the end of 2019 did not gain enough support.
• Now we have the Croatian Presidency which will attempt to move the Regulation forward.
• General consensus: unlikely the e-Privacy Regulation will come into force before 2023…
• ePrivacy Directive (and PECR in the UK) continues to govern ePrivacy breaches….but note ICO guidance where personal data is involved
e-Privacy Directive and the Privacy and Electronic Communications Regulations (“PECR”): Recent Developments
• ICO issues Draft Direct Marketing Code of Practice (January 2020)
– Update to guidance in relation to PECR and GDPR
– GDPR-standard consent for direct marketing must be obtained
– Other key takeaways include: (i) what is a service message?, (ii) legal grounds, and (iii) what constitutes processing of special category data?
– Public consultation closed on 4 March 2020
• Planet 49 Decision: also relevant for e-Privacy Directive concepts beyond cookies
– Consent as the basis for processing means clear, explicit, active, informed consent. Pre-ticked boxes, silence or inactivity are no good.
– The same concept of consent under GDPR applies within the ePrivacy Directive
– Article 2(f) of ePrivacy Directive: “consent by a user or a subscriber corresponds to the data subject’s consent in Directive 95/46”
– GDPR-standard, active consent will be required from an end user regardless as to whether information stored or accessed is personal data
The California Consumer Privacy Act and Mobile Communications Marketing
Ed McNicholas, Data, Privacy & Cybersecurity Practice Group Co-Leader
2020
AGENDA
▪ Background on CCPA and other emerging state laws
▪ CCPA key provisions
▪ Coping with the new compliance burdens
▪ Draft AG regulations
▪ Operational impacts: analytics and AdTech
▪ Enforcement and private right of action
▪ Take-home points
Overview of U.S. privacy laws
▪ Law typically regulates either type of entity, data or business practice
– Type of entity: e.g., banks, hospitals, website owners, data brokers
– Type of data: e.g., financial data, health information, children’s data
– Business practices: e.g., telemarketing, monitoring emails, video-viewing behavior, background checks
State privacy laws
▪ Breach Notification Laws
▪ Online Privacy Policy Laws (CA, DE and NV)
▪ Biometric Information Laws (IL, TX, and WA)
▪ Medical Information Privacy Laws (CA, IL)
▪ Children’s Online Privacy (CA)
▪ Employee Monitoring Laws (CT, DE)
Federal privacy laws
▪ Children’s Online Privacy Protection Act (COPPA)
▪ CAN-SPAM
▪ Health Insurance Portability and Accountability Act (HIPAA)
▪ Gramm Leach Bliley Act (GLBA)
▪ Telephone Consumer Protection Act (TCPA)
▪ Fair Credit Reporting Act (FCRA)
California privacy laws
▪ California Online Privacy Protection Act (CalOPPA)
▪ California Shine the Light Act
▪ Data Security Statute
▪ Data Breach Notice
▪ Song-Beverly Credit Card Act
▪ Constitutional Privacy Rights
California Consumer Privacy Act (CCPA)
▪ Signed into law June 28, 2018. Creates new disclosure obligations and rights for California residents, including right to opt-out of “sales” of personal information
▪ Result of a last-minute compromise between California lawmakers and an activist organization supporting a data privacy ballot initiative
– The speed of passage resulted in many drafting errors and ambiguities
– Attempts to clarify through amendments and regulations
▪ Most significant provisions to become operational on January 1, 2020
– Private right of action
– Policies and disclosure requirements
▪ Not enforced by AG until July 1, 2020
What comes next?
▪ New California Privacy Rights and Enforcement Act (CPREA)
▪ Alastair Mactaggart is floating a new petition drive for the November 2020 ballot
▪ Current plan:
– Restrictions on further amendments that weaken the CCPA
– New California Privacy Protection Agency to enforce the Privacy Act and provide guidance to industry
– Triple penalties for the violation of children's privacy
– New rights around the use of sensitive personal information, including race, financial data and geolocation
– Require companies to disclose more details about algorithms used in decisions about employment, housing and credit
Other State Bills Inspired by the CCPA
Key CCPA considerations
▪ Are you in scope and are the exemptions enough?
▪ How are you coping with the new compliance burdens?
