
PRIVACY INSIGHT SERIES

Summer / Fall 2018 Webinar Program

California Consumer Privacy Act:


What you Need to Know
July 25, 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Today’s Speakers

Beth Sipula
Senior Privacy Consultant
TrustArc

Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc


Today’s Agenda

• Welcome & Introductions
• CCPA Background
• CCPA - Who Does it Apply to?
• CCPA Key Changes
• GDPR vs. CCPA Comparison
• Recommendations
• Questions?






CCPA Background and Overview

• The State of California passed the California Consumer Privacy Act (now known as the CCPA) on June 28, 2018.
• Slated to go into effect January 1, 2020, the CCPA is set to be the toughest privacy law in the United States.
• The CCPA broadly expands the rights of consumers and requires businesses within scope to be significantly more transparent about how they collect, use, and disclose personal information.
• All in-scope businesses will need to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 deadline.


CCPA Sanctions for Non-Compliance

• Under the CCPA, businesses are subject to civil action by the California Attorney General’s Office and can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation.
• The CCPA also provides a private right of action to California residents where their personal information is subject to unauthorized access, theft, or disclosure.
• If the California Attorney General’s Office declined to bring an action, residents could bring a private action, where businesses would face paying between $100 to $750 per resident or incident (regardless of whether actual damages are shown).


CCPA – Who Does it Apply to?


Applicability

The CCPA will apply to businesses worldwide if they, or an entity they control or that controls them, receive personal information from California residents, either directly or indirectly, and meet one or more of the following criteria:

• Annual revenue exceeds US $25 Million
• The entity annually receives, directly or indirectly, the personal information of 50,000 or more California residents, devices, or households
• 50% or more of its annual revenue is derived from the sale of personal information about California residents

Notably, “Personal Information” and “Sale” are given expansive definitions under the CCPA, which greatly increase the scope of businesses to which the CCPA will apply.


CCPA Key Changes


CCPA Accountability Areas

• Individual Rights: Access
• Individual Rights: Deletion
• Individual Rights: Data Portability
• Disclosures
• Opt-Out (Sale of Personal Information)
• Opt-In (Minors)
• Non-Discrimination
• Incentive Programs
• Updating Data Inventories
• Transparency
• Updating Privacy Policies
• Training


CCPA Key Changes

Similar to the GDPR, which went into effect May 25, 2018, the central purpose of the CCPA is to expand the rights of California residents relating to their control over personal information. Among the most significant changes to California privacy-related laws, businesses covered by the CCPA will now have obligations relating to the following:

Individual Rights
• Access: Individuals may request disclosure of the specific data elements of personal information collected about them, categories of personal information collected, categories of sources, purposes for collecting or selling, and categories of recipients with whom the personal information has been shared.


Data Portability
• If the specific data elements of personal information are provided to the requestor electronically, to the extent technically feasible, they must be provided in a readily transferable electronic format.

Deletion
• Individuals may request to have their personal information deleted.

Disclosures about Sharing / Sale
• Individuals may request an accounting of the disclosures, including sale, of personal information made to third parties; this significantly expands upon the existing California “Shine the Light” law.

Opt Out
• Individuals may object to the sale of personal information about them.

Opt In
• Minors or their guardian must affirmatively authorize the sale of the minor’s personal information.


Non-Discrimination and Financial Incentives
• Businesses may not discriminate against consumers for opting out of the sale of their personal information.
• Businesses may not deny products or services or offer differential pricing or rates, unless directly related to the value of the data to the consumer.
• Businesses may offer and enter into fair and transparent financial incentive programs for the collection, sale, and disclosure of personal information with the informed consent of consumers.

Transparency
• The online privacy policy or other web-based notice must disclose the categories of data collected, sources from which data is collected, purposes for which the data is used, categories of third parties with whom data is shared, information about individual rights and how to exercise them, as well as the data collected, sold, or disclosed within the prior 12 months.


Transparency (cont.)
• Where applicable, a clear and conspicuous link titled “Do Not Sell My Personal Information” must be included on the business’s homepage and must link to a form where requests can be submitted.
• Notice of any financial incentives offered.

Training
• Specific communications and training obligations for responsible personnel.


GDPR vs. CCPA Comparison


Poll 1
Is your company in scope for:
• CCPA and GDPR
• CCPA
• Neither

Poll 2
If already in scope for the GDPR, is your company:
• Already fully compliant
• Compliance plan in progress
• Just getting started
• Not yet started


Comparing GDPR and CCPA

Compliance Area: Who must comply?
  GDPR: “Controllers” and “Processors” that process personal data of data subjects within the EU, regardless of whether the processing takes place in the Union.
  CCPA: Businesses that collect consumers’ personal information, or authorize another to collect it on their behalf, and either (1) have annual gross revenues of more than $25 million; (2) annually buy, receive, sell, or share, for commercial purposes, information from at least 50,000 consumers, households, or devices; or (3) derive at least 50% of their annual revenues from selling consumers’ personal information.


Compliance Area: When can data be processed?
  GDPR: There must be a specific lawful basis, which includes consent, performance of a contract, to protect a person’s vital interests, for the public interest, or legitimate interests of the controller or a third party.
  CCPA: Companies will need to understand their specific data processing uses/basis; in addition, the sale of data is prohibited unless consent is obtained.

