CALIFORNIA CONSUMER PRIVACY ACT AND GDPR – HOW DO THEY DIFFER? KEY COMPLIANCE POINTS FOR BUSINESSES

November 14, 2018

Jennifer M. Kashatus, Kate Lucente, Rena Mears, Carol A.F. Umhoefer

*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.


Page 1 – Title slide

www.dlapiper.com · November 14, 2018


Page 2 – Agenda

• Scope/Key Definitions
• Key Components
  – Consumer Rights
  – Operational Requirements
  – Service Providers and Third Parties
  – M&A
• Comparison with GDPR

Page 3 – 1. Scope/Key Definitions

Page 4 – What is the CCPA and why is it a big deal?

• Game-changing new privacy law, broadly applicable to businesses (regardless of location) that collect personal information about California residents
• Effective January 1, 2020 (though further amendments are expected before that date, and the California Attorney General is to issue implementing regulations)
  – Data breach private right of action available from January 1, 2020
  – Privacy provisions enforceable by the California AG sometime between January 1, 2020 and July 1, 2020
• Substantial new rights for California residents
• Significant operational impacts for covered businesses; preparation is likely to require significant time and effort
• Broad definitions and scope

Page 5 – CCPA Scope – covered businesses

A "business" is any for-profit entity that collects personal information about California residents and determines (alone or jointly with others) how and why that personal information is processed, if it:

  (a) has annual gross revenues over $25 million, OR
  (b) annually buys, sells, shares, or receives the personal information of 50,000 or more California consumers, households, or devices, OR
  (c) derives 50% or more of its annual revenue from selling personal information

Also includes parents, subsidiaries, and other affiliates that share common branding with a business meeting the above thresholds.

Page 6 – CCPA Scope – covered businesses and exemptions

• Non-profit entities are not covered
• Limited exemptions for certain regulated entities
  – Partial exemption for entities and information covered by certain federal and California health information and financial privacy laws
  – Not exempt from the data breach private right of action
• Common misconceptions – "The law does not apply to me because…"
  – "I do not sell data"
  – "I am a financial services company"
  – "I already comply with GDPR"
  – "I am B2B"
  – "I do not have any customers in California. I only have employees."

Page 7 – CCPA Scope – Financial Services

• The financial services exception is not absolute
• It only applies to data already covered by the GLBA or the California Financial Information Privacy Act
  – Evaluate data collection points, product lines, and services
  – Identify what data falls outside the scope of the financial privacy laws
  – Consider data used for advertising, data collected online, and data collected before a consumer relationship exists
• Financial institutions remain subject to the private right of action for data breaches

Page 8 – Sweeping Definitions – Companies need to reassess how they think about data

Personal information: "Any information that directly or indirectly identifies, relates to, describes or can be associated with or reasonably linked to a California resident or household" – explicitly includes:
  – Name, contact information, government IDs, biometrics, location data, account numbers
  – Employment and education history
  – Purchase history, behavior, and tendencies
  – Online and device identifiers
  – Search and browsing history and other online activities
  – Activity from connected devices

• Currently applies to consumer, employee, and B2B data alike
• Includes household-level data and device data
• Narrow exclusion for publicly available data from government records

Page 9 – Sweeping Definitions – Companies need to reassess how they think about data (cont.)

Collection: includes buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including active and passive collection and observing individual behavior.

Sale: broadly includes selling, providing, or disclosing personal information in exchange for any consideration or thing of value.