– DSARs
– Restrictions on sales
– Vendor contracts
– Delta between GDPR and CCPA
▪ Operational impacts on data analytics? AdTech? Potential to significantly impact ability to buy, sell and use data containing information about California residents
▪ Enforcement and Private Right of Action: The availability of statutory damages increases the risk of class action litigation in the event of a security incident
Are you in scope?
▪ Applies to firms that are “doing business” in California and meet one of three thresholds:
– annual gross revenue exceeds $25m;
– annually sells or receives for a commercial purpose, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
– derives 50% or more of its annual revenues from selling consumers’ personal information
▪ Controlled or controlling entities: Also applies to any entity that controls or is controlled by such a business and shares common branding
Key definitions
▪ Consumer: a California resident
– Applies not only to customers but also employees and others
▪ Personal information: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
– Significantly broader than typical U.S. standard and compares to definition in GDPR
▪ Sell, selling, sale, or sold: selling, renting, releasing, making available or otherwise communicating a consumer’s personal information “for monetary or other valuable consideration”
– Given the broad definition, a “sale” could arguably apply to most contractual arrangements that involve sharing personal information
New amendments: did they help?
AB 25 – Exclusion of “employee” from definition of “consumer”
▪ Excludes employees, contractors, job applicants and others from the definition of “consumer” so long as the personal information is collected and used solely within the context of that person’s role
▪ Exemption is subject to a one-year sunset provision
▪ Businesses still must provide employees with notices about what categories of information a business collects about them and their purpose for doing so, but need not offer opt-out, access, and deletion
▪ Employee-related Personal Information remains subject to the CCPA’s data breach provisions
AB 874 – Carve-outs from personal information: expansion of publicly available information exemption
▪ Redefines the term “publicly available” to clarify that it refers to information that is lawfully available in federal, state, or local records, regardless of whether the information is being used in a way that is compatible with the purpose for which the data is maintained
▪ Clarifies that personal information does not include de-identified or aggregated data
▪ Clarifies that information capable of being associated with an individual or household must be “reasonably” capable of being associated with the consumer or household before being considered personal information
AB 1146 – Exemption for vehicle warranties and recalls
▪ Exempts certain vehicle information shared between a new auto dealer and a vehicle manufacturer in connection with vehicle repairs relating to warranty work or recall
AB 1355 – Addressing differential treatment and disclosures
▪ Exempts business contact information that a business collects during communications or transactions with another business or government agency (B2B transactions). Specifically, AB 1355 exempts from most of the CCPA’s provisions personal information about an employee, owner, director, officer or contractor of a business or government agency collected by a business as part of B2B transactions, in the context of due diligence of, or the provision of products or services to, the business or agency. The exemption does not exclude all B2B information, but it excludes much of it
▪ Exemption does not apply to the right to opt out of the sale of a consumer’s data or obligation not to discriminate against a consumer for attempting to exercise other rights
▪ Clarifies that consumers’ right to access any personal information that a company has collected about them in the past year does not require the business to retain any personal information that it would not otherwise retain in the ordinary course of business
AB 1564 – Consumer requests
▪ Retains general requirement that businesses must make available to consumers two or more designated methods for submitting requests for information, including at a minimum, a toll-free telephone number
▪ Specifies that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects PI is only required to provide an email address for purposes of submitting certain consumer requests for information disclosures required under the CCPA
▪ Clarifies that if the business maintains a website, the business must make the website available to consumers to submit requests for CCPA information disclosures
AB 1202 – Data broker requirements
▪ Defines a “data broker” (businesses that knowingly collect and sell personal information to third parties) and requires data brokers to register with the Attorney General
▪ Failure to register may lead to liability (civil penalties, fees and costs)
Didn’t we already deal with GDPR?
Scope
– GDPR: Applies to a “controller” or “processor” established in the EU, or established outside of the EU and either (1) offering goods/services to EU; or (2) monitoring behavior in EU
– CCPA: A for-profit “business” that does business in CA and meets revenue / volume thresholds for CA resident data. A business is defined similarly to an EU “controller”
“Personal Data” v. “Personal Information”
– GDPR: Data related to identified or identifiable natural person
– CCPA: Similar, data related to identifiable persons, households or devices. Excludes data made publicly available by the government.
