© 2019 TrustArc Inc Proprietary and Confidential Information
10 Steps to CCPA Compliance - Building
and Implementing a CCPA Privacy Program
17 April 2019
Thank you for joining the webinar “10 Steps to
CCPA Compliance - Building and Implementing
a CCPA Privacy Program”
• We will be starting a couple of minutes after the hour
• This webinar will be recorded and the recording
and slides sent out later today
• Please use the GotoWebinar control panel on the
right hand side to submit any questions for the
speakers
Today’s Speakers
Reed Freeman
Partner
Co-Chair - Big Data Practice
Wilmerhale
Janalyn Schreiber, CIPM, CISSP
Senior Privacy Consultant
TrustArc
Today’s Agenda
• Welcome and Introductions
• CCPA Overview
• Legal Obligations & Prohibitions
• Definitions
• Open Issues
• Benchmarking CCPA Readiness
• Building and Implementing a CCPA Privacy Program: 10 Steps to CCPA Compliance
• Questions
CCPA Overview
California Consumer Privacy Act (CCPA)
• Set to be the toughest privacy law in the United States
• Impacts any business, whether in the U.S., Europe, Asia, or elsewhere, that
has customers or employees located in California
• Broadly expands rights of consumers and requires businesses within scope
to be significantly more transparent about how they collect, use, and disclose
personal information
• All “in scope businesses” need to enhance data management practices,
expand individual rights processes, and update privacy policies by the
deadline
“The new GDPR”
• June 28, 2018: State of California
passes California Consumer Privacy
Act (CCPA)
• Slated to go into effect January 1,
2020
CCPA – What Companies Are Covered?
• “Business” is any entity that collects personal information
about California residents and makes decisions (alone or
jointly with others) about how and why the personal
information is processed, if the business either –
– (a) has annual gross revenues over $25 million OR
– (b) annually buys, sells, shares, or receives personal information
of 50,000+ consumers, OR
– (c) derives 50% or more of annual revenue from selling personal
information.
Why Comply?
• Under the CCPA, businesses are subject to civil action by the
California Attorney General’s Office and can face penalties of
up to $7,500 per intentional violation or $2,500 per
unintentional violation.
Example: 1,000 records = $7.5M fine
• The CCPA also provides a private right of action to
California residents where their personal information is
subject to unauthorized access, theft, or disclosure. Under this
businesses could face paying between $100 to $750 per
resident or incident (regardless of whether actual
damages are shown)
Fines, sanctions, loss of goodwill
Legal Obligations & Prohibitions
Legal Obligations & Prohibitions –
Disclosure of personal information collected
“Businesses” that sell personal information or that disclose it for a
business purpose must, in response to a verified request from a
consumer, disclose:
• Categories of personal information that the business collected about the consumer;
• Categories of personal information that the business sold about the consumer and the
categories of third parties to whom the personal information was sold, by category or
categories of personal information for each third party to whom the personal
information was sold; or if the business has not sold consumers’ personal information, it
shall disclose that fact; and
• Categories of personal information that the business disclosed about the consumer for
a business purpose; or if the business has not disclosed the consumers’ personal
information for a business purpose, it shall disclose that fact.
(1798.115, 1798.130(a)(4), (a)(5)(C))
Note: Data mapping against definition of “personal information” is extremely
difficult! Awaiting clarification from the AG on what constitutes a “verified request.”
Legal Obligations & Prohibitions –
Deletion of personal information
“Businesses” must, in response to a verifiable consumer request, delete
personal information of the requester and make sure service providers do as
well, with certain exceptions. (1798.105(a),(c)-(d))
• The California AG must adopt regulations to clarify what is a “verifiable consumer
request”
• The CCPA states it “shall not be construed to require a business to reidentify or
otherwise link information that is not maintained in a manner that would be
considered personal information.” (1798.145(i)) (But see extremely broad definition
of personal information)
Note: Compliance depends on data mapping. Deleting all “personal
information” is also extremely difficult!
Legal Obligations & Prohibitions –
Opt-out for sales of personal information
“Businesses” may not sell personal information without
giving notice and a chance for affected consumers to opt out.
• “Businesses” must place a link on their website homepage
titled “Do Not Sell My Personal Information” that redirects to
a webpage that enables a consumer to opt-out of the sale of the
consumer’s personal information.
• The business cannot require consumers to create an account in
order to opt-out of the sale of their personal information.
(1798.120, 1798.115(d), 1798.135)
Legal Obligations & Prohibitions –
Enhanced disclosures of privacy rights and
practices
“Businesses” must disclose in their online privacy policy or
California-specific description of consumer privacy rights
consumers’ rights under the CCPA and the methods for
exercising those rights, as well as the categories of personal
information the business collects, sells, or discloses for
business purposes. (1798.130(a)(5))
• The notices must be updated annually.
Definitions
Definitions – “personal information”
“Personal information” means information that identifies, relates to, describes, is capable of
being associated with, or could reasonably be linked, directly or indirectly, with a particular
consumer or household. (1798.140(o)(1))
Includes, but is not limited to, the following, if they meet the test above:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier,
Internet Protocol address, email address, account name, social security number, driver’s license
number, passport number, or other similar identifiers.
(D) Commercial information, including records of personal property, products or services purchased,
obtained, or considered, or other purchasing or consuming histories or tendencies.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history,
search history, and information regarding a consumer’s interaction with an Internet Web site, application,
or advertisement.
(G) Geolocation data.
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a
consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions,
behavior, attitudes, intelligence, abilities, and aptitudes.
Conclusion: Everything.
Definitions – “sell”
“Sell” – It’s Not Your Mother’s Definition
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating,
making available, transferring, or otherwise communicating orally, in writing, or by electronic or
other means, a consumer’s personal information by the business to another business or a third
party for monetary or other valuable consideration. (1798.140(t)(1))
The CCPA contains various exemptions to the definition of “sell,”
including:
• Sharing based on consumer consent: A consumer uses or directs the business to
intentionally disclose personal information or uses the business to intentionally interact
with a third party, provided the third party does not also sell the personal information,
unless that disclosure would be consistent with the provisions of this title.
(1798.140(t)(2)(A))
• Sharing for opt-outs (1798.140(t)(2)(B))
• Sharing with service providers: The business uses or shares with a service provider
personal information of a consumer that is necessary to perform a business purpose if
(i) the business has provided notice that information being used or shared in its terms
and conditions; and (ii) the service provider does not further collect, sell, or use the
personal information of the consumer except as necessary to perform the business
purpose. (1798.140(t)(2)(C))
Definitions – “service provider” and
“business purpose”
“Service provider” is defined as: A for-profit entity that “processes information on behalf
of a business and to which the business discloses a consumer’s personal information for a
business purpose pursuant to a written contract, provided that the contract prohibits the
entity receiving the information from retaining, using, or disclosing the personal information
for any purpose other than for the specific purpose of performing the services specified in
the contract for the business, or as otherwise permitted by this title, including retaining,
using, or disclosing the personal information for a commercial purpose other than providing
the services specified in the contract with the business.” (1798.140(v))
“Business purpose” means the use of personal information for the business’s or a
service provider’s operational purposes, or other notified purposes, provided that the use of
personal information shall be reasonably necessary and proportionate to achieve the
operational purpose for which the personal information was collected or processed or for
another operational purpose that is compatible with the context in which the personal
information was collected. (1798.140(d))
Open Issues
Open Issues – Interpretation
• Does the CCPA apply to employee data?
– A.B. 25 (in Assembly Privacy; set for hearing 4/23)
would add exemption for job applicants, employees,
contractors, and agents.
– Could be clarified by AG in rulemaking (though no
specific statutory authorization to do so).
• Does the $25 million revenue threshold apply
to California revenue only?
– If not, CCPA could apply to a company based on a
single sale to California.
– Could be clarified by AG in rulemaking (though no
specific statutory authorization to do so).
Open Issues – Interpretation (cont’d.)
• What obligations do service providers have?
– Can an entity be both a “service provider” and a “business”
in relation to the same data?
– No specific requirement for service providers to handle or
pass along requests if they are not “businesses.”
– May be clarified by AG rulemaking.
• How should a business verify consumer
requests?
– Law prohibits requiring consumers to create an account.
– Consumers can authorize third parties to make requests.
– AG authorized to create rules on this topic.
Open Issues – Amendments
• Should businesses always be required to turn over
“specific pieces” of information?
– Businesses could be required to turn over data to another person
who shares a device with a consumer, or who is part of their
household.
– Businesses that turn over sensitive information to the wrong
person could face liability.
– A.B. 25 or A.B. 873 (both in Assembly Privacy; set for hearing
4/23) may modify this.
• Should the private right of action be expanded?
– S.B. 561 (passed Senate Judiciary, pending in Appropriations)
would create private right of action for all violations of CCPA.
– A.B. 1760 (in Assembly Privacy; set for hearing 4/23) would create
private right of action for all violations of CCPA and allow
enforcement by city attorneys.
Benchmarking CCPA Readiness
CCPA compliance is starting to progress
Nearly half have started, but only 14% are done
Survey question: Which of the following best describes the state of your company's CCPA compliance?
• We have not started: 16%
• We are working on our preliminary plan: 28%
• We have a plan in place but have not started implementation: 9%
• We have started our implementation: 19%
• Our implementation is well underway: 16%
• We are done and are fully CCPA compliant: 14%
Companies need wide range of CCPA help
64% need help developing their CCPA privacy plan
Survey question: For each of the following data privacy tasks please indicate the amount of
additional help you will need to accomplish these tasks in 2019.
Results (Need significant help / Need some help / Do not need help):
• Manage cookie consent: 13% / 38% / 49%
• Creating a vendor risk management program: 14% / 38% / 47%
• Creating data inventory and maps: 15% / 40% / 45%
• Manage direct marketing consent: 14% / 42% / 43%
• Managing privacy incidents and breach notification: 12% / 45% / 43%
• Meeting regulatory reporting requirements: 15% / 44% / 42%
• Managing privacy complaints and individual rights / DSARs: 15% / 44% / 41%
• Implementing privacy by design / privacy engineering: 9% / 51% / 39%
• Demonstrate GDPR compliance (External Certification of Validation): 18% / 44% / 38%
• Addressing international data transfer (Privacy Shield, APEC CBPR, BCRs, etc.): 18% / 45% / 37%
• Developing a CCPA privacy plan: 14% / 50% / 36%
• Conducting privacy risk assessments, PIAs, DPIAs: 16% / 48% / 36%
Wide range of CCPA investments planned
72% plan to invest in technology to prepare for CCPA
Survey question: What areas will your company be investing in to prepare for CCPA?
• Technology and tools: 72%
• Consultants: 61%
• External legal expertise: 55%
• Internal hiring: 45%
• Other: 2%
• We are not making any CCPA investments: 5%
CCPA costs expected to be significant
71% expect to spend more than six figures
1 in 5 expect to spend over $1 million
Survey question: Approximately how much does your company expect to invest in
CCPA-related privacy compliance expenses in 2019? (Include all internal and external
personnel, training, consulting, legal advice, technology, tools, and other costs in your estimate.)
• Nothing: 3%
• Less than $100,000: 26%
• Between $100,000 and $500,000: 32%
• Between $500,000 and $1,000,000: 20%
• Between $1,000,000 and $5,000,000: 15%
• More than $5,000,000: 4%
Building & Implementing a
CCPA Compliance Program
CCPA Compliance Roadmap
Program phases:
• Build Program and Team
• Assess Risks and Create Awareness
• Design and Implement Operational Controls
• Manage and Enhance Controls
• Demonstrate Ongoing Compliance
Roadmap activities:
• Identify Stakeholders
• Appoint Champion
• Define Program Mission & Goals
• Allocate Resources & Budget
• Conduct Data Inventory & Data Flow Analysis
• Conduct Risk Assessment & Identify Gaps
• Conduct PIAs
• Communicate Expectations & Conduct Training
• Develop Policies, Procedures & Processes
• Privacy Notice
• Obtain & Manage Consent
• Individual Data Protection Rights
• Data Necessity, Retention & Disposal
• Data Integrity & Quality
• Data Transfers & 3rd Party Management
• Physical, Technical & Administrative Safeguards
• Data Breach Incident Response Plan
• Dispute Resolution Mechanism
• Evaluate & Audit Control Effectiveness
• Internal & External Reporting
CCPA – Where to Focus
Individual Rights
Category: Individual Rights: Data Portability and Data Access
Requirement: The CCPA provides consumers the rights of Access and Data Portability.
Consumers have the right to obtain from a business their personal information, including:
• the categories and specific pieces of information collected;
• the categories of third parties with whom information is shared; and
• the categories of sources from which the information was collected.
Consumers also have the right to obtain their personal information in a format that allows the
consumer to transmit it to another organization.
Businesses need to respond within 45 days.
Best Practice: The GDPR and CCPA both have the individual rights of Access and Data Portability.
• Ensure that these types of requests are managed and your processes documented.
• Review your current process and mechanisms to respond to access requests.
• Assess their efficacy.
• Address compliance gaps and use technology tools to automate manual processes to scale and simplify.
CCPA – Where to Focus
Individual Rights
Category: Individual Rights: Deletion
Requirement: The CCPA provides consumers the right of Deletion.
Consumers may request that businesses delete their personal information.
Best Practice: The GDPR and the CCPA both have deletion obligations.
• Review the types of data your company retains, and the legal bases for processing it.
• Ensure effective processes and mechanisms are in place to respond to deletion requests.
• Address compliance gaps and use technology tools to automate manual processes to scale and simplify.
CCPA 10 Step Compliance Plan
1. Conduct a CCPA Threshold Assessment – does CCPA apply to
any part of the business? Are the applicable requirements related
to Data Collection, Data Sale, or Both?
2. Conduct a GDPR-CCPA Readiness Assessment – perform a gap
analysis against current Individual Rights Management Policies
and Procedures, Transparency Practices, and the Security
Program.
3. Build, Review & Update the Data Inventory – document all
information needed to comply with CCPA (including the 12 month
look back requirements), creating Data Flow Maps representing
the business processes relevant to the collection, sale, and
disclosure of personal information.
CCPA 10 Step Compliance Plan
4. Evaluate All In-scope Records – leverage the Data Inventory to
determine which CCPA Individual Rights apply to each – and
which involve minors!
5. Review the definition of “Sale” under CCPA and identify
impacted processes.
6. Update Data Subject Access Request Policies & Procedures
to include additional CCPA requirements and develop
mechanisms to effectively manage, track and fulfill incoming
requests.
CCPA 10 Step Compliance Plan
7. Update Externally Facing Privacy Policies & Notices – include
required disclosures and information about any financial incentives,
including 12 month look-back requirements.
8. Update Vendor Data Processing Addendums & Other Third-Party
Contracts to address CCPA obligations.
9. Review IT Systems for current security controls and functionality;
identify which need updates to comply with CCPA and support
Individual Rights.
10. Collaborate cross-functionally to drive compliance plans.
Questions?
Contacts
Reed Freeman reed.freeman@wilmerhale.com
Janalyn Schreiber jschreiber@trustarc.com
Thank You!
Register now for the next webinar in our 2019 Winter / Spring
Webinar Series “Putting your Data Inventory to Work: Getting a
Return on your Investment” on May 22, 2019.
See http://www.trustarc.com/insightseries for the 2019
Privacy Insight Series and past webinar recordings.
Appendix: Research Methodology
Goal: The primary research goal was to understand readiness and plans for CCPA
(California Consumer Privacy Act) and compare to GDPR readiness.
Methodology: An online survey was fielded to independent databases of IT and
privacy/legal professionals with responsibility for privacy at companies in the
United States required to meet CCPA compliance. The survey was fielded from
Feb 15th to 27th, 2019. Certain questions were repeated from a similar 2018 GDPR
survey to understand trends.
Participants: 250 qualified individuals completed the survey. All had responsibility
for privacy as a significant part of their job at companies of 500 employees or more,
were aware of the CCPA and all were required to comply with it.
Individuals Represented
Mix of CCPA + GDPR impacted companies and companies only impacted by CCPA*;
mix of Legal, IT, and Privacy roles.
Applicable Regulations:
• CCPA and GDPR: 50%
• CCPA only: 50%
*This even split is the result of planned requirements to enable some GDPR related
analysis. During fielding about 70-80% of CCPA-impacted companies reported that
they were impacted by GDPR.
Department (IT / Legal / Dedicated Compliance or Privacy):
• CCPA-Only: 55% / 30% / 14%
• CCPA + GDPR: 50% / 39% / 11%
• All: 53% / 35% / 13%
Individuals Represented
Mix of job levels represented across study; privacy management was 25% or more of
each participant’s job.
Job Level (Executive / Team manager / Individual contributor):
• CCPA-Only: 40% / 38% / 22%
• CCPA + GDPR: 38% / 44% / 17%
• All: 39% / 41% / 20%
Privacy Role (Data privacy is my entire job / Data privacy is an important part of
my job (more than 25%)):
• CCPA-Only: 27% / 73%
• CCPA + GDPR: 31% / 69%
• All: 29% / 71%
Companies Represented
Range of company sizes over 500 employees represented; range of industries
including mix of highly regulated and less regulated.
Company Size, # of employees (500 - 1,000 / 1,000 - 5,000 / 5,000 - 10,000 /
10,000 - 50,000 / More than 50,000):
• CCPA-Only: 34% / 37% / 16% / 6% / 6%
• CCPA + GDPR: 20% / 41% / 10% / 17% / 12%
• All: 27% / 39% / 13% / 12% / 9%
Industry:
• Other: 6%
• Food and Beverage: 1%
• Media: 1%
• Hospitality and Entertainment: 2%
• Transportation: 2%
• Aerospace and Defense: 4%
• Internet and E-commerce: 4%
• Telecommunications: 4%
• Retail: 4%
• Consumer Products: 4%
• Education: 4%
• Business Services: 13%
• Manufacturing: 15%
• Technology: 18%
Highly regulated industries (grouped in the chart):
• Energy and Utilities: 1%
• Healthcare and Pharmaceutical: 6%
• Financial and Insurance Services: 12%

 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy Compliance
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy Certifications
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI Governance
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To Know
 

Dernier

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Dernier (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

2019 04-17 10 steps to ccpa compliance

1. 10 Steps to CCPA Compliance - Building and Implementing a CCPA Privacy Program
   17 April 2019
   © 2019 TrustArc Inc Proprietary and Confidential Information

2. Thank you for joining the webinar “10 Steps to CCPA Compliance - Building and Implementing a CCPA Privacy Program”
   • We will be starting a couple minutes after the hour
   • This webinar will be recorded and the recording and slides sent out later today
   • Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers

3. Today’s Speakers
   • Reed Freeman, Partner, Co-Chair - Big Data Practice, WilmerHale
   • Janalyn Schreiber, CIPM, CISSP, Senior Privacy Consultant, TrustArc

4. Today’s Agenda
   • Welcome and Introductions
   • CCPA Overview
   • Legal Obligations & Prohibitions
   • Definitions
   • Open Issues
   • Benchmarking CCPA Readiness
   • Building and Implementing a CCPA Privacy Program: 10 Steps to CCPA Compliance
   • Questions

5. CCPA Overview

6. California Consumer Privacy Act (CCPA) – “The new GDPR”
   • June 28, 2018: State of California passes California Consumer Privacy Act (CCPA)
   • Slated to go into effect January 1, 2020
   • Set to be the toughest privacy law in the United States
   • Impacts any business, whether in the U.S., Europe, Asia, or elsewhere, that has customers or employees located in California
   • Broadly expands rights of consumers and requires businesses within scope to be significantly more transparent about how they collect, use, and disclose personal information
   • All “in scope businesses” need to enhance data management practices, expand individual rights processes, and update privacy policies by the deadline
7. CCPA – What Companies Are Covered?
   • “Business” is any entity that collects personal information about California residents and makes decisions (alone or jointly with others) about how and why the personal information is processed, if the business either:
     – (a) has annual gross revenues over $25 million, OR
     – (b) annually buys, sells, shares, or receives personal information of 50,000+ consumers, OR
     – (c) derives 50% or more of annual revenue from selling personal information.

8. Why Comply? – Fines, sanctions, loss of goodwill
   • Under the CCPA, businesses are subject to civil action by the California Attorney General’s Office and can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation. Example: 1000 records = $7.5M fine
   • The CCPA also provides a private right of action to California residents where their personal information is subject to unauthorized access, theft, or disclosure. Under this, businesses could face paying between $100 and $750 per resident or incident (regardless of whether actual damages are shown)

9. Legal Obligations & Prohibitions

10. Legal Obligations & Prohibitions – Disclosure of personal information collected
   “Businesses” that sell personal information or that disclose it for a business purpose must, in response to a verified request from a consumer, disclose:
   • Categories of personal information that the business collected about the consumer;
   • Categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; or if the business has not sold consumers’ personal information, it shall disclose that fact; and
   • Categories of personal information that the business disclosed about the consumer for a business purpose; or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.
   (1798.115, 1798.130(a)(4), (a)(5)(C))
   Note: Data mapping against the definition of “personal information” is extremely difficult! Awaiting clarification from the AG on what constitutes a “verified request.”

11. Legal Obligations & Prohibitions – Deletion of personal information
   “Businesses” must, in response to a verifiable consumer request, delete personal information of the requester and make sure service providers do as well, with certain exceptions. (1798.105(a), (c)-(d))
   • The California AG must adopt regulations to clarify what is a “verifiable consumer request”
   • The CCPA states it “shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.” (1798.145(i)) (But see the extremely broad definition of personal information)
   Note: Compliance depends on data mapping. Deleting all “personal information” is also extremely difficult!

12. Legal Obligations & Prohibitions – Opt-out for sales of personal information
   “Businesses” may not sell personal information without giving notice and a chance for affected consumers to opt out.
   • “Businesses” must place a link on their website homepage titled “Do Not Sell My Personal Information” that redirects to a webpage that enables a consumer to opt out of the sale of the consumer’s personal information.
   • The business cannot require consumers to create an account in order to opt out of the sale of their personal information.
   (1798.120, 1798.115(d), 1798.135)

13. Legal Obligations & Prohibitions – Enhanced disclosures of privacy rights and practices
   “Businesses” must disclose, in their online privacy policy or California-specific description of consumer privacy rights, consumers’ rights under the CCPA and the methods for exercising those rights, as well as the categories of personal information the business collects, sells, or discloses for business purposes. (1798.130(a)(5))
   • The notices must be updated annually.
14. Definitions

15. Definitions – “personal information”
   “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. (1798.140(o)(1))
   Includes, but is not limited to, the following, if they meet the test above:
   • (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
   • (D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
   • (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
   • (G) Geolocation data.
   • (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
   Conclusion: Everything.

16. Definitions – “sell” (It’s Not Your Mother’s Definition)
   “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. (1798.140(t)(1))
   The CCPA contains various exemptions to the definition of “sell,” including:
   • Sharing based on consumer consent: A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. (1798.140(t)(2)(A))
   • Sharing for opt-outs (1798.140(t)(2)(B))
   • Sharing with service providers: The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if (i) the business has provided notice that information is being used or shared in its terms and conditions; and (ii) the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose. (1798.140(t)(2)(C))
17. Definitions – “service provider” and “business purpose”
   “Service provider” is defined as a for-profit entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.” (1798.140(v))
   “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. (1798.140(d))
18. Open Issues

19. Open Issues – Interpretation
   • Does the CCPA apply to employee data?
     – A.B. 25 (in Assembly Privacy; set for hearing 4/23) would add an exemption for job applicants, employees, contractors, and agents.
     – Could be clarified by the AG in rulemaking (though no specific statutory authorization to do so).
   • Does the $25 million revenue threshold apply to California revenue only?
     – If not, the CCPA could apply to a company based on a single sale to California.
     – Could be clarified by the AG in rulemaking (though no specific statutory authorization to do so).

20. Open Issues – Interpretation (cont’d.)
   • What obligations do service providers have?
     – Can an entity be both a “service provider” and a “business” in relation to the same data?
     – No specific requirement for service providers to handle or pass along requests if they are not “businesses.”
     – May be clarified by AG rulemaking.
   • How should a business verify consumer requests?
     – Law prohibits requiring consumers to create an account.
     – Consumers can authorize third parties to make requests.
     – AG authorized to create rules on this topic.

21. Open Issues – Amendments
   • Should businesses always be required to turn over “specific pieces” of information?
     – Businesses could be required to turn over data to another person who shares a device with a consumer, or who is part of their household.
     – Businesses that turn over sensitive information to the wrong person could face liability.
     – A.B. 25 or A.B. 873 (both in Assembly Privacy; set for hearing 4/23) may modify this.
   • Should the private right of action be expanded?
     – S.B. 561 (passed Senate Judiciary, pending in Appropriations) would create a private right of action for all violations of the CCPA.
     – A.B. 1760 (in Assembly Privacy; set for hearing 4/23) would create a private right of action for all violations of the CCPA and allow enforcement by city attorneys.
22. Benchmarking CCPA Readiness

23. CCPA compliance is starting to progress – Nearly half have started, but only 14% are done
   Which of the following best describes the state of your company's CCPA compliance?
   • We have not started: 16%
   • We are working on our preliminary plan: 28%
   • We have a plan in place but have not started implementation: 9%
   • We have started our implementation: 19%
   • Our implementation is well underway: 16%
   • We are done and are fully CCPA compliant: 14%

24. Companies need a wide range of CCPA help – 64% need help developing their CCPA privacy plan
   For each of the following data privacy tasks please indicate the amount of additional help you will need to accomplish these tasks in 2019 (need significant help / need some help / do not need help):
   • Manage cookie consent: 13% / 38% / 49%
   • Creating a vendor risk management program: 14% / 38% / 47%
   • Creating data inventory and maps: 15% / 40% / 45%
   • Manage direct marketing consent: 14% / 42% / 43%
   • Managing privacy incidents and breach notification: 12% / 45% / 43%
   • Meeting regulatory reporting requirements: 15% / 44% / 42%
   • Managing privacy complaints and individual rights / DSARs: 15% / 44% / 41%
   • Implementing privacy by design / privacy engineering: 9% / 51% / 39%
   • Demonstrate GDPR compliance (External Certification of Validation): 18% / 44% / 38%
   • Addressing international data transfer (Privacy Shield, APEC CBPR, BCRs, etc.): 18% / 45% / 37%
   • Developing a CCPA privacy plan: 14% / 50% / 36%
   • Conducting privacy risk assessments, PIAs, DPIAs: 16% / 48% / 36%

25. Wide range of CCPA investments planned – 72% plan to invest in technology to prepare for CCPA
   What areas will your company be investing in to prepare for CCPA?
   • Technology and tools: 72%
   • Consultants: 61%
   • External legal expertise: 55%
   • Internal hiring: 45%
   • Other: 2%
   • We are not making any CCPA investments: 5%

26. CCPA costs expected to be significant – 71% expect to spend more than six figures; 1 in 5 expect to spend over $1 million
   Approximately how much does your company expect to invest in CCPA-related privacy compliance expenses in 2019? (Include all internal and external personnel, training, consulting, legal advice, technology, tools, and other costs in your estimate.)
   • Nothing: 3%
   • Less than $100,000: 26%
   • Between $100,000 and $500,000: 32%
   • Between $500,000 and $1,000,000: 20%
   • Between $1,000,000 and $5,000,000: 15%
   • More than $5,000,000: 4%
27. Building & Implementing a CCPA Compliance Program

28. CCPA Compliance Roadmap
   • Build Program and Team: Identify Stakeholders; Allocate Resources & Budget; Appoint Champion; Define Program Mission & Goals
   • Assess Risks and Create Awareness: Conduct Data Inventory & Data Flow Analysis; Conduct Risk Assessment & Identify Gaps; Develop Policies, Procedures & Processes; Communicate Expectations & Conduct Training
   • Design and Implement Operational Controls: Obtain & Manage Consent; Data Transfers & 3rd Party Management; Individual Data Protection Rights; Physical, Technical & Administrative Safeguards
   • Manage and Enhance Controls: Conduct PIAs; Data Necessity, Retention & Disposal; Data Integrity & Quality; Data Breach Incident Response Plan
   • Demonstrate Ongoing Compliance: Evaluate & Audit Control Effectiveness; Internal & External Reporting; Privacy Notice; Dispute Resolution Mechanism

29. CCPA – Where to Focus: Individual Rights
   Category: Individual Rights: Data Portability and Data Access
   Requirement: The CCPA provides consumers the rights of Access and Data Portability. Consumers have the right to obtain from a business their personal information, including:
   • the categories and specific pieces of information collected;
   • the categories of third parties with whom information is shared; and
   • the categories of sources from which the information was collected.
   Consumers also have the right to obtain their personal information in a format that allows the consumer to transmit it to another organization. Businesses need to respond within 45 days.
   Best Practice: The GDPR and CCPA both have the individual rights of Access and Data Portability. Ensure that these types of requests are managed and your processes documented. Review your current process and mechanisms to respond to access requests. Assess their efficacy. Address compliance gaps and use technology tools to automate manual processes to scale and simplify.

30. CCPA – Where to Focus: Individual Rights
   Category: Individual Rights: Deletion
   Requirement: The CCPA provides consumers the right of Deletion. Consumers may request that businesses delete their personal information.
   Best Practice: The GDPR and the CCPA both have deletion obligations. Review the types of data your company retains, and the legal bases for processing it. Ensure effective processes and mechanisms are in place to respond to deletion requests. Address compliance gaps and use technology tools to automate manual processes to scale and simplify.

31. CCPA 10 Step Compliance Plan
   1. Conduct a CCPA Threshold Assessment – does the CCPA apply to any part of the business? Are the applicable requirements related to Data Collection, Data Sale, or Both?
   2. Conduct a GDPR-CCPA Readiness Assessment – perform a gap analysis against current Individual Rights Management Policies and Procedures, Transparency Practices, and the Security Program.
   3. Build, Review & Update the Data Inventory – document all information needed to comply with the CCPA (including the 12 month look-back requirements), creating Data Flow Maps representing the business processes relevant to the collection, sale, and disclosure of personal information.

32. CCPA 10 Step Compliance Plan
   4. Evaluate All In-scope Records – leverage the Data Inventory to determine which CCPA Individual Rights apply to each – and which involve minors!
   5. Review the definition of “Sale” under the CCPA and identify impacted processes.
   6. Update Data Subject Access Request Policies & Procedures to include additional CCPA requirements and develop mechanisms to effectively manage, track and fulfill incoming requests.

33. CCPA 10 Step Compliance Plan
   7. Update Externally Facing Privacy Policies & Notices – include required disclosures and information about any financial incentives, including 12 month look-back requirements.
   8. Update Vendor Data Processing Addendums & Other Third-Party Contracts to address CCPA obligations.
   9. Review IT Systems for current security controls and functionality; identify which need updates to comply with the CCPA and support Individual Rights.
   10. Collaborate cross-functionally to drive compliance plans.
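As an added example that is not part of the deck and is neither TrustArc's nor WilmerHale's code, the Python below shows how the data inventory built in step 3 can drive the mechanisms called for in step 6: it answers a verified access request with the categories collected, sold (per third party) and disclosed for a business purpose as slide 10 requires (stating the "not sold" / "not disclosed" fact when nothing was), propagates a verified deletion to the service providers that received the data as slide 11 requires, and tracks the 45-day response window from slide 29. The record layout, class names, recipient names and sample inventory are constructed assumptions; how a request gets verified is left to the process the AG rules eventually define, so the code simply refuses to act on an unverified request.

```python
"""Added example (not from the TrustArc deck): a minimal CCPA data inventory
that supports the disclosure, deletion and 45-day obligations described on
slides 10, 11 and 29. Names and sample data are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45  # response deadline cited on slide 29


@dataclass
class Disclosure:
    recipient: str
    recipient_type: str   # "third_party" or "service_provider"
    kind: str             # "sale" or "business_purpose"


@dataclass
class Record:
    consumer_id: str
    category: str         # a 1798.140(o)(1) category, e.g. "Identifiers"
    disclosures: list = field(default_factory=list)


@dataclass
class ConsumerRequest:
    consumer_id: str
    kind: str             # "access" or "deletion"
    received: date
    verified: bool = False  # set by the (AG-defined) verification process


class Inventory:
    def __init__(self, records):
        self.records = list(records)

    def _for(self, consumer_id):
        return [r for r in self.records if r.consumer_id == consumer_id]

    def access_response(self, req):
        """Categories collected, sold per third party, and disclosed for a
        business purpose; states the negative fact when a bucket is empty."""
        if req.kind != "access" or not req.verified:
            raise ValueError("only verified access requests are answered")
        collected, disclosed, sold = set(), set(), defaultdict(set)
        for rec in self._for(req.consumer_id):
            collected.add(rec.category)
            for d in rec.disclosures:
                if d.kind == "sale":
                    sold[d.recipient].add(rec.category)
                else:
                    disclosed.add(rec.category)
        return {
            "collected": sorted(collected),
            "sold": {k: sorted(v) for k, v in sorted(sold.items())}
                    or "no personal information sold",
            "disclosed_for_business_purpose": sorted(disclosed)
                    or "no personal information disclosed for a business purpose",
        }

    def delete(self, req):
        """Remove the requester's records and return the service providers
        that must be told to delete as well (slide 11)."""
        if req.kind != "deletion" or not req.verified:
            raise ValueError("only verified deletion requests are executed")
        mine = self._for(req.consumer_id)
        providers = sorted({d.recipient for r in mine for d in r.disclosures
                            if d.recipient_type == "service_provider"})
        self.records = [r for r in self.records
                        if r.consumer_id != req.consumer_id]
        return providers


def response_due(req):
    """Last day of the 45-day response window."""
    return req.received + timedelta(days=RESPONSE_WINDOW_DAYS)


def is_overdue(req, today):
    return today > response_due(req)


# Constructed sample inventory (not real consumers, recipients or data).
SAMPLE = Inventory([
    Record("c-1", "Identifiers",
           [Disclosure("AdNet Co", "third_party", "sale"),
            Disclosure("MailHost", "service_provider", "business_purpose")]),
    Record("c-1", "Geolocation data",
           [Disclosure("AdNet Co", "third_party", "sale")]),
    Record("c-1", "Commercial information",
           [Disclosure("MailHost", "service_provider", "business_purpose")]),
    Record("c-2", "Identifiers", []),
])

if __name__ == "__main__":
    req = ConsumerRequest("c-1", "access", date(2020, 1, 2), verified=True)
    print(SAMPLE.access_response(req), "due", response_due(req))
```

The design point is that every answer comes from the inventory rather than from a hand-written privacy statement: if the inventory does not know which recipient received which category, the per-third-party breakdown on slide 10 cannot be produced and the deletion on slide 11 cannot be propagated, which is why the deck insists that compliance depends on data mapping.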
34. Questions?

35. Contacts
   • Reed Freeman – reed.freeman@wilmerhale.com
   • Janalyn Schreiber – jschreiber@trustarc.com

36. Thank You!
   Register now for the next webinar in our 2019 Winter / Spring Webinar Series, “Putting your Data Inventory to Work: Getting a Return on your Investment”, on May 22, 2019. See http://www.trustarc.com/insightseries for the 2019 Privacy Insight Series and past webinar recordings.

37. Appendix: Research Methodology

38. Research Methodology
   Goal: The primary research goal was to understand readiness and plans for the CCPA (California Consumer Privacy Act) and compare to GDPR readiness.
   Methodology: An online survey was fielded to independent databases of IT and privacy/legal professionals with responsibility for privacy at companies in the United States required to meet CCPA compliance. The survey was fielded from Feb 15th to 27th, 2019. Certain questions were repeated from a similar 2018 GDPR survey to understand trends.
   Participants: 250 qualified individuals completed the survey. All had responsibility for privacy as a significant part of their job at companies of 500 employees or more, were aware of the CCPA and all were required to comply with it.

39. Individuals Represented – Mix of CCPA + GDPR impacted companies and companies only impacted by CCPA*; mix of Legal, IT, and Privacy roles
   Applicable Regulations:
   • CCPA and GDPR: 50%
   • CCPA only: 50%
   *This even split is the result of planned requirements to enable some GDPR related analysis. During fielding about 70-80% of CCPA-impacted companies reported that they were impacted by GDPR.
   Department (CCPA-Only / CCPA + GDPR / All):
   • IT: 55% / 50% / 53%
   • Legal: 30% / 39% / 35%
   • Dedicated Compliance or Privacy: 14% / 11% / 13%

40. Individuals Represented – Mix of job levels represented across study; privacy management was 25% or more of each participant’s job
   Job Level (CCPA-Only / CCPA + GDPR / All):
   • Executive: 40% / 38% / 39%
   • Team manager: 38% / 44% / 41%
   • Individual contributor: 22% / 17% / 20%
   Privacy Role (CCPA-Only / CCPA + GDPR / All):
   • Data privacy is my entire job: 27% / 31% / 29%
   • Data privacy is an important part of my job (more than 25%): 73% / 69% / 71%

41. Companies Represented – Range of company sizes over 500 employees represented; range of industries including a mix of highly regulated and less regulated
   Company Size, # of employees (CCPA-Only / CCPA + GDPR / All):
   • 500 - 1,000: 34% / 20% / 27%
   • 1,000 - 5,000: 37% / 41% / 39%
   • 5,000 - 10,000: 16% / 10% / 13%
   • 10,000 - 50,000: 6% / 17% / 12%
   • More than 50,000: 6% / 12% / 9%
   Industry:
   • Other: 6%
   • Food and Beverage: 1%
   • Media: 1%
   • Hospitality and Entertainment: 2%
   • Transportation: 2%
   • Aerospace and Defense: 4%
   • Internet and E-commerce: 4%
   • Telecommunications: 4%
   • Retail: 4%
   • Consumer Products: 4%
   • Education: 4%
   • Business Services: 13%
   • Manufacturing: 15%
   • Technology: 18%
   • Energy and Utilities (highly regulated): 1%
   • Healthcare and Pharmaceutical (highly regulated): 6%
   • Financial and Insurance Services (highly regulated): 12%