

SLIDE 1

WHAT YOU NEED TO KNOW TO COMPLY WITH CALIFORNIA’S NEW PRIVACY LAW (CCPA)

Presented By:

Jim Brophy and Brett Smoot, Northwoods
Sarah Sargent and Andy Schlidt, Godfrey & Kahn, S.C.

SLIDE 2

WELCOME TO NORTHWOODS!

  • 45 digital strategists, marketers, UX experts, developers & account directors
  • Comprehensive digital strategy, website design, software development & digital marketing services

#LearnAtNorthwoods www.northwoodsoft.com

SLIDE 3

NORTHWOODS’ CLIENTS

Trusted by over 750 clients including:

SLIDE 4

YOUR PRESENTERS

Jim Brophy

Group Director – Digital

SLIDE 5

YOUR PRESENTERS

Brett Smoot

Digital Marketing Coordinator

SLIDE 6

YOUR PRESENTERS

Sarah Sargent

Attorney, Data Privacy & Cybersecurity

gklaw.com

SLIDE 7

YOUR PRESENTERS

Andy Schlidt

Attorney
Chair - Technology & Digital Business Practice
Shareholder - Data Privacy & Cybersecurity and Corporate Legal Practices

gklaw.com

SLIDE 8

SERVICES WE PROVIDE

SLIDE 9

DATA PRIVACY & CYBERSECURITY

We counsel clients on information security and privacy best practices, including the implementation of global privacy programs, drafting internal and external privacy policies and notices, implementing written information security programs and incident response plans, and conducting M&A due diligence. Our team includes individuals with real-world experience in:

  • Software Development;
  • Incident Response; and
  • Ethical Hacking

We advise clients with a full spectrum of legal support.

  • Privacy & Cybersecurity Compliance
  • Data Breach Response
  • Technology Transactions
  • WISPs, Table-Tops, and Incident Response Planning

SLIDE 10

LEGAL DISCLAIMER

The information contained within this presentation in no way constitutes legal advice. This presentation and the information contained therein does not create an attorney-client relationship. Any person who intends to rely upon or use the information provided in any way is solely responsible for independently verifying the information and obtaining independent expert advice.

SLIDE 11

WHAT IS THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)?

SLIDE 12

FREQUENTLY ASKED QUESTIONS

We hope to answer the following questions during our presentation:

  • I am not located in California. Does CCPA apply to me?
  • I don’t have a physical location in California, so I’m not “doing business” there, right?
  • I don’t “sell” personal information about people, so I don’t have to worry about CCPA, right?
  • My company is B2B, so I don’t have to worry about CCPA, right?
  • Do we need to offer these data subject rights to everyone?

Please let us know if we have not fully addressed these questions for you.

SLIDE 13

FREQUENTLY ASKED QUESTIONS

We hope to answer the following questions during our presentation:

  • How do I determine the identity of a data subject if I only have an IP address? How do I verify an identity?
  • Do we really need to delete ALL information about a person if they request it? What if we have a need to retain it?
  • Do I need to obtain opt-in consent to send marketing emails under CCPA?
  • Do I have to have a cookie banner for CCPA compliance?
  • What does my new privacy policy for CCPA have to say?

Please let us know if we have not fully addressed these questions for you.

SLIDE 14

WHAT IS THE CCPA?

  • California Consumer Privacy Act (CCPA)
  • AB-375 - The California Consumer Privacy Act of 2018
  • Passed - June 28, 2018
  • Amended - Sept 23, 2018
  • Effective - Jan 1, 2020
  • Cal. Civ. Code Section 1798 Sec 2(a)

SLIDE 15

THINGS TO KEEP IN MIND

  • The law has a number of pending amendments
    • 9 amendments or pieces of related legislation are being considered
    • For example, AB-25 excludes employment information from the definition of personal information for one year
  • Just because your business is not located in CA does not mean you are off the hook

SLIDE 16

THINGS TO KEEP IN MIND

  • There are trends toward:
    • Obtaining opt-in consent for data processing
      • Consider whether this is possible in your business
    • Using more specific and informative privacy policies, written in understandable language
    • Obtaining opt-in consent before dropping cookies
      • Required by GDPR & E-Privacy Directive
    • Allowing individuals to exercise rights over their data
      • It’s no longer “your data” if it is about a person. They have rights over it.

SLIDE 17

WHY SHOULD I CARE?

  • “As California goes, so goes the nation.”
  • States That Have Introduced Bills Mirroring CCPA
    • Hawaii
    • Maryland
    • Massachusetts
    • Mississippi
    • Maine
    • Nevada (Passed with an effective date of October 2019)
  • Other States Developing Different Privacy Laws
    • New York
    • North Dakota
    • Washington
    • Texas

Source: The National Law Review

SLIDE 18

KEY TERMS AND DEFINITIONS

SLIDE 19

WHAT TYPES OF DATA FALL WITHIN THE CCPA?

