Operationalizing the California Consumer Privacy Act: Key Decisions and Compliance Strategies June 19, 2019



Hogan Lovells | 2

Today’s speakers

Mark Brennan Partner, Washington, D.C. T +1 202 637 6409 [email protected]

Bret Cohen Partner, Washington, D.C. T +1 202 637 8867 [email protected] @MWBrennanDC

Agenda


• What is the CCPA?

• Who must comply with the CCPA?

• What types of data are covered by the CCPA?

• Key CCPA requirements

• Consequences for noncompliance

• Interaction with existing laws and regulations

• How does the CCPA compare to the GDPR?

• What questions are companies asking about the CCPA?

• Key Compliance Steps

• Benchmarking

• Q&A

What is the CCPA?

• Takes effect January 1, 2020.

• Regulates the collection, use, sale, and disclosure of information about California consumers and households.

– Broadly scoped law with expansive definitions of key terms (e.g., “personal information”).

– Requires businesses to provide detailed notice of personal data processing activities.

– Grants individuals the right to access, the right to opt out of the sale of personal information, and the right to delete personal information, and prohibits discrimination against consumers on the basis of exercising CCPA rights.

– California Attorney General can fine non-compliant businesses up to $7,500 per intentional violation.

– Consumers can sue for up to $750 per consumer per incident if, due to a failure “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” there is a breach of:

  – Name plus unencrypted (i) SSN, (ii) driver’s license or California ID card number, (iii) financial account or payment card number, (iv) medical information, or (v) health insurance information.

  – Username or email address in combination with a password or security question and answer that would permit access to an online account.

Who Must Comply With the CCPA?

• Business

– (1) Any for-profit entity that:

  – collects consumers’ personal information;

  – determines the purposes and means of processing that information;

  – does business in the State of California; and

  – satisfies one or more of the following thresholds:

    – Gross revenues exceeding $25,000,000;

    – Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year; or

    – Derives at least 50 percent of its annual revenues from selling personal information.

– (2) Any entity that controls, or is controlled by, a qualifying business if it shares common branding.

– Above thresholds will be calculated for an entire “business.”

What Types of Data Are Covered by the CCPA?

• “Personal information”

– Any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer (a resident of CA) or household.”

– Examples:

  – Identifiers (name, email address, IP address, device ID, cookie information, etc.).

  – Protected characteristics (race, gender, etc.).

  – Commercial information (records of purchased products/services, etc.).

  – Biometric information.

  – Internet or other network activity (browsing history, search history, interaction with ads, etc.).

  – Geolocation data.

  – Professional information (education history, job title, etc.).

  – Inferences derived from other personal information (preferences, characteristics, abilities, etc.).

– Note: Legislative proposals seek to revise the definition by expressly excluding employees, tweaking the scope of excluded public government records, and clarifying excluded “de-identified” data.

Key CCPA Requirements – Notice

• Online privacy notice must include:

– A description of consumer rights under the CCPA and the methods for exercising those rights;

– A list of the categories of personal information the business has collected about consumers in the preceding 12 months;

– A list of the categories of personal information the business has sold about consumers in the preceding 12 months, or the fact that it has not done so; and

– A list of the categories of personal information the business has disclosed about consumers for business purposes in the preceding 12 months, or the fact that it has not done so.

• At or before the point of collection, a business must inform consumers of:

– Categories of personal information to be collected; and

– Purposes for which the collected personal information will be used.

• Organizations that receive personal information from a business via a sale may not re-sell the information unless the consumer:

– Receives explicit notice; and

– Has an opportunity to opt out of the sale.

• Privacy policy and website homepage must include a “Do Not Sell My Personal Information” link.

