Transcript of Operationalizing CCPA CLE Webinar - DLA Piper
January 16, 2019
*This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Operationalizing CCPA – CLE Webinar
Kate Lucente, Rena Mears, Carol A.F. Umhoefer
www.dlapiper.com
Introduction: What does Operationalizing Mean?
Operationalizing compliance
“Operationalizing”[1] is defined as putting something into operation or use.
Operationalizing legal requirements in an enterprise requires establishing effective, sustainable processes and controls to achieve compliance within the organization and its 3rd party ecosystem.
[1] Merriam-Webster
Operationalizing CCPA: key considerations
• Applicability and scope – does CCPA apply to all or part of the business or ecosystem
• Covered assets – personal information defined; similarities or differences to other definitions
• Covered population – consumer definition and California residency as criteria
• Know your data
  • Covered business processes
  • Data mapping
  • Data strategy, transformation, innovation
• Third parties and ecosystem
• Consumer interaction
  • Notices and public-facing language
  • Receiving and responding to consumers
  • Establishing validity of requests and resolving discrepancies
• Data protection and security – reasonable security; data breach liability
• Sustainment and change management
Applicability and Scope
Applicability and Scope: Is the Business Subject to CCPA?
• Business excludes non-profits, but includes parents and subsidiaries
• Any commercial entity – sole proprietorship, partnership, LLC, corporation, association – doing business in California, collecting (or having collected on its behalf) consumer personal information, that jointly or with others determines the purposes and means of processing of personal information, and meets any one of the following thresholds:
  • Gross yearly revenues over $25M
  • Processing personal information of 50K or more consumers, or
  • Deriving 50% or more of revenue from selling consumer personal information
• Also includes any controlling parent or controlled subsidiary that shares common branding
• Considerations
  • Nearing threshold — need to prepare for compliance by the time the threshold is reached
  • “Service Provider” — contractual terms needed to qualify as “service provider” as opposed to “third party” and to exclude “sale” to “third party”
  • Consider other definitions as part of scoping analysis — e.g. broad definitions of personal information and sell
Covered Assets
Identify relevant data assets
• Identify personal information that may be subject to CCPA:
  • Consumer currently includes any California resident (consumers, B2B contacts, employees)
  • Personal information is “any information that directly or indirectly identifies, relates to, describes or can be associated with or reasonably linked to a California resident or household” – includes information related to individuals, households and devices
  • Collection includes buying, renting, obtaining, gathering, receiving, accessing (actively or passively) personal information, or deriving personal information from other information, including for profiling
  • Sale includes making available or disclosure of personal information for anything of value in return
• Identify potentially relevant exemptions: most exemptions apply only to regulated personal information that is collected or used by a regulated entity. CCPA may therefore apply to residual personal information even within generally regulated entities

Covered assets – key operational considerations
• Personal information – identifying, inventorying and mapping the data flows of all information at a level sufficient to meet the requirements associated with:
  • Expanded definition
  • Original acquisition channel/notice/permission
  • “Third party” sharing
  • 12-month look-back
  • Erasure rights
  • Opt-out rights
  • Consent for sale of minors’ personal information
• Expansive universe of covered persons and challenges with “residency” qualification
Covered Population
Identify covered population
• California residency determination
• Individuals and households
• Expanded personal information definition (linkable to an individual or household)
  • Includes IP address and other unique identifiers – website visitors, ad targeting
  • Connected devices – activity and interaction data
• Data quality – establishing identity and resolving ambiguities
• Establishing “household” relationships
Know Your Data
Covered business processes (Sample List)
• Consumer-facing products and services
  • Online and offline
  • Websites, mobile apps, SaaS, other online services
  • Retail – e-commerce and brick and mortar
  • Connected devices
• Marketing and advertising activities
  • Online advertising and retargeting
  • Lead generation
  • Data enrichment and acquisition
• Customer support and sales operations
• Customer relationship management
• Machine learning engines, data analytics, data aggregation
• B2B marketing
• Recruiting, employee monitoring, performance reviews
Data mapping
• Acquisition → processing → storage → integration → disclosure → retention → disposition
• Typical three levels of data mapping
  • Inventory – at the data storage level with key attributes
  • Business process / application layer – showing data movement and use
  • Underlying architecture
• Identify prior data inventories and maps and determine gaps for CCPA
• CCPA adds further complexity
  • Is the disclosure to a service provider? A third party? A sale?
