Transcript of webinar slides. Source: media.straffordpub.com/products/california-consumer-privacy-act-tc…

Page 1

California Consumer Privacy Act, TCPA and GDPR: Complying With Mobile Communications Marketing Rules

Trends in Enforcement Actions, Building and Maintaining Compliant Marketing Programs

TUESDAY, MARCH 10, 2020

Presenting a live 90-minute webinar with interactive Q&A

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Paul Bond, Partner, Holland & Knight, Philadelphia
William Long, Partner, Sidley Austin, London, England
Edward R. McNicholas, Partner, Ropes & Gray, Washington, D.C.

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.

Page 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, you may listen via the phone: dial 1-877-447-0294 and enter your Conference ID and PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the ‘Full Screen’ symbol located on the bottom right of the slides. To exit full screen, press the Esc button.

FOR LIVE EVENT ONLY

Page 3

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926 ext. 2.

FOR LIVE EVENT ONLY

Page 4

Program Materials

If you have not printed the conference materials for this program, please complete the following steps:

• Click on the link to the PDF of the slides for today’s program, which is located to the right of the slides, just above the Q&A box.
• The PDF will open a separate tab/window. Print the slides by clicking on the printer icon.

FOR LIVE EVENT ONLY

Page 5

GDPR/e-Privacy: Compliance with Mobile Communications Rules

William Long, Partner, Sidley Austin LLP
[email protected]

Page 6

Recent Statistics 2019

• $622K: the average privacy budget for 2019 – a drop from $1 million in 2018 and $2.1 million in 2017
• 41% of respondents named compliance with privacy laws and regulations as their highest priority
• 56% of respondents named “locating unstructured personal data” as the biggest challenge in responding to data subject requests
• 91% of respondents will use SCCs to transfer data to the UK after Brexit
• 43% of EU respondents are only “moderately compliant” with the GDPR
• 38% of respondents have reported a breach in 2019 (compared to 16% in 2018)
• 19% of respondents feel full GDPR compliance is impossible (nearly 1 in 5)
• 500,000+ organisations estimated to have registered DPOs
• 10% of respondents feel they are “somewhat” compliant with the GDPR (1 in 10)

Source: IAPP-EY Annual Privacy Governance Report 2019

Page 7

DPA Enforcement Actions

SINCE 25 MAY 2018 (AS AT MAY 2019):

o More than 280,000 cases requiring investigation across Europe
o More than 89,000 data breach notifications reported to DPAs across Europe
o More than 144,000 individual complaints

[Pie chart: GDPR Enforcement Actions as of October 2019, by provision: General Principles (Art. 5), Lawfulness of processing (Art. 6), Information to be provided to the data subject (Art. 13), Right of access by the data subject (Art. 15), Information security (Art. 32), Others. Shares shown on the chart: 29%, 19%, 6%, 6%, 16%, 24%]

Page 8

Key GDPR Enforcement Actions

General Principles and Lawfulness of Processing

• Spain: Telecoms company fined €60,000 after a bill was sent to an individual for unsolicited services and a failure to demonstrate that the individual had consented to the collection of their personal data (February 2020)
• Italy: University fined €30,000 after making the identification data of individuals who had reported misconduct via a whistleblowing hotline available online (February 2020)
• Greece: Marine bunker provider fined €150,000 for inadequate security after third party access to company servers and retrieval of personal data (January 2020)
• Italy: Gas company fined €11.5 million over unsolicited telemarketing and execution of unrequested contracts (January 2020)
• Austria: Austrian medical company fined €50,000 for non-compliance with information obligations and for not appointing a DPO (August 2019) – NB: Austria DPA only issues fines from second breach onwards
• Spain: La Liga fined €250,000 for alleged violations of the GDPR transparency principle and for not allowing users to withdraw their consent (June 2019)
• Denmark: Furniture company fined €200,850 for breaching the storage limitation principle under the GDPR (June 2019) – NB: Danish constitutional law means the DPA cannot issue penalties under the GDPR until the courts have established an adequate level for fines for the various types of breach
• France: Google Inc. fined €50 million for a lack of valid consent regarding the personalisation of ads and for breaching the transparency principle (January 2019) – NB: Complaints to the CNIL have increased by 32.5% compared with 2017
• Portugal: Hospital fined €400,000 for allegedly breaching the integrity and confidentiality principle under the GDPR – unrestricted access to patient records (July 2018)

