These are the top questions we are asked about the CCPA along with our recommendations based on our experience working with clients.
We reveal key innovations and approaches for CIOs/CISOs to consider when designing their privacy operations, enabling efficiency and secure auditability when dealing with individual rights requests, consent management and more.
Questions? Contact us here: hello@truyo.com
4. State of the States
Ranked on strength of their privacy regulations
truyo.com/states
5. CCPA Implementation Commonalities
Amendments
• Loyalty exemption (AB 846)
• Definition of publicly available information (AB 874)
• Private right of action – out for now
• No toll-free number to online only businesses (AB 1564)
• Does an individual have access to household (AB 25 – may be amended to address)
• Data source/rights/impact to disclosure (AB 873 – failed)
• Drafting errors (AB 1355)
• Reporting is defined only for large companies
Draft Regulations
• Process for verification and validation including non-accounts
• 3rd party obligations including delete & do not sell
• Definition of a sale
• Granular rejections (partial)
• Categories of information specific to a consumer
• Process around aggregators
• Lookback period clarification
• Reporting required if you have over 4M consumers in scope
6. Sampling of fines related to GDPR
• Google fined €50,000,000 by French DPA for inappropriate consent
• GDPR may add up to $8.8B Marriott’s data breach expenses
• After inspection, the Portuguese DPA found that the hospital's account management practices were deficient and imposed a fine of €400,000 on the hospital.
• French DPA fines Bouygues Telecom €250,000 for failing to protect personal data
• First enforcement action under GDPR against a data controller outside the EU: the UK's DPA served an enforcement notice on a Canadian political consultancy.
• France fines real estate company €400,000: the company's website easily allowed access to other individuals' information.
• As a result of an attack on British Airways' website, about 500,000 customer records were extracted by a malicious third party. Fined €183,000,000 (the largest fine to date)
“about half of the 200,000 complaints relate to the way subject access requests have been handled”
7. Top Questions Asked
1. How many requests can I expect?
2. How do I categorize my data?
3. How do I know if I am selling data?
4. How to validate a consumer’s identity?
5. How do I reduce the number of requests?
6. How do I deal with 3rd party processors?
7. How do I handle the “Do not Sell” requirement?
8. How to handle highly-sensitive data?
9. How do I handle consumer questions about their data?
10. What kind of reporting do I need?
8. I am not a lawyer
But I will tell you how others have implemented or interpreted privacy regulations
10. Results from GDPR
• 72%: at least 1 request per month
• 25%: at least 10 requests per month
• 9%: 100-10k requests per month
Source: IAPP/TrustArc Measuring Privacy Operations Benchmark Report (December 2018)
11. US vs. EU Requests
US Citizens vs. EU Citizens: 8 to 1
On average, businesses receive eight privacy requests from a US citizen for every one request from an EU citizen
Source: Microsoft
13. Consumer Group Targeting
• Consumer groups are gathering to mass-submit requests
• Reduce effort by only processing valid CCPA requests
• Could provide a bad consumer image
Sample: TapMyData.com
15. Recommended Categorization
• Contact Information
• Purchase History
• Geo-location
• Inference Data (Market Segmentation)
• Internet Data (Click-streams, IP address)
• Sensitive Data (CC, SSN)
• Media (Pictures, Audio, etc)
• Biometrics
• HR Information*
16. Custom Policy is Required
CCPA specifically prohibits all-in-one generalized privacy policies
• The categorization and associated policy must be specific to the consumer.
• List only the categories of data you have on the consumer, and how you are using that consumer's data.
18. Movement of personal data to third parties, even if not for a dollar value, has implications for disclosure and may require cooperation with the third party for request fulfilment.
• Not just limited to transactions involving monetary compensation
• Includes many non-monetary transfers of data between 3rd parties
• Includes transfers of data even between internal business units
20. First – SPAM/Fraud Prevention
Percentage of DSARs that are spam or autogenerated: 60%
Source: Global CPG company with >40k DSARs in 2018
Best Practice: Use a verification code sent to email/phone to ensure legitimate access.
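An added example of the verification-code check the slide recommends (illustration only, not the deck's or Truyo's code). It assumes a 6-digit code delivered to the email/phone already on file for the consumer, a 15-minute validity window and a 5-attempt limit; only an HMAC of the code is stored so a leaked store yields nothing usable.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed: a code is valid for 15 minutes
MAX_ATTEMPTS = 5             # assumed: lock the request after 5 bad guesses


class VerificationStore:
    """Pending one-time codes keyed by DSAR request id. The code itself is
    never stored, only its HMAC under a server-side key."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}   # request_id -> (code_mac, expires_at, attempts)

    def _mac(self, request_id: str, code: str) -> bytes:
        msg = f"{request_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, request_id: str, now: float = None) -> str:
        """Create a code for this request. The caller must send it to the
        contact details already on record, not to an address supplied in
        the request itself, otherwise the check proves nothing."""
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self._pending[request_id] = (self._mac(request_id, code),
                                     now + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, request_id: str, submitted: str, now: float = None) -> bool:
        """True only for a fresh, unexpired code with attempts remaining;
        a successful code is consumed so it cannot be replayed."""
        entry = self._pending.get(request_id)
        if entry is None:
            return False
        mac, expires_at, attempts = entry
        now = time.time() if now is None else now
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(request_id, None)
            return False
        ok = hmac.compare_digest(mac, self._mac(request_id, submitted))
        if ok:
            self._pending.pop(request_id, None)
        else:
            self._pending[request_id] = (mac, expires_at, attempts + 1)
        return ok
```

Requests that never complete this step are dropped before any data search starts, which is where the spam/autogenerated volume is filtered out.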
28. Considerations
• You may need to disclose to data subjects to whom and from whom you transfer their data.
• Track which fields are involved in third-party transfers.
• You will need to include those 3rd party sources or recipients of data in requests to Delete/Do not Sell
• When requests come in, automatically include those third parties in the request fulfilment process or direct users to those third parties.
• Log and record these interactions for proof
29. Use Email to Contact Vendors
• Do not send PI in email body
• Direct vendors to secure page
30. How do I handle the “Do Not Sell” requirement?
31. Definition of "Prominent"
Required to be displayed on your home page. Perhaps other places
• "anywhere data is collected"
• Anyone can click it, even non-customers
Expect that…
• It will attract clicks
• It will be detected by bots
43. Not just a log… But a ledger
• Ensure that your processing history is immutable
• Do not store any PI in the ledger, but ensure access to it for legal
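An added example of the ledger idea above (not the deck's or Truyo's code): each processing event is hash-chained to the previous one so any edit or deletion is detectable, and the consumer is recorded only as a keyed pseudonym. The pseudonym key is assumed to be held outside the ledger, so legal can re-derive a consumer's pseudonym from a known identifier without PI ever entering the ledger.

```python
import hashlib
import hmac
import json


class ProcessingLedger:
    """Append-only, hash-chained record of DSAR processing events."""
    GENESIS = "0" * 64

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key   # assumed: kept in a separate secret store
        self.entries = []

    def pseudonym(self, consumer_id: str) -> str:
        # Keyed, so the ledger alone cannot be brute-forced back to an email/phone.
        return hmac.new(self._key, consumer_id.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON of every field except the hash itself.
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def append(self, consumer_id: str, request_id: str, action: str,
               actor: str, timestamp: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "subject": self.pseudonym(consumer_id),
                 "request_id": request_id, "action": action, "actor": actor,
                 "timestamp": timestamp, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False if anything was altered,
        removed or reordered."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False
            prev = e["hash"]
        return True

    def history_for(self, consumer_id: str) -> list:
        """What legal/audit would pull: all events for one consumer."""
        p = self.pseudonym(consumer_id)
        return [e for e in self.entries if e["subject"] == p]
```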
46. Product Features
Scalable Privacy Rights Automation for the Enterprise
• Data Automation: Allow users to automatically search, extract, delete, change and present data to users
• Secure Subject Access Request Portal: Offer customers a self-serve privacy experience
• Consent Management: Let customers manage consent in the same portal
• Identity Validation & Security: Automated identity validation with bank-level security
• Reporting & Audit Trail: Automatically log everything with detailed reporting
• On-Premises Hosting: Capability to host in your instance
The Difference