THE CCPA AND PREPARING FOR STATE PRIVACY LEGISLATION. Nathan Taylor Morrison & Foerster LLP

Federal Financial Privacy Law
- Fair Credit Reporting Act
  o Regulates the disclosure and use of consumer reports
  o Functionally limits sharing with affiliates
  o Limits marketing based on information received from affiliates
- Title V of the Gramm-Leach-Bliley Act ("GLBA")
  o Privacy notice obligation
  o Limits sharing with nonaffiliated third parties
- Right to Financial Privacy Act
  o Limits sharing with the federal government

HOW WE GOT HERE

The California Consumer Privacy Act
- Arguably the most significant U.S. privacy development ever
- Replaced a controversial privacy ballot initiative
- Fast-tracked from introduction to enactment in June (but amended by SB1121 in September)
- AG rulewriting expected in Fall 2019 (but legislative lobbying efforts continue)
- Operative on January 1, 2020; AG enforcement by at least July 1, 2020

SCOPE

Who Will Be Required to Comply?
- Any business that:
  o Collects personal information (PI) relating to California residents
  o Determines (alone or jointly) the purposes and means of the processing of the PI
  o Does business in California
  o Meets one of the following thresholds:
    - Has annual gross revenues in excess of $25 million;
    - Annually buys, receives for commercial purposes, sells, or shares for commercial purposes PI relating to 50,000 or more California residents, households, or devices; or
    - Derives 50% or more of its annual revenues from selling PI relating to California residents
- A business that controls or is controlled by, and shares common branding with, a covered business above

Consumer Means Californian
- A natural person who is a CA resident
  o A resident includes any individual who is:
    - In CA for other than a temporary or transitory purpose; or
    - Domiciled in CA, but outside of CA for a temporary or transitory purpose
- No customer-type nexus needed
  o Includes employees, individuals associated with commercial customers, vendors and business partners, independent contractors and visitors to company premises
- Banks will need to decide if they want to limit these rights to CA residents or extend beyond CA

Personal Information
- Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked with a particular consumer or household
- Includes information identified in 11 enumerated categories (e.g., identifiers, commercial information and employment-related information)

OVERVIEW OF INDIVIDUAL RIGHTS

Individual Rights
- Right to know/access
- Right to deletion
- Right to opt out of sale
- Right to be free from discrimination
- Right to sue (for certain data security events)

THE GLBA EXCEPTION

The GLBA Exception
- Statutory text: "This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law. or the California Financial Information Privacy Act... This subdivision shall not apply to Section 1798.150."
- Amended in September 2018 to remove the conflict limitation and to add California SB1 to the exception
- But also preserved the consumer right to sue for security incidents

STRATEGIES OUTSIDE OF CALIFORNIA

The CCPA: A Trickle or a Tsunami?
- California is undisputedly a state leader
- Sometimes California is the model
  o Data breach: within 15 years, every state has a law
- Sometimes it's not
  o Online privacy protection: only several states have followed in 15 years
  o California "Shine the Light"

CCPA-Like Bills
- Connecticut: S.B. 1108
- Hawaii: S.B. 418
- Illinois: H.B. 2736; S.B. 2149
- Maine: S.P. 275
- Maryland: H.B. 901 / S.B. 613
- Massachusetts: S. 120
- Minnesota: H.F. 1030; S.F. 1553
- Montana: H.B. 457
- Nevada: S.B. 220
- New Jersey: A. 4902 / S. 2834; A. 4640 / S. 3153
- New Mexico: S.B. 176
- New York: A.B. 6531 / S.B. 4411; A.B. 3739 / S.B. 224; A.B. 3818 / S.B. 2323
- North Dakota: H.B. 1485
- Rhode Island: S. 234
- Texas: H.B. 4390; H.B. 4518
- Washington: S.B. 5376 / H.B. 1854

State Lobbying Strategies
- GLBA exceptions are a/the prominent state financial lobbying strategy
  o On an island when not aligned with other industries
  o Legislatures often do not understand the GLBA
  o But there are numerous examples of state GLBA exceptions in privacy laws (e.g., biometric laws) and security laws (e.g., breach notification)
  o Consider adding HIPAA to the mix?
- Most other lobbying efforts align with other industries
  o Limiting scope (e.g., definition of consumer)
  o Limiting controversial rights (e.g., access/portability and deletion)

Understanding GLBA Privacy
- As more states consider consumer privacy laws, it is essential to understand what the GLBA requires and why a GLBA exception makes sense
- Title V of the GLBA
  o Part of the 1999 financial reform law repealing the Glass-Steagall Act separating banking and commercial activities
  o Privacy protections added to improve transparency and require notice regarding a financial institution's privacy practices
- Limits disclosure of customer information to third parties
  o Financial institutions must provide notice and an opt-out opportunity before disclosing information to nonaffiliated third parties
  o Covers personally identifiable information relating to both customers and former customers
- So financial institution customers have been protected for nearly 20 years!

Understanding GLBA Privacy (continued)
- Many important exceptions to GLBA disclosure limitations, including:
  o Consent of the consumer
  o To complete a transaction requested by the consumer
  o Fraud prevention and institutional risk control
  o Disclosure to private label, co-brand card partners
  o Disclosures to and from consumer reporting agencies
  o To enforce legal rights and for law enforcement purposes
- But disclosure to third parties for marketing is usually not permitted, unless notice is given with an opportunity to opt out
- GLBA reuse/redisclosure restrictions
  o Information received from a financial institution under an exception may only be reused or redisclosed under an exception
  o This impacts both the financial institution and the recipient

Banking Agency Oversight of the GLBA
- Within banking, financial institutions are subject to comprehensive oversight, examinations and enforcement by both the CFPB and prudential regulators (e.g., the OCC and FDIC)
- FFIEC examines service providers for GLBA compliance, particularly data security
- Due to the completeness of this federal oversight scheme, many state laws already exempt financial institutions subject to the GLBA
  o And the CCPA exempts information subject to the GLBA
- State recognition of this comprehensive federal oversight structure will be critical when states consider the adoption of privacy laws
- The focus of any state privacy legislation should be on companies that attempt to monetize consumer information, not on banks that have been subject to privacy rules for 20 years

The Many Forms of GLBA Exceptions
- State GLBA exceptions come in many forms that are far from equal
- Examples:
  o The law does not apply to a person who is a financial institution as defined in the GLBA
  o The law does not apply to a person who is subject to the GLBA
  o The law does not apply to a person who is subject to, and complies with, the GLBA
  o The law does not apply to information subject to the GLBA / collected pursuant to the GLBA
  o The law does not apply to the extent that it is in conflict with the GLBA

Importance of Consumer Definition
- If not done correctly, a state statute can sweep in information related to employees, small businesses and even commercial banking clients, and vendors
- Should reflect, to the extent possible, the customer definition in the GLBA:
  "A natural person who is a resident of [STATE] [acting in a personal, family or household context [OR] who obtains a product or service used primarily for personal, family or household purposes]"