Page 9

Key GDPR Enforcement Actions

General Principles and Lawfulness of Processing

• Germany: Property company fined €14.5 million for using an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required (November 2019)
• Austria: Austrian Post fined €18 million for creating profiles of more than three million Austrians, which included personal data, without sufficient legal basis for data processing (October 2019)

Data Subject Rights (Art. 12–21, GDPR)

• Germany: Delivery company fined €195,400 for failing to comply with various data subject requests (September 2019) – NB: in July, 75 fines had been issued in Germany, including one of €80,000 to an HCO that exposed SPD
• Greece: A telecommunications service provider fined €200,000 for failing to comply with requests for erasure (October 2019)
• Poland: A data controller fined €219,538 for failing to inform over six million data subjects that their personal data were being processed, preventing them from exercising their rights under the GDPR (March 2019)
• Portugal: [Confidential] fined €20,000 for insufficient fulfilment of data subject rights (February 2019)

Page 10

Key GDPR Enforcement Actions

Information Security & Data Retention

• UK: Retailer fined €586,000 for “inadequacies related to basic, commonplace [security] measures” following a cyber-attack (January 2020)
• Germany: Telecommunications Company fined €9.5 million for failing to implement sufficient technical and organisational measures to prevent unauthorised staff from accessing customer data via the customer hotline service (December 2019)
• Germany: Real Estate Company fined €14.5 million for breaching the GDPR storage limitation principle (November 2019)
• Romania: Bank fined €150,000 for having insufficient technical and organisational measures to ensure information security (October 2019)
• Bulgaria: National Revenue Agency fined €2,600,000 for a personal data breach leading to the unauthorised access of over 5 million Bulgarian citizens’ personal data (August 2019)
• Poland: Retailer fined €644,780 for insufficient organisational and technical measures which led to unauthorised access to the personal data of 2.2 million people (August 2019)
• UK: British Airways issued notice of intention to fine of €204.6 million following investigation into data breach (July 2019)
• UK: Marriott issued notice of intention to fine of €110.4 million following investigation into data breach (July 2019)
• Netherlands: Hospital fined €460,000 for security violations, pursuant to Article 32 of the GDPR (June 2019)

Page 11

Cookies and Similar Technologies Update

Page 12

Cookies and Similar Technologies

Updated Regulatory Guidance

• UK (July 2019):
  – Move away from implied consent (which many had relied upon from the ICO’s 2012 guidance)
  – The need for granularity, no sliders set to “on” and limited guidance on what constitutes “strictly necessary”
  – Significant implications for ICO’s own use of non-essential cookies following implementation of its new cookie banner
• France (July 2019):
  – Aligning standards with GDPR-consent
  – 12 month “grace period”
  – CNIL has also published a consultation on practical guidance in January 2020 to assist organisations with implementing the “first round” guidance
• Netherlands (March 2019): largely in line with the position taken by the CNIL and the ICO
  – Pre-ticked boxes are no longer valid
  – Silence, inactivity and/or scrolling do not constitute valid consent
  – Cookie walls which prevent users who do not consent from accessing the website or app are unlawful
• Spain (November 2019): guidance released in conjunction with the IAB Spain.
  – Divergence from the position taken from the other guidance released to date
  – Actions such as: (i) browsing another webpage; (ii) scrolling on the website; (iii) closing a cookie banner; or (iv) clicking on content could constitute affirmative consent?

Page 13

Cookies and Similar Technologies

Enforcement Action?