Right to Be Forgotten
– GDPR: Data Subject may request deletion of “personal data” with exceptions
– CCPA: Similar, but exceptions include continued internal uses of data consistent with purposes of collection
Right to Opt-Out
– GDPR: Applies only to processing based on consent
– CCPA: Applies to the “sale” of Personal Information
Disclosures
– GDPR: Disclose identity of controller, purpose of process, source of data (if third party) and other information about data subject rights, data transfers and record retention
– CCPA: In addition to information about categories, sources and disclosures of data, must expressly state if data is “sold.” Include link to “Do Not Sell My Personal Information,” if applicable.
Exceptions
– GDPR: Does not apply to “anonymous” data
– CCPA: In addition to anonymous data, contains numerous exceptions, including for HIPAA-covered and GLBA-covered data
The right to opt out
▪ Consumers may opt out of the “sale” of their Personal Information at any time
▪ Businesses that sell Personal Information must:
– Provide “Do Not Sell My Personal Information” opt-out link on homepage
– Describe the right and link to the opt-out webpage in their privacy policy
– Respect Consumer’s decision for at least 12 months before re-requesting
▪ Children: No selling Personal Information of children unless child (aged 13 to under 16) or parent (under 13) opts in
How many DSARs will be received?
▪ Right to know: business that collects “Personal Information” must, at or before the point of collection, inform consumers about categories of information it collects and why; additional disclosure obligations if business sells the information
– Lookback confusion
▪ Right to access / portability: consumers can request access to the specific pieces of information collected
– If provided electronically, must be portable
▪ Right to erasure: consumers can request that a company delete their Personal Information
– Many exceptions that could allow continued use
▪ Right to equal service: business cannot charge different price or offer different service level if a consumer exercises a right
– CAN charge a different price if it is related to the value of the data
Updating privacy notices
▪ CCPA requires updates to online privacy notice by January 1, 2020
▪ Must include information about:
– California Privacy Rights
– Collection and Use of Personal Information
  ▪ Categories of information collected (reference categories listed in definition of personal information)
  ▪ Categories of sources of information
  ▪ Purpose for collecting or selling information
  ▪ Categories of third parties with whom share information
  ▪ Specific pieces of information collected about consumer
– Sales and disclosures of Personal Information
  ▪ Must state whether or not business “sells” information
Amending contracts
▪ To avoid definition of “sales,” fit vendors within service provider exception:
– Contract must state that vendor cannot use data except for performing specified services for business
– What about uses to “improve services”?
▪ Consider including other provisions to address CCPA issues:
– Right to be forgotten and other rights
– Restrictions on “discrimination”
– Data security and breach
– Restrictions on use of service providers
– Other privacy best practices
Draft AG regulations
▪ Items of interest:
– Purpose limitation .305(3)
– Verification process
– Do Not Sell browser signals? (The Return of Do Not Track?)
– Financial incentives disclosures including valuation methods
– Household privacy
Compliance program impacts
▪ Non-Discrimination – § 1798.125
▪ Affirmative Link to “Do Not Sell” – § 1798.135
– Provide “Do Not Sell My Personal Information” opt-out link on homepage
– Describe the right and link to an opt-out webpage in the privacy policy
– Respect Consumer’s decision for at least 12 months before re-requesting
▪ Treatment of Children’s Data – § 1798.120
– No selling Personal Information of children unless child (aged 13 to under 16) or parent (under 13) opts in
Operational impacts of new rights
▪ Gating issues
– Data Inventory
– Assess “sales” of data
– AdTech
– Analytics
▪ Need governance structure?
▪ Document privacy program
– Update compliance documents
– Externally facing privacy notices
– Procedures for responding to Consumer rights requests
▪ Training
Attorney General enforcement
Timing
▪ Enforcement actions can be brought six months after publication of the final regulations or July 1, 2020, whichever is sooner
AG remedies
▪ $2,500 for each violation not cured within 30 days of notice
▪ $7,500 for each intentional violation
▪ Injunctive relief
Consumer privacy fund
▪ Any civil penalties and settlement proceeds to go to new fund
▪ Intended to “fully offset any costs incurred by the state courts and the Attorney General” in connection with the CCPA
CCPA’s private right of action
▪ Backdrop: Cal. Civ. Code § 1798.81.5
– Existing statutory obligation of “reasonable security”
– California already provides a private right of action for actual damages arising from a violation of this provision
▪ The CCPA (§ 1798.150) creates a new private right of action with statutory damages for consumers whose
– Nonencrypted and nonredacted personal information
– Is subject to an unauthorized access and exfiltration, theft or disclosure
– As a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices
▪ “Reasonable security” is not defined in or addressed by the CCPA
CCPA’s private right of action
▪ What is “reasonable security”?
