How to not strike out with the CCPA

How To Not Strike Out With The CCPA
Susan Natland & Jessica Sganga
June 27, 2019

© 2019 Knobbe Martens
CCPA Timeline
2
June 28, 2018:
CCPA enacted
September 23, 2018:
CCPA amendments
signed into law
Jan.-March 2019:
CaAG holds public
forums re CCPA
January 1, 2020: CCPA is
effective
July 1, 2020: CaAG
enforcement begins or 6
months after CaAG
promulgates regulations
(whichever is earlier)

The Why
3
Legal Liability
Private, state, and regulatory
action and exposure to
substantial damage awards.
Reputational Risk
Beyond hefty fines, the
commercial losses can be
staggering.
Data is the Bedrock of
our Digital Society
Continued access to
consumer data is no
longer a given.
Data is the New Currency
Consumers will vote with
their wallets – and their
data.
Burden or Opportunity?
Successful companies see
this as an opportunity to
transform trust into value.

© 2019 Knobbe Martens 4
Delivering Privacy
this is an opportunity to rethink the way
your organization handles data
consumers
say trust is a
key driver of
brand loyalty
cases consumer trust in a
company increases when
breaches are handled
swiftly and correctly
of consumers switched
providers last year
because they lost trust
in a company
8out of
10
45%4 out of 10
In
“A New Slice of PII, with a Slice of Digital Privacy,” Accenture Deck, Spring 2018

Cost of Data Breach
5
Average total cost of
a data breach:
$3.86 million
Average total one-year
cost increase:
6.4%
Average cost per lost or
stolen record:
$148
One-year increase in
per capita cost:
4.8%
Likelihood of reoccurring
material
breach over the next 2 years:
27.9%
Average cost savings with an
Incident Response team:
$14 per record
Ponemon Institute; 2018 Cost of a Data Breach Study: Global Overview
What your personal data
is worth to a hacker
(per record)
§ $10 Name, Address & Email
§ $50 Drivers license
§ $50 Credit/Debit Card
§ $3 Netflix password
§ $100 Bank password
§ $1000 Bank password (balance >$15k)
§ $1000 Complete medical record
§ $300 Average medical record
The incentives for hackers are great
The personal data of a
US resident is worth
about
$2000 — $3000
per year

CCPA Summary
Who?
Any for-profit businesses conducting
business in California that collects or
processes personal consumer data of
California residents AND also meets one of:
§ Revenue $25MM+ OR
§ Data of 50,000 Californian consumers, OR
§ Derive 50%+ of revenue selling consumer
data
What?
CCPA expressly focuses on: Preventing ‘misuse’ of
Californians’ consumer data through increased
transparency.
New Consumer Data Rights:
1. To Request knowledge (visibility) of their data
used by the business
2. To Delete their data used by the business
3. To Opt-out of the sale of their data
500,000
businesses will be
affected by the CCPA
Penalties
Enforcement will lever fines ($7,500/event)
injunctive, or class action relief/rights
“One Trust Comprehensive Guide to CCPA,” One Trust, June 24, 2018
CCPA Summary

Does the CCPA Apply to Your Business?
7
• For profit organization
(partnership, corporation, LLC, or
other legal entity)
• That collects consumer personal
information (online or offline)
• Does business in the State of
California
• Annual gross revenues in excess of
$25 million
• Alone or in combination, annually
buys, receives for the business'
commercial purposes, sells, or
shares for commercial purposes, the
PI of 50,000 or more CA consumers,
households, or devices
• Derives 50 percent or more of its
annual revenues from selling CA
consumers’ PI
Business
Meets One or More of the
Following Criteria

Which consumers does the CCPA apply to?
8
• Applies to “a natural person who is
a California resident”
⎼ “Resident” =
o In CA “other than for a
temporary or transitory
purpose”; or
o Domiciled in CA but out of
the state for a temporary
or transitory purpose.
Operational Options:
1) Apply CCPA to everyone; or
2) Consider applying the CCPA only
to CA residents and creating customized solutions for
CA residents
Create a CA specific portal with CA
specific policies and create separate
HR policies for CA employees
Auto-direct CA IP addresses to
CA specific website
Create option on home page of website for
CA residents to navigate to
CA specific webpage
Internally flag/route anything with a CA
billing or mailing address• Applies to consumers and employees
who are California residents

Expansive Definition of Personal Information (PI)
9
email address
FredYellowtail@work.com
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be
linked, directly or indirectly, with a particular consumer or household.”
Name
Online identifiers

Discovery Mode / Data Mapping
10
• First step in privacy
compliance
• Identify collection, flow and
retention of PI
• Identify purpose of PI
• Worksheet available to assist
• Third party vendors offer
software solutions
• Recommend naming DPO or
lead
• Review and update vendor
agreements

Consumer Rights in CCPA
11
CA consumers can make a verifiable request regarding:
1.Right to know/access what PI is being collected and
sold
2.Right to deletion
3.Right to opt-out
Businesses have 45 days to respond
How to comply:
- Set up a toll-free telephone # for requests
- Train employees to manage toll-free # or retain outside vendor to manage
- Train existing customer relations team about where to direct CCPA inquiries
- Create web page where consumers can submit requests
- Prepare template responses / ensure capabilities to provide data in portable form
- Compliance tracking

