California Consumer Privacy Act, TCPA and GDPR: Complying With Mobile Communications Marketing Rules
Trends in Enforcement Actions, Building and Maintaining Compliant Marketing Programs
Presenting a live 90-minute webinar with interactive Q&A
TUESDAY, MARCH 10, 2020
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Paul Bond, Partner, Holland & Knight, Philadelphia
William Long, Partner, Sidley Austin, London, England
Edward R. McNicholas, Partner, Ropes & Gray, Washington, D.C.
The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 1.
California Consumer Privacy Act, TCPA and GDPR: Complying With Mobile Communications Marketing Rules
Trends in Enforcement Actions, Building and Maintaining Compliant Marketing Programs
Data, Privacy & Cybersecurity Practice Group Co-Leader
2020
AGENDA
▪ Background on CCPA and other emerging state laws
▪ CCPA key provisions
▪ Coping with the new compliance burdens
▪ Draft AG regulations
▪ Operational impacts: analytics and AdTech
▪ Enforcement and private right of action
▪ Take-home points
Overview of U.S. privacy laws
▪ Law typically regulates either type of entity, data or business practice
– Type of entity: e.g., banks, hospitals, website owners, data brokers
– Type of data: e.g., financial data, health information, children’s data
– Business practices: e.g., telemarketing, monitoring emails, video-viewing behavior, background checks
State privacy laws
▪ Breach Notification Laws
▪ Online Privacy Policy Laws (CA, DE and NV)
▪ Biometric Information Laws (IL, TX, and WA)
▪ Medical Information Privacy Laws (CA, IL)
▪ Children’s Online Privacy (CA)
▪ Employee Monitoring Laws (CT, DE)
Federal privacy laws
▪ Children’s Online Privacy Protection Act (COPPA)
▪ CAN-SPAM
▪ Health Insurance Portability and Accountability Act (HIPAA)
▪ Gramm Leach Bliley Act (GLBA)
▪ Telephone Consumer Protection Act (TCPA)
▪ Fair Credit Reporting Act (FCRA)
California privacy laws
▪ California Online Privacy Protection Act (CalOPPA)
▪ California Shine the Light Act
▪ Data Security Statute
▪ Data Breach Notice
▪ Song-Beverly Credit Card Act
▪ Constitutional Privacy Rights
California Consumer Privacy Act (CCPA)
▪ Signed into law June 28, 2018. Creates new disclosure obligations and rights for California residents, including the right to opt out of “sales” of personal information
▪ Result of a last-minute compromise between California lawmakers and an activist organization supporting a data privacy ballot initiative
– The speed of passage resulted in many drafting errors and ambiguities
– Attempts to clarify through amendments and regulations
▪ Most significant provisions to become operational on January 1, 2020
– Private right of action
– Policies and disclosure requirements
▪ Not enforced by AG until July 1, 2020
What comes next?
▪ New California Privacy Rights and Enforcement Act (CPREA)
▪ Alastair Mactaggart is floating a new petition drive for the November 2020 ballot
▪ Current plan:
– Restrictions on further amendments that weaken the CCPA
– New California Privacy Protection Agency to enforce the Privacy Act and provide guidance to industry
– Triple penalties for the violation of children's privacy
– New rights around the use of sensitive personal information, including race, financial data and geolocation
– Require companies to disclose more details about algorithms used in decisions about employment, housing and credit
Other State Bills Inspired by the CCPA
Key CCPA considerations
▪ Are you in scope, and are the exemptions enough?
▪ How are you coping with the new compliance burdens?
– DSARs
– Restrictions on sales
– Vendor contracts
– Delta between GDPR and CCPA
▪ Operational impacts on data analytics? AdTech? Potential to significantly impact the ability to buy, sell and use data containing information about California residents
▪ Enforcement and private right of action: the availability of statutory damages increases the risk of class action litigation in the event of a security incident
Are you in scope?
▪ Applies to firms that are “doing business” in California and meet one of three thresholds:
– annual gross revenue exceeds $25m;
– annually sells or receives for a commercial purpose, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
– derives 50% or more of its annual revenues from selling consumers’ personal information
▪ Controlled or controlling entities: also applies to any entity that controls or is controlled by such a business and shares common branding
Key definitions
▪ Consumer: a California resident
– Applies not only to customers but also employees and others
▪ Personal information: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
– Significantly broader than the typical U.S. standard; comparable to the definition in the GDPR
▪ Sell, selling, sale, or sold: selling, renting, releasing, making available or otherwise communicating a consumer’s personal information “for monetary or other valuable consideration”
– Given the broad definition, a “sale” could arguably apply to most contractual arrangements that involve sharing personal information
New amendments: did they help?
