
CCPA Basics – Who, What, Where, When, Why, How

Tanya Forsheit, Chair, Privacy & Data Security Group, Frankfurt Kurnit Klein & Selz

Beth Hill, General Counsel & Chief Compliance Officer, FordDirect

Maggie Mansourkia Mobley, Advisor, Privacy Matters

Privacy & Security Forum 2019, Pre-Conference Day Workshop

CCPA Basics

California Consumer Privacy Act

The Basics

• Signed into law June 28, 2018

• Technical amendments signed by Governor Brown September 23, 2018

• Additional amendments passed in September 2019 and likely to be signed by Governor Newsom in September or October 2019

• Takes effect January 1, 2020

• Enforcement begins 6 months after the AG issues final regulations or on July 1, 2020, whichever is sooner

To What Organizations Does the Law Apply?

• Entities that have annual gross revenues in excess of $25,000,000 – OR –

• Annually buy, receive, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers or households – OR –

• Derive 50 percent or more of their annual revenues from selling consumers’ personal information.

What is a Consumer?

• California Residents regardless of location

• Online and Offline

– Individual customers

– Website visitors

Amendments

Exemptions Until January 1, 2021

– Employees, Owners, Directors, Officers, Medical Staff Members, and Contractors

• AB 25, which passed the legislature in September 2019, amends the CCPA to exempt information collected by a business where the individual is acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business

• However, these individuals can still bring a private civil action for a data breach, and still have the right to know the categories of personal information to be collected from them

More Exemptions Until January 1, 2021

– Individual representatives of another business

– AB 1355, which passed the legislature in September 2019, exempts personal information reflecting a written or verbal communication or a transaction between the business and an individual, within the context of the business conducting due diligence or providing or receiving a product or service.

Exemptions Without Sunset

• Medical information governed by the CMIA or PHI collected by a HIPAA covered entity or business associate

• Personal information processing subject to the GLBA, CalFIPA, or the DPPA

• CRAs and similar with respect to personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living

What is Personal Information?

What is Personal Information? What is “De-identified” or “Aggregate”?

• Personal information - “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

– The word “reasonably” will be added by AB 874, assuming it is signed by Governor Newsom before Oct 13

• De-identified - Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.

• Aggregate - Information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.

Service Provider or Third Party?

Service Provider or Third Party

• Service Provider – Processes personal information on behalf of a business for a business purpose pursuant to a written contract

• Third Party – A person who is not (a) the business that collects personal information or (b) a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract includes certain prohibitions.

• Business purpose – use of information for operational purposes or other notified purposes, provided that the use is necessary and proportionate to achieve the operational purpose for which the information was collected, or another operational purpose that is compatible with it

Business Purposes

• Counting ad impressions, verifying positions and quality of ad impressions, and auditing compliance with ad standards

• Detecting security incidents and protecting against fraud

• Debugging

• Short-term, transient use, where the personal information is not disclosed to another third party or used to alter the consumer’s experience outside the current interaction, such as contextual advertising

• Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services

• Internal research

• To verify or maintain quality or safety

Consumer Rights

Consumer Rights

• Disclosures

– Specific pieces of information collected

– Categories of information used and shared for business purposes or commercial purposes, or sold

• Deletion

• Do Not Sell My Information

– Opt-in for kids under 16

– Parental opt-in for kids under 13

Do Not Sell Requests

Do Not Sell My Information

• A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.

• Parental opt-in for kids under 13

• Opt-in for kids 13-15

• A business must provide a clear and conspicuous link on the homepage titled “Do Not Sell My Personal Information”

What Does “Sell” Mean?

• Selling, renting, …

• disclosing, …

• disseminating, …

• making available, …

• transferring, or …

• otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party

• for monetary or other valuable consideration.

Financial Incentives

Financial Incentives

• A business may offer financial incentives for the collection, sale, and deletion of personal information.

• Must notify consumers and obtain opt-in consent.

• Must not discriminate against consumers that do not opt-in or who exercise their rights.

• However, a business can charge a different amount or offer a different level or quality of service if the differential treatment is reasonably related to the value provided to the business by the consumer’s data.

– Requires Governor Newsom to sign AB 1355 into law before Oct 13

Enforcement

Enforcement

• Civil penalties from CA AG action up to $2,500 per violation, and up to $7,500 for intentional violations.

• Private right of action only where nonencrypted and nonredacted personal information is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”

– statutory damages of $100 up to $750 per consumer, or actual damages, whichever is greater.

– 30 days’ written notice specifying violation and opportunity to cure prior to seeking statutory damages.

Q&A