– Not defined in or addressed by the CCPA
– Appears to require violation of existing statutory obligation of “reasonable security” (Cal Civil Code § 1798.81.5)
▪ Earlier California Attorney General guidance
– 2016 Data Breach Report – referenced Center for Internet Security’s Critical Security Controls (SANS 20)
– 2014 “Cybersecurity in the Golden State” Report
CCPA’s private right of action
▪ At present, no private right of action for the CCPA’s other provisions
– “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law”
▪ So AG enforcement only
– Proposed amendments that would expand the private right of action are either dead (AB 1760) or will not advance in 2019 (SB 561)
▪ Plaintiffs nonetheless may look to leverage the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, to bring such claims
Take-home points
▪ California privacy law will continue to be a moving target for the foreseeable future. This issue may not settle unless / until we get a federal law in 2021 at the earliest.
▪ Take proactive steps now to prepare for the CCPA’s implementation:
– Data mapping: track points of data collection, where data resides, retention policies, and how it is used and shared outside the firm
– Assess third-party vendor risk: develop commercial contracts to ensure adherence to CCPA requirements
– Policies: update or create policies to address developing privacy laws
– Procedures: develop procedures to allow consumers to exercise their new data access and deletion rights
– Disclosure: develop disclosures and notices necessary to comply with the law
– Cyber defenses: minimize personal data, encrypt and redact (where feasible)
– Insurance: review language in cyberinsurance policies
– Training: train relevant employees on the scope and implications of the CCPA, as well as the Firm’s policies and approaches to dealing with the law’s requirements
Seven things companies can be doing now
▪ Build a record to demonstrate “reasonable” information security
– Develop a demonstrable information governance program with senior leadership reporting
– Enhance your internal privacy and cybersecurity policies
– Tie your internal policies to international standards – including a mapping to the SANS20
▪ Increase your cyber-defenses
– Minimize personal data
– Implement encryption and redaction, where feasible
– Address phishing through systems that aggressively filter phishing emails and enhanced training
– Consider intrusion detection systems that help you spot – and limit – attacks
▪ Assess vendor agreements and risk management practices
– Review vendor contracts to include robust security and notice terms
– Audit: consider checklist auditing of all vendors and on-site auditing of major vendors, or requiring them to submit to SAS / SSAE / ISO certifications
51
Seven things companies can be doing now
▪ Consider arbitration provisions with class action waivers
▪ Increase your ability to define the scope of any intrusion
– Map your information assets so that you can understand where they sit
– Enhance your logging and the retention periods of those logs
▪ Revisit incident response planning
– Pre-positioned legal and forensic experts
– Maximize attorney-client privilege and work product protection
– Develop process to respond to CCPA notices (30 day clock)
– Run tabletop simulations to help avoid unforced errors during breach response.
▪ Evaluate cyberinsurance coverage
52
Ropes resources
▪ Visit Ropes’ California Consumer Privacy Act microsite for quick access to Ropes’ analysis of the law, together with useful resources and FAQs:
– https://www.ropesgray.com/ccpa
Copyright © 2018 Holland & Knight LLP. All Rights Reserved
TCPA Issues
53
TCPA Rubric
»Under the TCPA, it is unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice” to a cellphone or to certain other types of devices for which the caller may be charged for incoming calls.
54
TCPA Liability -- Questions
»Did the defendant send the plaintiff a text message, or call the
plaintiff and/or leave a message using a prerecorded voice?
»Did the defendant use an “automatic telephone dialing system”
to send that text or make that call?
55
TCPA Liability
»If so, unless the message was for emergency purposes or the
defendant had the plaintiff’s prior express consent, the plaintiff
will demand $500 in statutory damages per call or text.
»For willful violations, the TCPA provides a recovery of up to
$1,500 per call or text.
»Because there is no statutory cap, class action damages under
the TCPA can quickly mount to catastrophic levels.
56
Autodialer -- Definition
»The TCPA defines an “automatic telephone dialing system” as:
equipment which has the capacity—
– (A) to store or produce telephone numbers to be called, using
a random or sequential number generator; and
– (B) to dial such numbers.