Key CCPA Requirements – Access Right

• Must disclose upon request:

– The “specific pieces of personal information” that the business has collected about the individual consumer over the prior 12 months;

– The categories of information that the business has collected about the individual consumer over the prior 12 months;

– The categories of sources from which the personal information is collected;

– The business or commercial purpose for collecting or selling personal information;

– The categories of third parties with whom the business shares personal information;

– The categories of personal information that the business sold about the individual consumer in the preceding 12 months, the categories of the third parties to whom such personal information was sold, and the specific categories of information that were sold to each category of third parties; and

– The categories of personal information that the business disclosed about the individual consumer for a business purpose in the preceding 12 months, the categories of the third parties to whom such personal information was disclosed, and the specific categories of information that were disclosed to each category of third parties.

Key CCPA Requirements – Deletion Right

• A business does not have to fulfill a deletion request if it is necessary to maintain the PI to:

– Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;

– Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;

– Debug to identify and repair errors that impair existing intended functionality;

– Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;

– Comply with a legal obligation;

– Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; or

– Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

• The scope of the last two exceptions will depend on the courts’ and the California AG’s concept of “expectations of the consumer” and “context in which the consumer provided the information.”

Key CCPA Requirements – Sale Opt-out Right

• Businesses must provide an opportunity to opt out of the “sale” of their personal information.

• “Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

• Examples:

– Traditional sales of PI to third parties (e.g., selling a list of emails).

– Making PI available to third parties for monetary or in-kind benefits (e.g., swapping marketing lists with third parties or providing information for cooperative use).

– Licensing/renting PI to third parties (including where providers of services retain independent rights to use data for marketing).

– Permitting third parties to collect PI for their own purposes (e.g., the business permits third parties to collect PI from consumers with whom the business interacts, such as by placing third-party cookies on the business website, in exchange for money or other benefits).

Key CCPA Requirements – Sale Opt-out Right (cont’d)

• Exceptions:

– Consumer-directed disclosures (if the recipient doesn’t subsequently sell the PI).

– Transfers of PI to a “service provider” for a “business purpose” (operational purposes such as security, or other notified purposes that do not directly advance commercial or economic interests). A service provider:

  – processes personal information on behalf of a business; and

  – is subject to a written contract that prohibits the service provider from retaining, using, and disclosing personal information other than for the specific purpose of performing the service specified in the contract, or as the CCPA otherwise allows.

– Transfers that are part of a business merger, acquisition, bankruptcy, or other transaction involving a change of control of part of the business.

• Note: While the CCPA prohibits businesses from “discriminating” against consumers for exercising their rights, businesses may offer financial incentives to consumers to not exercise their rights if “reasonably related” to the value provided to the consumer.

Key CCPA Requirements – Minor Opt-in Requirements

• Opt-in requirements for sales of certain minors’ personal information:

– Consumers under 16, above 13 years of age:

  – Consumer opt-in consent required for the sale of the consumer’s PI.

– Consumers under 13 years of age:

  – Parental opt-in consent required for the sale of the consumer’s PI.

Consequences for Noncompliance

• Attorney General

– California’s Attorney General can enforce all provisions of the CCPA and its regulations.

– AG expected to issue first draft of regulations by this fall.

– AG is required to finalize regulations by July 1, 2020.

– Businesses will have 30 days to cure any alleged violations.

– If violations are not cured, the AG can impose penalties of up to $2,500 per violation, or $7,500 per intentional violation.

– Total liability is uncapped.

• Private Right of Action

– Consumers are able to sue a business if certain types of their personal information (e.g., SSNs) are subject to unauthorized access, exfiltration, theft, or disclosure and the information was not encrypted or redacted.

– Consumers are able to sue only if the breach was the result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

– Consumers may recover the greater of actual damages or statutory damages ($100–$750 per consumer per incident).

Interaction with Existing Laws and Regulations

• The CCPA states that it does not interfere with a business’s ability to:

– comply with federal, state, or local law;

– comply with government requests;

– cooperate with law enforcement agencies; and

– exercise or defend legal claims.

