Beth Sipula
Senior Privacy Consultant
TrustArc
• Recommendations
• Questions?
[Slide: overview of CCPA individual rights]
• Individual Rights: Access
• Individual Rights: Deletion
• Data Disclosures
• Portability
• Opt-Out (Sale of Personal Information)
• Opt-In (Minors)
• Non-Discrimination
• Incentive Programs
Similar to the GDPR, which went into effect May 25, 2018, the
central purpose of the CCPA is to expand the rights of California
residents relating to their control over personal information.
Among the most significant changes to California privacy-
related laws, businesses covered by the CCPA will now have
obligations relating to the following:
Individual Rights
• Access: Individuals may request disclosure of the specific data
elements of personal information collected about them, categories
of personal information collected, categories of sources, purposes
for collecting or selling, and categories of recipients with whom the
personal information has been shared.
Transparency
• The online privacy policy or other web-based notice must disclose
the categories of data collected, sources from which data is
collected, purposes for which the data is used, categories of third
parties with whom data is shared, information about individual
rights and how to exercise them, as well as the data collected, sold,
or disclosed within the prior 12 months.
Training
• Specific communications and training obligations for responsible
personnel
CCPA individual rights compared with the closest GDPR provision:
• Broad right of access to personal information (Sec 100, 110, 130). GDPR: Article 15 addresses the fields covered, but not the timeframe.
• Right to data portability for electronic access to personal information (Sec 100). GDPR: only applies if the access request is responded to electronically; narrower than Article 20.
• Right to delete personal information (Sec 105). GDPR: very similar to, but arguably broader than, Article 17, which sets greater limits on its application.
• Right to receive an accounting of disclosures (“sale” or “for business purposes”) of personal information (Sec 115, 130). [Significantly expands upon existing “Shine the Light” requirements; similar to, but less stringent than, the HIPAA right.] GDPR: the closest right is the right of access under Article 15.
• Right to object to the sale of personal information (Sec 120). GDPR: narrower and more specific than Article 21.
• Right to opt in to the sale of minors’ personal information, or to authorize a sale after exercising the right to object (Sec 120). GDPR: narrower and more specific than Article 8.
Private right of action for consumers?
• GDPR: Yes.
• CCPA: Yes, but private citizens must give the organization the opportunity to rectify the issue first, and they must notify the California AG.
What are the requirements for children’s data?
• GDPR: The age of consent is considered to be 16; otherwise parental consent is required. EU member states have the option to lower the age to 13.
• CCPA: Businesses cannot knowingly sell data of consumers younger than 16 unless the consumer has opted in or, if the child is under the age of 13, the parent or guardian has opted in to the sale.
Similar to the efforts many undertook to comply with GDPR, the CCPA will
require companies that do business in California, in technology and
many other industry sectors, to be accountable for their data handling
practices in order to address a broad scope of individual rights similar to
those under GDPR.
In order to determine readiness and prepare to comply with the key
changes required by CCPA, TrustArc recommends the following 10-Step
Plan:
1. Determine whether the CCPA applies to any part of the business, and
whether the requirements related to collection, sale, or both, are
applicable.
2. Conduct a gap analysis against current individual rights management
policies and procedures and transparency practices.
Contacts
Beth Sipula bsipula@trustarc.com
Thank You!
Our Next Webinar will be on August 22, 2018:
Managing Multiple Compliance Priorities - GDPR, HIPAA, APEC, ISO
27001, etc.