As data sets and analytics sophistication grow, so do consumers' concerns about their privacy and what is being done with their personal information. Legislatures around the world are beginning to respond to these concerns. We present an overview of the General Data Protection Regulation and the California Consumer Protection Act to help companies comply with the law and engender trust with the consumers whose data they hold.
5. HOW DID WE GET HERE?
[Timeline slide, 1970–2020, with two tracks: Development of Information Technology (computer mainframes, PCs) and Concerns About Privacy. Privacy milestones shown: First DP law in the world (Hesse, Germany); EU Directive on Data Protection (’95); Safe Harbor; HIPAA (’96); COPPA (’98); Gramm-Leach-Bliley (’99); September 11th (2001); Safe Harbor invalidated (’15); Cambridge Analytica (’16); GDPR (’18); CCPA.]
6. • EUROPEAN UNION
• UNITED STATES
• JAPAN
• SOUTH KOREA
• BRAZIL
• NIGERIA
• AUSTRALIA
• THAILAND
8. GDPR IN A NUTSHELL
• DATA PROCESSING must be lawful, limited, accurate, secure and for an explicit purpose
• DATA SUBJECTS have rights
• DATA CONTROLLERS AND PROCESSORS have obligations of security and accountability
• RECORD KEEPING IS MANDATORY
9. DATA PROCESSING
• Must be
  • Lawful
  • Done for “specified, explicit and legitimate purposes”
  • Limited to what is necessary
  • Accurate and kept up to date
  • Erased after storage is no longer necessary
  • Secure
  • Subject to accountability
• 6 lawful bases for processing data
  • Informed consent
  • Performance of a contract
  • Compliance with legal obligations
  • Protection of the interests of a person
  • Performance of a task in the public interest
  • “Legitimate Interest of Processor”
11. OBLIGATIONS OF CONTROLLERS AND PROCESSORS
• Controllers – Responsible for “implementing appropriate technical and organizational measures which are designed to implement data-protection principles”
  • Security
  • Pseudonymization
  • Encryption
  • Disaster and Breach Response Plans
  • Regular Testing / Maintenance
  • Impact Assessments
• Processors – those who process data on behalf of Controllers
  • Vendor (Data Protection) Agreements
  • Compliance with Controller’s Security Protocols
  • Rapid Breach Notification
12. NOTICE REQUIREMENTS & RECORD KEEPING
• Contact information of the organization, and a responsible person inside the organization
• Categories of personal data processed
• Any processing of children’s data
• Categories of recipients of data
• Purpose of processing, explained in detail
• Existence of any data transfers to other countries
• Retention Periods
• Recipients of personal data
• Security and technical data protection measures
13. EXEMPTIONS
• Anonymized Data
• Public access to official documents
• Employee data
• Obligations of secrecy
• Scientific and historical research purposes or statistical purposes (in the public interest)
• Archiving in the public interest
• Churches and religious associations
15. TIMING FOR COMPLIANCE
• Effective Date – January 1, 2020
• Look-Back Period – 2019
• Rulemaking – Approximately July 2020
WHO HAS TO COMPLY?
• Businesses who:
  • Collect information on more than 50,000 CA residents, “households” or devices
  • Have $25 million or more in annual revenue
  • Derive half or more of revenue from selling Californians’ information
16. HEADLINE COMPLIANCE POINTS
• Definition of “personal information” is broad
• Like GDPR, consumers have rights
• If a company is collecting data, notice to consumers is required:
  • What was collected
  • For what purpose
  • To whom it was shared, and for what purpose
  • To whom it was sold
• A CONSUMER MAY OPT-OUT OF HAVING THEIR INFORMATION SOLD, AND CAN’T BE DISCRIMINATED AGAINST
17. OTHER STATE LAWS
• Vermont – Data Brokers must register and pay a fee
• Nevada – Disclose whether third parties can collect information from a consumer-facing website (“cookie notice”)
• Florida – In the event of a data breach, the data breach policy must be in writing and must be demonstrably followed
18. SO WHAT’S A DATA HOLDER TO DO?
• Create a Concise Privacy Notice and Robust Internal Policies
• Keep Good Records
• Comply with Data Subject Requests
• Educate your team
• Don’t Keep Secrets
• Keep your Promises
19. HERE TO HELP!
• Tara Aaron, CIPP/US, CIPP/E
• Aaron | Sanders Law PLLC
• tara@aaronsanderslaw.com
• www.aaronsanderslaw.com
Editor's Notes
What it doesn’t allow data subjects to do is opt out of lawful processing completely (except in a couple of circumstances)
Vendor Agreements
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (This is the Data Security Principle)
Basic Security Protocols are also going to include employee training, user authentication, access controls, firewalls, software updates, virus control. GDPR doesn’t spell it out, but for example, if you’re ISO 27000 compliant, or HIPAA compliant, it’s likely that your security protocols are sufficient.
There are U.S. state laws that mean you should also have a written data breach policy as well, and we’ll get to those.
Major difference between the GDPR and the California law – consumers can opt out of all sale of data
These are collective numbers, so basically if you have the information of more than 16,666 Californians, and that information includes IP addresses, this applies to you.
Definition of “sale” is super broad. Any transfer for consideration, except to service providers (those who help with internal business).
Determining if information is being sold to a service provider. -- May have to re-do contracts with service providers.
Keep California separate? The ‘do not sell’ button is only required for California residents, but Bailey said many companies plan to offer it to all U.S. users. ”Will I selectively display this link? Am I going to show it to everyone who comes to my website?” Bailey said. “Or am I going to somehow try to fence off California citizens and only show them the link? … For this particular use case, it’s a hard thing to do.”
Verify users’ identity. If companies do choose to keep California residents separate, they’ll need to identify which consumers are from the state, the privacy professionals said, and that can get complicated. Leipzig advised against collecting data such as uploaded driver’s license photos; it just adds to the data a company needs to protect. At a minimum, Bailey said websites should include CAPTCHA tests and emailed verification to prevent bots from spamming ‘do not sell’ links.
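The emailed-verification step recommended above (and the “Comply with Data Subject Requests” point on slide 18) can be done without collecting any new identity data: the consumer submits only an e-mail address, receives a link carrying a keyed, expiring, single-use token, and the opt-out is recorded when the link is used. The following is an added example, not code from the deck or from any of the people quoted; it assumes the site already has the e-mail address on file, and leaves mail delivery and the CAPTCHA check outside the snippet.

```python
"""Email-verified 'Do Not Sell' opt-out that stores only the e-mail address."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed key for the demo; in production load it from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60          # short-lived: the link must be used promptly
_consumed_nonces: set = set()        # single-use: replaying a link is rejected
opt_outs: set = set()                # the only record kept: the normalised e-mail


def _normalize(email: str) -> str:
    return email.strip().lower()


def _mac(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(email: str, now: Optional[float] = None) -> str:
    """Bind a token to the e-mail address, an expiry time and a fresh nonce."""
    now = int(time.time() if now is None else now)
    expiry = now + TOKEN_TTL_SECONDS
    payload = f"{_normalize(email)}|{expiry}|{secrets.token_urlsafe(16)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload)


def confirm_opt_out(email: str, token: str, now: Optional[float] = None) -> str:
    """Validate the emailed token and record the opt-out; return 'ok' or a reason."""
    now = int(time.time() if now is None else now)
    try:
        encoded, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
        tok_email, expiry, nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return "malformed"
    if not hmac.compare_digest(mac, _mac(payload)):   # constant-time comparison
        return "bad-signature"
    if tok_email != _normalize(email):                  # link must match the requester
        return "email-mismatch"
    if now > int(expiry):
        return "expired"
    if nonce in _consumed_nonces:
        return "already-used"
    _consumed_nonces.add(nonce)
    opt_outs.add(tok_email)
    return "ok"
```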
If you’re in the business of collecting and selling information about data subjects that your company does not have a direct relationship with, and any of those subjects are from Vermont, you need to be registered in Vermont.
Nevada’s law is narrower – it only applies to sites that sell goods and services to consumers. So it applies to Amazon, but not Twitter. We didn’t get to say a lot about cookie notices today – the EU is pretty soon going to be making a new regulation that will require cookie controls to be available at the browser level.
Florida’s fines are up to half a million dollars.