Operationalizing CCPA CLE Webinar - DLA Piper/media/files/insights/... · Applicability and Scope:...

Operationalizing CCPA – CLE Webinar
Kate Lucente, Rena Mears, Carol A.F. Umhoefer
January 16, 2019

*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

www.dlapiper.com

Introduction: What does Operationalizing Mean?

Operationalizing compliance

“Operationalizing”¹ is defined as putting something into operation or use. Operationalizing legal requirements in an enterprise requires establishing effective, sustainable processes and controls to achieve compliance within the organization and its 3rd party ecosystem.

¹ Merriam-Webster

Operationalizing CCPA: key considerations

• Applicability and scope – does CCPA apply to all or part of the business or ecosystem
• Covered assets – personal information defined; similarities or differences to other definitions
• Covered population – consumer definition and California residency as criteria
• Know your data
  • Covered business processes
  • Data mapping
  • Data strategy, transformation, innovation
• Third parties and ecosystem
• Consumer interaction
  • Notices and public-facing language
  • Receiving and responding to consumers
  • Establishing validity of requests and resolving discrepancies
• Data protection and security – reasonable security; data breach liability
• Sustainment and change management

Applicability and Scope

Applicability and Scope: Is the Business Subject to CCPA?

• Business excludes non-profits, but includes parents and subsidiaries
• Any commercial entity – sole proprietorship, partnership, LLC, corporation, association – doing business in California, collecting (or having collected on its behalf) consumer personal information, that alone or jointly with others determines the purposes and means of processing of personal information, and meets any one of the following thresholds:
  • Gross yearly revenues over $25M
  • Processing personal information of 50K or more consumers, or
  • Deriving 50% or more of revenue from selling consumer personal information
• Also includes any controlling parent or controlled subsidiary that shares common branding
• Considerations
  • Nearing threshold — need to prepare for compliance by the time the threshold is reached
  • “Service Provider” — contractual terms needed to qualify as “service provider” as opposed to “third party” and to exclude “sale” to “third party”
  • Consider other definitions as part of scoping analysis — e.g. broad definitions of personal information and sell

Covered Assets

Identify relevant data assets

• Identify personal information that may be subject to CCPA:
  • Consumer currently includes any California resident (consumers, B2B contacts, employees)
  • Personal information is “any information that directly or indirectly identifies, relates to, describes or can be associated with or reasonably linked to a California resident or household” – includes information related to individuals, households and devices
  • Collection includes buying, renting, obtaining, gathering, receiving, accessing (actively or passively) personal information, or deriving personal information from other information, including for profiling
  • Sale includes making available or disclosure of personal information for anything of value in return
• Identify potentially relevant exemptions: most exemptions apply only to regulated personal information that is collected or used by a regulated entity. CCPA may therefore apply to residual personal information even within generally regulated entities

Covered assets – key operational considerations

• Personal information – identifying, inventorying and mapping the data flows of all information at a level sufficient to meet the requirements associated with:
  • Expanded definition
  • Original acquisition channel/notice/permission
  • “Third party” sharing
  • 12-month look-back
  • Erasure rights
  • Opt-out rights
  • Consent for sale of minors’ personal information
• Expansive universe of covered persons and challenges with “residency” qualification

Covered Population

Identify covered population

• California residency determination
• Individuals and households
• Expanded personal information definition (linkable to an individual or household)
  • Includes IP address and other unique identifiers – website visitors, ad targeting
  • Connected devices – activity and interaction data
• Data quality – establishing identity and resolving ambiguities
• Establishing “household” relationships

Know Your Data

Covered business processes (Sample List)

• Consumer-facing products and services
  • Online and offline
  • Websites, mobile apps, SaaS, other online services
  • Retail – e-commerce and brick and mortar
  • Connected devices
• Marketing and advertising activities
  • Online advertising and retargeting
  • Lead generation
  • Data enrichment and acquisition
• Customer support and sales operations
• Customer relationship management
• Machine learning engines, data analytics, data aggregation
• B2B marketing
• Recruiting, employee monitoring, performance reviews

Data mapping

• Acquisition → processing → storage → integration → disclosure → retention → disposition
• Typical three levels of data mapping
  • Inventory – at the data storage level with key attributes
  • Business process / application layer – showing data movement and use
  • Underlying architecture
• Identify prior data inventories and maps and determine gaps for CCPA
• CCPA adds further complexity
  • Is the disclosure to a service provider? A third party? A sale?
  • Are existing maps sufficient to identify categories of personal information as set forth in CCPA, including purposes of use for each? Categories of third parties? Categories of sales? Categories of service providers?
  • 12-month look-back

Data strategy, transformation and innovation

• Data mining, querying, sharing, profiling, deriving, insights, deep learning
• Data strategy
  • Data sourcing
  • Data mining
  • Monetization
• Stage of transformation
• Governance structure – evolving nature of data management
• Derived outputs and data – ownership, control and accountability
• Multi-tenant platforms
• IoT and AI

Third Parties

Third parties

• Identify disclosures
  • Service providers
  • Third parties
  • Sales (remember broad definition of “sale”)
  • Don’t forget, e.g., analytics, ad networks, APIs, affiliates, agents, advisors, accountants
  • Impact on franchisor-franchisee relationship
• Contractual amendments
  • Minimum language to qualify as a “service provider”
  • Limit on use and disclosure and specify “business purpose”
  • Third party personal information brokers and providers: compliant collection, offered but not exercised opt-out
  • Intra-group personal information disclosure and use terms
• Data sources and original acquisition channel
• Downstream implications

Consumer Interactions

Consumer-facing notices and language

Update and/or develop:
• Website privacy policy
• Notice language at or before collection
• Consumer rights requests – online form and toll free number
• “Do Not Sell My Personal Information” link and page (if applicable) (with toll free number)
• Consent to sell personal information where individual has previously opted-out of sale (but can’t ask for 12 months from opt-out)
• Consent to sell minor’s data

Responding to consumer rights requests

Adopt procedures to manage the “response process”:
• Review and respond to requests within 45 days, with additional 45 days if necessary
• Identify relevant data assets
• Validate completeness and accuracy of response
• Review and respond to access requests — provide electronic copy (in portable form), including through any online account, or provide a copy via postal mail
• Review and respond to deletion request — evaluate validity, procedure and technical capability to “erase” personal information, and have service providers erase personal information
• Document response to each consumer within previous 12 months

Verifying identity and resolving discrepancies

Establish processes to address the “consumer-centric” side of the request:
• Establishing the identity of the “consumer”
• Determining validity of consumer request
• California residency determination
• Resolving ambiguities and potential “opt-out” discrepancies across data acquisition channels
• Establishing “household” relationships
• Resolving conflicting “do not sell” requests for household or device data

Data Protection and Security

Data breach liability and “reasonable” security

• Security – confidentiality, integrity and availability in the data layer
• Effective Jan 1, 2020 – no “grace period” related to timing of AG regulations
• Private right of action for breaches of personal information, if company did not have “reasonable” security controls
  • Consider class action waiver language in employee and customer contracts
• Encryption / redaction defense
• “Reasonable security” defense?
  • Meaning? Burden and expense of proof.
  • AG could issue regulations to clarify standards for “reasonable security”
  • Recognized standards – ISO 27001, NIST, CA AG Guidance on Online Security Controls
  • Certification by recognized, independent third party
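The slide names encryption and redaction as a defense to breach liability but does not show what a redacted store looks like in practice. The block below is an added illustration and is not code from the DLA Piper deck: it persists consumer records with the direct identifiers replaced by keyed HMAC tokens (so a verified rights request can still be matched against the store) plus a masked display value, drops fields the process does not need, and runs a guard that none of the original identifier values survive in cleartext. The field names, the sample record, the choice of which fields count as direct identifiers and the key value are all constructed for this example. Whether a given scheme is "redaction" in the statutory sense is a legal question the deck leaves open, and the key must be held outside the store it protects (a KMS or HSM), since an attacker holding both the store and the key gets the linkage back.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed key for this example only. In practice the pseudonymization key is
# held in a KMS/HSM and is never stored beside the redacted records.
PSEUDONYM_KEY = b"example-key-rotate-me-not-for-production"

# Which fields are direct identifiers is an assumption for this example; the
# deck only says the CCPA definition of personal information is broad.
DIRECT_IDENTIFIERS = {"email", "phone", "ssn", "ip_address"}
DIGIT_FIELDS = {"phone", "ssn"}                 # also checked in digits-only form
RETAINED_FIELDS = {"state", "opt_out_of_sale"}  # kept in cleartext on purpose


def pseudonymize(value: str) -> str:
    """Keyed, deterministic token over the normalized value.

    Same input gives the same token, so records can still be joined and a
    verified rights request can still be located, but without the key the
    token cannot be reversed or brute-forced from a list of candidate values.
    """
    normalized = value.strip().lower().encode()
    digest = hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()
    return "tok_" + digest[:32]


def mask_email(email: str) -> str:
    """Display-safe partial redaction: 'Jane.Doe@example.com' -> 'J***@example.com'."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits: '(415) 555-0123' -> '***-***-0123'."""
    digits = re.sub(r"\D", "", phone)
    return ("***-***-" + digits[-4:]) if len(digits) >= 4 else "***"


def redact_record(record: Dict[str, str]) -> Dict[str, str]:
    """Build the form of the record that is safe to persist.

    Direct identifiers become a keyed token (for linkage) plus, where useful, a
    masked display value; retained fields pass through unchanged; every other
    field is dropped (data minimization).
    """
    stored: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            stored[field + "_token"] = pseudonymize(value)
            if field == "email":
                stored["email_masked"] = mask_email(value)
            elif field == "phone":
                stored["phone_masked"] = mask_phone(value)
        elif field in RETAINED_FIELDS:
            stored[field] = value
    return stored


def leaks_identifiers(original: Dict[str, str], stored: Dict[str, str]) -> bool:
    """Return True if any full direct-identifier value from the original record
    (or, for phone/SSN, its digits-only form) appears in cleartext anywhere in
    the stored copy. Run this as a guard before writing to the store."""
    blob = " ".join(str(v) for v in stored.values()).lower()
    for field in DIRECT_IDENTIFIERS:
        raw = original.get(field)
        if not raw:
            continue
        needles = {raw.strip().lower()}
        if field in DIGIT_FIELDS:
            needles.add(re.sub(r"\D", "", raw))
        if any(needle and needle in blob for needle in needles):
            return True
    return False


# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "email": "Jane.Doe@example.com",
    "phone": "(415) 555-0123",
    "ip_address": "203.0.113.7",
    "state": "CA",
    "opt_out_of_sale": "true",
    "notes": "called about order 4471",
}

if __name__ == "__main__":
    stored = redact_record(SAMPLE_RECORD)
    print(stored)
    print("leaks identifiers:", leaks_identifiers(SAMPLE_RECORD, stored))
```

Keyed tokens rather than plain hashes matter here: an unkeyed SHA-256 of an email address or phone number is reversed in seconds by hashing a list of candidate values, so it would add little to a redaction argument. The tokens being deterministic is what lets the response process on the preceding slides still work: once a consumer's identity has been verified, their records can be located for an access or deletion request without ever storing the identifier itself.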

Sustainability and Change Management

Sustainability and Change Management

• Establish processes to support sustainment and change management
  • Internal and external change
  • Ownership
  • Agility, responsiveness, refresh, impact of innovation
• Establish regular audit and update procedures, e.g.:
  • ISO certification
  • Annual refresh
• Create/update process for monitoring legal changes (e.g., further state privacy laws) and corresponding operational impact of:
  • AG regulations
  • CCPA amendments
  • AG interpretations (on-going)
  • Case law (on-going)
  • Additional state legislative developments

Questions?

Presenters

Kate Lucente, Partner
T: +1 206 839 4854
F: +1 206 494 1809
[email protected]

Rena Mears, Principal
T: +1 415 836 2555
F: +1 415 659 7366
[email protected]

Carol A. F. Umhoefer, Partner
T: +1 305 423 8528
F: +1 305 675 8420
[email protected]

Thank you