The California Consumer Privacy Act (CCPA) What Organizations Need to Know and Do to Prepare


What is CCPA?

In June 2018, California’s Governor Jerry Brown signed into law Assembly Bill 375, now known as the California Consumer Privacy Act (CCPA).

It started as a ballot initiative that was removed in favor of a legislative replacement that – with almost no hearings – went from draft to law in less than a week. It immediately became the most comprehensive privacy law in the country and is scheduled to go into effect on January 1, 2020, although a small number of technical “fix” amendments have already been passed, including the introduction of a six-month enforcement grace period.


State vs. Federal Law

Although many congressional offices and committees in Washington D.C. are introducing federal legislation or actively discussing the development of a U.S. federal privacy law, CCPA—by virtue of its timing and visibility—is inspiring a plethora of other states to introduce their own data privacy legislation, including Washington, New York, and Nevada. We expect many more states to follow in 2020.

[Map: California shown against the remaining U.S. states, with these states labeled: Arizona, Hawaii, Maine, Maryland, Massachusetts, Mississippi, Nevada, New Jersey, New Mexico, New York, North Dakota, Rhode Island, Texas, Virginia, Washington State]


This fragmented approach creates a conundrum for businesses. Similar to the different data breach response laws that exist in each state, companies have to decide if they will treat each population differently, e.g., have a different data governance process for California residents than for the rest of the nation. Having multiple state laws puts pressure on companies to create a patchwork process that is challenging to maintain with efficiency and consistency. Businesses will need to seriously consider if they should adjust their systems nationwide, rather than siloing off California resident data for separate treatment.


So what does this law mean for you? The California Consumer Privacy Act affects any and all companies that collect and/or sell the personal information of California residents. Whether your company is located in San Francisco or Akron, if you have customers in California (more than 12% of the U.S. population), you need to prepare for CCPA. The first step is to understand what is included in the law, and what is still up for debate.


CCPA is designed to give Californians more control over their personal data (very broadly defined in the law). Among the major new data protections CCPA introduces:

Right to access information
Consumers in California will be able to know the “what, who, and why” surrounding their personal information. Specifically, they can request to know which categories of information were collected and sold, why it was collected, from whom this information was collected, with whom it was shared, and to whom it was sold – all of which must be provided in a digestible format.

Right to deletion
Consumers in California will be able to request that a company delete the personal information it has collected about them.

Right to opt out
Consumers in California will be able to direct a company to not sell their personal information to third parties (although the definition of “sell” in the bill is broader than simply monetary exchange).


What can I do now to prepare?

The rapid passage of CCPA created a number of challenges for companies due to ambiguities and issues in the law that make achieving compliance a complex task. However, preparing for CCPA compliance will help companies bolster their commitments to honoring consumer choices, as well as demonstrate transparency and build trust. For example:


1. Take a hard look at what data you are collecting and why. Map your data and your data sources. Do you need all the data you’re collecting? How long is that data really valuable? Know the right questions to ask, to inventory and validate all sources, as well as reduce risk exposure, by learning how long data actually needs to be retained. Auditing your data and cleaning up your data supply chain is critical to becoming CCPA-compliant.


2. Button up your notice and choice management. Do you and all your partners and suppliers have the proper rights and notice to aggregate and distribute data in a way that’s compliant with CCPA? Transparency in the collection and sharing of personal information is key. You should ensure that you have the proper notice and choice mechanisms in place and your privacy policy updated so that California residents can understand how their information is being used.


3. Support the development and operationalization of an accountability-based data governance program. Business leaders know the brand value of stepping up and distinguishing their organization through strong data governance and data ethics programs. Start by connecting your customer data internally so you can better manage the legal grounds under which you use and distribute data. Then, integrate data protection processes, including oversight and monitoring, into your product and engineering layers to keep up with rapidly changing data collection and use regulations. Embrace this opportunity to advance the strength and application of your policies and processes to help future-proof the organization if other similar state laws, or a federal law, are developed.


What’s still up for debate as of July 2019?

As a result of the quick passage of CCPA, there are currently some “workability” challenges with the law.

