
No Opting Out of CCPA's Data Rights

Tuesday, October 30, 2018

Time: 10–11 a.m. PT
      1–2 p.m. ET
      6–7 p.m. CET

www.iapp.org
Welcome and Introductions

Host:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, IAPP

Panelists:
Debra J. Farber, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Senior Director, Privacy Strategy, BigID

Robert Glaser
Specialist Leader, Privacy and Data Protection, Cyber Risk Services, Deloitte
CCPA: A New Privacy Sheriff in Town

Consumer Data Rights Obligations
• Right to Know, Right to Access, Right to Disclosure, Right to Opt Out and Right to Delete
• Establishes need to build and maintain data inventory

Expanded definition of “personal information”
• Personal information is data linked or linkable to a CA consumer or household, not just PII
• Establishes need to determine & monitor identifiability of data

Real Enforcement
• State AG penalties for violations and data breach notification lapses per instance after July 1, 2020.
• CA Consumers have a private right of action to sue for privacy violations and inadequate protection against breaches after Jan 1, 2020.

Accountability In Data Processing
• Need to operationalize “opt-out” decisions and delineate between sold, transferred, and processed data

Right to Know

CCPA grants consumers the right to request that businesses disclose the “categories and specific pieces of personal information the business has collected” about them.

Right to Know: Obligation to Disclose

Upon receipt of a “verifiable consumer request,” a business must disclose to a consumer:

• The categories of PI it has collected about him or her;
• The categories of sources from which the PI was collected;
• The business purpose(s) behind collecting the PI;
• The categories of third parties with whom the business has shared the info; and
• The specific pieces of PI it has collected about the consumer.

Compliance Note:
- Information must be updated at least every 12 months.
- Additional uses / collection require notice to the consumer.

Right to Access: Consumer Requests

A consumer can request a copy of the specific PI that a business retains about him or her.

Business Obligations to Respond to Verifiable Consumer Requests

• Consumers may make this request to a business no more than twice in 12 months.
• The business must provide a California consumer with access to the PI it holds and deliver it “in a readily useable format” that allows porting the data to another entity “without hindrance.”
• Info must be provided free of charge.
• Exception to Right: Not applicable to info collected for a single transaction as long as the info is not sold or retained for the purpose of linking it to PI (e.g., “guest checkout”).

Oddly, CCPA does not have a “right to amend” or right to “rectification.”

Right to Access: Implied Right of Portability

No More Business As Usual

Prepare, Don’t Panic

• Address PI access and deletion requests at scale & with minimal impacts to the business.
• Respect & operationalize all opt-out requests for the sale of consumers’ PI.
• Collect affirmative authorizations from children 13-16 to sell their PI.
• Delete PI that the business is not required by law to retain.

Privacy compliance with CCPA goes beyond traditional notice & choice requirements.

California Consumer Privacy Act Considerations

Why the CCPA is so impactful

• Readiness will “take a village”
• Where California goes, the nation could follow
• Onerous, European Union-like requirements
• California’s history of strong enforcement

Principal amendments to the CCPA

Re-defining “Personal Information”
▪ The definition of PI is revised to clarify that identifiers or data types such as IP addresses, purchasing histories and geolocation data will no longer automatically be deemed personal information. Instead, those identifiers or data types will be considered PI only if they can be associated with a specific consumer or household.

Expanding HIPAA
▪ The law’s exemption for protected health information now covers “business associates” as well as covered entities governed by the Health Insurance Portability and Accountability Act (HIPAA). The exemption in the original CCPA law had not addressed HIPAA business associates.

Gramm-Leach-Bliley Act (GLBA) / Driver’s Privacy Protection Act (DPPA) revisions
▪ The contingency that the CCPA only exempts GLBA and DPPA data where in “conflict” with those statutes is removed.

Limited private right of action
▪ The bill clarified that the only permitted private right of action is in connection with unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted and nonredacted personal information.

Limits penalty to $7,500
▪ The revised bill limited the AG’s recovery to $2,500 for each violation of the CCPA, or $7,500 per intentional violation.

Revised timing and delayed attorney general regulations
▪ The revised bill addressed concerns raised by the Attorney General by:
  ▪ Providing that civil penalties collected under the CCPA will be used by the AG and courts to offset costs
  ▪ Deferring the AG’s obligation to adopt regulations to July 1, 2020 and delaying the AG’s right to enforce the CCPA until July 1, 2010
▪ However, the deferred date of enforcement does not limit the private actions of consumers in connection with a security incident.

