The impact of non-compliance with the California Consumer Privacy Act (CCPA) could be severe! If you're a business owner or an executive responsible for data and compliance for your organization, this presentation by Marit Davey - Data Privacy Compliance Expert can be helpful.
1. Marit Davey
Data Privacy Compliance Expert
CCPA | GDPR
CCPA - Get Your Business Ready
WEBINAR
PRESENTS
2. Helping 550+ clients worldwide attain massive scale
Recognized by Market Research and Industry Leaders
55+ Billion Events Recorded per Month
40+ Billion Messages Sent per Month
500+ Million User Profiles Processed Every Month
Featured twice as one of the highest-rated in the ‘Mobile Marketing Automation’ MQ in terms of customer experience
Digital CX Competency partners for achieving scale and innovation with AWS
Vendor Landscape for Mobile Engagement Automation solutions
4. Agenda
California Consumer Privacy Act (CCPA)
CCPA Background
Applicability
Personal Information under CCPA
Selling Consumer information
Comparison of key GDPR and CCPA requirements
Data Privacy Landscape
Data Privacy in the news
Consumer sentiment
Consumer rights within CCPA
Exceptions To The Law
CCPA impact to Businesses
Responding to DSAR Requests
CCPA Key Requirements
How to comply
Final Thoughts
6. CCPA back story
"These giant corporations
know absolutely
everything about you, and
you have no rights."
7. The CCPA was signed into law in California on June 28th, 2018;
Effective Date: January 1, 2020.
Estimated Enforcement Date: July 2020.
12-month lookback for consumer rights requests.
Intended to give consumers more control over their data
through notice and choice.
California Consumer Privacy Act: background
8. Most of the CCPA’s obligations apply directly to a “business,” which:
Determines the purposes and means of processing personal information
Does business in California and meets one or more of the following thresholds:
Has yearly revenue of more than $25 million,
Either annually sells, buys, or shares the personal data of at least 50,000 consumers, devices, or households
Generates at least 50% of its yearly revenue from selling consumers’ personal information. [Targeted to ad tech]
CCPA’s Applicability
9. According to the CCPA, personal information broadly includes any
information which relates to, identifies, describes, can be associated with,
or can reasonably be linked with, directly or indirectly, a specific consumer
or household.
This information can be a name, unique personal identifier, postal address,
online identifier, email address, Internet Protocol address, account name,
driver’s license number, Social Security number, passport number, certain
education information, and biometric information among others.
It includes behavioral data derived from digital interactions between a
brand and consumers, and any inferences your company draws from such
data, like a consumer’s buyer persona or preferences.
Personal Information Under The CCPA
10. Selling consumer information
Under the CCPA, the word “selling” encompasses or covers any exchange of consumers’ personal data “for either monetary or other valuable consideration.”
No money has to change hands in order for personal data to be sold.
11. Comparison of key GDPR and CCPA requirements
Area | Requirement | GDPR | Compared | CCPA
Scope | Scope | EU personal data processed | ↓ | California resident's personal data collected
Rights | Right to access | Right to access all EU personal data processed | ↓ | Right to access California personal data collected in the last 12 months, delineated between sold and transferred
Rights | Right to portability | Must export and import certain EU personal data in a user-friendly format | ↓ | All access requests must be exported in a user-friendly format, but there is no import requirement
Rights | Right to correction | Right to correct errors in EU personal data processed | ✕ | Not included in CCPA
Rights | Right to stop processing | Right to withdraw consent or otherwise stop processing of EU personal data | ↓ | Right to opt-out of selling personal data only; must include opt-out link on website
Rights | Right to stop automated decision making | Right to require a human to make decisions that have a legal effect | ✕ | Not included in CCPA
Rights | Right to stop 3rd party transfer | Right to withdraw consent for data transfers involving secondary purposes of special categories of data | ↓ | Right to opt-out of selling personal data to third parties
Rights | Right to erasure | Right to erase EU personal data under certain conditions | = | Right to erase personal data collected, under certain conditions
Legal basis | Right to equal services and price | At most, implicitly required | ↑ | Explicitly required
Enforcement | Private right of action damages | No floor or ceiling | ↓ | Floor of $100 and ceiling of $750 per consumer per incident
Enforcement | Regulator enforcement penalties | Ceiling of 4% of global annual revenues | ↑ | No ceiling; $7,500 per violation
Source: PwC
12. Data Privacy in the news
‘It’s about time’: Facebook faces first lawsuit from U.S. regulators after Cambridge Analytica scandal (Dec. 19, 2018 at 2:41 p.m. PST)
California has become a battleground for the protection of consumer privacy rules (March 11, 2019 | SACRAMENTO)
The U.S. government and Facebook are negotiating a record, multibillion-dollar fine for the company’s privacy lapses. (February 11, 2019)
Equifax Just Got Fined Up To $700 Million For That Massive 2017 Hack (4,590 views | Jul 22, 2019, 10:01am)
Twitter and Facebook could be facing billions in fines after Ireland investigations (PUBLISHED MON, OCT 7 2019)
13. Consumer sentiment
Here’s what PwC found when they surveyed 2,000 U.S. consumers over age 18 in 2017:
10% of consumers feel they have complete control over their personal information
25% of consumers believe most companies handle their sensitive data responsibly
88% of consumers say their willingness to share data depends on how much they trust a company
Nearly the same amount of consumers say they’ll take their business elsewhere if they don’t trust a company
More than half of consumers said they’d make an effort to get their information back from a company if they had that choice
14. Consumer rights within CCPA
Right to know all personal data collected by a business
Right to say no to the sale of personal data
Right to delete personal data
Right to be informed of what categories of personal data will be collected prior to its collection, and to be informed of any changes to this collection
Mandated opt-in before sale of children’s information (under the age of 16)
Right to know categories of third parties with whom personal data is shared
Right to know categories of sources of information from whom personal data is acquired
Right to know the business or commercial purpose of collecting personal information
Private right of action when companies breach personal data
15. Responding to DSAR Requests
Register, log, and authenticate the DSAR:
- Companies need an easy way to receive, log, and authenticate the DSAR, and to automatically notify the person and company leads.
• Risks: Missed or unauthenticated requests
- Without automation, important requests could be missed.
- Without authentication, the requestor cannot be trusted.
Collect the personal information:
- Assign and manage the collection or deletion of information, usually from multiple data stores with multiple owners/managers.
• Risks: Tracking, data minimization, and security
- Requests need to be managed to make sure deadlines are met.
- Systems that manage DSARs should keep the personal information centralized and encrypted.
Review and approve the information:
- Review the request and the personal information, and ensure that you are delivering what is required to the right person.
• Risks: Audit, data minimization
- Approvals must be tracked and auditable.
- Big risks if data is delivered to the wrong person.
Safely deliver the customer information:
- Personal information needs to be delivered to the right person, in a secure way.
• Risks: Authentication, verification, and security
- Systems that manage DSARs should keep the personal information centralized and encrypted.
16. Data inventory and mapping of in-scope personal data and instances of “selling” data
New individual rights to data access and erasure
New individual right to opt-out of data selling
Updating service-level agreements with third-party data processors
Remediation of information security gaps and system vulnerabilities
CCPA key requirements
17. How to comply
Privacy Notice: Clearly disclose to requesting consumers the categories as well as specific pieces of personal information you have collected.
Privacy Policy: Before or at the point of data collection, inform consumers about the specific types of personal data to be collected as well as the purposes for which the types of personal information will be used.
Access and Deletion Request: Disclose and deliver or delete personal information (for free) as requested by your consumers. However, keep in mind that your business is not under an obligation to furnish personal data to a consumer more than two times in a twelve-month period.
Data Mapping Exercise / Self Assess: De-identify or else link any information that, in the usual course of business, isn’t maintained in a way that would be deemed personal information.
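The DSAR workflow on slide 15 and the two-requests-per-twelve-months rule on slide 17 can be encoded as a small intake routine. This is an added Python example, not code from the webinar or any product: the `DsarRegistry` class, its method names and the sample records are constructed assumptions. It refuses unverified requestors before any data is touched, caps access responses at two per 12 months, returns only the 12-month lookback window split between sold and other data, and keeps an append-only audit trail of every decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=365)  # 12-month lookback on data returned (slide 7)
MAX_ACCESS_PER_YEAR = 2         # no duty to furnish data more than twice in 12 months (slide 17)
NOW = datetime(2020, 1, 1)      # constructed "current time" for the sample data below

@dataclass
class Record:
    consumer_id: str
    collected_at: datetime
    category: str   # e.g. "email", "ip_address", "inference"
    sold: bool      # disclosed for monetary or other valuable consideration?

@dataclass
class DsarRegistry:  # hypothetical class, not from any real DSAR product
    records: list
    fulfilled: dict = field(default_factory=dict)  # consumer_id -> fulfilment times
    audit: list = field(default_factory=list)      # append-only trail of every decision

    def _log(self, event, **ctx):
        self.audit.append({"event": event, **ctx})

    def handle_access(self, req_id, consumer_id, verified, now):
        """Return the consumer's 12-month data window split sold/not sold, or None if refused."""
        self._log("received", request=req_id, consumer=consumer_id)
        if not verified:  # never release data to a requestor whose identity is unverified
            self._log("refused_unverified", request=req_id)
            return None
        recent = [t for t in self.fulfilled.get(consumer_id, []) if now - t < LOOKBACK]
        if len(recent) >= MAX_ACCESS_PER_YEAR:
            self._log("refused_quota", request=req_id, prior=len(recent))
            return None
        in_scope = [r for r in self.records
                    if r.consumer_id == consumer_id and now - r.collected_at <= LOOKBACK]
        self.fulfilled.setdefault(consumer_id, []).append(now)
        self._log("fulfilled", request=req_id, items=len(in_scope))
        return {"sold": sorted(r.category for r in in_scope if r.sold),
                "not_sold": sorted(r.category for r in in_scope if not r.sold)}

def sample_registry():
    """Constructed sample data: c1 has a recent record, a sold record and a stale one."""
    return DsarRegistry(records=[
        Record("c1", NOW - timedelta(days=30), "email", sold=False),
        Record("c1", NOW - timedelta(days=60), "ip_address", sold=True),
        Record("c1", NOW - timedelta(days=400), "postal_address", sold=False),  # outside lookback
        Record("c2", NOW - timedelta(days=10), "email", sold=False),
    ])
```

The stale `postal_address` record never appears in a response, and the third verified request from `c1` within the year is refused and logged rather than silently dropped.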
18. Final Thoughts
Being prepared in order to avoid costly enforcement actions
Meeting subject access requests - you need to be able to identify content related to a data subject, classify and protect consumer data, and delete upon request.
You will have to update privacy notices, other procedures and policies, and your website
Your business must start mapping all the personal data that it collects as well as locations where such personal data is stored in order to promptly meet or respond to any request under the CCPA.
Work with someone who is knowledgeable about the law in order to determine how your business, clients, vendors and other third parties are defined under the CCPA, and then concentrate on the implications for your business.
Don’t expect this to be the last privacy act.
Although the CCPA has already been amended, it might go through more updates before it comes into effect.