AB 25 – Exclusion of “employee” from definition of “consumer”
▪ Excludes employees, contractors, job applicants and others from the definition of “consumer” so long as the personal information is collected and used solely within the context of that person’s role
▪ Exemption is subject to a one-year sunset provision
▪ Businesses still must provide employees with notices about what categories of information a business collects about them and their purpose for doing so, but need not offer opt-out, access, and deletion
▪ Employee-related Personal Information remains subject to the CCPA’s data breach provisions
AB 874 – Carve-outs from personal information: expansion of publicly available information exemption
▪ Redefines the term “publicly available” to clarify that it refers to information that is lawfully available in federal, state, or local records, regardless of whether the information is being used in a way that is compatible with the purpose for which the data is maintained
▪ Clarifies that personal information does not include de-identified or aggregated data
▪ Clarifies that information capable of being associated with an individual or household must be “reasonably” capable of being associated with the consumer or household before being considered personal information
AB 1146 – Exemption for vehicle warranties and recalls
▪ Exempts certain vehicle information shared between a new auto dealer and a vehicle manufacturer in connection with vehicle repairs relating to warranty work or recall
AB 1355 – Addressing differential treatment and disclosures
▪ Exempts business contact information that a business collects during communications or transactions with another business or government agency (B2B transactions). Specifically, AB 1355 exempts from most of the CCPA’s provisions personal information about an employee, owner, director, officer or contractor of a business or government agency collected by a business as part of B2B transactions, in the context of due diligence of, or the provision of products or services to, the business or agency. The exemption does not exclude all B2B information, but it excludes much of it
▪ Exemption does not apply to the right to opt out of the sale of a consumer’s data or the obligation not to discriminate against a consumer for attempting to exercise other rights
▪ Clarifies that consumers’ right to access any personal information that a company has collected about them in the past year does not require the business to retain any personal information that it would not otherwise retain in the ordinary course of business
AB 1564 – Consumer requests
▪ Retains general requirement that businesses must make available to consumers two or more designated methods for submitting requests for information, including at a minimum a toll-free telephone number
▪ Specifies that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects PI is only required to provide an email address for purposes of submitting certain consumer requests for information disclosures required under the CCPA
▪ Clarifies that if the business maintains a website, the business must make the website available to consumers to submit requests for CCPA information disclosures
AB 1202 – Data broker requirements
▪ Defines a “data broker” (businesses that knowingly collect and sell personal information to third parties) and requires data brokers to register with the Attorney General
▪ Failure to register may lead to liability (civil penalties, fees and costs)
Didn’t we already deal with GDPR?
Scope
– GDPR: applies to a “controller” or “processor” that is established in the EU, or established outside of the EU and either (1) offering goods/services to the EU or (2) monitoring behavior in the EU
– CCPA: applies to a for-profit “business” that does business in CA and meets revenue / volume thresholds for CA resident data; a business is defined similarly to an EU “controller”
“Personal Data” v. “Personal Information”
– GDPR: data related to an identified or identifiable natural person
– CCPA: similar, data related to identifiable persons, households or devices. Excludes data made publicly available by the government.
Right to Be Forgotten
– GDPR: data subject may request deletion of “personal data,” with exceptions
– CCPA: similar, but exceptions include continued internal uses of data consistent with purposes of collection
Right to Opt-Out
– GDPR: applies only to processing based on consent
– CCPA: applies to the “sale” of Personal Information
Disclosures
– GDPR: disclose identity of controller, purpose of processing, source of data (if third party) and other information about data subject rights, data transfers and record retention
– CCPA: in addition to information about categories, sources and disclosures of data, must expressly state if data is “sold.” Include link to “Do Not Sell My Personal Information,” if applicable.
Exceptions
– GDPR: does not apply to “anonymous” data
– CCPA: in addition to anonymous data, contains numerous exceptions, including for HIPAA-covered and GLBA-covered data
The right to opt out
▪ Consumers may opt out of the “sale” of their Personal Information at any time
▪ Businesses that sell Personal Information must:
– Provide “Do Not Sell My Personal Information” opt-out link on homepage
– Describe the right and link to the opt-out webpage in their privacy policy
– Respect Consumer’s decision for at least 12 months before re-requesting
▪ Children: no selling Personal Information of children unless child (aged 13 to under 16) or parent (under 13) opts in
How many DSARs will be received?
▪ Right to know: a business that collects “Personal Information” must, at or before the point of collection, inform consumers about the categories of information it collects and why; additional disclosure obligations apply if the business sells the information
– Lookback confusion
▪ Right to access / portability: consumers can request access to the specific pieces of information collected
– If provided electronically, must be portable
▪ Right to erasure: consumers can request that a company delete their Personal Information
– Many exceptions that could allow continued use
▪ Right to equal service: business cannot charge a different price or offer a different service level if a consumer exercises a right
– CAN charge a different price if it is related to the value of the data
Updating privacy notices
▪ CCPA requires updates to online privacy notice by January 1, 2020
▪ Must include information about:
– California Privacy Rights
– Collection and Use of Personal Information
  ▪ Categories of information collected
    – Reference categories listed in definition of personal information
  ▪ Categories of sources of information
  ▪ Purpose for collecting or selling information
  ▪ Categories of third parties with whom information is shared
  ▪ Specific pieces of information collected about consumer
– Sales and disclosures of Personal Information
  ▪ Must state whether or not business “sells” information
Amending contracts
▪ To avoid the definition of “sales,” fit vendors within the service provider exception:
– Contract must state that vendor cannot use data except for performing specified services for the business
– What about uses to “improve services”?