57
Autodialer -- Guidance
»FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer
Protection Act of 1991, 47 CFR Parts 64 and 68, ¶¶ 94-97 (July 25, 2003).
» The Commission clarified that an autodialer need not actually store, produce, or dial random or sequential numbers for it to be an “automatic telephone dialing system.” The autodialer only must have the capacity to do so, as stated in the statute.
» Even an autodialer that is programmed with a nonrandom, nonsequential list of phone numbers is an “automatic telephone dialing system” and subject to the TCPA, as long as the equipment has the “capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator and to dial such numbers.”
» The FCC also clarified that a “call” under the Act includes an SMS text message.
58
Autodialer -- Guidance
»Rules and Regulations Implementing the Telephone Consumer Protection
Act of 1991, Declaratory Ruling, 23 FCC Rcd 559 (2008).
» In 2008, the FCC reaffirmed that “automatic telephone dialing systems”
include so-called predictive dialers, at least for some purposes. A
predictive dialer helps representatives automatically dial telephone
numbers in a manner that anticipates the time when a consumer will
answer the phone and a representative of the caller will be available to
take the call.
59
Autodialer -- Guidance
»Omnibus Declaratory Ruling and Order issued by the Federal
Communications Commission (FCC) in July of 2015.
» The 2015 order determined that “capacity” in the definition of ATDS
included “potential functionalities” and “future possibilities.” This
expansive reading had left open the prospect that any dialing equipment
more modern than a rotary phone would be an autodialer.
» That order had even left open the prospect that personal use of
smartphones may constitute calls via autodialer leading to potential
TCPA liability.
60
Autodialer -- Guidance
»ACA International et al. v. FCC
»The DC Circuit set aside the 2015 FCC order as to the definition of autodialers.
» That order had even left open the prospect that personal use of smartphones may constitute calls via autodialer, leading to potential TCPA liability.
» The DC Circuit noted this as a sign of the unreasonableness of the definition: “It cannot be the case that every uninvited communication from a smartphone infringes federal law, and that nearly every American is a TCPA-violator-in-waiting, if not a violator-in-fact.”
»The court further noted that seemingly conflicting FCC guidance as to, for example, (1) the extent to which human intervention would prevent a device from being an ATDS, and (2) whether the device had to itself store or generate numbers to be an ATDS, rendered this section of the 2015 order arbitrary and capricious.
»In setting aside the autodialer rule, the DC Circuit did not put any clear test in its place.
61
Post-ACA TCPA Caselaw Split: Ninth Circuit Court of Appeals
» Jordan Marks v. Crunch San Diego LLC, case number 14-56834, in the U.S. Court of Appeals for the Ninth Circuit.
»Construed ATDS to encompass any equipment that has the capacity to store numbers and dial them, even if these numbers haven't been generated by a random or sequential number generator.
»The Ninth Circuit may have just rendered every smartphone user a potential TCPA violator.
62
Third Circuit Court of Appeals
»Dominguez v. Yahoo Inc., case number 17-1243, in the U.S. Court of Appeals for the Third Circuit.
– First Court of Appeals following ACA to limit the definition of autodialer
– No present ability of the SMS software to generate or store sequential or random numbers
– Dismissal of TCPA claims
63
Seventh Circuit Court of Appeals
»Ali Gadelhak v. AT&T Services Inc., case number 19-1738, in the U.S. Court of Appeals for the Seventh Circuit.
– Equipment must have the capacity to generate random or sequential numbers in order to be considered an autodialer under the TCPA
– Merely calling from a stored list of phone numbers is not sufficient
64
Eleventh Circuit Court of Appeals
»Melanie Glasser v. Hilton Grand Vacations Co., case number 18-14499, and Tabitha Evans v. Pennsylvania Higher Education Assistance Agency, case number 18-14586, in the U.S. Court of Appeals for the Eleventh Circuit.
» This calling equipment would also be excluded from the TCPA's autodialer definition because it requires too much human intervention to use, since employees must push a button before any call is made, the panel added.
65
Supreme Court Review
»William P. Barr et al. v. American Association of Political Consultants et al., case number 19-631, in the Supreme Court of the United States.
– Does an exemption to the TCPA for government-backed debt collectors violate the First Amendment?
– If it does, is the appropriate remedy to strike down the exemption?
66
Paul Bond
609.865.5009
https://www.linkedin.com/in/paul-bond-hk/
67