
California's Tough New Privacy Law is Here. Are You Ready?


by William Rothbard

Published in: Marketing

  1. Affiliate Summit West 2020
     California’s Tough New Privacy Law Is Here. Are You Ready?
     William I. Rothbard, Law Offices of William I. Rothbard
  2. CCPA vs. GDPR
     • Both enshrine the right to privacy and a “fundamental right to be forgotten,” including these rights:
       – access personal data
       – know how personal data is used
       – delete personal data
       – rectify incorrect personal data
       – prevent sale of personal data
     • MAJOR difference: GDPR is OPT-IN; CCPA is OPT-OUT
  3. CCPA RIGHTS
     • 4 basic rights over personal information:
       – Right to know what personal information is collected; its source; purpose of use; whether and with whom it’s shared
       – Right to delete personal information
       – Right to “opt out” of sale of personal information
       – Right to receive equal service and pricing, even if privacy rights are exercised
     • Must give notice of rights at time of collection
  4. NOTICE OF RIGHTS
     • Required notices at time of data collection:
       – purposes and uses of collection
       – right to opt out of sale of personal information
       – any financial incentives regarding retention/sale of data
       – privacy policy
     • Prominent notice where personal data is collected, or link to notices in privacy policy
     • No proper notice, no collection
  5. WHO’S COVERED
     • For-profits that collect and control CA residents’ personal information, do business in California, and:
       – have annual gross revenues over $25 million;
       – OR receive or disclose the personal information of 50,000 or more CA residents, households or devices annually;
       – OR derive 50 percent or more of their annual revenues from selling CA residents’ personal information.
     • Potential to be de facto national privacy standard, given CA’s influence and the complexity of managing dual privacy policies
  6. BROAD DEFINITION OF PERSONAL DATA
     • “Personal information” applies to persons, households and their devices and includes:
       – personal identifiers (name, phone, email, etc., but also IP address and cookies)
       – geolocation
       – biometric data
       – internet browsing, search and purchase histories
       – psychometric data
       – profession or employment, educational background
       – inferences a company might make about a consumer
  7. RIGHT TO ACCESS DATA
     • Consumer right to request, for free, for the last 12 months, and receive within 45 days:
       – categories of personal information collected
       – categories of sources of collection
       – business purpose for collecting or selling data
       – categories of third parties with whom data is shared
       – specific pieces of personal data collected about the consumer
     • Information must be provided so as to permit easy “portability” to other providers
  8. RIGHT TO DELETE DATA
     • Consumer right to request, for free, deletion of personal information collected
     • Exceptions when personal information may be needed to:
       – Complete a transaction
       – Provide a requested good or service
       – Otherwise perform a consumer contract
       – Detect security incidents, and protect against/prosecute malicious, deceptive, fraudulent, or illegal activity
       – Debug to identify and repair errors that impair functionality
       – Exercise or ensure another’s free speech rights, or another right provided by law
  9. RIGHT TO DELETE (CONT.)
       – Comply with the CA Electronic Communications Privacy Act
       – Engage, with consent, in ethical research in the public interest, when deletion is likely to hinder the research
       – Enable solely internal uses in line with consumer expectations based on the relationship with the business
       – Comply with a legal obligation
       – Otherwise use personal information internally, in a lawful manner compatible with the context in which the information was provided
  10. RIGHT TO DISCLOSURE OF DATA SOLD
     • Consumer right to request, for the last 12 months, and receive within 45 days:
       – Categories of personal data collected
       – Categories of personal data sold; third parties to whom sold; and categories purchased by each third party
       – Categories of personal information disclosed about the consumer for a business purpose
       – If no personal data was sold, disclosure of that fact
  11. RIGHT TO DENY SALE OF DATA
     • Consumer right to opt out of sale of personal information
     • “Sale” means providing personal information to another business or third party for monetary or other valuable consideration
     • Required hyperlink on homepage, titled “Do Not Sell My Personal Information” or “Do Not Sell My Info”
     • After opt-out, selling data is barred unless expressly authorized
     • Sale of personal information of consumers under 16 is barred without express approval of the minor (ages 13 to 16) or the minor’s parent or guardian (under 13)
  12. RIGHT TO DENY SALE (CONT.)
     • Exception for provision of personal data to a “service provider”
     • “Service provider” defined as a for-profit that:
       – processes information for a business
       – receives information for a contracted business purpose
       – is prohibited from retaining/using/disclosing personal information for any purpose other than performing the services specified in the contract, or as otherwise permitted by CCPA
  13. RIGHT AGAINST DISCRIMINATION
     • Consumer right to receive equal service and pricing, even if exercising privacy rights
     • Business may not discriminate against or penalize a consumer for exercising rights by:
       – Charging different prices for its service
       – Providing a different level or quality of service
       – Suggesting a different price or level or quality of service
     • Price and quality differences are still permitted if the difference is reasonably related to the value of the consumer’s data to the consumer
  14. REQUIRED METHODS FOR REQUESTS
     • Minimum 2 methods for consumer personal information requests, including:
       – website
       – toll-free number
     • For an online-only business with a direct consumer relationship, an email request is OK
  15. CCPA ENFORCEMENT & PENALTIES
     • Enforceable by the CA Attorney General, with civil penalties up to $2,500 per violation and $7,500 for each intentional violation
     • Enforceable by individual or class actions for:
       – abuse of sensitive personal information; or
       – failure to have reasonable security procedures
       – up to $750 per consumer per incident or actual damages, whichever is greater
  16. CCPA IMPLEMENTING REGS
     • CCPA is vague in many respects, raising almost as many questions as it answers
     • CA AG has issued proposed regulations in an attempt to clarify the law: https://oag.ca.gov/privacy/ccpa
     • Regs offer detail on Notices, Requests and Request Verification protocols
     • Final regs after public comment
  17. CCPA AS DE FACTO U.S. STANDARD?
     • Like U.S. firms subject to GDPR and U.S. law, those covered by CCPA face a choice: follow CCPA for everyone, or treat Californians one way and everyone else another
     • The latter option could be complex and costly, and anger non-Californians
     • Dilemma if in both CA and the EU: how to comply at once with GDPR (opt-in) and CCPA (opt-out)
     • To avoid the risk of CA AG or class action, need to be COMPLIANT NOW!
  18. DO NOT TRACK
     • Some browsers send Do Not Track (DNT) signals
     • California Online Privacy Protection Act (COPPA) requires disclosure of DNT capability
     • However, granting a DNT request is not required
     • DNT decisions are voluntary
  19. QUESTIONS?
     • William I. Rothbard
     • 310-453-8713
     • Rothbard@FTCAdLaw.com
     • www.FTCAdLaw.com