Preempts local lawmaking before 2020 implementation date
▪ The bill previously preempted local laws regulating collection and sale of consumer PI, but now clarifies that this rule shall be operative on the effective date of the act, in other words, once the bill becomes law.
▪ This change prevents confusion arising from local efforts to address privacy requirements between now and 2020.

CCPA Challenges and Leading Practices

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should
consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

CCPA challenges and leading practices

Control area: Classification
  Challenges:
  • Individuals and households
  • Broad PI definition
  • California or United States?
  • One and done
  Leading practices:
  • Update data classification program, policies, standards, processes, technology, training, et al

Control area: Records of Processing
  Challenges:
  • Inventorying processes and systems
  • Determining inherent risk
  • Business engagement
  • Maintaining the inventory
  Leading practices:
  • Leverage sources of record
  • Simplified risk ranking criteria
  • Change management
  • Maintain through Privacy by Design (PbD)

Control area: Portability & Erasure
  Challenges:
  • Scope of “data” for port/erasure
  • Retention requirements (legal, regulatory)
  • No “easy” button
  • Risk vs. reward
  Leading practices:
  • Start with “systems of record”
  • Integrate with retention schedule
  • Build long-term vision/plan/strategy
  • Consider “ad-hoc” response vs. technology enablement

Control area: Consent
  Challenges:
  • Explicit consent from minors
  • Authentication challenges
  • Stopping processing/sale
  Leading practices:
  • Update authentication mechanisms (e.g., multi-factor)
  • Enterprise consent management solutions
  • Inventory and maintain PI sold

CCPA challenges and leading practices, cont.

Control area: Security
  Challenges:
  • What is “required” vs. “recommended”?
  • Monitoring, encryption, tokenization, and loss prevention capabilities
  • Risk vs. reward
  Leading practices:
  • Leverage industry standards (e.g., ISO, NIST)
  • Enhance incident response plan, forensic capabilities, war-gaming
  • SIEM & Data Loss Prevention (DLP), encrypt for “safe harbor”

Control area: Third-party
  Challenges:
  • Who am I sharing with and selling to?
  • Which contracts to amend?
  • Who should be assessed?
  • Breach preparedness
  Leading practices:
  • Inventory third parties
  • Risk-based; leverage renewals
  • Simplified risk ranking criteria
  • Set Service Level Agreements (SLAs), test/war-game

Control area: Technology enablement
  Challenges:
  • Now or later?
  • Maturity of privacy technology landscape
  Leading practices:
  • Enable technology where practical
  • Vendor analysis and short-/long-term strategies

Control area: Management & reporting
  Challenges:
  • Will the CCPA be modified?
  • How will it be enforced?
  • What is my business risk?
  • How to change culture?
  Leading practices:
  • Monitor for updates and make business decisions
  • Research California enforcement history
  • Risk assessment, monitoring, and metrics
  • Training and organizational change management

Recommendations for how to approach the CCPA

An Illustrative Path to CCPA Readiness

Phase 1: Assess & plan
  • Documentation reviews
  • People, process, & technology assessment
  • Strategy, road-map, & project planning
  • Cost estimation

Phase 2
  2a Enterprise design & build
  • Policies
  • Individual rights & consent management
  • Security & privacy technology enhancements
  • Privacy by Design (PbD)
  • Training & communications
  • Third-party risk management
  • Metrics & reporting
  2b Operational analysis

Phase 3
  3a Enterprise implementation
  3b Operational (business unit) implementation
  • Notice & consent
  • Security
  • Third-party contracts / risk assessments
  • Other

Workstreams across the phases:
1. Initiation & planning
2. Policies & notices
3. Individuals rights & consent management
4. Security & privacy technology enhancements
5. Privacy by Design (PbD)
6. Organization change (training & communications)
7. Third-party risk management
8. Organization & operating model
9. Metrics & reporting
10. Incident response
11. Data inventory
12. Data Protection Impact Assessment (DPIA)

Technology That Can Enable a CCPA Program

Technology-enabled CCPA programs can do more with less

Data inventory
  Sample challenge in manual CCPA approaches: Vast amounts of personal data are created daily, and should be managed consistent with policies and notices.
  Benefit of technology enablement: Data collection and processing is dynamically mapped, allowing near real-time tracking of how your organization uses data.