Page 10 – Operational Impacts and Considerations

• Know your data
• Identify, inventory, and map data flows at a level sufficient to meet CCPA requirements
• Key considerations and challenges:
  – Expanded personal information definition (anything linkable to an individual or household)
  – Data quality – establishing identity and resolving ambiguities
  – Establishing "household" relationships
  – Data sources and original acquisition channel
  – Third party sharing
  – California residency determination

Page 11 – 2. Key Components of CCPA

Page 12 – Key Components

• New consumer rights (access, deletion, opt-out, information)
• Prior notice of collection and use
• Privacy policy requirements
• Website updates and consumer rights mechanisms
• Vendor and third party management
  – "Service providers"
  – Third party disclosures
  – Resale of data
• Data mapping and the impact of sweeping definitions and broad scope
• Private right of action for data breaches

Page 13 – Key Components – New Consumer Rights

Individuals have the right to:
• Access and obtain a copy of the personal information collected about them in the past 12 months
• Require a business to disclose how it has handled the individual's personal information in the preceding 12 months:
  – Categories of personal information collected
  – Sources of personal information
  – Purposes of use, disclosure, and sale
  – Categories of third party recipients
  – Categories of third parties to whom personal information has been sold
• Requests may be made up to twice in a 12-month period, free of charge

Page 14 – Key Components – New Consumer Rights (cont.)

Individuals have the right to:
• Request deletion of all of their personal information

The business must also direct its service providers to delete. Numerous exceptions apply:
  – Certain internal uses, e.g. detecting security incidents, completing a transaction requested by the consumer, performing a contract with the consumer
  – Newspapers
  – Rights of other consumers
  – Compliance with law
  – Using the consumer's information internally, in a lawful manner that is compatible with the context in which the consumer provided it

Page 15 – Key Components – New Consumer Rights (cont.)

Individuals have the right to:
• Opt out of the sale of their personal information
  – Businesses that resell data are obligated to confirm that the individual received compliant notice and an opt-out opportunity
  – A link on the home page to a "Do Not Sell My Personal Information" page
• Consent to the sale of a minor's personal information (affirmative opt-in authorization is required before selling the personal information of consumers under 16)

Complying with requests:
• A business may not charge for the exercise of these rights
• Must provide, at a minimum, a toll-free telephone number and a website address (if the business maintains a website) through which individuals can exercise their rights
• Data mapping, processes, and channels for handling individual requests

Page 16 – Key Components – Enhanced Disclosures

• Disclosure at or before collection: must disclose the personal information collected and how it will be used
• New privacy policy requirements:
  – Describe consumers' rights and how to exercise them
  – List the categories of personal information collected, sold, and disclosed in the prior 12 months, and update the list every 12 months
  – Link to the "Do Not Sell" page (on the home page and on any page that collects data) that allows the consumer to submit a request not to sell his or her data (including household or device data)
• Update the website and privacy policy; update or introduce new notices "at or before collection"

Page 17 – Key Components – Service Providers

• Mandatory contract terms for service providers:
  – Prohibit the recipient from selling the personal information
  – Restrict use of the personal information to performing the services under the contract
  – Restrict use of the personal information outside the direct relationship between the individual and the (disclosing) business
  – Include a certification by the recipient regarding the above
• Absent these terms, the vendor will be treated as a "third party" for purposes of disclosures and other obligations
• Notify service providers of deletion requests
• Review and update service provider agreements

Page 18 – Key Components – Third Party Management

• Assess sources of third party data
• No sale of the personal information of California residents who did not receive proper notice and opt-out choices, or who have opted out
• Resellers of personal information are obligated to confirm that proper notice and opt-out were provided
• Need to identify sources of personal information
• Need to identify the categories of personal information, recipients, and purposes for third party disclosures and (separately) for third party sales

Page 19 – Implications for M&A

• Provisions specifically targeted at corporate transactions
• Limitations on the use of personal information acquired through the purchase of a business, if that use is materially inconsistent with the notice given to the consumer
• If personal information (e.g., a customer list) is sold in an asset deal, there is a potential valuation issue, since new notice and a new opt-out choice are required
• Careful attention to diligence for analytics companies – the broad definition of "personal information" brings such companies under the CCPA (data they collected previously was not treated as PII, and they may not have had protections in place for it)