The UK ICO has provided the ability on its website to report cookie concerns:

[Screenshot] Source: UK ICO Website, “Cookies: Action We’ve Taken” (with Sidley emphasis in red)

Page 14

Cookies and Similar Technologies

Enforcement Action?

• ICO Cookies Guidance (July 2019)
  – The enforcement regime for PECR remains the same as it did under the Data Protection Act 1998
  – However, guidance suggests that where personal data is involved, there is scope to enforce under GDPR (and the corresponding penalties)
  – ICO’s Regulatory Action Policy – formal action must be proportionate and monetary penalties for the most serious infringements
  – Guidance says they are unlikely to prioritise first party cookies for analytics purposes or those which merely support the accessibility of the website. Higher risk areas include user tracking, advertising or behavioural profiling.
• CJEU – Planet 49 (October 2019)
  – Pre-ticked check boxes for cookies and similar technologies do not constitute valid consent for e-Privacy Directive purposes
  – GDPR standard of consent applies
  – Users must be provided with information about cookie duration and which third parties will be setting cookies
• Dutch DPA (December 2019): carried out a check of 175 websites and e-commerce platforms to determine compliance with cookies requirements. Websites deemed “non-compliant” received a letter from the Dutch DPA which stated that an investigation would follow to determine whether cookie practices had been brought back into compliance.
• Businesses are struggling with compliance
• It remains to be seen whether significant enforcement action is on the horizon…

Page 15

The e-Privacy Directive, PECR and the e-Privacy Regulation

Page 16

e-Privacy Regulation Update

Where are we now?

• The e-Privacy Regulation was originally intended to replace the e-Privacy Directive at the same time as the GDPR came into force (25 May 2018)
• No agreement thus far. Draft proposed by the Finnish presidency at the end of 2019 did not gain enough support.
• Now we have the Croatian Presidency which will attempt to move the Regulation forward.
• General consensus: unlikely the e-Privacy Regulation will come into force before 2023…
• ePrivacy Directive (and PECR in the UK) continues to govern ePrivacy breaches… but note ICO guidance where personal data is involved

Page 17

e-Privacy Directive and the Privacy and Electronic Communications Regulations (“PECR”)

Recent Developments

• ICO issues Draft Direct Marketing Code of Practice (January 2020)
  – Update to guidance in relation to PECR and GDPR
  – GDPR-standard consent for direct marketing must be obtained
  – Other key takeaways include: (i) what is a service message?, (ii) legal grounds, and (iii) what constitutes processing of special category data?
  – Public consultation closed on 4 March 2020
• Planet 49 Decision: also relevant for e-Privacy Directive concepts beyond cookies
  – Consent as the basis for processing means clear, explicit, active, informed consent. Pre-ticked boxes, silence or inactivity are no good.
  – The same concept of consent under GDPR applies within the ePrivacy Directive
  – Article 2(f) of ePrivacy Directive: “consent by a user or a subscriber corresponds to the data subject’s consent in Directive 95/46”
  – GDPR-standard, active consent will be required from an end user regardless as to whether information stored or accessed is personal data


Page 19

The California Consumer Privacy Act and Mobile Communications Marketing

Ed McNicholas
[email protected]
Data, Privacy & Cybersecurity Practice Group Co-Leader

Page 20

Agenda

▪ Background on CCPA and other emerging state laws
▪ CCPA key provisions
▪ Coping with the new compliance burdens
▪ Draft AG regulations
▪ Operational impacts: analytics and AdTech
▪ Enforcement and private right of action
▪ Take-home points


Page 22

Overview of U.S. privacy laws

▪ Law typically regulates either type of entity, data or business practice
  – Type of entity: e.g., banks, hospitals, website owners, data brokers
  – Type of data: e.g., financial data, health information, children’s data
  – Business practices: e.g., telemarketing, monitoring emails, video-viewing behavior, background checks

