The GDPR forced companies to spend a substantial amount of time, resources and money on becoming compliant. For many companies, it took years to understand, build and manage a compliance program to meet the variety of requirements included in the GDPR.
With new and updated privacy laws and regulations arriving, such as the CCPA, and court decisions such as the invalidation of Privacy Shield, companies are now being tasked with assessing the impact on their current privacy program and learning how to weave the new requirements into existing practices.
Listen to this webinar to learn how to leverage the substantial amount of work that was done for the GDPR to simplify additional privacy compliance.
2. How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More
New Requirements
● We will be starting a couple of minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
3. Speakers
K Royal, FIP, CIPP/US/E, CIPM, CDPSE - Associate General Counsel, Privacy Intelligence, TrustArc
Joanne Furtsch, CIPP/C, CIPP/US, CIPT, FIP - Director, Privacy Intelligence Development, TrustArc
Meaghan McCluskey, LL.B., CIPP/US/E, CIPM - Director of Research, TrustArc
4. Agenda
● Key similarities and differences between GDPR and CCPA
● The main compliance areas that can be leveraged for multiple requirements (including individual rights and consent)
● Recent legislative developments with similarities to GDPR and CCPA
● How a framework-based approach helps achieve ongoing compliance for future legislation
5. Polling Question 1
Where are you on GDPR to CCPA compliance?
● Both are fully operational
● Both are operational, but more so GDPR
● Both are operational, but more so CCPA
● Neither one is what I would call operational
6. Using a Framework is Critical
● Consistency of approach
● Predictability
● Baseline documentation
● Reduce risk
● Prioritize actions and reactions
8. Summary of GDPR and CCPA Mapping

Differences

Compliance deadline
GDPR: May 25, 2018 (note: Schrems II)
CCPA: January 1, 2020 (note: Regs approved)

Applicability
GDPR: In the EU and organizations offering goods and services to people in the EU
CCPA: California and organizations doing business there

Who it protects
GDPR: Data protection is seen as a fundamental human right, so no nationality requirement is needed
CCPA: This legislation focuses on California residents

Area of focus
GDPR: Omnibus – it covers most aspects of data protection
CCPA: Focuses on data subject rights, transparency, third party management, and training, but compliance is dependent on privacy program accountability

Similarities (both GDPR and CCPA)

Individual rights: Having a mechanism for fielding a broad scope of requests, timely responding to requests, and keeping an audit trail should be part of an individual rights program.
Consent: Having mechanisms for ensuring that data processing is permitted and lawful, such as consent management, should be part of an overall data privacy management program.
Notice: Notice should be part of an overall data privacy management program.
Data inventory: Having an up-to-date data inventory that shows what data is being collected, why it is being collected, and who is using it will help meet compliance requirements.
9. Final CCPA Regulations Approved and Now Effective Immediately
● August 14, 2020: Approved
● Mostly non-substantive, but some withdrawn provisions are worth noting:
○ § 999.305(a)(5) - New uses, no consent
■ Businesses are not required to directly contact consumers and obtain explicit consent when using PI for purposes materially different from those disclosed in the privacy notice at the time of collection.
○ § 999.306(b)(2) - No offline opt-out notices
■ Businesses that primarily interact with consumers offline will not be required to provide notice of the right to opt-out of the sale of personal information through an offline method.
○ § 999.315(c) - Easy opt-out removed, but obstructions still not permitted
■ The withdrawn provision (1) required that a business's opt-out method be "easy for consumers to execute" and "require minimal steps to allow the consumer to opt-out," and (2) prohibited using a method that intended or had the substantial effect of "subverting or impairing" a consumer's decision to opt-out.
○ § 999.326(c) - Removed as redundant
■ Businesses may deny requests from authorized agents who do not provide signed written permission from the consumer demonstrating they have been authorized to act on the consumer's behalf. This ground for denial is still provided in § 999.315.
11. Individual Rights / Data Subject Rights
Background
● Privacy laws require companies to respond to individual (data subject) requests about their data on specific timelines:
GDPR, General Data Protection Regulation
● Articles 15-23 give data subjects rights over their data (i.e., right of access; rectification or erasure; to restrict or object to processing; and to portability);
● Requests must be addressed within one month (extendable by two further months for complex or numerous requests, Art. 12(3))
CCPA, California Consumer Privacy Act
● Sections 1798.100-120 give individuals rights of access and data portability, erasure, information about the collection and sale of data, and to opt-out of sales.
● Requests must be addressed within 45 days (extendable once by a further 45 days where reasonably necessary, 1798.130(a)(2)).
12. Operationalizing Individual Rights under CCPA
How you can leverage what you did under GDPR for CCPA
● Provide an accessible mechanism through which individuals can submit a request (e.g., on the website, through a toll-free phone number, a designated email address, paper forms).
● Validate that the mechanism for receiving requests is working: requests are received, the date of receipt is recorded, receipt of the request is acknowledged, the identity of the requestor is verified, and requests are being actioned appropriately.
● Leverage communication templates and other mechanisms created for GDPR:
○ Access requests under GDPR include most of what you need for CCPA (the biggest challenge will be providing an accounting of disclosures/sales);
○ Erasure requests - validate the availability of exclusions;
○ Opt-out and objection mechanisms for marketing and automated processing can be retooled for sales of data;
○ Data portability - treat the same way (CCPA's portable-format requirement only applies when the information is delivered electronically).
(Diagram: Submit a Request → Request Received)
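The intake flow above (record receipt, acknowledge, verify identity before actioning, respond within the statutory deadline, keep an audit trail) can be made concrete in code. The following is an added example written for this page, not code from the webinar or from TrustArc; the class and method names, the request states and the sample request data are assumptions. It computes the GDPR deadline in calendar months (Art. 12(3): one month, extendable by two further months) and the CCPA deadline in days (1798.130(a)(2): 45 days, extendable once by 45 days), and refuses to fulfil a request whose requestor has not been verified.

```python
"""Added example (not from the webinar): a minimal individual-rights request
tracker that records receipt, gates fulfilment on identity verification,
computes the statutory response deadline per regime and keeps an audit trail.

Assumptions (hypothetical, not from the slides): the RequestTracker/Request
names, the status values and the channel/method strings passed in.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

GDPR, CCPA = "GDPR", "CCPA"


def add_months(d: date, n: int) -> date:
    """Add n calendar months, clamping to the last day of the target month
    (31 Aug + 1 month -> 30 Sep), which is how a GDPR 'one month' period runs."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def base_deadline(regime: str, received: date) -> date:
    return add_months(received, 1) if regime == GDPR else received + timedelta(days=45)


def extended_deadline(regime: str, deadline: date) -> date:
    return add_months(deadline, 2) if regime == GDPR else deadline + timedelta(days=45)


@dataclass
class Request:
    request_id: str
    regime: str
    kind: str                       # access, erasure, portability, opt-out, ...
    received: date
    deadline: date
    status: str = "received"        # received -> acknowledged -> verified -> completed
    extended: bool = False
    trail: list = field(default_factory=list)   # append-only audit trail

    def log(self, on: date, event: str, detail: str = "") -> None:
        self.trail.append((on.isoformat(), event, detail))


class RequestTracker:
    def __init__(self) -> None:
        self._requests: dict[str, Request] = {}

    def receive(self, request_id: str, regime: str, kind: str, on: date, channel: str) -> Request:
        if regime not in (GDPR, CCPA):
            raise ValueError(f"unknown regime {regime!r}")
        req = Request(request_id, regime, kind, on, base_deadline(regime, on))
        req.log(on, "received", channel)        # date of receipt is what the clock runs from
        self._requests[request_id] = req
        return req

    def acknowledge(self, request_id: str, on: date) -> None:
        req = self._requests[request_id]
        req.status = "acknowledged"
        req.log(on, "acknowledged")

    def verify_identity(self, request_id: str, on: date, method: str) -> None:
        req = self._requests[request_id]
        req.status = "verified"
        req.log(on, "identity_verified", method)

    def extend(self, request_id: str, on: date, reason: str) -> date:
        """Both regimes allow a single extension; record why it was needed."""
        req = self._requests[request_id]
        if req.extended:
            raise ValueError("only one extension is permitted")
        req.deadline, req.extended = extended_deadline(req.regime, req.deadline), True
        req.log(on, "extended", reason)
        return req.deadline

    def complete(self, request_id: str, on: date, outcome: str) -> None:
        """Refuse to release or erase data for an unverified requestor."""
        req = self._requests[request_id]
        if req.status != "verified":
            raise PermissionError("identity not verified; request cannot be actioned")
        req.status = "completed"
        req.log(on, "completed", outcome)

    def overdue(self, as_of: date) -> list[str]:
        return sorted(r.request_id for r in self._requests.values()
                      if r.status != "completed" and as_of > r.deadline)

    def audit_trail(self, request_id: str) -> list:
        return list(self._requests[request_id].trail)


if __name__ == "__main__":
    # constructed sample requests, one per regime
    t = RequestTracker()
    t.receive("R1", GDPR, "access", date(2020, 8, 31), "web form")
    t.receive("R2", CCPA, "access", date(2020, 8, 31), "toll-free phone")
    for rid in ("R1", "R2"):
        print(rid, t._requests[rid].deadline)
```

The clamping in add_months matters in practice: a GDPR request received on the 31st of a month would otherwise roll into a deadline a day or two later than the one a regulator would compute. The audit trail is append-only on purpose, since the slide's point is that you must be able to evidence when the request arrived, when identity was checked and when it was closed.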
13. Consent
Background
● Privacy laws may require companies to obtain the consent of individuals before processing their personal information for certain business purposes. The conditions for consent may depend on the type of individual or information, or on the processing purpose.
GDPR, General Data Protection Regulation
● Articles 7 & 8 lay out the conditions for using consent as the basis for processing (Article 8 covers children's consent for online services)
● The consent mechanism needs to be clearly presented, easily identified and distinguished from other content or features
CCPA, California Consumer Privacy Act
● 1798.120(a) gives consumers the right to opt-out of the sale of personal information to third parties
● § 999.315 (Requests to Opt-Out) of the Final CCPA Regulations requires companies to provide two or more methods for consumers to opt-out, including, for businesses that operate online, an interactive form reachable via a "Do Not Sell My Personal Information" link on the company's website or mobile app.
14. Operationalizing Consent Requirements under CCPA
How you can leverage what you did under GDPR for CCPA
● Provide a clear, easily identifiable mechanism (or mechanisms) to obtain consent and let individuals indicate a preference (e.g., opt-out).
● Track that the individual gave consent or opted-out - keep evidence of the individual's preference.
● Enable individuals to withdraw consent or change their preference (e.g., "it's okay to sell my information").
CCPA's requirements for providing the opt-out mechanism around the sale of personal information and for obtaining consent for financial incentives are outlined in the Final Text of the CCPA Regulations:
https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf?
(Diagram: Opt-Out → Opt-Out Confirmed)
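The three bullets above (a mechanism to capture the choice, evidence of the choice, and the ability to withdraw or change it) map naturally onto an append-only ledger of decisions. The block below is an added example for this page, not code from the webinar or from TrustArc. It assumes two hypothetical purposes to show the two decision models side by side: an opt-in purpose (GDPR consent-based processing, not permitted until consent is given) and an opt-out purpose (CCPA sale of personal information, permitted until the consumer opts out); the purpose names, source strings and notice versions are constructed for the example.

```python
"""Added example (not from the webinar): an append-only consent/preference
ledger. Each decision is stored with its evidence (when, through which
mechanism, under which notice version) and the current state is derived from
the latest event per purpose, so withdrawal or a later change of preference
never requires deleting earlier evidence.

Assumptions (hypothetical): the purpose names and their decision model.
"""
from dataclasses import dataclass
from datetime import datetime

# purpose -> decision model (assumed for this example)
PURPOSE_MODEL = {
    "marketing_email": "opt_in",    # GDPR Art. 7 consent: off until consented
    "sale_of_pi": "opt_out",        # CCPA 1798.120 right to opt out: on until opted out
}


@dataclass(frozen=True)
class Decision:
    subject_id: str
    purpose: str
    permitted: bool          # what the individual chose
    at: datetime
    source: str              # e.g. "cookie banner", "Do Not Sell link", "call centre"
    notice_version: str      # privacy notice shown when the choice was made


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[Decision] = []

    def record(self, subject_id: str, purpose: str, permitted: bool,
               at: datetime, source: str, notice_version: str) -> Decision:
        if purpose not in PURPOSE_MODEL:
            raise ValueError(f"unknown purpose {purpose!r}")
        d = Decision(subject_id, purpose, permitted, at, source, notice_version)
        self._events.append(d)    # never mutate or delete earlier evidence
        return d

    def latest(self, subject_id: str, purpose: str):
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.at) if matches else None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """Apply the regime's default when no decision exists, else the latest choice."""
        last = self.latest(subject_id, purpose)
        if last is None:
            return PURPOSE_MODEL[purpose] == "opt_out"
        return last.permitted

    def evidence(self, subject_id: str, purpose: str) -> list:
        """Full history, oldest first, for an audit or an access request."""
        return [(e.at.isoformat(), e.permitted, e.source, e.notice_version)
                for e in sorted(self._events, key=lambda e: e.at)
                if e.subject_id == subject_id and e.purpose == purpose]


if __name__ == "__main__":
    # constructed sample: one consumer opts out of sale, then later opts back in
    ledger = ConsentLedger()
    ledger.record("u1", "sale_of_pi", False, datetime(2020, 8, 1, 9, 0), "Do Not Sell link", "v3")
    ledger.record("u1", "sale_of_pi", True, datetime(2020, 9, 1, 9, 0), "preference centre", "v4")
    print(ledger.is_permitted("u1", "sale_of_pi"), ledger.evidence("u1", "sale_of_pi"))
```

Storing the notice version with each decision is what lets you later show that consent was informed against the text actually displayed; recording the source lets you prove the choice came through one of the designated opt-out methods rather than being inferred.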
15. Notice
Background
● Privacy laws require individuals to be informed of processing activities before their personal information is collected, or before information received from third parties is used.
GDPR, General Data Protection Regulation
● Article 12 - Concise, transparent, intelligible and easily accessible form; in writing, including electronically.
● Article 13 - 6 mandatory disclosures; 6 additional disclosures where necessary to ensure fair and transparent processing.
CCPA, California Consumer Privacy Act
● Sec. 1798.130/1798.110 - 4 main disclosures to include in online privacy policies.
● Sec. 1798.135 - disclose that information might be sold and provide an opt-out.
The CCPA Regulations add requirements, including delivery, formatting, language, and content.
16. Operationalizing Notices under CCPA
How you can leverage what you did under GDPR for CCPA
● Language is already in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Art. 12).
● Notice is already in writing, likely electronically, and scripts may already have been developed for providing the information orally (Art. 12).
● Leverage mechanisms created for displaying and providing GDPR notice:
○ In person - hard copy, posters;
○ Online - links (consider a separate California Privacy Rights Notice if you already comply with Shine the Light);
○ In apps.
17. Data Inventory
Background
● A data inventory helps companies understand where data is stored and start to understand their data flows. Some privacy laws explicitly require companies to maintain records or an inventory of their processing activities.
GDPR, General Data Protection Regulation
● Article 30 - Records of Processing Activities
● Art. 30(1) - Data Controllers must maintain a record of processing activities
● Art. 30(2) - Data Processors must maintain a record of the categories of processing carried out on behalf of each Data Controller
CCPA, California Consumer Privacy Act
● 1798.130 - the required disclosures about personal information collected, sold and disclosed in the preceding 12 months effectively require companies to maintain a data inventory covering at least the prior 12-month period
18. Doing your inventory to comply with CCPA
How you can leverage what you did under GDPR for CCPA
● Leverage your organization's process for creating and maintaining Records of Processing Activities, used to generate GDPR Article 30 reports, to create your Inventory of Data Processing.
● Identify processing activities that include processing data of California consumers and update your existing inventory.
● Indicate on each record whether the disclosure of personal information to a third party is a sale.
20. Main GDPR Compliance Areas Mapped to Other Regulations
Regulations compared (one column each): GDPR, CCPA, NZ Privacy Act 2020, Japan LPPI, China Civil Code, Dubai DPL 2020, Egypt LPPD, Privacy Shield

Individual Rights: X X X X X X X X (all eight)
Notice: X X X X X X X (seven of eight)
Consent: X X X X X X X X (all eight)
Data Inventory: X X X X (four of eight)
21. Individual Rights Mapped to Other Regulations
Regulations compared (one column each): GDPR, CCPA, NZ Privacy Act 2020, Japan LPPI*, China Civil Code, Dubai DPL 2020, Egypt LPPD, Privacy Shield

Access: X X X X X X X X (all eight)
Correction: X X X X X X X (seven of eight)
Erasure: X X X X X X (six of eight)
Object / Opt-Out: X X X X X X (six of eight)
Portability: X X X (three of eight)

*Japan's Law on the Protection of Personal Information was amended on June 12, 2020 to bring in rights of access and cessation of processing.
23. Polling Question 2
What framework if any do you use in your privacy or security program?
● ISO/IEC
● NIST
● Another recognized framework
● Our own self-developed framework
● None
24. Important Framework Elements
Build
● Establish, maintain and continually evolve and improve a privacy program aligned with other information governance, compliance and risk management functions such as security, IP and trade secret protection, and e-discovery
● 6 "Build" standards aligned with key laws, regulations and effective ethics and compliance programs
Implement
● 8 "Implement" standards for designing and/or engineering effective privacy and data governance controls into organizational processes, products and technologies, and for maintaining or enhancing those controls throughout the lifecycle of the product, process or technology
● Conduct privacy impact assessments (D/PIAs) where processing presents a high inherent risk of harm to individuals, and remediate the identified risks
Demonstrate
● 2 "Demonstrate" standards for providing evidence of program and practices compliance, maturity, responsibility and value
27. Upcoming Webinars
Past Webinars
● 5 Signs Your Privacy Management Program is Not Working for You - August 26, 2020 @ 9:00 PST
● CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
● The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent