Harmonizing Your Access Requests: Localizing Your GDPR Processes for CCPA

October 15, 2019

Presentation by:
Ami Rodrigues, Privacy Counsel, The Coca-Cola Company
Aruna Sharma, AVP – Senior Legal Counsel, Xandr
Amanda Witt, Partner, Kilpatrick Townsend & Stockton LLP

© 2019 Kilpatrick Townsend

Agenda

• Setting up Your DSAR Process(es)

• Verification Headaches

• GDPR v CCPA

• GDPR Lessons Learned

• Localizing GDPR Processes for CCPA

• Technical Challenges

• DSAR Alternatives

DSARs as a Trust-Building Opportunity

Verification Headaches

How do you verify the requester’s identity?

Challenge in verifying shared device data

How do you verify the identities of website visitors?

Do you need to collect more information to fulfill the request?

AG Regulations: §999.313 (c) (Responding to Requests to Know)

• If the business cannot verify the ID of the person making the request, the business shall not disclose any personal information to the requestor and shall inform the consumer it cannot verify their identity.

• Business shall not provide consumer with specific pieces of PI if “disclosure creates a substantial, articulable, and reasonable risk to the security of the PI, the consumer’s account with the business, or the security of the business’s systems or networks.”

• Business shall not at any time disclose a consumer’s SSN, driver’s license number or any other government-issued identification number, financial account number, any health insurance or medical ID number, an account password, or security questions and answers.

AG Regulations: §999.313 (c) (Responding to Requests to Know); Cont’d.

• Business shall use reasonable security measures when transmitting PI to the consumer.

• If business must deny consumer’s verified request because of a conflict with state/federal law or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial. If the request is denied only in part, the business shall disclose the other PI sought by the consumer.

DSAR Hypo

• Your company receives a data subject access request (DSAR) from an email address that does not correspond to any of your customers, but they have the individual’s first and last name, professional email address, telephone and mailing address.

• The request is for “any PII that your organization (or a third party organization on your behalf) stores about me. Please include data that your organization holds about me in your digital or physical files, backups, emails, voice recordings or other media you may store”

• How do you respond to such a request?
• Do you provide the data?
• How do you verify his/her identity?
• Do you request additional documentation?

GDPR DSAR Lessons Learned

• A researcher using his girlfriend’s personal data initiated numerous DSAR requests based on the previous hypothetical. The findings of his research:
• 56% of companies (in the UK and US) confirmed they were storing information about his girlfriend.
• 39% insisted on a strong form of identification
• 24% responded without further inquisition
• 16% accepted a weak form of identification
• 5% of companies said they did not fall under the requirements as they were based in America
• 3% took the step of immediately deleting the personal data they held, rather than disclosing it.

Remember ChoicePoint?

Records of 163,000 consumers compromised.

ChoicePoint agreed to pay $10M in civil penalties and $5M for consumer redress.

Side note: This breach is why we have security breach laws in all 50 states & DC.

California Consumer Privacy Act

Signed into law 6.28.18

Regulates an organization’s uses of a CA resident’s personal information

Effective January 1, 2020

Initial amendments in Sept 2018

Oct. 2019 - Additional Amendments signed by the Governor

Draft AG regulations issued on 10.10.19

CCPA Applicability

• Companies “doing business” in CA must comply with CCPA if they meet or exceed one of these three thresholds:

• Annual gross revenue in excess of $25 million

• Alone or in combination, annually buys, receives for the entity’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices

• 50% or more of annual revenue is derived by the company selling consumers’ personal information.

CCPA Applicability

“Consumer” is defined as a natural person who is a California resident.

Comparison GDPR & CCPA

CAL Consumer Privacy Act (CCPA) vs. EU General Data Protection Regulation (GDPR)

What data is affected?
• CCPA: “personal information” covers almost any consumer or household related data that a company collects or maintains, including online IDs, profiling data, sensory data, etc.
• GDPR: “personal data” is any data relating to an identified or identifiable natural person, including online IDs, profiling data, etc.

Who must comply?
• CCPA: Businesses that collect CAL consumer information and (a) have annual gross revenue of $25M USD, (b) annually buy, receive, sell or share for commercial purposes information of at least 50,000 consumers, households or devices, or (c) derive at least 50% of their annual revenue from selling consumer’s personal information
• GDPR: Organizations established in EU, offering goods and services to EU residents, or profiling or targeting EU residents.

Whose information is protected?
• CCPA: Consumers that are California residents, including employees.
• GDPR: European residents (EU/EEA residents)

Requirement for Processing
• CCPA: “Robust Notice & Choice” = requirement to present a new “do not sell my personal information” link. Website and toll-free phone number for consumer inquiries has to be provided.
• GDPR: Legal basis for processing, such as consent.