State privacy laws
▪ Breach Notification Laws
▪ Online Privacy Policy Laws (CA, DE and NV)
▪ Biometric Information Laws (IL, TX, and WA)
▪ Medical Information Privacy Laws (CA, IL)
▪ Children’s Online Privacy (CA)
▪ Employee Monitoring Laws (CT, DE)

Federal privacy laws
▪ Children’s Online Privacy Protection Act (COPPA)
▪ CAN-SPAM
▪ Health Insurance Portability and Accountability Act (HIPAA)
▪ Gramm Leach Bliley Act (GLBA)
▪ Telephone Consumer Protection Act (TCPA)
▪ Fair Credit Reporting Act (FCRA)

Page 23

California privacy laws

▪ California Online Privacy Protection Act (CalOPPA)
▪ California Shine the Light Act
▪ Data Security Statute
▪ Data Breach Notice
▪ Song-Beverly Credit Card Act
▪ Constitutional Privacy Rights

Page 24

California Consumer Privacy Act (CCPA)

▪ Signed into law June 28, 2018. Creates new disclosure obligations and rights for California residents, including right to opt-out of “sales” of personal information
▪ Result of a last-minute compromise between California lawmakers and an activist organization supporting a data privacy ballot initiative
  – The speed of passage resulted in many drafting errors and ambiguities
  – Attempts to clarify through amendments and regulations
▪ Most significant provisions to become operational on January 1, 2020
  – Private right of action
  – Policies and disclosure requirements
▪ Not enforced by AG until July 1, 2020

Page 25

What comes next?

▪ New California Privacy Rights and Enforcement Act (CPREA)
▪ Alastair Mactaggart is floating a new petition drive for the November 2020 ballot
▪ Current plan:
  – Restrictions on further amendments that weaken the CCPA
  – New California Privacy Protection Agency to enforce the Privacy Act and provide guidance to industry
  – Triple penalties for the violation of children's privacy
  – New rights around the use of sensitive personal information, including race, financial data and geolocation
  – Require companies to disclose more details about algorithms used in decisions about employment, housing and credit

Page 26

Other State Bills Inspired by the CCPA

Page 27

Key CCPA considerations

▪ Are you in scope and are the exemptions enough?
▪ How are you coping with the new compliance burdens?
  – DSARs
  – Restrictions on sales
  – Vendor contracts
  – Delta between GDPR and CCPA
▪ Operational impacts on data analytics? AdTech? Potential to significantly impact ability to buy, sell and use data containing information about California residents
▪ Enforcement and private right of action: the availability of statutory damages increases the risk of class action litigation in the event of a security incident

Page 28

Are you in scope?

▪ Applies to firms that are “doing business” in California and meet one of three thresholds:
  – annual gross revenue exceeds $25m;
  – annually sells or receives for a commercial purpose, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
  – derives 50% or more of its annual revenues from selling consumers’ personal information
▪ Controlled or controlling entities: Also applies to any entity that controls or is controlled by such a business and shares common branding

Page 29

Key definitions

▪ Consumer: a California resident
  – Applies not only to customers but also employees and others
▪ Personal information: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
  – Significantly broader than typical U.S. standard and compares to definition in GDPR
▪ Sell, selling, sale, or sold: selling, renting, releasing, making available or otherwise communicating a consumer’s personal information “for monetary or other valuable consideration”
  – Given the broad definition, a “sale” could arguably apply to most contractual arrangements that involve sharing personal information

Page 30

New amendments: did they help?

AB 25 – Exclusion of “employee” from definition of “consumer”
▪ Excludes employees, contractors, job applicants and others from the definition of “consumer” so long as the personal information is collected and used solely within the context of that person’s role
▪ Exemption is subject to a one-year sunset provision
▪ Businesses still must provide employees with notices about what categories of information a business collects about them and their purpose for doing so, but need not offer opt-out, access, and deletion
▪ Employee-related Personal Information remains subject to the CCPA’s data breach provisions