Right to Know About Collection, Sale, or Disclosure
12
• Update external privacy policy
• Upon verifiable request, business
must disclose categories of PI,
categories of sources of PI, purpose
for collecting/selling PI, categories of
3rd parties with whom PI is shared,
and specific pieces of PI collected
for the past 12 months
Note—
• Businesses do not have to retain PI collected for a single, one-time
transaction, if such PI is not sold/retained by business and business
does not use that information to identify consumers going forward

Right to Deletion
13
• Consumers can require businesses or
their service providers to delete their PI
Exceptions—
• Needed to complete the transaction PI was collected for
• Need to provide a good or service requested by the consumer
• Reasonably anticipated in the context of ongoing business relationship
• Required to perform a contract between parties
• Used to detect security incidents and protect against malicious, fraudulent or illegal activity
(or to prosecute those responsible)
• Needed to debug/identify/repair errors that impair existing intended functionality
• Free speech
• Needed to engage in scientific, historical, or statistical research in the public interest if
consumer provided informed consent
• Used solely for internal uses reasonably aligned with the expectations of the
consumer
• Required to comply with a legal obligation

How Do You Verify The Consumer Request?
14
• Business must reasonably
verify the requestor is the
consumer (or authorized
by consumer) about whom
the business has collected
PI
• CaAG is expected to
distribute regulations to
explain this further
• CCPA does confirm that a
request made using a
consumer’s password
protected account with the
business is “verifiable”
Practice Tips
Encourage account
set-up to purchase
tickets/products
Provide mechanism
for users to log into
account (if they have
one) on CCPA web
page
Train toll free # staff to
ask for account
information
Consider third party
vendor verification

Right to Opt Out of Sale of PI
15
• Consumers have right to opt-out of business selling their PI
• CCPA defines "sell, selling, sale, or sold" broadly to include selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise communicating PI to a 3rd party for monetary
or other valuable consideration
• Businesses must post opt-out option online:
⎼ Clear and conspicuous link titled “Do Not Sell My Personal Information” on homepage and in
privacy policy

Right to Not Be Discriminated Against
16
• Businesses may not discriminate
against individuals who exercise
their rights
⎼ Cannot charge different prices
⎼ Cannot provide different level
of quality
• Businesses may offer “financial
incentives” including
compensation for allowing the
collection and sale of PI
Give us your email
and receive your 5th
coffee on us!

Enforcement & Penalties for Violating the CCPA
17
CA Attorney General Enforcement
⎼ Not more than $2,500 per violation (i.e., per
person)
⎼ Not more than $7,500 per intentional violation
(i.e., per person)
⎼ Injunctive or declaratory relief
Private Right of Action
⎼ If there is a data breach that resulted from
noncompliance
• $100 to $750 per individual
• Actual damages (if higher)
• Injunctive or declaratory relief

Compliance Road Map — “Suits to Boots”
18
• Create internal data privacy team, including point person, with relevant
stakeholders
• Obtain cyber insurance
• Retain outside counsel
• Consider retaining a company to assist with operations/IT
• Conduct inventory of data collection and use
• Prepare and update privacy policies and procedures
• Prepare and update vendor agreements
• Set up compliance mechanism for consumer access requests
• Train personnel
• Ensure PI is protected with adequate and reasonable security measures
• Regular audits of privacy and security programs

Don’t Neglect Data Security While Addressing Privacy
19
• 1 in 4 will experience a data breach.
• If a data breach results from CCPA noncompliance, you could be liable.
• Don’t depend on privacy compliance alone—Be Proactive!
Ponemon Institute’s 2017 Cost of Data Breach Study

Breach Prep—Be Proactive
20

How to Respond to an Incident
21
§ Initial Assessment
⎼ Scope, extent and nature of the incident; Is it malicious?
⎼ Initiate incident response plan, assemble stakeholders and counsel
§ Internal Investigation (forensic, interviews)
⎼ Minimize continuing damage
⎼ Collect and preserve data (network image, logs, notes, and records)
⎼ Keep records of ongoing attacks
§ Notifications
⎼ Board of Directors, management team, key personnel
⎼ Law enforcement, government agencies
⎼ Partners, third parties (vendors)
§ Prepare for:
⎼ Consumer data breach notification
⎼ Government investigations (State AGs, FTC, SEC, etc.)
⎼ Negative publicity; Ancillary litigation

Susan Natland
Susan.Natland@knobbe.com
Jessica Sganga
Jessica.Sganga@knobbe.com
THANK YOU!

How to not strike out with the CCPA

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to How to not strike out with the CCPA

Similar to How to not strike out with the CCPA (20)

More from Knobbe Martens - Intellectual Property Law

More from Knobbe Martens - Intellectual Property Law (20)

Recently uploaded

Recently uploaded (20)

How to not strike out with the CCPA