2019-06-11 What New US State Laws Mean For Your Business

© 2019 TrustArc Inc Proprietary and Confidential Information
What New U.S. State Privacy Laws Mean
for your Business
Ray Everett - TrustArc
Bennet Kelley – Internet Law Center
11 June 2019

Thank you for joining the webinar “What New
U.S. State Privacy Laws Mean for your Business”
2
• We will be starting a couple minutes after the hour
• This webinar will be recorded and the recording
and slides sent out later today
• Please use the GotoWebinar control panel on the
right hand side to submit any questions for the
speakers

Bennet Kelley – Founder, Internet Law Center
3
• Bennet Kelley is the Founder of the Internet Law
Center in Santa Monica. He represents e-
commerce, technology and other companies on
privacy and other compliance and business issues.
• He has testified before Sacramento legislative
committees on internet legislation and previously
worked with one of Washington’s most prominent
lobbyists.
• Named One of Most Influential Lawyers in Digital
Media and E-Commerce by Los Angeles Business
Journal (2014)
• Chair Technology, Internet and Privacy Committee
of California Lawyer’s Ass’n (CLA) Intellectual
Property Section and past Co-Chair of the Internet
and Privacy Committee of CLA’s Business Law
Section
• Host, Cyber Law & Business Report (2001-2008)
bkelley@internetlawcenter.net
@InternetLawCent

Ray Everett – Principal Consultant, TrustArc
4
• Appointed as one of the world’s first corporate
Chief Privacy Officers in 1999, Ray has more
than 20 years in privacy risk management
• Prior to joining TrustArc, Ray managed global
advertising and search privacy at Yahoo!, and
served as general manager for the privacy
monitoring business unit at Keynote Systems
• He was a founding board member of the
International Association of Privacy Professionals
• Co-author of two books, including Internet Privacy
for Dummies, Ray has testified before
committees in both chambers of the US Congress
• Ray is a graduate of George Washington
University Law School, is an IAPP Fellow of
Information Privacy, and also holds a Level 1
Sommelier credential from the Court of Master
Sommeliers
reverett@trustarc.com

The State of the States:
State Privacy Laws

Everything you need to know about CCPA?
6
• Sorry, wrong webinar!
• Try:
– 10 Steps to CCPA Compliance
(TrustArc On-Demand Webinar)
– Managing CCPA and GDPR
Individual Rights and DSARs
(TrustArc On-Demand Webinar)
– TrustArc’s Library of CCPA
Resources & Reference Docs
• Also:
– California Senate Judiciary Committee, The State of Data Privacy Protection:
Exploring the California Consumer Privacy Act and its European Counterpart
– Lothar Determann, Analysis: The California Consumer Privacy
Act of 2018
– Eric Goldman, An Introduction to the California Consumer Privacy Act (CCPA)
– Eric Goldman’s 41 California Privacy Experts Urge Major Changes to the CCPA

How to Pass a Statewide Privacy Law
7
Ingredients:
1 Dormant Bill
1 Real Estate Executive (with $3.5M to
spend on a ballot initiative)
1 Deadline for removal from the ballot
Combine in a well-greased Legislature
Marinate for only 7 days
Garnish with Governor’s signature
“The result is a sweeping, lengthy (10,000
words!), insanely complicated, and poorly
drafted privacy regulation that will govern
the world’s fifth largest economy.”
– Prof. Eric Goldman

CCPA Was Not Only Major State Privacy Law in 2018
Vermont Data Broker Regulation
8
Data Broker Must
• Register with the state Attorney General and
pay an annual $100 registration fee.
• Disclose Opt-out practices, whether it uses
a purchaser credentialing process and its
collection or use of information of minors.
• Develop, implement, and maintain a
comprehensive information security program
that is written in one or more readily accessible
parts and contains appropriate administrative,
technical, and physical safeguards.
• Failing to register results in a penalty of $50
per day up to $10,000 per year.
Vermont Attorney General, Guidance on Vermont’s Act
171 of 2018 Data Broker Regulation

© 2019 TrustArc Inc Proprietary and Confidential Information9
The Privacy Domino Effect . . .

. . . That Wasn’t
State Privacy Legislation 2019

Washington Privacy Act (SB 5376)
11
• Modeled on GDPR and supported
by Microsoft, RealNetworks,
TechNet
• CPO Magazine (2/28/19):
“Proposed Data Privacy Act for
Washington State Could Be a
Game-Changer”
• March 6: Passed Senate passed
46-1
• Drew opposition from ACLU, EFF
in the House over industry friendly
facial recognition provisions
• Failed to pass House by April 17th
deadline
• Plan to reintroduce in 2020

Texas Privacy Protection Act
12
Texas Consumer Privacy Act (HB 4518)
• Modeled after CCPA
• Died in Committee
Texas Privacy Protection Act (HB 4390)
• Began as a broad privacy bill
• Diluted to create Texas Privacy
Protection Advisory Council to:
• Study and evaluate laws in Texas,
other states and relevant foreign
jurisdictions that govern privacy and
make recommendations to the Texas
legislature on or before Sept. 1, 2020.
• Texas legislature does not reconvene
until 2021

Nevada Passes Opt-Out Legislation
13
NV SB 220 – An Act Related to Internet
Privacy
• Requires websites to establish a
designated request address through
which a consumer may submit a
verified request directing the operator
not to make any sale of covered
information collected about the
consumer.
• Prohibits sale of information after
such a request.
• Enforceable by Attorney General.