AB 874 – Carve-outs from personal information: expansion of publicly available information exemption
▪ Redefines the term “publicly available” to clarify that it refers to information that is lawfully available in federal, state, or local records, regardless of whether the information is being used in a way that is compatible with the purpose for which the data is maintained
▪ Clarifies that personal information does not include de-identified or aggregated data
▪ Clarifies that information capable of being associated with an individual or household must be “reasonably” capable of being associated with the consumer or household before being considered personal information

AB 1146 – Exemption for vehicle warranties and recalls
▪ Exempts certain vehicle information shared between a new auto dealer and a vehicle manufacturer in connection with vehicle repairs relating to warranty work or recall

AB 1355 – Addressing differential treatment and disclosures
▪ Exempts business contact information that a business collects during communications or transactions with another business or government agency (B2B transactions). Specifically, AB 1355 exempts from most of the CCPA’s provisions personal information about an employee, owner, director, officer or contractor of a business or government agency collected by a business as part of B2B transactions, in the context of due diligence of, or the provision of products or services to, the business or agency. The exemption does not exclude all B2B information; but it excludes much of it
▪ Exemption does not apply to the right to opt out of the sale of a consumer’s data or obligation not to discriminate against a consumer for attempting to exercise other rights
▪ Clarifies that consumers’ right to access any personal information that a company has collected about them in the past year does not require the business to retain any personal information that it would not otherwise retain in the ordinary course of business

AB 1564 – Consumer requests
▪ Retains general requirement that businesses must make available to consumers two or more designated methods for submitting requests for information, including at a minimum, a toll-free telephone number
▪ Specifies that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects PI is only required to provide an email address for purposes of submitting certain consumer requests for information disclosures required under the CCPA
▪ Clarifies that if the business maintains a website, the business must make the website available to consumers to submit requests for CCPA information disclosures

AB 1202 – Data broker requirements
▪ Defines a “data broker” (businesses that knowingly collect and sell personal information to third parties) and requires data brokers to register with the Attorney General
▪ Failure to register may lead to liability (civil penalties, fees and costs)


Page 32

Didn’t we already deal with GDPR?

Scope
GDPR: Applies to a “controller” or “processor”: (i) established in the EU; or (ii) established outside of the EU, and either (1) offering goods/services to EU; or (2) monitoring behavior in EU
CCPA: A for-profit “business” that does business in CA and meets revenue / volume thresholds for CA resident data. A business is defined similarly to an EU “controller”.

“Personal Data” v. “Personal Information”
GDPR: Data related to identified or identifiable natural person
CCPA: Similar, data related to identifiable persons, households or devices. Excludes data made publicly available by the government.

Right to Be Forgotten
GDPR: Data Subject may request deletion of “personal data” with exceptions
CCPA: Similar, but exceptions include continued internal uses of data consistent with purposes of collection

Right to Opt-Out
GDPR: Applies only to processing based on consent
CCPA: Applies to the “sale” of Personal Information

Disclosures
GDPR: Disclose identity of controller, purpose of process, source of data (if third party) and other information about data subject rights, data transfers and record retention
CCPA: In addition to information about categories, sources and disclosures of data, must expressly state if data is “sold.” Include link to “Do Not Sell My Personal Information,” if applicable.

Exceptions
GDPR: Does not apply to “anonymous” data
CCPA: In addition to anonymous data, contains numerous exceptions, including for HIPAA-covered and GLBA-covered data

Page 33

The right to opt out

▪ Consumers may opt out of the “sale” of their Personal Information at any time
▪ Businesses that sell Personal Information must:
  – Provide “Do Not Sell My Personal Information” opt-out link on homepage
  – Describe the right and link to the opt-out webpage in their privacy policy
  – Respect Consumer’s decision for at least 12 months before re-requesting
▪ Children: No selling Personal Information of children unless child (aged 13 to under 16) or parent (under 13) opts in


How many DSARs will be received?

