TRANSCRIPT
September 17, 2019
California Consumer Privacy Act and AdTech
*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
www.dlapiper.com
Agenda
Attorney-Client Privileged and Confidential 2
Introduction
AdTech ecosystem
CCPA – key components
Key digital advertising activities
Applying CCPA to advertising and marketing activities
Operationalizing CCPA: responding to consumer requests
AdTech ecosystem
AdTech ecosystem – CCPA impact analysis
Marketing and advertising – enterprise view
Organizational groups
• Email marketing
• Direct mail
• Telemarketing
• Experiential marketing
• Regional, geography-based marketing
• Mobile marketing
• Video marketing
• Search engine marketing
• Website marketing
• Social media marketing
Channels
• Website
• Mobile
• Phone
• Email
• Social Media
• Search
• In-person events
• Direct mail
• Out of band
• Video
Activities (impacted by CCPA)
• Customer experience
• Profiling and enrichment
• Display advertising
• Direct mail/print marketing
• Email marketing
• Paid social advertising
• Analytics
• Search engine advertising (paid search, PPC, CPC)
• Campaign management
• CRM management
• Loyalty and referral programs
• Cookie, pixel, and tag management
• Affiliates
• Social listening
• Retargeting
• Inbound marketing
• Surveys
CCPA – key components
• Access / copy: Introduces broad rights for consumers, including the right to obtain a copy of personal information in a portable form, and the right to know how the business has handled the specific individual’s personal information in the preceding 12 months
• Deletion: Upon request, a business must delete a consumer’s personal information, unless an exemption applies
• Do not sell: Introduces mandatory right to opt out of sales of personal information. Businesses must provide a “do not sell” link on website to a page that explains how to opt out
• Enhanced notice: Businesses must disclose collection and use of personal information prior to or at the point of collection. Privacy policies require updates and specific disclosures
• Discrimination: Businesses are prohibited from discriminating against consumers for exercising their rights, eg, by offering a different class of service or charging a higher rate
• Incentives: Businesses may only offer incentives that are fair and fully disclosed; incentives must be reasonably related to the value of the consumer’s personal information
• Contract terms: Introduces mandatory contract terms for service providers
• Enforcement risks: Private right of action and statutory damages of $100-750 per violation in the event of data breach of unencrypted or “un-redacted” personal information, if company did not have “reasonable” security. Enforcement of privacy provisions by California Attorney General with penalties of up to $2,500 ($7,500 if intentional) per violation
Key components of the CCPA
Business vs. service provider vs. third party
• Business: An entity “that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state of California” Section 1798.140 (c)
• Third party: An entity that is not a business or a service provider. Section 1798.140(w)
• Service provider: An entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the [service provider] from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business or as otherwise permitted by [CCPA] including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the Business.” Section 1798.140 (v)
• Personal Information: “information that directly or indirectly identifies, relates to, describes or is reasonably capable of being associated with or reasonably linked to a California resident or household” (eg, contact information, government IDs, biometrics, location data, account numbers, purchase history, behavior, tendencies, online and device IDs, cookie IDs, search and browsing history or activities from connected devices)
• Four buckets: an approach to addressing the breadth of the definition
1. Data elements – traditional concept of personal information
2. Contextual – attributes, profiles, queries, ordinary course of business
3. Potential – may be PI given significant effort, not done in ordinary business
4. Not Personal Information – financial information, not related to a person
Buckets 1, 2 and 4 operational response; Bucket 3 requires analysis and decision
Key definitions under CCPA
• Collection: Includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including active and passive collection and observing individual behavior
• Sale: Broadly includes selling, providing, making available or disclosing personal information in exchange for any consideration or thing of value
• The following is NOT a sale: The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose (if notice provided and service provider provisions are in place)
Key definitions under CCPA
Business purpose means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected, including:
• Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with specification and other standards
• Short-term, transient use such as the contextual customization of ads shown as part of the same interaction, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction
• Performing services on behalf of the business or service provider, including … providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider
Key definitions under the CCPA
• Contextual and ad reporting
• Behavioral advertising
• Retargeting
• Advertising analytics
• SSPs, DSPs, DMPs
• Ad exchanges
• Direct ad sales and buys
• Ad agencies
How will the CCPA apply?
Specific digital advertising activities
• Providing user segments to data provider
• Obtaining third-party user segments
• Intermediaries that connect two entities’ data sets so that one entity can supplement its data set
• Using existing user data to target ads (to the user, lookalikes) on social media platform
Applying CCPA to advertising and marketing
An effective and efficient method for determining the impact and the operational requirements necessary to comply with CCPA is through the analysis of the following five CCPA use cases:
Three use cases are based on the requests made by consumers:
• Access
• Deletion
• Do not sell
Two use cases involve the enterprise requirements with respect to consumers and third parties:
• Transparency/notice
• Third parties vs. service provider
It is important to apply the use cases both to individual functions, such as marketing, and to the enterprise as a whole to manage CCPA compliance effectively
CCPA use cases
• Privacy policy updates
• Categories of information collected, sold, disclosed for a business purpose
• Notice of collection and use at or before collection
• Are cookie banners now required?
Opt out
• Managing opt out
• After opt out, can’t request consumer opt back in for 12 months
• Applying opt outs to stop personal information disclosure
• Distinguishing between sales and non-sales involving third-party tags
• Reseller provisions
• AdTech providers may begin to seek a rep from publishers that they have provided the notice and opt out required by CCPA
Transparency and notice
Applying CCPA obligations in AdTech
• Challenges in responding to access and deletion requests in the AdTech space
• What is a “verifiable consumer request”?
• A request that is made by a consumer … that the business can reasonably verify, pursuant to regulations adopted by the Attorney General to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer if the business cannot verify that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
• Determining who is a California resident
Access and deletion
Applying CCPA obligations in AdTech
Third-party management
• Ensure appropriate contractual terms are included in contracts with service providers
• Consider role of agency, including in contracting with third parties
• Data enhancement and acquisition
Non-discrimination vs. fair and reasonable incentives
• Consumer can’t be required to waive rights under CCPA or be penalized for exercising rights
• Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data
CCPA vs. GDPR
• Consent versus opt-out (but no opt in request for 12 months)
• Use of cookie banners, tag managers and consent portals for GDPR + CCPA
Applying CCPA obligations in AdTech
Operationalizing CCPA: responding to consumer requests
Process requirements – CCPA consumer request
1. Consumer request
2. Point of contact
3. Audit record
4. Validation of request
5. Response analysis
6. Required actions
7. Communication
8. Production action
9. Response aggregation
10. Response package review
11. Consumer response
12. Record action and close
Central Orchestration Point
• Data governance committee
• Privacy office
• Privacy software / workflow
Management tool
• Audit tool
• Functional POCs
• Legal/compliance
CCPA: “The Law of Lists”
• List of covered population
• List of categories of personal information collected, sold and disclosed during the preceding 12 months
• List of categories of sources from which the business collects Personal Information
• List of categories of third parties who purchased or received Personal Information
• List of business processes that collect Personal Information
• Inventory of systems and data stores and corresponding owners
• Inventory of data maps
• Inventory of websites, mobile applications, marketing and digital marketing activities
• Inventory of cookies, cookie providers and pixels
• List of use cases (interaction, sources, channels, relationships, consumer types)
Questions?
Thank you