Technical details around enforceable compliance remain to be interpreted and clarified. As the IAPP states, “[t]he main culprits for the law’s ambiguity are its occasionally contradictory internal cross-referencing and sometimes confusing definitions. The devil is in the details.” The Attorney General’s office hosted six public forums earlier this year to give key stakeholders an opportunity to provide feedback on the law and help shape the implementing regulations, as well as discuss potential unintended consequences for businesses that collect information about California consumers.


The office of California Attorney General Xavier Becerra is expected to provide further guidance on how to implement the law, and it anticipates publishing a ‘Notice of Proposed Regulatory Action’ by the Fall of 2019. This should help clarify questions, giving us better direction for CCPA compliance.

Here are the areas the California Attorney General is expected to clarify in his guidance:


Each entry below lists the CCPA requirement, examples of outstanding questions, and the implications for brands.

CCPA Requirement: Categories of Personal Information
Examples of Outstanding Questions: Does this include household-level information in addition to individual information? How does someone opt out as a household?
Implications for Brands: Brands using household-level data (e.g., TV media buying) will need to evaluate all data they use to ensure compliance with CCPA’s consent rules.

CCPA Requirement: Definition of Unique Identifiers
Examples of Outstanding Questions: Does this include probabilistic modeling? If a company looks at different variables to design an audience, at what point can it be considered uniquely identifiable?
Implications for Brands: Analytics teams will need to think about the implications of using a probabilistic model and how that conforms to the consent requirements of CCPA.

CCPA Requirement: Exceptions to CCPA
Examples of Outstanding Questions: How does CCPA affect the current laws governing health care or financial services data?
Implications for Brands: CCPA is somewhat ambiguous about how it carves out certain laws already governing sensitive data (HIPAA, GLBA, etc.) and is causing confusion about how to operationalize data compliance.

CCPA Requirement: Submitting and Complying with Requests
Examples of Outstanding Questions: How should consumers make a request for access or opting out?
Implications for Brands: Brands need guidance on how to offer consumers a consistent method to opt out; e.g., in terms of the time window to honor the request, channels through which they can make the request, etc.

CCPA Requirement: Uniform Opt-Out Logo/Button
Examples of Outstanding Questions: Should companies use a recognizable and uniform opt-out logo or button to promote consumer awareness of the opportunity to opt out of the sale of personal information?
Implications for Brands: A process for uniform opt-out has not been specified, and without an adopted standard, businesses risk prosecution under CCPA if they are deemed noncompliant.

CCPA Requirement: Notices and Information to Consumer, Including Financial Incentive Offerings
Examples of Outstanding Questions: How should notices be written and presented on a company website or app? What if there is no screen?
Implications for Brands: Privacy teams have not yet received any specific direction on how to write notices (should it be on a 5th- or 12th-grade reading level?) or how to present the information (is a video acceptable?) in compliance with CCPA.

CCPA Requirement: Verification of Consumer’s Request
Examples of Outstanding Questions: How will businesses determine that a request for information received from a consumer is verifiable?
Implications for Brands: Businesses cannot provide data to individuals (right-to-access) if they are not authenticated, but CCPA is unclear about how they should verify the legitimacy of a request without asking for personal information.


What Else Can We Do?

Companies can expect the California legislature to amend the law leading up to the enforcement date, so we all need to stay close to the news coming out of California in the next few months.


Much is still in play – pay attention to the details regarding implementing regulations that will be released for comment from the California AG’s office in the Fall.

Business owners and employees also have many opportunities to advocate for your position. Together, you have a collective opportunity to create positive change in your local areas through consistency and persistence. Reach out and get to know your local lawmakers, learn what their priorities are, and engage and educate them on the needs of your organization and people.


For the latest news on CCPA and other issues affecting marketers, visit RampedUp.us and subscribe to receive top insights from Mar Tech experts, trends and ideas to put into practice, and information on our upcoming events.

225 Bush Street, San Francisco, CA 94104


The information provided in this e-book does not constitute legal advice.

Please consult your legal counsel to obtain legal advice.