  • Are existing maps sufficient to identify categories of personal information as set forth in CCPA, including purposes of use for each? Categories of third parties? Categories of sales? Categories of service providers?
  • 12-month look-back
Data strategy, transformation and innovation
• Data mining, querying, sharing, profiling, deriving, insights, deep learning
• Data strategy
  • Data sourcing
  • Data mining
  • Monetization
• Stage of transformation
• Governance structure – evolving nature of data management
• Derived outputs and data – ownership, control and accountability
• Multi-tenant platforms
• IoT and AI
Third Parties
Third parties
• Identify disclosures
  • Service providers
  • Third parties
  • Sales (remember broad definition of “sale”)
  • Don’t forget, e.g., analytics, ad networks, APIs, affiliates, agents, advisors, accountants
• Impact on franchisor-franchisee relationship
• Contractual amendments
  • Minimum language to qualify as a “service provider”
  • Limit on use and disclosure and specify “business purpose”
  • Third party personal information brokers and providers: compliant collection, offered but not exercised opt-out
  • Intra-group personal information disclosure and use terms
• Data sources and original acquisition channel
• Downstream implications
Consumer Interactions
Consumer-facing notices and language
Update and/or develop:
• Website privacy policy
• Notice language at or before collection
• Consumer rights requests – online form and toll free number
• “Do Not Sell My Personal Information” link and page (if applicable) (with toll free number)
• Consent to sell personal information where individual has previously opted-out of sale (but can’t ask for 12 months from opt-out)
• Consent to sell minor’s data
Responding to consumer rights requests
Adopt procedures to manage the “response process”:
• Review and respond to requests within 45 days, with additional 45 days if necessary
• Identify relevant data assets
• Validate completeness and accuracy of response
• Review and respond to access requests — provide electronic copy (in portable form), including through any online account, or provide a copy via postal mail
• Review and respond to deletion request — evaluate validity, procedure and technical capability to “erase” personal information, and have service providers erase personal information
• Document response to each consumer within previous 12 months
Verifying identity and resolving discrepancies
Establish processes to address the “consumer-centric” side of the request:
• Establishing the identity of the “consumer”
• Determining validity of consumer request
• California residency determination
• Resolving ambiguities and potential “opt-out” discrepancies across data acquisition channels
• Establishing “household” relationships
• Resolving conflicting “do not sell” requests for household or device data
Data Protection and Security
Data breach liability and “reasonable” security
• Security – confidentiality, integrity and availability in the data layer
• Effective Jan 1, 2020 – no “grace period” related to timing of AG regulations
• Private right of action for breaches of personal information, if company did not have “reasonable” security controls
  • Consider class action waiver language in employee and customer contracts
• Encryption / redaction defense
• “Reasonable security” defense?
  • Meaning? Burden and expense of proof.
  • AG could issue regulations to clarify standards for “reasonable security”
  • Recognized standards – ISO 27001, NIST, CA AG Guidance on Online Security Controls
  • Certification by recognized, independent third party
Sustainability and Change Management
Sustainability and Change Management
• Establish processes to support sustainment and change management
  • Internal and external change
  • Ownership
  • Agility, responsiveness, refresh, impact of innovation
• Establish regular audit and update procedures, e.g.:
  • ISO certification
  • Annual refresh
• Create/update process for monitoring legal changes (e.g., further state privacy laws) and corresponding operational impact of:
  • AG regulations
  • CCPA amendments
  • AG interpretations (on-going)
  • Case law (on-going)
  • Additional state legislative developments
Questions?
Presenters
Kate Lucente
Partner
T: +1 206 839 4854
F: +1 206 494 1809
Rena Mears
Principal
T: +1 415 836 2555
F: +1 415 659 7366
Carol A. F. Umhoefer
Partner
T: +1 305 423 8528
F: +1 305 675 8420
Thank you