• Some data and practices are exempted:

– Health information governed by HIPAA or the Confidentiality of Medical Information Act;

– The sale of information that is regulated under the Fair Credit Reporting Act (“FCRA”);

– The collection, processing, sale, or disclosure of personal information pursuant to the Gramm-Leach-Bliley Act (“GLBA”); and

– The collection, processing, sale, or disclosure of personal information pursuant to the Driver’s Privacy Protection Act of 1994.

How Does the CCPA Compare to the GDPR?

Scope

  EU General Data Protection Regulation: applies to a “controller” or “processor”:
  • Established in the EU
  • Established outside of the EU, and either (1) offering goods/services to the EU; or (2) monitoring behavior in the EU

  California Consumer Privacy Act:
  • A for-profit “business” that does business in CA and meets revenue / volume thresholds for California resident data
  • A business is defined similarly to an EU “controller”

Definition of personal data/information

  GDPR:
  • Any data relating to an identified or identifiable natural person

  CCPA:
  • Data “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”

Notice requirements

  GDPR:
  • Must provide data subjects with detailed notice about the collection, use, and disclosure of personal data, as well as retention period, individual rights, information about lawful bases for processing, identity of controller/DPO/representative, etc.

  CCPA:
  • Must disclose certain information about the collection, sale, and disclosure of personal information in the privacy policy/on the website
  • Must provide just-in-time disclosures at or before the collection of personal information
  • “Do Not Sell My Personal Information” button

How Does the CCPA Compare to the GDPR? (cont’d)

Right to access

  GDPR:
  • Must provide data subjects with “access to [their] personal data,” as well as specific details about processing (e.g., purposes of processing, sources of information, etc.)
  • Exceptions: (a) cannot verify identity, (b) manifestly unfounded or excessive requests, (c) adversely affects the rights and freedoms of others

  CCPA:
  • Must provide consumers with details about collection, sale, and disclosure of their personal information (e.g., categories of personal information sold to different categories of third parties), as well as “specific pieces of personal information”
  • Exceptions: (a) cannot verify identity, (b) manifestly unfounded or excessive requests

Right to data portability

  GDPR:
  • Where the basis for processing is consent or legitimate interests, data subjects have the right to receive personal data they have provided to the controller “in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance”

  CCPA:
  • If a business responds to a request to access personal information via electronic means, “the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit the information to another entity without hindrance”

Right to delete information

  GDPR:
  • Data subjects have a right to have their personal data deleted where (a) “no longer necessary,” (b) they withdraw consent, (c) processing is unlawful, or (d) if processing is based on legitimate interests, there are no “overriding legitimate grounds”
  • Exceptions: (i) continued lawful basis for processing, (ii) exercising right of expression, (iii) compliance with EU law, (iv) establishment / exercise / defense of legal claims, (v) public health exception, (vi) archiving / research exception

  CCPA:
  • Consumers have a generally applicable right to have their personal information deleted
  • Exceptions: (i) complete a transaction / perform a contract, (ii) detect / protect against / prosecute security incidents or illegal activity, (iii) debug and fix errors, (iv) exercise free speech or other legal rights, (v) research exception, (vi) “solely internal uses that are reasonably aligned” with consumer expectations, (vii) compliance with law

Right to object

  GDPR:
  • Data subjects have a right to object to the broader processing of their personal data in certain circumstances

  CCPA:
  • Consumers have a right to opt out of the “sale” of their personal information; greater control over data-sharing

How Does the CCPA Compare to the GDPR? (cont’d)

Time for responding to individual rights requests

  GDPR:
  • “Without undue delay” and in any event within one month
  • Can be extended by two months “where necessary”

  CCPA:
  • Within 45 days of receiving a verifiable request
  • Can be extended by 45 days “when reasonably necessary” – or “up to 90 additional days where necessary”?

Fines

  GDPR:
  • Infringements may result in administrative fines up to €20 million or 4% of total worldwide annual turnover, whichever is greater
  • Private right of action for actual damages

  CCPA:
  • The California Attorney General may impose civil penalties of up to $7,500 per intentional violation. There is no cap on the total amount of the penalty
  • Private right of action for data breaches ($100–$750)
  • But 30 day cure period (for AG or private actions)

What Questions Are Companies Asking About the CCPA?