Page 20 – Heightened Enforcement Risks

• Private right of action with statutory damages of USD 100–750 per consumer per incident (or actual damages, if greater) in the event of a data breach of unencrypted or "un-redacted" personal information, where the company failed to implement and maintain "reasonable" security; significant class action risk. Because the provision is limited to unencrypted or un-redacted data, encryption or redaction of stored personal information directly reduces this exposure.
• Enforcement of the privacy provisions by the California Attorney General, with civil penalties of up to $2,500 per violation ($7,500 per intentional violation)

Page 21 – Operational Impacts and Considerations

Key considerations and challenges:
• Original acquisition channel
  – Compliance with notice and choice/consent
  – Impact on historical/legacy data
  – Data sources and third party sharing
• 12-month look-back
• Deletion rights
• Resolving potential conflicts and discrepancies
  – "Opt-out" discrepancies across data acquisition channels
  – Resolving conflicting "do not sell" requests for household or device data
• Determining the validity of a consumer request
• Challenges of a "California data segregation" strategy
• Third party management

Page 22 – Key Components – Compliance Management

• Data mapping and the impact of sweeping definitions and broad scope
• Process and mechanisms for individual rights requests
• Notice and privacy policy requirements:
  – Review collection practices
  – New notices at or before collection
  – Changes to the website and website policies
  – Update the privacy policy every 12 months
• Vendor and third party management:
  – Mandatory contract terms for "service providers"
  – Deletion requests
  – Third party data flows
  – Resale of data

Page 23 – 3. Comparison with GDPR

Page 24 – High-level comparison – GDPR and CCPA

Data definition
  CCPA: Broader definition – includes information that relates to, or is capable of being associated with, an individual, device, or household
  GDPR: Any information relating to an identified or identifiable living natural person

Privacy policy/notices
  CCPA: Less detailed notices, but prescriptive as to the placement of notices and the manner in which they must be received
  GDPR: More detailed notices; a layered approach is acceptable; distinction between data collected from the individual and data collected from other sources

Sale of data
  CCPA: Right to opt out of disclosure (sale), subject to limited exceptions; the entity must display an opt-out link on its website
  GDPR: No absolute right to opt out of sale, but conditional rights to object to processing

Individual rights
  CCPA: Right of access limited to data collected in the past 12 months; fewer explicit exemptions
  GDPR: Right of access with narrow exceptions
  CCPA: Conditional right to erasure; no right to object to processing; no right of restriction or amendment
  GDPR: Conditional rights to erasure, to object to processing, and to restrict processing
  CCPA: Right of portability with fewer exceptions and a broader range of in-scope data
  GDPR: Right to portability with broader exceptions and a narrower range of in-scope data
  CCPA: Explicit right against discrimination for exercising rights
  GDPR: No explicit right against discrimination, but discrimination may render the processing unlawful

Class actions
  CCPA: Data breach class action for statutory damages
  GDPR: No class actions for statutory damages

Enforcement
  CCPA: Potentially high California AG enforcement ($7,500 per violation if intentional)
  GDPR: Antitrust-sized administrative fines (up to 4% of global group revenue, or EUR 20 million if higher, for serious violations)

Page 25 – CCPA's Challenges for your GDPR program

• Control processes designed for the GDPR are unlikely to be fit for the CCPA without amendment
  – Different scope and definitions (devices, household information, publicly available information, health and financial data)
  – Different data subject rights
  – Different privacy notices
  – GDPR data mapping will not be sufficient
• Commercial agreements amended for the GDPR will need to be further amended (specific terms to avoid qualification as a "third party", cooperation in responding to deletion requests)

Page 26 – QUESTIONS?

Page 27 – Presenters

Jennifer M. Kashatus, Partner
T: +1 202 799 4448
F: +1 202 799 [email protected]

Kate Lucente, Partner
T: +1 206 839 4854
F: +1 206 494 [email protected]

Rena Mears, Principal
T: +1 415 836 2555
F: +1 415 659 [email protected]

Carol A. F. Umhoefer, Partner
T: +1 305 423 8528
F: +1 305 675 [email protected]
