CCPA Challenges and Leading Practices
Data Rights
www.iapp.org
Welcome and Introductions
Host: Panelists:
CCPA: A New Privacy Sheriff in Town
Real Enforcement
State AG penalties for violations and data breach notification lapses per instance after
July 1, 2020.
CA Consumers have a private right of action to sue for privacy violations and
inadequate protection against breaches after Jan 1, 2020.
Right to Know
Right to Know: Obligation to Disclose
The categories of third-parties with whom the business has shared the info; and
Compliance Note:
- Information must be updated at least every 12 months.
- Additional uses / collection require notice to the consumer.
Right to Access: Consumer Requests
A consumer can request a copy of the specific PI that a business retains about him or her.
Business must provide a California consumer with access to PI held by the business and to deliver it
“in a readily useable format” that allows porting the data to another entity “without hindrance.”
Exception to Right: Not applicable to info collected for a single transaction as long as the info is not
sold or retained for the purpose of linking it to PI (e.g., “guest checkout”).
Right to Access: Implied Right of Portability
No More Business As Usual
Privacy compliance with CCPA goes beyond traditional notice & choice requirements.
California Consumer Privacy Act
Considerations
Why the CCPA is so impactful
Principal amendments to the CCPA
Re-defining “Personal Information”
▪ The definition of PI is revised to clarify that the identifiers or data types such as IP addresses, purchasing histories and geolocation data will no longer automatically be deemed personal information. Instead, those identifiers or data types will be considered PI only if they can be associated with a specific consumer or household.
Expanding HIPAA
▪ The law’s exemption for protected or health information now covers “business associates” as well as covered entities governed by the Health Insurance Portability and Accountability Act (HIPAA). The exemption in the original CCPA law had not addressed HIPAA business associates.
CCPA Challenges
and Leading Practices
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should
consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
CCPA challenges and leading practices
Control area Challenges Leading practices
CCPA challenges and leading practices, cont.
Control area: Security
Challenges:
• What is “required” vs. “recommended”?
• Monitoring, encryption, tokenization, and loss prevention capabilities
• Risk vs. reward
Leading practices:
• Leverage industry standards (e.g., ISO, NIST)
• Enhance incident response plan, forensic capabilities, war-gaming
• SIEM & Data Loss Prevention (DLP), encrypt for “safe harbor”
Recommendations for how to
approach the CCPA
An Illustrative Path to CCPA Readiness
Phase 1 Phase 2 Phase 3
Technology That Can Enable
a CCPA Program
Technology-enabled CCPA programs can do more with less
Sample challenges in manual CCPA approaches
Consent management: Individuals can now opt out of the sharing of their data and should be managed on a per-user basis.
Benefits of technology enablement
Consent management: Users can freely manage their consent without manual response from the Privacy Office.
CCPA Building Blocks
Policy
Accountability and Transparency by Consumer
Technology
Find Personal Data Based on Context and Association
Technology
Process
Consumer Data Rights Need Data Insight
Consumer-Centric Insights for Consumer Data Rights
Consumer Data Rights - Right to Know
Provision 1798.110
No Opting Out of CCPA's Data Rights
Consumer Data Rights - Right to Opt Out
Provision 1798.145
Right to Be Forgotten & Erasure: Request to Fulfillment
Automated Data Knowledge = Intelligence & Assurance
Questions and Answers
Host: Panelists:
Thank You
to our
Sponsor
Speakers and Participants
Web Conference
Participant Feedback Survey
Click here:
https://www.questionpro.com/t/AOhP6ZdDqc
Attention IAPP Certified Privacy Professionals:
This IAPP web conference may be applied toward the continuing privacy education
(CPE) requirements of your CIPP/US, CIPP/E, CIPP/G, CIPP/C, CIPT or CIPM
credential worth 1.0 credit hours. IAPP-certified professionals who are the named
participant of the registration will automatically receive credit. If another certified
professional has participated in the program but is not the named participant then
the individual may submit for credit by submitting the continuing education
application form here: CPE credit application.
For questions on this or other
IAPP Web Conferences or recordings
or to obtain a copy of the slide presentation please contact: