These are the top questions we are asked about the CCPA along with our recommendations based on our experience working with clients. We reveal key innovations and approaches for CIOs/CISOs to consider when designing their privacy operations, enabling efficiency and secure auditability when dealing with individual rights requests, consent management and more. Questions? Contact us here: hello@truyo.com

1. Top Questions asked about the CCPA

2. Partial Client List
IntraEdge Technology

3. Data Protection is Heating Up
Source: DLA Piper

4. State of the States
Ranked on strength of their privacy regulations
truyo.com/states
P u e r t o R i c o

5. CCPA Implementation Commonalities
Amendments
• Loyalty exemption (AB 846)
• Definition of publicly available information (AB 874)
• Private right of action – out for now
• No toll-free number to online only businesses (AB 1564)
• Does an individual have access to household (AB 25 –
may be amended to address)
• Data source/rights/impact to disclosure (AB 873 –
failed)
• Drafting errors (AB 1355)
• Reporting is defined only for large companies
Draft Regulations
• Process for verification and validation including
non-accounts
• 3rd party obligations including delete & do not sell
• Definition of a sale
• Granular rejections (partial)
• Categories of information specific to a consumer
• Process around aggregators
• Lookback period clarification
• Reporting required if you have over 4M consumers
in scope

6. Sampling of fines related to GDPR
• Google fined €50,000,000 by French DPA for inappropriate consent
• GDPR may add up to $8.8B Marriott’s data breach expenses
• After inspection, Portuguese DPA found that the hospital' s account management practices
were deficient imposed a fine of €400,000 on the hospital.
• French DPA fines €250,000 to Bouygues Telecom failing to protect the personal data
• First enforcement action under GDPR against a data controller outside the EU. UK’s DPA
served an enforcement notice on a Canadian political consultancy.
• France fines real estate company €400,000 - The company’s website easily allowed
accessing other individual’s information.
• As a result of an attack on British Airways’ website, about 500,000 customer records were
extracted by a malicious third party. Fined €183,000,000 (the largest fine to date)
“about half of the 200,000 complaints relate to the way subject access requests have been handled”

7. Top Questions Asked
1. How many requests can I expect?
2. How do I categorize my data?
3. How do I know if I am selling data?
4. How to validate a consumer’s identity?
5. How do I reduce the number of requests?
6. How do I deal with 3rd party processors?
7. How do I handle the “Do not Sell” requirement?
8. How to handle highly-sensitive data?
9. How do I handle consumer questions about their data?
10. What kind of reporting do I need?
?

8. I am not a lawyer
But I will tell you how
others have
implemented or
interpreted privacy
regulations

9. How many requests can I expect?

10. Results from GDPR
72%
At least 1 request
per month
25%
At least 10 requests
per month
9%
100-10k requests
per month
Source: IAPP/TrustArc Measuring Privacy
Operations
Benchmark Report (December 2018)

11. US vs. EU Requests
Source: Microsoft
EU
Citizens
US
Citizens
8 to 1
On average, businesses
receive eight privacy
requests from a US
Citizen for every one
request from an EU
citizen

12. Breaches in your
industry
Your
politics/public
statements
Your consumer
image
Factors Driving Requests

13. Consumer Group Targeting
• Consumer groups are gathering to
mass-submit requests
• Reduce effort by only processing
valid CCPA requests
• Could provide a bad consumer
image
Sample: TapMyData.com

14. How do I categorize my data?

15. • Contact Information
• Purchase History
• Geo-location
• Inference Data (Market
Segmentation)
• Internet Data (Click-streams, IP
address)
• Sensitive Data (CC, SSN)
• Media (Pictures, Audio, etc)
• Biometrics
• HR Information*
Recommended
Categorization

16. Custom Policy is Required
CCPA specifically prohibits all-
in-one generalized privacy
policies
• The categorization and
associated policy must be
specific to the consumer.
• List only the categories of
data you have on the
consumer, and how you are
using that consumer’s data.

17. How do I know if I’m selling data?

18. Movement of personal data to third
parties, even if not for a dollar value,
has implications for disclosure and
may require cooperation with the
third party for request fulfilment.
• Not just limited to transactions
involving monetary compensation
• Includes many non-monetary
transfers of data between 3rd
parties
• Includes transfers of data even
between internal business units

19. How do I validate a consumer’s identity?

20. First – SPAM/Fraud Prevention
Percentage of DSARs
that are spam or
autogenerated
Best Practice:
Use a verification code
sent to email/phone to
ensure legitimate
access.
60%
Source: Global CPG company
with >40k DSARs in 2018

21. Internal Verification
Ask for information you have
on file
• Account number
• Last purchase total

22. External Verification
Automatically validate
user identity via 3rd party
questions
Automatically validate
photo identification from
110 countries…without
receiving sensitive data

23. How do I reduce the number of requests?

24. Offer to address specific data

25. Offer to restrict use (opt-out) vs. delete

26. Inform the consumer of unintended consequences

27. How do I deal with 3rd party processors?

28. Considerations
• You may need to disclose to data subjects
to whom and from whom you transfer their
data.
• Track which fields are involved in third-
party transfers.
• You will need to include those 3rd party
sources or recipients of data in requests to
Delete/Do not Sell
• When requests come in, automatically
include those third parties in the request
fulfilment process or direct users to those
third parties.
• Log and record these interactions for proof

29. Use Email to Contact Vendors
• Do not send PI in email body
• Direct vendors to secure page

30. How do I handle the “Do Not Sell” requirement?

31. Definition of
“Prominent”
Required to be displayed on your
home page. Perhaps other places
• “anywhere data is collected”
• Anyone can click it, even non-
customers
Expect that…
• It will attract clicks
• It will be detected by bots

32. Option A
• Full-width banner
• Prominently
displayed on
homepage

33. Provide a simple form,
no need for a portal
IMPORTANT: Your form must inform the
consumer of all their rights under CCPA.

34. 4%Percentage of app users that
clicked on a prominent “Privacy
Policy” link during testing
Source: Large US Retailer

35. How do I handle highly sensitive data?

36. Due to the
sensitivity of the
data, you will not
disclose the
specific contents

37. Show the
consumer the
data, but show it
encrypted

38. How do I handle consumer questions about their data?

39. Educate your
consumers with
a portal

40. Explain how
you use the
data

41. And how you
acquired the
data

42. What kind of reporting do I need?

43. Not just a log…
But a ledger
• Ensure that your processing
history is immutable
• Do not store any PI in the
ledger, but ensure access to it
for legal

44. Most
Important

45. Other KPIs
Open
Requests
Requests by system
Requests by
type

46. Data Automation
Allow users to automatically
search, extract, delete, change
and present data to users
Secure Subject Access
Request Portal
Offer customers a self-serve
privacy experience
Consent Management
Let customers manage
consent in the same portal
Product Features
Scalable Privacy Rights Automation for the Enterprise
Identify Validation &
Security
Automated identity
validation with bank-level
security
Reporting & Audit
Trail
Automatically log everything
with detailed reporting
On-Premises Hosting
Capability to host in your
instance
The
Difference

47. Thank You!
Questions?
Contact John Campbell
jcampbell@intraedge.com