▪ Right to know: a business that collects “Personal Information” must, at or before the point of collection, inform consumers about the categories of information it collects and why; additional disclosure obligations apply if the business sells the information

– Lookback confusion

▪ Right to access / portability: consumers can request access to the specific pieces of information collected

– If provided electronically, must be portable

▪ Right to erasure: consumers can request that a company delete their Personal Information

– Many exceptions that could allow continued use

▪ Right to equal service: a business cannot charge a different price or offer a different service level if a consumer exercises a right

– CAN charge a different price if it is related to the value of the data


Updating privacy notices

▪ CCPA requires updates to online privacy notice by January 1, 2020

▪ Must include information about:

– California Privacy Rights

– Collection and Use of Personal Information

▪ Categories of information collected

– Reference categories listed in definition of personal information

▪ Categories of sources of information

▪ Purpose for collecting or selling information

▪ Categories of third parties with whom the business shares information

▪ Specific pieces of information collected about consumer

– Sales and disclosures of Personal Information

▪ Must state whether or not business “sells” information


Amending contracts

▪ To avoid definition of “sales,” fit vendors within service provider exception:

– Contract must state that the vendor cannot use data except for performing specified services for the business

– What about uses to “improve services”?

▪ Consider including other provisions to address CCPA issues:

– Right to be forgotten and other rights

– Restrictions on “discrimination”

– Data security and breach

– Restrictions on use of service providers

– Other privacy best practices

AGENDA

▪ Background on CCPA and other emerging state laws

▪ CCPA key provisions

▪ Coping with the new compliance burdens

▪ Draft AG regulations

▪ Operational impacts: analytics and AdTech

▪ Enforcement and private right of action

▪ Take-home points


Draft AG regulations

▪ Items of interest:

– Purpose limitation .305(3)

– Verification process

– Do Not Sell browser signals? (The return of Do Not Track?)

– Financial incentives disclosures including valuation methods

– Household privacy


Compliance program impacts

▪ Non-Discrimination – § 1798.125

▪ Affirmative Link to “Do Not Sell” – § 1798.135

– Provide “Do Not Sell My Personal Information” opt-out link on homepage

– Describe the right and link to an opt-out webpage in the privacy policy

– Respect Consumer’s decision for at least 12 months before re-requesting

▪ Treatment of Children’s Data – § 1798.120

– No selling Personal Information of children unless the child (aged 13 to under 16) or a parent (for children under 13) opts in


Operational impacts of new rights

▪ Gating issues

– Data Inventory

– Assess “sales” of data

– AdTech

– Analytics

▪ Need governance structure?

▪ Document privacy program

– Update compliance documents

– Externally facing privacy notices

– Procedures for responding to consumer rights requests

▪ Training


Attorney General enforcement

Timing

▪ Enforcement actions can be brought six months after publication of the final regulations or July 1, 2020, whichever is sooner

AG remedies

▪ $2,500 for each violation not cured within 30 days of notice

▪ $7,500 for each intentional violation

▪ Injunctive relief

Consumer privacy fund

▪ Any civil penalties and settlement proceeds to go to a new fund

▪ Intended to “fully offset any costs incurred by the state courts and the Attorney General” in connection with the CCPA


CCPA’s private right of action

▪ Backdrop: Cal. Civ. Code § 1798.81.5

– Existing statutory obligation of “reasonable security”

– California already provides a private right of action for actual damages arising from a violation of this provision

▪ The CCPA (§ 1798.150) creates a new private right of action with statutory damages for consumers whose

– Nonencrypted and nonredacted personal information

– Is subject to unauthorized access and exfiltration, theft or disclosure

– As a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices

▪ “Reasonable security” is not defined in or addressed by the CCPA


CCPA’s private right of action

▪ What is “reasonable security”?