Maine Passes ISP Privacy Legislation
14
2016
• Federal Communications Commission adopts
privacy rule for internet service providers giving
consumers right to opt-out of sharing of data
2017
• Congress passes resolution reversing FCC
rule, signed by President Trump.
SP 275
• Prohibits a provider of broadband Internet
access service from using, disclosing, selling or
permitting access to customer personal
information unless the customer expressly
consents to that use, disclosure, sale or
access.
• ISP may not refuse service or charge a penalty
or offer discount connected to consent to use
personal information.
• Effective July 1, 2020
Governor Mills and Senator Shenna
Bellows at signing of SP 275

Meanwhile in California . . .
15
To Expand or Clarify?
Cal AG / Senate Judiciary Chair - Expand
• SB 561 sought to expand CCPA
• Removes 30-day cure provision
• Gives consumers private right of action for all
violations
• Died in committee
Assembly Privacy Chair – Clarify
• AB 25 (Chau) – removes employees from definition
of consumer.
• AB 873 (Irwin) – narrow personal information to
information “reasonably capable” of being associated
and exempts de-identified data.
• AB 874 (Irwin) – exempting publicly available
information.
• AB 1564 (Berman) – consumers may contact
businesses by toll-free number, email or address or
by website form.
• ALL PASSED THE ASSEMBLY

Will Washington Step In?

Why Privacy is Different than Spam
17
2003
• California passes law banning spam
with effective date Jan. 1, 2003.
• Congress passed the CAN-SPAM Act
82-days later preempting California law.
2019
• Little activity to date
• No framework or proposal emerging as
likely to be adopted
• Industry wants preemption but
Democrats will only consider
preemption if bill provides baseline
rights comparable to CCPA.
• Difficulty of achieving consensus
• Who sits at the table to negotiate?
• Many players and business interests are
not all aligned equally.

Factoring Multiple Laws into a
Global Privacy Program

Privacy Program Fundamentals
19
• Identify the Personal Information
being processed
• Identify In-Scope Laws and Regs
• Develop and Implement your Framework
– Rationalizing your requirements and drivers
• Build your Privacy Strategy & Governance Model
• Build your Team
• Identify Technologies to Execute at Scale
• Identify Relevant Metrics
• Iterate and Evolve

Building your Framework
20
• Principles and Standards
– e.g., AICPA’s Generally Accepted
Privacy Principles (GAPP) & Maturity Model
• Regulatory-Driven
– e.g., GDPR, APEC, BCRs, HIPAA, GLBA
• Contracts or Industry Standards
– e.g., Customer requirements, NIST, PCI DSS
• Rationalizing the Requirements
– Find similarities and build to them
– Identify outliers and build variations to accommodate
– Strictest Standard (e.g., timeline for breach notification)

Case Study
21
• Background
– Largest global manufacturer in its industry
– >€9B annual revenues
– >50k employees in ~35 countries
• Priorities
– GDPR readiness + Alignment with in-scope laws/regs
– Build and maintain a Data Inventory
– Risk Assessment Program (PIAs & DPIAs)
– Structured response for customer privacy questions
– Limited internal resources
?

The Approach: Work the Fundamentals
22
 Identify the Personal Information
being processed
 Identify In-Scope Laws and Regs
 Develop and Implement your
Framework
 Rationalizing your requirements and
drivers
 Build your Privacy Strategy &
Governance Model
 Build your Team
 Identify Technologies to Execute at
Scale
 Identify Relevant Metrics
 Iterate and Evolve
 Conduct a Data Inventory
 Data Inventory & PIAs to Identify
Geographies and Data Types
 Developed an Frameworks; Deploy
Customized Assessments
 Assessments build in risk-ranking and
help to support the rationalization
 Refined Privacy Strategy &
Governance Model
 Consulting support for limited team
 Deploy Privacy Technologies at
Scale
 Technologies support ROI and other
functional metrics
 Iterate and Evolve

Blending Rationalized & Strictest Standard
23
• Supporting the Rationalization process
– Data location – understand applicable laws and expectations
– Data types – understand nature of regulatory risk
– Data owners – build case for formalized data stewardship
– Vendors & 3rd Parties – identify external risk; support rights-related
compliance (e.g., data sharing and sales)
• Supporting Strictest Standard process
– Data location – where strictest standards may apply
– Data types – when strictest standards may apply
– Owners/Vendors/3rd Parties – to whom strictest standards may
apply; who will be responsible for implementation/management
– Risk Assessments – flag outliers and target specialized
remediation efforts exactly where they’re needed

TrustArc as a “Force Multiplier”
24
• Assessment Manager
– Deploy and manage assessments
at scale
– Easily customized templates for
quick and flexible re-assessments
• Data Flow Manager
– Process-based records that can
be directly edited for fast maintenance
– Intelligence Engine to flag risks and
trigger follow-on assessments
• Consulting & Managed Services
– Provide support to resource-constrained teams
– Consulting Team of former CPOs and senior
leaders of global privacy teams

Concluding Thoughts
25
• Impossible to track and synchronize every law…
• You must be Strategic
– Build your Program around a Framework that keeps
you focused on the big picture without forgetting the
outliers
– Build your Program around tools and techniques that
will track with your Framework
• Make a plan, then work the plan!
• Technology is essential to being efficient, effective
and nimble
• Don’t be afraid to ask for help!

Questions?

Thank You!
Register now for the last webinar in our 2019 Spring Webinar Series
“GDPR Compliance: Convince Customers, Partners, and The Board
You Are Compliant!” on June 19, 2019.
See http://www.trustarc.com/insightseries for the 2019
Privacy Insight Series and past webinar recordings.

2019-06-11 What New US State Laws Mean For Your Business

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2019-06-11 What New US State Laws Mean For Your Business

Similar to 2019-06-11 What New US State Laws Mean For Your Business (20)

More from TrustArc

More from TrustArc (20)

Recently uploaded

Recently uploaded (20)

2019-06-11 What New US State Laws Mean For Your Business