16 th Annual In-House Counsel Conference January 23, 2019 (Anaheim,CA)

Transcription

1 16 th Annual In-House Counsel Conference January 23, 2019 (Anaheim,CA) #IHCC _1

2 ACC SOUTHERN CALIFORNIA IN HOUSE COUNSEL CONFERENCE January 23, 2019 Anaheim, California #IHCC12

3 Getting Ready for CCPA - 72 Hours That Changed The Privacy World Presented by: Craig Cardon Leader, Privacy and Cyber Security Practice Sheppard Mullin Richter & Hampton LLP ccardon@sheppardmullin.com

4 1. Privacy Law Currently 2. CCPA and What s Next

5 Currently Have Patchwork of US Laws Industry-specific laws Privacy Patchwork Activity-based laws Comprehensive laws

6 What Industry Specific Laws? Health care Telecommunications Financial services

7 What Activity-Based Regulations? (Spam laws) Text messages Phone calls Behavioral advertising Faxes

8 A Better Way? Comprehensive Privacy Regimes

9 It All Boils Down To: Notice Choice

10 But with CCPA (and Any Comprehensive Regime) Comes lots of details

11 1. Privacy Law Currently 2. CCPA and What s Next

12 CCPA What s the Deal?

13 Applicability Business in CA? Collect PI* Applies** * PI is basically everything (!) ** If have gross revenues of $25,000,000 plus or 50,000 people or get 50% or more revenue from selling PI

14 Who Are Consumers, Really? Employees? Consumers* Vendors employees? * natural person living in California Customers consumers?

15 But Exemptions? Info sold to CRA Info under GLB PHI Not applicable* * exemptions are to the data subject to the laws (HIPAA, GLB, etc.), not to a business generally because it complies with or is subject to those laws

16 Effective When? Penalties? Effective January 1, 2020 Lookback to January 1, 2019 (rights requests) AG regulations July 1, 2020 Enforced beginning July 1, 2020 Fines up to $2,500 per violation, $7,500 per intentional violation

17 The Private Right of Action For Data Breaches $100 Per Incident/Person Statutory Damages Essentially Eliminates Statutory Standing, But Question of Article III Standing

18 A Sea Of Data Breach Class Actions

19 How Does a Company Handle CCPA?: In Phases Phase I: Diligence Phase II: Remediation Ongoing Maintenance Phase III: Documentation

20 Involve the Key Players In the Company Human Resources Market ing What information is collected? How is it collected? Information Security Customer Service Information Technology Sales and E- Commerce Where and how is it stored?

21 Phase I: Diligence Information use? Sharing? Future plans?

22 Phase II: Remediate (May Go Beyond CCPA) Develop Programs Rights process Security Incident Response Data use Update Documents Disclosures Consents Vendor Contracts Privacy policies Internal Guides Using data Behavioral, targeting Sharing, vendor onboarding

23 Phase III: Documentation Update or create external privacy policies Communicate rights process Update or create internal guidelines

24 And Then Ongoing Maintenance (12 month updates)

25 What collected How collected How used Shared? Choices In General: Notice and Choice Examples of Notice and Choice Contact information Behaviors Payment Information Directly From third parties Passively Respond to requests Marketing Within organization Vendors Business partners Marketing Certain third party sharing

26 CCPA: Added Notice Obligations Give Notice Generally Financial Incentives Selling Information Online Privacy Policy

27 Categories of Information Collected Purpose of Use Right to delete If consumer asks Misc. to remember New: General Notice Obligations Your name Your Your shopping cart behavior To sign you up for loyalty program To send you rewards and offers To deliver a newsletter You have the right to have your information deleted Categories of what was collected Categories of sources Purpose of collection Third parties to whom shared Notice in offline environment Notice if get from third parties Notice at or before collect Specific pieces of information

28 If Offer Financial Incentives Notify of the financial incentive program (i.e., we are giving an incentive, include material terms) Definition?: Offering different price for goods/services if give information Get opt-in to program Opt-in may be revoked at any time

29 If Sell Information Do Not Sell My Personal Information.* You can opt-out of having your information sold by contacting us at If you are the parent of a child under 13, you can opt into having your child s information sold you can us at kidssellingoptin@companyx.com with your child s information in the subject line or body of the message. If you previously opted in, and would like to opt-out out of having information sold, us at sellingoptout@companyx.com. If you are opting out on behalf of your child who is under 13, please provide us with your child s information. *Have this also as a link on the home page

30 Online Policy (Will Need to Add Content) Likely Already Included, Now Required by CCPA What is collected Not Likely Included Yet Specific pieces of information collected What has been collected in last 12 months How information is collected Why information is collected If information shared or sold How consumers can exercise rights What has been sold or shared for business purpose in last 12 months More than just CAN-SPAM, but all rights under CCPA Won t discriminate if exercise a right Can opt out of having information sold

31 Let s Compare: Can We Have One Notice?* General Requirements Financial Incentives If Information Sold Online Disclosure What Categories of info collected Categories of info collected Specific What (if asked) specific pieces company has about person Specific pieces company has about person** Why Purposes of use Purpose of use From Where (if asked) sources where Sources where info is info is collected collected To Whom (if asked) categories of third parties to whom info shared Rights Can revoke consent Give people way to opt-out of sale No Discrim. Misc. Terms of incentive Do Not Sell link Categories of third parties to whom info shared Rights people have and how to exercise Won t discriminate if ask for right * Probably not ** Likely not possible to do

32 CCPA, Like GDPR, Adds Rights Verified Requests No Discrimination Rights Opt-Out of Selling (in for Kids) Access What information shared

33 Special Note About Selling Website link ( Do Not Sell ) Could be CA only Arguably content could be in privacy policy (if link directly)

34 Providing Rights (Responding to Verified Request) In writing (in usable format) Figure out who person is Cover last 12 month period Did collect in last 12 months? Get one 45-day extension Respond in 45 days

35 For Rights Requests Remember PII Is Everything Identifiers Health Information Protected information Commercial information (e.g. purchase history) Biometric information Internet activity, geolocation data Audio, electronic, olfactory Professional, employment, education information Inferences used to create a profile

36 Thank you! Craig Cardon Leader, Privacy and Cybersecurity Practice Sheppard Mullin Richter & Hampton LLP