Consent management
  Sample challenge in manual CCPA approaches: Individuals can now opt out of the sharing of their data and should be managed on a per-user basis.
  Benefit of technology enablement: Users can freely manage their consent without manual response from the Privacy Office.

Individual rights
  Sample challenge in manual CCPA approaches: Deletion, access, and other data subject rights may be impractical to execute manually.
  Benefit of technology enablement: Incoming requests, upon approval, can be efficiently and completely processed throughout the appropriate IT systems.

Incident response and breach notification
  Sample challenge in manual CCPA approaches: Breaches must be prevented and detected in order to create a more resilient program.
  Benefit of technology enablement: Automated tracking of notification requirements against the characteristics of the incident allows for expedited workflow.

CCPA Building Blocks

Policy: Accountability and Transparency by Consumer

Technology: Find Personal Data Based on Context and Association

Technology: Map and Inventory Personal Information by Consumer

Process: Operationalize and Fulfill Privacy Lifecycle Management

Consumer Data Rights Need Data Insight

CCPA Provision 1798.110(a)(4)

• Maintain an inventory of processing activities
• Discovery Of Personal Information Across The Data Estate
• Correlate Discovered Personal Information to Consumer
• Inventory and Index Personal Information by Consumer
• Rinse and Repeat as New Data Sources, Apps and Attributes are Introduced

Consumer-Centric Insights for Consumer Data Rights

Consumer Data Rights - Right to Know
Provision 1798.110

• Where consumer information was found
• What categories of data are collected
• How the data is related to a consumer
• Justification for collection

No Opting Out of CCPA's Data Rights

Consumer Data Rights - Right to Opt Out
Provision 1798.145

• Correlate Opt Out Decision to Specific Consumer In the Inventory
• Identify Consumer Data and Locations
• Identify Specific Processing Flows For Consumer Datasets
• Identify Applications, Third Parties for Data Flows
• Apply Opt Out Policy To Consumer Profile and Associate Policy Tag to Attributes
• Maintain Policy-based Monitoring and Alerting for Continuous Compliance

Right to Be Forgotten & Erasure: Request to Fulfillment

Automated Data Knowledge = Intelligence & Assurance

Privacy Intelligence
• Discover all data linkable to an identity
• Detect “dark data” within your enterprise
• Map personal data flows to assess privacy risks
• Easily inventory data by person and state of residence
• Respond to access requests at scale
• Instantly know whose data has been compromised during a breach

Privacy Assurance
• Know with a high level of certainty whose data lives where across your enterprise
• Please your auditors, DPO, & regulators
• Confidently & effectively manage consent, integrate and monitor data processing

Questions and Answers

Host:
Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager, IAPP
dave@iapp.org

Panelists:
Debra Farber, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP
Senior Director, Privacy Strategy, BigID
debraf@bigid.com

Robert Glaser
Specialist Leader, Privacy and Data Protection, Cyber Risk Services, Deloitte
rglaser@deloitte.com

Thank You to our Sponsor, Speakers and Participants

Web Conference Participant Feedback Survey

Please take this quick (2 minute) survey to let us know how satisfied you were with this program and to provide us with suggestions for future improvement.

Click here:
https://www.questionpro.com/t/AOhP6ZdDqc

Thank you in advance!

For more information: www.iapp.org

Attention IAPP Certified Privacy Professionals:
This IAPP web conference may be applied toward the continuing privacy education
(CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM
credential worth 1.0 credit hours. IAPP-certified professionals who are the named
participant of the registration will automatically receive credit. If another certified
professional has participated in the program but is not the named participant then
the individual may submit for credit by submitting the continuing education
application form here: CPE credit application.

Continuing Legal Education Credits:

The IAPP provides certificates of attendance to web conference attendees.
Certificates must be self-submitted to the appropriate jurisdiction for
continuing education credits. Please consult your specific governing body’s
rules and regulations to confirm if a web conference is an eligible format
for attaining credits. Each IAPP web conference offers either 60 or 90 minutes of
programming.

For questions on this or other IAPP Web Conferences or recordings, or to obtain a copy of the slide presentation, please contact:

Dave Cohen, CIPP/E, CIPP/US
Knowledge Manager
International Association of Privacy Professionals (IAPP)
dave@iapp.org
603.427.9221
