After conducting a data inventory (see Part 2 of our CCPA series), a business should assess its risks by benchmarking its policies and practices with applicable privacy laws and regulations. Conducting a gap analysis is a critical tool in identifying compliance gaps and developing a plan to bridge those gaps. See e.g., Stipulated Order for Permanent Injunction and Monetary Judgment, Federal Trade Commission & Others v. Vizio, Inc., No. 2:17-cv-00758 (D.N.J. Feb. 6, 2017), Document 1-3 at 5 (privacy program includes addressing privacy risks related to the development and management of new and existing products and services) and CNIL (the French Data Protection Authority) Guidance on Six Steps for GDPR Compliance (step three to identify actions to comply with current/future obligations and to prioritize such actions based on risks). Continue Reading CCPA 12-Month Compliance Series Part 3: Conduct a Gap Analysis
The GDPR and the CCPA have made headlines for their wide scope and impact on privacy practices. On the issue of data security, they take somewhat different approaches, but the bottom line for companies is quite similar: data security measures tailored to the company’s risk profile and actual practices are essential for both legal compliance and the protection of the company and its customers.
The GDPR makes data security a general obligation for all companies processing personal data from the European Union (EU) by requiring controllers and processors to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” (Article 32). As stated in the GDPR, such measures include: pseudonymization and encryption; ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services; ability to timely restore availability and access to personal data in the event of a physical or technical incident; and processes for regularly testing, assessing, and evaluating the technical and organizational measures to ensure the security of processing. Comprehensive internal policies and procedures are thus crucial for all companies controlling or processing EU personal data. Recent enforcement brings home this point, as the Portuguese supervisory authority (CNPD) fined a hospital for using software that provided inadequate patient protections, even though the hospital asserted that it used the software provided by the Portuguese Health Ministry. Continue Reading Cybersecurity, GDPR, and CCPA
I wanted to take this opportunity to share the key takeaways from yesterday’s Senate Judiciary Committee hearing on The State of Data Privacy Protection: Exploring the California Consumer Protection Act and its European Counterpart (see video), where I presented my thoughts regarding a path forward for data management that involves transforming our view of data and reimagining data as a pre-tangible asset in this post-data world. Here are my takeaways from the hearing: Continue Reading CCPA- Key Takeaways from the California State Senate Judiciary Informational Hearing on the State of Data Privacy Protection: Exploring the California Consumer Protection Act and its European Counterpart
To comply with the CCPA, you need to know your data. You need to know what personal information you collect, where it is collected and stored, and whether, to whom, and for what purpose, it is shared or sold. And to know your data, you need to conduct a thorough data inventory.
The process of creating and maintaining a data inventory differs from company to company; however, several key steps are common across industries. First, you need to identify all personal information your company is collecting and where, or from whom, such information is obtained. You also need to identify where the personal information is stored and whether it is shared or sold to others. If personal information is shared with or sold to others, you need to know to whom and for what purpose. In addition, the inventory should have a mechanism to track the 12-month “lookback” period for responding to consumer data requests. If you had prepared a data inventory for GDPR, that would be helpful, but it would not be the end-all for CCPA compliance, as GDPR inventories (or Article 30 reports) are typically limited to personal information flowing from the European Union and to the data elements contained within GDPR’s definition of “personal data.” Continue Reading CCPA 12-Month Compliance Series Part 2: Know Your Data
On February 20, 2019, the Privacy & Consumer Protection Committee of the California State Assembly held an informational hearing where panelists representing different interests spoke on changes and clarifications to the California Consumer Privacy Act (CCPA). Panelists included Alastair Mactaggart, the founder of the ballot initiative of the bill, Stacey Schesser of the California Attorney General’s Office (AGO), Sarah Boot from the California Chamber of Commerce, as well as other interested parties including industry representatives, attorneys, consumer privacy advocates and professors.
Assembly member Ed Chau opened the hearing by noting that even with the passage of SB 1121, which amended the CCPA, there is more work to be done and more “cleanup” bills expected. Assembly member Chau emphasized that the law should be refined so that it is true to its legislative intent and workable for both consumers and businesses. Continue Reading CCPA Hearing and New Bills
For any company handling personal information (PI), an incident involving unauthorized access of the PI may be a question of when and not if. The question then becomes: what does the company need to do? Having an incident response plan that outlines the roles and responsibilities of company stakeholders, the steps the company will take in response to an incident, and the issues it must consider is essential to re-securing the network, meeting the legal obligations arising out of the incident, and minimizing the monetary and reputational harm to the company. All 50 states have breach notification laws that require businesses to take certain actions in the event of a data breach. While notification laws vary from state to state, most states require notification without unreasonable delay and are starting to impose deadlines as short as 30 days. Meanwhile, the GDPR requires a controller to notify “without undue delay” a data breach to the supervisory authority within 72 hours, and if the breach is likely to pose a “high risk to the rights and freedoms” of individuals, it must also notify the affected individuals. Continue Reading Incident Response: Have a Plan
Recent privacy laws and standards promote, and in some cases require, privacy by design. Simply put, companies are to incorporate privacy principles in and throughout all its products and services. In Europe, Article 25 of the GDPR requires companies to implement “appropriate technical and organisational measures . . . which are designed to implement data-protection principles.” Similarly, the FTC’s 2012 Report on Consumer Privacy calls for companies to implement “privacy by design” at every stage of the development of their products and services. California’s law on Security of Connected Devices—which, along with the CCPA, becomes effective on January 1, 2020—provides that a manufacturer of any device that connects to the internet must equip it with reasonable security features “designed” to protect against unauthorized access, destruction, or use. The International Organization for Standardization has approved ISO/PC 317 (Consumer Protection: Privacy by Design for Consumer Goods and Services), which specifies design processes for consumer goods and services aimed at preventing data breaches and helping companies comply with data protection regulations.
A healthy business model then is one that promotes and integrates consumer privacy principles in all products and services, and, to that end, includes legal in product development and marketing discussions.
The California Office of the Attorney General (OAG) will be promulgating regulations to further and provide guidance regarding the California Consumer Privacy Act (CCPA). You can participate in the rulemaking process.
The OAG is holding public forums where all members of the public are invited to speak (RSVP) or simply attend. We reported on the first two forums in San Francisco and San Diego here. Continue Reading CCPA 12-Month Compliance Series Part 1: Participate in Rulemaking
With the states taking the lead on privacy (see our tip here), the federal government is starting to get in on the action.
Last week, on January 16, 2019, Republican Sen. Marco Rubio introduced the American Data Dissemination (ADD) Act (S. 142). Recognizing the lack of a single comprehensive federal privacy law, the ADD Act seeks to “provide a national consumer data privacy law that protects both consumers and the innovative capabilities of the internet economy.” It instructs the Federal Trade Commission (FTC) to prepare privacy regulations applicable to “covered providers”—i.e., persons who provide a service that uses the internet to collect records containing personally identifiable information—for approval by Congress that are substantially similar to the requirements under the Privacy Act of 1974. Among other things, the FTC would be required to establish criteria for exempting small or newly formed providers, to restrict disclosure of records, and to provide consumers with rights to access and correct their personal data. The ADD Act, if enacted, would preempt the California Consumer Privacy Act (see our CCPA page here) and other state privacy laws, including the recently introduced New York privacy bill, which would establish a privacy bill of rights for New York residents. Continue Reading Federal Privacy Bills Introduced
The California Office of the Attorney General (OAG or Office) held the first two of its six public forums on January 8, 2019 in San Francisco and on January 14, 2019 in San Diego to solicit public comments and feedback in preparation for its rulemaking efforts under the California Consumer Privacy Act (CCPA). The OAG specifically welcomed comments across seven rulemaking categories that are included in the responsibility of the OAG:
- Categories of “personal information”
- Definition of “unique identifier”
- Exceptions to the CCPA
- Submitting and complying with requests
- The uniform opt-out logo or button
- What notices and information should businesses be required to provide to consumers
- Verification of consumers’ requests
In San Francisco, 14 speakers from businesses, nonprofit organizations, trade associations, universities, Perkins Coie and individual consumers sought clarifications to definitions in, and scope of, the statute and provided specific suggestions. In San Diego, a total of five speakers, including representatives from a trade association and a cybersecurity consulting firm, shared their input. Continue Reading California AG Hosts the First Two Public Forums on California Consumer Privacy Act