1. Will the law be amended, and should we wait for the outcome of that process? Will employee data be covered in the final draft of the law? What is happening in the other states and at the federal level?

2. Do we really have to put a “Do not sell my personal information” link on our website and app? What do we do when someone clicks on it?

3. What questions should we be asking of the business to determine what information is covered and how we update our privacy policy?

4. How do we determine what data disclosures are subject to the sale opt-out, and what are not?

5. What contract provisions should we be putting in place with service providers? With third parties?

6. What should we do if we get a request to “delete all of my data”?

Key Compliance Steps

Scoping

• Identify whether your entity is subject to the CCPA.

• Determine what data should be treated as “personal information.”

• Determine whether to treat CA data differently from non-CA data.

Data Mapping

• Inventory data assets and processing activities that may include personal information of CA residents or households.

• Map data transfers, including to other affiliates, clients, partners, and service providers.

Third-party relationships

• For data transfers, determine if you are really “selling,” or if an exception applies, e.g.:

  – Disclosure to commonly owned and branded businesses.

  – Disclosures to service providers.

  – Consumer uses/directs the “intentional” disclosure to a third party.

• To minimize the impact of the opt-out right:

  – Revise service provider agreements as needed.

  – Clarify “intentional” disclosures.

  – Determine whether to offer financial incentives to minimize the impact of the opt-out right.

• Where you are “selling,” strategize with the business about how to cut off disclosures as needed.

• For data receipts, determine if you are in receipt of a “sale” and, if so:

  – Strategize about what might happen if consumers opt out of data sources.

  – If you wish to re-sell, determine how you will provide notice and an opportunity to opt out.

Key Compliance Steps (cont’d)

Policies and Procedures

• Update privacy notices (and set a procedure to do so annually).

• Establish procedures for receiving, verifying, and responding to consumer rights requests.

• Update internal policies and procedures to account for the CCPA.

• Establish procedures to implement, maintain, track, and demonstrate reasonable security measures taken to protect personal information (especially the categories listed in the CCPA private right of action).

• Consider revising data retention policies in order to limit CCPA obligations.

• Develop materials to train relevant employees on CCPA obligations.

• Evaluate whether to grant rights to all consumers across the US.

• Monitor federal and state developments closely for impact.

Key Compliance Steps (cont’d)


Sample requests that we are receiving

• Determine jurisdictional scope of the CCPA for in-state and out-of-state affiliates, business lines, employees, vendors, and customers

• Data mapping interview questions and data inventory chart

• Prioritization criteria for CCPA data mapping/compliance

• Analysis of client vendor contract templates’ compliance with CCPA requirements

• Sample contract language for the CCPA “service provider” contract requirements

• Assessment of the obligation to identify and categorize categories of “third parties” to whom personal information is sold or disclosed

• Strategies for unstructured personal information

• Strategies for responding to CCPA data subject access, deletion, and opt-out requests

• Preparing template responses to access/deletion inquiries

• Assessment of the CCPA restrictions and exceptions

Benchmarking


• Across your industry

• Across different industry sectors

• Similarly sized organizations

• Similar business models

• Business-to-consumer vs. business-to-business

• Similar target audiences

Resources

Our CCPA Blog Series

Our blog, Chronicle of Data Protection, focuses on important global developments in privacy law and policy, including a new series “The Challenge Ahead,” that analyzes legal implications and key takeaways for the California Consumer Privacy Act. For more information, please visit: https://www.hldataprotection.com/tags/ccpa

Follow us on Twitter!

@HL_Privacy


"Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.

The word “partner” is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or

any of their affiliated entities or any employee or consultant with equivalent standing.. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent

to members.

For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com.

Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising. Images of people may feature current or former lawyers and employees at Hogan Lovells or models not

connected with the firm.

© Hogan Lovells 2019. All rights reserved

www.hoganlovells.com