  • The broad definition of personal information is:
    • Essentially any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • CCPA focuses not just on individuals, but households and devices

SLIDE 20

WHAT IS A SALE OF PERSONAL INFORMATION?

  • “Sell” means not just sales of personal information for $$
  • Also means:
    • Renting, releasing, disclosing, making available, transferring, or otherwise communicating [personal information] in any medium
  • Sell is “by the business to another business or a third party”
  • For monetary or other valuable consideration

SLIDE 21

IS MY BUSINESS IMPACTED BY THE CCPA?

SLIDE 22

WHO DOES THE CCPA APPLY TO?

Three-Part Equation

1) A “business”
2) Those “doing business in California”
3) Meets one or more of the three numerical thresholds

SLIDE 23

DOING BUSINESS + THRESHOLDS

  • Annual gross revenues in excess of $25 million;
  • Personal information of 50,000 or more consumers, households, or devices; and/or
  • Sale of personal information accounts for 50% or more of annual revenues

SLIDE 24

REQUIREMENTS

SLIDE 25

CONSENT & SALE OF INFORMATION

  • CCPA states that if a business “sells personal information” to THIRD PARTIES it must provide notice to consumers of potential sale
  • Must also provide a right to opt out of the sale
  • Must have a “Do Not Sell” link on website, either on homepage, or California-specific homepage, that is “clear and conspicuous”
  • Can’t require consumer to create an account to opt out
  • Must allow other persons to opt out on a consumer’s behalf

SLIDE 26

NOTICES

  • CCPA is like GDPR in that you need to update your privacy policy to more particularly describe your privacy practices
  • CCPA requires disclosure of categories of personal information collected, used, disclosed, or sold
  • CCPA also requires that you update your privacy policy at least once every twelve months
  • A business cannot collect any personal information that is not disclosed to the consumer in a notice
  • A business cannot use any personal information collected for additional, non-disclosed purposes without providing notice

SLIDE 27

DATA SUBJECT REQUEST RIGHTS

  • Rights Provided to CA Residents under CCPA
    • Right to Deletion (companies must also require service providers to delete personal information)
    • Right of Access & Data Portability
    • Right to Know Certain Information Upon Request

SLIDE 28

LIMITATIONS TO DATA SUBJECT REQUESTS

  • Companies must take reasonable steps to verify the identity of the individual
  • Companies are not required to provide personal information to a consumer more than twice a year
  • There are exceptions to Right to Deletion

SLIDE 29

VENDOR MANAGEMENT

Vendors that have access to personal information should have the following contractual obligations:

  • Protect personal information
  • Assist in compliance efforts
  • Use personal information solely for the purposes of complying with obligations under agreement, and agreement will not constitute “sale”

SLIDE 30

TRAINING

  • Must “inform” all individuals responsible for handling consumer inquiries about the business’ privacy practices or CCPA about “Do Not Sell” requirements under law
  • You should conduct initial CCPA training before January 1, 2020, for all employees dealing with data subject requests
  • Adding privacy session or content to on-boarding and annual trainings

SLIDE 31

PENALTIES

SLIDE 32

ENFORCEMENT

Attorney General

  • If a business fails to cure an alleged violation within 30 days of noncompliance notification
  • Maximum civil penalty of $2,500 for each violation
  • Maximum civil penalty of $7,000 for each intentional violation

Private Action

  • If a business fails to have reasonable data security practices and a data breach occurs
  • Damages between $100 and $750 per consumer per incident or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief the court deems proper

SLIDE 33

DATES TO REMEMBER

  • Effective Date: January 1, 2020
  • AG Enforcement Date: July 1, 2020 or six months after the publication of final AG regulations (whichever is sooner)
  • One-year look back date: January 1, 2019

SLIDE 34

I AM GDPR READY! AM I CCPA READY? KINDA…

SLIDE 35

GDPR VS CCPA

  • CCPA expands Personal Information
    • “….is capable of being associated with… a particular consumer or household”
  • Additional training on processes
  • Additions to privacy policy
  • Additional pages on site to support users exercising their rights
  • Changes to data retention of those requests
  • Possible changes to contracts with vendors
  • Need to establish a toll-free number

SLIDE 36

NEXT STEPS

SLIDE 37

WHAT SHOULD I DO?

  • Talk to your legal team to understand how this law applies to your business
  • Work with them to understand business processes across all departments
  • Conduct an analysis on your data collection process
    • Understand where data flows from and to
    • Not just marketing and sales data
    • Understand what data is needed and what can be destroyed
    • Ensure data is being stored and secured according to industry best practices

SLIDE 38

WHAT SHOULD I DO?