– Not defined in or addressed by the CCPA

– Appears to require violation of the existing statutory obligation of “reasonable security” (Cal. Civ. Code § 1798.81.5)

▪ Earlier California Attorney General guidance

– 2016 Data Breach Report – referenced the Center for Internet Security’s Critical Security Controls (SANS 20)

– 2014 “Cybersecurity in the Golden State” Report


CCPA’s private right of action

▪ At present, no private right of action for the CCPA’s other provisions

– “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law”

▪ So AG enforcement only

– Proposed amendments that would expand the private right of action are either dead (AB 1760) or will not advance in 2019 (SB 561)

▪ Plaintiffs nonetheless may look to leverage the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, to bring such claims


Take-home points

▪ California privacy law will continue to be a moving target for the foreseeable future. This issue may not settle unless / until we get a federal law in 2021 at the earliest.

▪ Take proactive steps now to prepare for the CCPA’s implementation:

– Data mapping: track points of data collection, where data resides, retention policies, and how it is used and shared outside the firm

– Assess third-party vendor risk: develop commercial contracts to ensure adherence to CCPA requirements

– Policies: update or create policies to address developing privacy laws

– Procedures: develop procedures to allow consumers to exercise their new data access and deletion rights

– Disclosure: develop disclosures and notices necessary to comply with the law

– Cyber defenses: minimize personal data, encrypt and redact (where feasible)

– Insurance: review language in cyberinsurance policies

– Training: train relevant employees on the scope and implications of the CCPA, as well as the firm’s policies and approaches to dealing with the law’s requirements


Seven things companies can be doing now

▪ Build a record to demonstrate “reasonable” information security

– Develop a demonstrable information governance program with senior leadership reporting

– Enhance your internal privacy and cybersecurity policies

– Tie your internal policies to international standards – including a mapping to the SANS 20

▪ Increase your cyber-defenses

– Minimize personal data

– Implement encryption and redaction, where feasible

– Address phishing through systems that aggressively filter phishing emails and enhanced training

– Consider intrusion detection systems that help you spot – and limit – attacks

▪ Assess vendor agreements and risk management practices

– Review vendor contracts to include robust security and notice terms

– Audit: consider checklist auditing of all vendors and on-site auditing of major vendors, or requiring them to submit to SAS / SSAE / ISO certifications


Seven things companies can be doing now

▪ Consider arbitration provisions with class action waivers

▪ Increase your ability to define the scope of any intrusion

– Map your information assets so that you can understand where they sit

– Enhance your logging and the retention periods of those logs

▪ Revisit incident response planning

– Pre-positioned legal and forensic experts

– Maximize attorney-client privilege and work product protection

– Develop a process to respond to CCPA notices (30-day cure clock)

– Run tabletop simulations to help avoid unforced errors during breach response

▪ Evaluate cyberinsurance coverage


Ropes resources

▪ Visit Ropes’ California Consumer Privacy Act microsite for quick access to Ropes’ analysis of the law, together with useful resources and FAQs:

– https://www.ropesgray.com/ccpa

TCPA Issues

Copyright © 2018 Holland & Knight LLP. All Rights Reserved

TCPA Rubric

» Under the TCPA, it is unlawful “to make any call (other than a call made for emergency purposes or made with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice” to a cellphone or to certain other types of devices for which the caller may be charged for incoming calls.

TCPA Liability -- Questions

» Did the defendant send the plaintiff a text message, or call the plaintiff and/or leave a message using a prerecorded voice?

» Did the defendant use an “automatic telephone dialing system” to send that text or make that call?

TCPA Liability

» If so, unless the message was for emergency purposes or the defendant had the plaintiff’s prior express consent, the plaintiff will demand $500 in statutory damages per call or text.

» For willful violations, the TCPA provides a recovery of up to $1,500 per call or text.

» Because there is no statutory cap, class action damages under the TCPA can quickly mount to catastrophic levels.

Autodialer -- Definition

» The TCPA defines an “automatic telephone dialing system” as equipment which has the capacity—

– (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and

– (B) to dial such numbers.

Autodialer -- Guidance

» FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, 47 CFR Parts 64 and 68, ¶¶ 94-97 (July 25, 2003).

» The Commission clarified that an autodialer need not actually store, produce, or dial random or sequential numbers for it to be an “automatic telephone dialing system.” The autodialer only must have the capacity to do so, as stated in the statute.