▪ Consider including other provisions to address CCPA issues:
– Right to be forgotten and other rights
– Restrictions on “discrimination”
– Data security and breach
– Restrictions on use of service providers
– Other privacy best practices
Draft AG regulations
▪ Items of interest:
– Purpose limitation (.305(3))
– Verification process
– Do Not Sell browser signals? (The Return of Do Not Track?)
– Financial incentives disclosures, including valuation methods
– Household privacy
Compliance program impacts
▪ Non-Discrimination – § 1798.125
▪ Affirmative Link to “Do Not Sell” – § 1798.135
– Provide “Do Not Sell My Personal Information” opt-out link on homepage
– Describe the right and link to an opt-out webpage in the privacy policy
– Respect Consumer’s decision for at least 12 months before re-requesting
▪ Treatment of Children’s Data – § 1798.120
– No selling Personal Information of children unless child (aged 13 to under 16) or parent (under 13) opts in
Operational impacts of new rights
▪ Gating issues
– Data Inventory
– Assess “sales” of data
– AdTech
– Analytics
▪ Need governance structure?
▪ Document privacy program
– Update compliance documents
– Externally facing privacy notices
– Procedures for responding to Consumer rights requests
▪ Training
Attorney General enforcement
Timing
▪ Enforcement actions can be brought six months after publication of the final regulations or July 1, 2020, whichever is sooner
AG remedies
▪ $2,500 for each violation not cured within 30 days of notice
▪ $7,500 for each intentional violation
▪ Injunctive relief
Consumer privacy fund
▪ Any civil penalties and settlement proceeds to go to new fund
▪ Intended to “fully offset any costs incurred by the state courts and the Attorney General” in connection with the CCPA
CCPA’s private right of action
▪ Backdrop: Cal. Civ. Code § 1798.81.5
– Existing statutory obligation of “reasonable security”
– California already provides a private right of action for actual damages arising from a violation of this provision
▪ The CCPA (§ 1798.150) creates a new private right of action with statutory damages for consumers whose
– Nonencrypted and nonredacted personal information
– Is subject to an unauthorized access and exfiltration, theft or disclosure
– As a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices
▪ “Reasonable security” is not defined in or addressed by the CCPA
CCPA’s private right of action
▪ What is “reasonable security”?
– Not defined in or addressed by the CCPA
– Appears to require violation of existing statutory obligation of “reasonable security” (Cal. Civil Code § 1798.81.5)
▪ Earlier California Attorney General guidance
– 2016 Data Breach Report – referenced the Center for Internet Security’s Critical Security Controls (SANS 20)
– 2014 “Cybersecurity in the Golden State” Report
CCPA’s private right of action
▪ At present, no private right of action for the CCPA’s other provisions
– “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law”
▪ So AG enforcement only
– Proposed amendments that would expand the private right of action are either dead (AB 1760) or will not advance in 2019 (SB 561)
▪ Plaintiffs nonetheless may look to leverage the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, to bring such claims
Take-home points
▪ California privacy law will continue to be a moving target for the foreseeable future. This issue may not settle unless / until we get a federal law in 2021 at the earliest.
▪ Take proactive steps now to prepare for the CCPA’s implementation:
– Data mapping: track points of data collection, where data resides, retention policies, and how it is used and shared outside the firm
– Assess third-party vendor risk: develop commercial contracts to ensure adherence to CCPA requirements
– Policies: update or create policies to address developing privacy laws
– Procedures: develop procedures to allow consumers to exercise their new data access and deletion rights
– Disclosure: develop disclosures and notices necessary to comply with the law
– Cyber defenses: minimize personal data, encrypt and redact (where feasible)
– Insurance: review language in cyberinsurance policies
– Training: train relevant employees on the scope and implications of the CCPA, as well as the Firm’s policies and approaches to dealing with the law’s requirements
Seven things companies can be doing now
▪ Build a record to demonstrate “reasonable” information security
– Develop a demonstrable information governance program with senior leadership reporting
– Enhance your internal privacy and cybersecurity policies
– Tie your internal policies to international standards, including a mapping to the SANS 20
▪ Increase your cyber-defenses
– Minimize personal data
– Implement encryption and redaction, where feasible
– Address phishing through systems that aggressively filter phishing emails and enhanced training
– Consider intrusion detection systems that help you spot, and limit, attacks
▪ Assess vendor agreements and risk management practices
– Review vendor contracts to include robust security and notice terms
– Audit: consider checklist auditing of all vendors and on-site auditing of major vendors, or requiring them to submit to SAS / SSAE / ISO certifications
Seven things companies can be doing now
▪ Consider arbitration provisions with class action waivers
▪ Increase your ability to define the scope of any intrusion
– Map your information assets so that you can understand where they sit
– Enhance your logging and the retention periods of those logs
▪ Revisit incident response planning
– Pre-positioned legal and forensic experts
– Maximize attorney-client privilege and work product protection
– Develop process to respond to CCPA notices (30 day clock)
– Run tabletop simulations to help avoid unforced errors during breach response