  • Build process for managing and complying with requests from customers
    • Train employees on these processes
    • Retrain each year
  • Audit and test processes to ensure they are working and being followed
  • Update privacy policy to inform users of new rights under the law
  • Evaluate whether your company sells personal information
  • Update contracts with vendors and third-party providers

SLIDE 39

LIVE LOOK

SLIDE 40

Q & A

SLIDE 41

TELL US HOW WE’RE DOING

Feedback on Today’s Webinar

2 Minutes!

Or go to: http://bit.ly/CCPAWebinar

SLIDE 42

NEXT MONTH’S WEBINARS

Digital Marketing for Manufacturers Learning Series

Register at: LearnAtNorthwoods.com/OctoberLearning

SLIDE 43

THANK YOU!

SLIDE 44

RESOURCES

SLIDE 45

RESOURCES

  • Law
    • https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375
  • Overview of CCPA
    • https://www.law.com/njlawjournal/2018/12/01/the-california-consumer-privacy-act-what-you-need-to-know/
    • https://iapp.org/media/pdf/resource_center/Intro_to_CCPA.pdf
    • https://iapp.org/resources/article/top-5-operational-impacts-of-cacpa/
    • IAB webinar - https://youtu.be/uL4kYew68AM
    • https://www.iab.com/ccpa/

SLIDE 46

RESOURCES

  • Comparison of CCPA vs GDPR
    • https://fpf.org/2018/11/28/fpf-and-dataguidance-comparison-guide-gdpr-vs-ccpa/
  • Privacy Policy
    • https://secureprivacy.ai/privacy-policy-generator-for-gdpr-ccpa-eprivacy/

SLIDE 47

RESOURCES

  • Online Tools
    • www.northwoodsoft.com/privacy
  • Other
    • https://www.natlawreview.com/article/state-law-developments-consumer-privacy

SLIDE 48

ANNEX

SLIDE 49

“DOING BUSINESS IN CALIFORNIA”

  • Not defined under CCPA, but there are some theories about what “doing business” means:
    • Based on the definition of “consumer”—a natural person who is a California resident—“doing business” could mean that it applies to any business that collects or sells the personal information of California residents
    • California Revenue and Taxation Code Section 23101(a) states that an out-of-state company is doing business in California if it “actively engages in any transaction for the purpose of financial or pecuniary gain or profit.”

SLIDE 50

WHAT CCPA DOES NOT APPLY TO

  • Information that is “publicly available”
  • Medical information or PHI under California Medical Information Act or HIPAA/HITECH
  • Information for clinical trials
  • Sale of personal information to or from a Consumer Reporting Agency
  • Information collected, processed, sold, or disclosed pursuant to GLBA or Cal. Financial Information Privacy Act
  • Information collected, processed, sold, or disclosed pursuant to Driver’s Privacy Protection Act of 1994

SLIDE 51

DEFINITION OF “THIRD PARTY”

  • Means anyone but:
    • The business itself
    • Any person the business has a written contract with, provided the contract:
      • Prohibits the selling of said personal information
      • Prohibits retaining, using, or disclosing the information other than as specified in the contract
      • Prohibits retaining, using, or disclosing the information for a commercial purpose other than providing the services specified in the contract
      • Prohibits retaining, using, or disclosing the information outside of the direct business relationship between the person and the business

SLIDE 52

DISCLOSURES WITHIN NOTICES

  • The CCPA requires a number of disclosures – most of which will be located in an outward-facing privacy notice or pursuant to a data subject request (which will be discussed later)
  • Disclosures include:

1. Categories of personal information collected about the consumer;
2. Categories of the sources from which personal information was collected;
3. Business or commercial purpose for collecting or selling personal information;
4. Categories of third parties with whom the business shares personal information;
5. (Specific pieces of personal information);
6. A list of categories of personal information sold about consumers in the preceding 12 months or, if no sale occurred, the fact;
7. A list of categories of personal information disclosed for a business purpose in the preceding 12 months or, if no disclosure occurred, the fact;
8. Consumers’ right to request access to their personal information, along with designated methods for submitting such requests;
9. Consumers’ rights to request deletion of their personal information;
10. Consumers’ rights to opt out of sale of their business information; and
11. Consumers’ rights not to be discriminated against for exercising CCPA rights

SLIDE 53

RESPONDING TO DATA SUBJECT REQUESTS

  • Must provide two or more designated methods for making requests: toll-free number and website
  • Response must be:
    • Free of charge
    • In readily usable and portable format
    • Within 45 days – can extend once for 45 days with notice to consumer
    • Via individual’s existing account or via mail or email at consumer’s option
  • If not taking requested actions, must inform data subject and include reasons for not taking action and any rights to appeal the decision

SLIDE 54

VENDOR MANAGEMENT

  • Relevant Provisions
    • CCPA 1798.140(v) – “Service Provider” is a legal entity that processes information on behalf of a business and to which the business discloses personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
    • CCPA 1798.105(c) – A business that receives a consumer request to delete personal information shall direct any service provider to delete the consumer’s personal information from their records.
    • CCPA 1798.145(h) – A business that discloses personal information to a service provider shall not be liable for the Service Provider using the personal information in violation of this title if at the time of disclosure, the business does not have actual knowledge or reason to believe the service provider intends to commit such a violation selling information. (Same exception for service providers.)