Compliance Area: How is personal information/data defined?
  GDPR: “Any information relating to an identified or identifiable natural person.”
  CCPA: Includes standard personal information identifiers as well as household data, but also includes categories such as biometric data, Internet activity, education information, and commercial information.


Compliance Area: How is data processing defined?
  GDPR: Any operations performed on personal data, automated or otherwise.
  CCPA: Any operations performed on personal data, automated or otherwise.

Compliance Area: Whose personal information is protected by the legislation?
  GDPR: Natural persons (data subjects) in the EU who can be identified, directly or indirectly, by reference to an identifier.
  CCPA: Consumers, which are natural persons and California residents.


Individual Rights Management: CCPA right and GDPR comparison

• CCPA: Broad right of access to personal information (Sec 100, 110, 130)
  GDPR: Article 15 addresses fields, but not timeframe

• CCPA: Right to data portability for electronic access to personal information (Sec 100)
  GDPR: Only applies if access request is responded to electronically; narrower than Article 20

• CCPA: Right to delete personal information (Sec 105)
  GDPR: Very similar to but arguably broader than Article 17, which sets greater limits on its application

• CCPA: Right to receive an accounting of disclosures (“sale” or “for business purposes”) of personal information (Sec 115, 130) [Significantly expands upon existing “Shine the Light” requirements; similar to, but less stringent than, HIPAA right]
  GDPR: Closest right under GDPR is right of access under Article 15

• CCPA: Right to object to sale of personal information (Sec 120)
  GDPR: Narrower and more specific than Article 21

• CCPA: Right to opt-in for sale of minors’ personal information or to authorize sale after exercising the right to object (Sec 120)
  GDPR: Narrower and more specific than Article 8


Compliance Area: Private right of action for consumers?
  GDPR: Yes
  CCPA: Yes, but private citizens must give the organization the opportunity to rectify the issue first and they must notify the California AG.

Compliance Area: What fines may be levied for violations?
  GDPR: Up to 20 million EURO or 4% of worldwide annual turnover of the previous fiscal year.
  CCPA: Private causes of action, between $100 and $750 USD per consumer per incident, or actual damages, whichever is greater. For California AG actions, civil penalties of up to $7,500 USD per violation.


Compliance Area: What are the requirements for children’s data?
  GDPR: The age of consent is considered to be 16, otherwise parental consent is required. EU member states have the option to lower the age to 13.
  CCPA: Businesses cannot knowingly sell data of consumers younger than 16 unless the consumer has opted in or the parent or guardian has opted in to the sale if the child is under the age of 13.


Recommendations for Preparation and Implementation


Recommendations
Getting Started

Those who have helped their companies prepare for the GDPR compliance date know the importance and benefit of starting early. Creating processes to manage these new and ongoing compliance obligations under the CCPA will be a large undertaking for any company in scope.


Poll 3
Where does CCPA rank on your overall compliance priorities?
• Top of the list
• High priority
• Medium priority
• Low priority
• I’m just researching


Prepare

Similar to the efforts many undertook to comply with GDPR, CCPA will require companies who do business in California across technology and many other industry sectors to be accountable for their data handling practices in order to address the broad scope of individual rights similar to those under GDPR.

In order to determine readiness and prepare to comply with the key changes required by CCPA, TrustArc recommends the following 10-Step Plan:

1. Determine whether the CCPA applies to any part of the business, and whether the requirements related to collection, sale, or both, are applicable.
2. Conduct a gap analysis against current individual rights management policies and procedures and transparency practices.


3. Determine which business processes and activities are in scope for CCPA and which involve minors.
4. Create and/or update in-scope data flow maps relevant to the collection, sale, and disclosure of personal information.
5. Determine which CCPA individual rights apply to each business process or activity.
6. Determine whether to offer any financial incentives.


Implement

7. Develop updates to individual rights management policies and procedures.
8. Update Privacy Policies to include required disclosures under CCPA.
9. Update contracts with vendors and third parties with whom personal information is shared.
10. Implement individual rights mechanisms to effectively manage incoming requests.


Takeaways
True or False? The CCPA applies only to businesses in California.

Answer: False. The CCPA applies to organizations that conduct business in California and meet one or more of the following requirements:
- Annual revenue exceeds $25M
- Buy or sell personal information about at least 50K individuals, devices or households annually
- More than half of annual revenue comes from selling data about CA residents


Takeaways
True or False? The CCPA is a lot like GDPR.

Answer: True & False.

Similarities: The CCPA addresses many of the same requirements of the GDPR:
- Individual rights management
- Consent
- Transparency
- Data use limitations
- Security and breaches
- Third party obligations
- Training

Differences: The CCPA does not address the full scope of requirements under GDPR such as:
- Appointing a DPO
- Risk assessments
- DPIAs
- Cross-border data transfer
- Privacy by Design
- Data retention
- Right to not be subject to automated decision making


Takeaways
True or False? The CCPA doesn’t provide for major fines like GDPR.

Answer: False. The CCPA provides for fines up to $7500 for intentional violations and $2500 for other violations. For example: a business that knowingly sells data on just 1000 consumers who have opted out of the sale of their data could be liable for $7.5M.

CCPA also provides a private right of action.




Contacts
Beth Sipula bsipula@trustarc.com


Thank You!
Our Next Webinar will be on August 22, 2018: Managing Multiple Compliance Priorities - GDPR, HIPAA, APEC, ISO 27001, etc.

See http://www.trustarc.com/insightseries to register and to access past Privacy Insight Series webinar recordings.