THE IMPACT OF THE CALIFORNIA CONSUMER PRIVACY ACT

Transcription

1 THE IMPACT OF THE CALIFORNIA CONSUMER PRIVACY ACT

2 WHO IS INTRAEDGE? PROVIDING TECH SOLUTIONS FOR

3 DATA PROTECTION IS HEATING UP Source:

4 WHAT IS THE CCPA? California Consumer Privacy Act 2018 Game-changing new privacy law applies to entities that collect personal information about California persons, regardless of entity s location Effective January 1, 2020; expecting amendments/rules to implement law Data breach provisions effective and enforceable January 1, 2020 Data privacy provisions will take effect as from January 1, 2020 Enforcement of privacy provisions begins July 1, 2020, or 6 months after AG completes rulemaking, whichever is sooner Substantial new rights for CA residents; rights are not identical to those offered to EU residents under GDPR Most companies will need a long lead time to comply with the law; significant operational changes required High risk of enforcement

5 CCPA SCOPE: COVERED BUSINESSES Covered entities: entities (and their parents and subsidiaries), regardless of location, that collect personal information about California residents, AND (a) have annual gross revenues over $25 million; (b) annually collect personal information of 50,000+ California residents; or (c) derive 50 percent or more of annual revenue from selling personal information Limited Exemptions: partial exemption for entities and information covered by certain federal and California health info and financial privacy laws Common Misconceptions: The law does not apply to me b/c: I do not sell data I am a financial services company I already comply with GDPR I am not in the Ad Tech space I am B2B I do not have any customers in California. I only have employees.

6 SWEEPING DEFINITIONS: Companies need to reassess how they think about data Personal information: Any information that directly or indirectly identifies, relates to, describes or can be associated with or reasonably linked to a California resident or household explicitly includes name, contact info, government IDs, biometrics, location data, account numbers, education history, purchase history, online and device IDs, search and browsing history and other online activities Residents and households Search and browsing history and other online activities Applies to consumer, employee and B2B data for now Excludes publicly available data caution: specific definition of publicly available information made available from government records, but only if used for a purpose compatible with the maintenance of those same records Collection: includes intentional collection, as well as passive collection (e.g., of online identifiers) Sale: selling, providing or disclosing personal information in exchange for any consideration or thing of value

7 CCPA: CONFIRMED COMPLIANCE REQUIREMENTS ENFORCEMENTS + LIABILITIES Privacy enforcement Potentially massive class action liability for data breaches NOTICES At or before collection Toll free number and website Categories of information collected Categories of information disclosed (and to whom) Categories of information sold (and to whom)

8 CCPA: CONFIRMED COMPLIANCE REQUIREMENTS CONSUMER RIGHTS Right of Access for consumers Open clarification: Can someone from a household request data for another person in the household Remember: Broader definition over the GDPR where CCPA includes data that can be associated with a household Right to know about data disclosures Do not Sell Right to my information and obligation of organizations (and placement) Right to delete personal information Right to sue for statutory damages 12 months preceding and 12 month re-opt-in

9 CCPA IMPLEMENTATION COMMONALITIES CONCEPTS IN QUESTION HR data (and what is under this umbrella) Reporting What reports are auditors looking for? Suppression of rights by Location Does an individual have access to household Under 18, lots of confusion Source of data and how that impacts disclosure and data rights CONCEPTS NOT IN QUESTION Disclosure of the types of data you have Policies Show me my data Verification of consumer request Cookie consent (evolving complexity) Layering or single Breach notifications Right to be removed/erased Do not sell my data May as well cover me for the GDPR

10 COMMON RIGHTS: CCPA + GDPR Core Requirement GDPR CCPA Notice to Data Subject/Consumer Right of Access Without an account Right to Rectification Right to Equal Terms Right to Do not sell my data Internal documentation Consumer. A CCPA term to define any natural person who is a California resident. Data Subject. An identifiable natural person (where processing or subject resides in the union) Assignment of a DPO Breach Notification

11 HIGH LEVEL COMPARISON: GDPR + CCPA Data definition Privacy policy/ notices Sale of data Individual rights Class actions Enforcement GDPR Any information related to an identified or identifiable living natural person More detailed notices, layered approach acceptable, distinction between data collected from individual vs. collected from other sources No absolute right to opt-out of sale, but conditional rights to object to processing Rights to access with narrow exceptions Conditional rights to erasure, to object to processing and to restrict processing Right to portability with broader exceptions and narrower range of in-scope data No explicit right against discrimination but discrimination may render processing unlawful No class actions for statutory damages Antitrust-sized administrative fines (up to 4% global group revenue for serious violations) CCPA Broader definition includes information that relates to, or is capable of being associated with, an individual, device, or household Less detailed notices + prescriptive as to placement of notices and manner in which it must be received Right to opt-out of disclosure (sale), subject to limited exceptions; entity must display opt-out link on website Right of access limited to data collection in past 12 months; fewer explicit exemptions Conditional right to erasure, no right to object to processing, no right of restriction or amendment Right of portability with fewer exceptions and broader range of in-scope data Right against discrimination for exercising rights Data breach class action for statutory damages Potentially high California AG enforcement ($7,500 per violation if intentional)

12 BDO: A CUSTOMIZED, PROACTIVE APPROACH Readiness Readiness assessment Data mapping / data flow diagramming Article 30 register development and management Article 6(1) and 9(1) information audit and inventory Incident response planning and testing Data protection impact assessments (DPIA) / privacy impact assessments (PIA) Information security assessments Outsourced / Virtual Data Protection Officer (DPO) Services (Articles 37-39) Development and business alignment Setup and configuration GDPR/CCPA Governance Remediation and Implementation Data minimization, retention, erasure and classification policies, and process development Training and awareness Privacy notices, policies and procedures development Privacy by design and default Technical controls implementation Third-party processor remediation Data breach response and notification process planning International data transfers policies and registers development Incident response Dawn raid support Litigation support Cyber investigations

13 PRIVACY COMPLIANCE TECHNOLOGY ASSESSMENT: Enterprise-wide evaluation HOW CAN WE HELP? CCPA DEEP DIVE: Custom session with privacy experts TRUYO: Automated, scalable data privacy rights management, powered by Intel.

14 Thank You! Dan Clarke Pete Mueller