» Even an autodialer that is programmed with a nonrandom, nonsequential list of phone numbers is an “automatic telephone dialing system” and subject to the TCPA, as long as the equipment has the “capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator and to dial such numbers.”

» The FCC also clarified that a “call” under the act includes an SMS text message.

Autodialer -- Guidance

» Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, Declaratory Ruling, 23 FCC Rcd 559 (2008).

» In 2008, the FCC reaffirmed that “automatic telephone dialing systems” include so-called predictive dialers, at least for some purposes. A predictive dialer helps representatives automatically dial telephone numbers in a manner that anticipates the time when a consumer will answer the phone and a representative of the caller will be available to take the call.

Autodialer -- Guidance

» Omnibus Declaratory Ruling and Order issued by the Federal Communications Commission (FCC) in July of 2015.

» The 2015 order determined that “capacity” in the definition of ATDS included “potential functionalities” and “future possibilities.” This expansive reading had left open the prospect that any dialing equipment more modern than a rotary phone would be an autodialer.

» That order had even left open the prospect that personal use of smartphones may constitute calls via autodialer, leading to potential TCPA liability.

Autodialer -- Guidance

» ACA International et al. v. FCC

» The DC Circuit set aside the 2015 FCC order when it came to the definition of autodialers.

» That order had even left open the prospect that personal use of smartphones may constitute calls via autodialer, leading to potential TCPA liability.

» The DC Circuit noted this as a sign of the unreasonableness of the definition: “It cannot be the case that every uninvited communication from a smartphone infringes federal law, and that nearly every American is a TCPA-violator-in-waiting, if not a violator-in-fact.”

» The court further noted that seemingly conflicting FCC guidance as to, for example, (1) the extent to which human intervention would prevent a device from being an ATDS, and (2) whether the device had to itself store or generate numbers to be an ATDS, rendered this section of the 2015 order arbitrary and capricious.

» In setting aside the autodialer rule, the DC Circuit did not put any clear test in its place.

Post-ACA TCPA Case Law Split: Ninth Circuit Court of Appeals

» Jordan Marks v. Crunch San Diego LLC, case number 14-56834, in the U.S. Court of Appeals for the Ninth Circuit.

» Construed ATDS to encompass any equipment that has the capacity to store numbers and dial them, even if those numbers haven’t been generated by a random or sequential number generator.

» The Ninth Circuit may have just rendered every smartphone user a potential TCPA violator.

Third Circuit Court of Appeals

» Dominguez v. Yahoo Inc., case number 17-1243, in the U.S. Court of Appeals for the Third Circuit.

– First Court of Appeals following ACA to limit the definition of autodialer

– No present ability of the SMS software to generate or store sequential or random numbers

– Dismissal of TCPA claims

Seventh Circuit Court of Appeals

» Ali Gadelhak v. AT&T Services Inc., case number 19-1738, in the U.S. Court of Appeals for the Seventh Circuit.

– Equipment must have the capacity to generate random or sequential numbers in order to be considered an autodialer under the TCPA

– Just calling from a stored list of phone numbers is not sufficient

Eleventh Circuit Court of Appeals

» Melanie Glasser v. Hilton Grand Vacations Co., case number 18-14499, and Tabitha Evans v. Pennsylvania Higher Education Assistance Agency, case number 18-14586, in the U.S. Court of Appeals for the Eleventh Circuit.

» The panel added that the calling equipment at issue would also be excluded from the TCPA’s autodialer definition because it requires too much human intervention to use: employees must push a button before any call is made.

Supreme Court Review

» William P. Barr et al. v. American Association of Political Consultants et al., case number 19-631, in the Supreme Court of the United States.

– Does an exemption to the TCPA for government-backed debt collection violate the First Amendment?

– If it does, is the appropriate remedy to strike down the exemption?

Paul Bond

609.865.5009

[email protected]

https://www.linkedin.com/in/paul-bond-hk/