What rights do individuals have?
• CCPA: Right to disclosure; Right to access; Right to delete; Right to opt out from sale of personal information
• GDPR: Right to access; Right to delete; Right to rectification; Right to data portability; Right to object

Private Right of Action
• CCPA: Yes, if data breach based on failure to maintain reasonable security. Statutory damages up to $750 per consumer per incident.
• GDPR: Yes.

Fines
• CCPA: California AG can impose civil penalties of up to $7,500 per violation.
• GDPR: Administrative fines of up to EUR 20M or 4% of total global annual turnover.

Key Definitions

CCPA: Personal information
• information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household
• Includes a list of specific examples, including identifiers, biometric data, IP addresses and… olfactory information

GDPR: Personal data
• any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

CCPA vs. GDPR: right of access

CCPA:
• Applies to PI that has been ‘collected’ or ‘sold’
• Categories of PI it has collected/sold about that consumer
• The categories of sources from which the PI is collected
• The business or commercial purpose for collecting/selling PI
• The categories of third parties with whom the business shares PI
• Existence of deletion right
• The specific pieces of PI it has collected about that consumer.
• Reply in 45 days, that can be extended once (justified)
• Free of charge

GDPR:
• Applies to PD that is being ‘processed’
• Purposes of processing
• Categories of PD processed
• Retention periods
• Sources of PD
• Existence of other rights, including to complain
• Existence of profiling, automated decision-making (ADM)
• Logic involved in profiling, ADM
• A copy of the PD that are processed
• Reply in 30 days, which can be extended (justified)
• Free of charge, unless excessive request

CCPA vs. GDPR: right of deletion/erasure

CCPA:
• Applies to PI that has been ‘collected’
• A consumer can request deletion in all circumstances, unless exceptions apply
• Exceptions, where PI is needed to/for:
  • Complete a contract or provide a service/good requested by the consumer
  • Detect security incidents
  • Free speech
  • Comply with other California laws
  • Scientific, historical, statistical research
  (et al, 9 in total)

GDPR:
• Applies to PD that is being ‘processed’
• A data subject can request erasure in certain circumstances only – PD are no longer necessary, unlawful processing, withdrawal of consent, successful objection,
• Exceptions:
  • Freedom of expression
  • Legal obligation
  • Public health
  • Archiving or scientific, historical, statistical research
  • Establishment, exercise or defense of legal claims

CCPA vs. GDPR: Right to opt-out

CCPA: Selling of PI
• right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s PI
• Provide a clear and conspicuous link on the business’s homepage, titled ‘Do Not Sell My Personal Information’

GDPR: Processing of PD
• Withdrawal of consent
• Right to object to direct marketing
• Right to object (when processing based on legitimate interest or public interest)
• Right not to be subject to solely ADM
• No specific formatting requirements
• Consent must be as easy to withdraw as it is to give

GDPR Lessons Learned

Be responsive! Many poorly answered / ignored access requests have turned into DPA complaints.

The importance of a good data retention policy

When to push back / how to narrow the request

De-identification Challenges

Importance of vendor cooperation – both access and format

Using GDPR Processes for CCPA

What GDPR policies / processes can be repurposed for CCPA?

Did your GDPR data mapping include all customers / employees or just EU-based data subjects?

Will the same individuals who handle GDPR DSARs handle CCPA requests?

How will your privacy policy change for CCPA?

DSAR Alternatives

Self-service offerings bypass the DSAR process

These processes do not talk about complying with a specific right, but have the effect of promoting transparency to users.

Technical Challenges

Search starts off automated, but ends up being manual in order to make it consumable to the individual

Organizations are resource and time-limited; defensibility is based on potential risks and benefits

Multiple foreign keys for matching an identity

Matching an identity with no ID

API illusion

Recommendations

Define a reasonable scope

Consider limits to unstructured data and backups

Test the processes regularly, even after effective dates of a privacy law have passed.

Other considerations?

Automate It?

Average DSAR costs $1,400 / request (employee requests can be even more challenging)

By 2021, 80% of negative financial impact of the CCPA will arise from a company’s failure to implement scalable DSAR workflow.

Likely spike in DSARs after CCPA is effective on Jan. 1, 2020

Pros & Cons to having an automated process?

Risk of keeping a “data lake” to make data more easily accessible vs. honeypot for attackers

Examine what motivates DSARs

California AG Draft Regulations

RECOMMENDED BEST PRACTICES FOR VERIFICATION

RECORDKEEPING REQUIREMENTS

REPORTING DSAR METRICS

ACCESSIBLE TO CONSUMERS WITH DISABILITIES

Questions?

www.kilpatricktownsend.com

© 2019 Kilpatrick Townsend

Resilience for our clients and our firm through data management in the world’s most challenging regimes